Hitting Botnets Where It Hurts at RSA Conference

Joe Stewart, director of malware research at SecureWorks, is pushing for security researchers to adopt a concerted, three-pronged effort to take down the Web’s most troublesome botnets.

Call it offense in-depth.

“If you look at how the criminal considers whether to continue their enterprise or not, they are probably affected by three things: risk, effort, reward,” he said in an interview with eWEEK at the RSA Conference in San Francisco. “We should be fighting these guys on all three of these fronts.”

Targeting any one of those elements isn’t going to significantly change the threat landscape, but a coordinated, focused attack on all three fronts could make a difference, he said. Doing that, however, requires a stealthy approach by focus groups dedicated to targeting specific botnets or cyber-criminals on a continuous basis.

“We’re just concentrating on it a little while, and then we’re moving on to the others,” he explained. “I think that’s what is lacking…What I’m proposing is that we restructure and maybe institutionalize some of these ideas and tactics and start putting together small teams of people that just concentrate on one particular botnet or one particular cyber-criminal and just do it long-term and try to affect each one of those three factors.”

Ideally, hackers won’t even know they are being targeted, he continued. Rather than take down a botnet’s command-and-control servers, host ISPs could be pressured to throttle their bandwidth, he suggested.

This will take an international effort Stewart foresees involving a global treaty signed by every nation with an Internet connection. Each country would hold each autonomous system with a border router physically located in their country responsible for malicious activity emanating from their networks.

As part of the treaty, there would be mandatory implementation of BCP 38 by all AS holders to stop packet IP spoofing. Each country should have a CERT (Computer Emergency Readiness Team) with legal authority to hold network operators responsible. There would also be a global body to route information about abuse between researchers, law enforcement and the per-country CERTS.

Information would be shared between researchers and vendors to make sure they had the most up-to-date signatures for the related malware. Less technical answers involve encouraging victim of rogue anti-virus schemes to use the “charge back” system, in which credit card companies take back payments issued to the scammers. This in turn hurts profits as not only are the payments recalled, the credit card companies may move to disallow the scammers from receiving payments altogether due to number of complaints.

It could also hurt relations between affiliate networks by disrupting the payment process.

“None of these things by themselves could really stop a criminal enterprise,” he said. “But doing them simultaneously on all fronts, and doing it focused over a long-term period we could have an impact where we get them to a point where the amount of risk they are undertaking, the amount of effort they are taking is not worth the reward their realizing.”