SAN FRANCISCO--Technology is not enough to help the security industry keep botnets from stealing peoples' money and committing denial-of-service attacks, a top botnet researcher said on Wednesday. His suggestion? Stop the flow of money to their coffers.
"We need to disrupt their business model and make it hard for them to carry out their attacks and make money," Joe Stewart, a security researcher at SecureWorks, said in an interview at the RSA 2009 security conference here.
"Right now, it's risky to surf the Internet with a PC," he said. "I would like to see us return to a time when you could surf the Internet and trust that your computer wasn't going to get infected."
Computers can be infected in any number of ways, but typically they get a Trojan or other malicious program downloaded onto them without the owner's knowledge, which happens either from visiting a Web site with malicious code on it or opening malicious attachments in e-mail.
Once infected, depending on the attack, a computer can be controlled by remote attackers who are able to steal data or instruct the computer and other so-called zombies into sending spam or launching distributed denial-of-service attacks to shut down Web sites.
Researchers have focused on trying to stop attacks, but once they get a botnet operator kicked offline by shutting down its hosting provider it's usually not long before the botnet cranks back up with its command-and-control server at a different location, he said. For example, four months after a major botnet hoster, McColo, was shut down in November, the spam volumes were back up to normal levels.
Specifically, victims should be encouraged to seek reimbursement when they are charged for things like purchasing software that masquerades as a legitimate antivirus program, said Stewart, who created an ingenious eye-chart program that PC users can use to test whether their computers are infected with Conficker. The eye chart was needed because Conficker blocks access to security sites people would normally visit to check for infection.
The industry should also create teams of researchers that would focus on a single crime group or operation much like police stay on the trail of a particular real-world organized crime gang until everyone is arrested, Stewart said.
The organization would need funding, which could possibly come from the companies that seem to be impacted the most from cybercrime, like credit card processors, he said.
Law enforcement efforts are thwarted because officials in other countries where cybergangs are based often can't be convinced to cooperate, he said. Getting countries to sign a global anti-Internet abuse accord would be ideal, he said.
Meanwhile, national CERT (Computer Emergency Readiness Team) organizations should be given authority to fight botnets, by ordering Internet service providers to shut down hosting providers, Stewart said. In South Korea, for example, malicious Internet activity dropped drastically when the CERT three got teeth, he added.
Stewart is scheduled to give a presentation on his idea during a session Thursday at RSA and at an upcoming Interpol meeting.
When political tensions flared last month between Georgia and its large neighbor to the north, the country was ready to block Internet traffic from Russia, hoping to avoid the denial-of-service attacks that shut down Internet service in Estonia for several days in 2007. Instead, most of the DoS attacks that were directed against Georgia came from an unlikely place: the United States.
"Russia is one of the most capable countries when it comes to launching system intrusion hacking attempts, distributed denial-of-service attacks, and operation of botnets," said Don Jackson, director of Threat Intelligence for SecureWorks. "Yet you'll notice the number of attacks coming from Russia are very low."
SecureWorks on Monday released a list ranking the countries with the most infected computers enlisted for use with botnets. On that list, Russia ranks 7th, far behind the United States, China, Brazil, South Korea, Poland, and Japan. The reason Russia is so low, Jackson said, is that hackers from Russia don't attack from within Russia.
Instead of attacking using Russian IP addresses, Jackson said, the hackers who wanted to attack Georgia used "computers and control servers located in Turkey while the bots (the infected computers) that they controlled were mostly in the United States."
... Read more
LAS VEGAS--On Wednesday, Joe Stewart, director of malware research for SecureWorks, presented his work on protocols and encryption used by the Storm worm botnet at Black Hat 2008.
He said as far as botnets go, Storm is not particularly sophisticated, nor is it our No. 1 threat. Yet while other botnets come and go, Storm remains amazingly resilient, in part because the Trojan horse it uses to infect systems changes its packing code every 10 minutes, and, once installed, the bot uses fast flux to change the IP addresses for its command and control servers.
None of this surprising, it's just handled well.
In explaining Storm worm's resiliency compared to newer and sleeker botnets, Stewart looked at the encryption used within the commands sent from the command and control server. He said the compression or packing code changes so often in order to thwart antivirus signature files.
Storm uses P2P to communicate with its various nodes and supernodes throughout the Internet. He said because of that, it has to contend with bogus media files being sent via P2P and researchers such as himself attempting man-in-the-middle attacks to see what the commands might be. To handle that, Storm has started using 64-bit RSA encryption based, in part, on the date.
Joe Stewart talks about what botnet code is available and what can be found within it.
- prev
- 1
- next
