At the RSA conference, security researcher Joe Stewart is proposing a sustained, three-pronged approach to attacking the worst offenders on the Internet. The strategy requires international cooperation and more than just ad-hoc groups of volunteers if we want to take down botnets, he told eWEEK.
Joe Stewart, director of malware research at SecureWorks, is pushing
for security researchers to adopt a concerted, three-pronged effort to
take down the Web's most troublesome botnets.
Call it offense in-depth.
"If you look at how the criminal considers whether to continue their
enterprise or not, they are probably affected by three things: risk, effort, reward
he said in an interview with eWEEK at the RSA Conference in San
Francisco. "We should be fighting these guys on all three of these
Targeting any one of those elements isn't going to significantly change the threat landscape, but a coordinated, focused attack
all three fronts could make a difference, he said. Doing that, however,
requires a stealthy approach by focus groups dedicated to targeting
specific botnets or cyber-criminals on a continuous basis.
"We're just concentrating on it a little while, and then we're moving on to the others," he explained. "I think that's what is lacking
I'm proposing is that we restructure and maybe institutionalize some of
these ideas and tactics and start putting together small teams of
people that just concentrate on one particular botnet or one particular
cyber-criminal and just do it long-term and try to affect each one of
those three factors."
Ideally, hackers won't even know they are being targeted, he
continued. Rather than take down a botnet's command-and-control
servers, host ISPs could be pressured to throttle their bandwidth, he
This will take an international effort Stewart foresees involving a
global treaty signed by every nation with an Internet connection. Each
country would hold each autonomous system with a border router
physically located in their country responsible for malicious activity
emanating from their networks.
As part of the treaty, there would be mandatory implementation of
BCP 38 by all AS holders to stop packet IP spoofing. Each country
should have a CERT (Computer Emergency Readiness Team) with legal
authority to hold network operators responsible. There would also be a
global body to route information about abuse between researchers, law
enforcement and the per-country CERTS.
Information would be shared between researchers and vendors to make
sure they had the most up-to-date signatures for the related malware.
Less technical answers involve encouraging victim of rogue anti-virus
schemes to use the "charge back" system, in which credit card companies
take back payments issued to the scammers. This in turn hurts profits
as not only are the payments recalled, the credit card companies may
move to disallow the scammers from receiving payments altogether due to
number of complaints.
It could also hurt relations between affiliate networks
by disrupting the payment process.
"None of these things by themselves could really stop a criminal
enterprise," he said. "But doing them simultaneously on all fronts, and
doing it focused over a long-term period we could have an impact where
we get them to a point where the amount of risk they are undertaking,
the amount of effort they are taking is not worth the reward their