
Botnet Expert Wants 'Special Ops' Security Teams

timothy posted more than 4 years ago | from the if-wishes-were-horses dept.

Security 115

CWmike writes "Criminal cybergangs must be harried, hounded and hunted until they're driven out of business, a noted botnet researcher said as he prepared to pitch a new anti-malware strategy at the RSA Conference in SF. 'We need a new approach to fighting cybercrime,' said Joe Stewart, director of SecureWorks' counterthreat unit. 'What we're doing now is not making a significant dent.' He said teams of paid security researchers should set up like a police department's major crimes unit or a military special operations team, perhaps infiltrating the botnet group and employing a spectrum of disruptive tactics. Stewart cited last November's takedown of McColo as one success story. Another is the Conficker Working Group. 'Criminals are operating with the same risk-effort-reward model of legitimate businesses,' said Stewart. 'If we really want to dissuade them, we have to attack all three of those. Only then can we disrupt their business.'"



A more simple solution... (3, Insightful)

the4thdimension (1151939) | more than 4 years ago | (#27673193)

Teach users to be safe on the internet and not download any old thing that pops up on the screen... seems cheaper and easier than waging an all-out witch hunt on botnet admins.

Re:A more simple solution... (4, Insightful)

emocomputerjock (1099941) | more than 4 years ago | (#27673271)

This still doesn't address drive by exploits, XSS, SQL injections, or any number of other threats. That being said, vigilantism isn't the approach either. You have to get countries and governments on board, with treaties signed and all that jazz.

Re:A more simple solution... (5, Funny)

guyminuslife (1349809) | more than 4 years ago | (#27673307)

We get Dick Cheney to run the computer security task force, give him no oversight and a redacted budget. Then tell him there's oil in the Internet.

I guarantee, all your regulatory problems will mysteriously vanish, just like all of the(*)#(*)@R_ *CARRIER LOST*

Re:A more simple solution... (0)

Anonymous Coward | more than 4 years ago | (#27673523)

You obviously didn't remember that Cheney is a /b/tard. That'll teach ya....

Re:A more simple solution... (2, Interesting)

Dan541 (1032000) | more than 4 years ago | (#27674379)

Problem is there aren't any innocent people to sue for infringements, so the government won't give it a high priority.

Re:A more simple solution... (1)

the4thdimension (1151939) | more than 4 years ago | (#27674483)

These problems are beyond the scope of botnet research. SQL exploits are a completely different animal than botnets. A botnet is a fairly sophisticated piece of code that requires the host to download some file for it to plant itself in the system. If users were aware of the fact that downloading files that are not trustworthy is dangerous, and most people didn't do it, botnets would cease to exist. Botnets rely on a majority of people being stupid, and if we can get the majority to be smart, then botnets would be a thing of the past.

Re:A more simple solution... (2, Insightful)

emocomputerjock (1099941) | more than 4 years ago | (#27674817)

I argue differently. SQL injections, XSS attacks, and drive-by exploits are every bit a part of the botnet problem. Firstly, malware needs a place to exist. This is not only on domains stood up with the express purpose of hosting said malware, but on legitimate compromised webservers. Secondly, malware and botnet coders are coming up with as many exploits as possible that do not involve user interaction, through javascript, browser exploits, and unpatched security vulnerabilities. For the remainder there are intensely sophisticated attacks relying on social engineering and reputation hijacking. It's a lot easier to run code on a user's machine when the webserver is one the user already trusts and has set in a trusted security zone. The solution to this problem is going to require multinational political agreement. The problem with that is not only that it is work, but that the countries the criminals reside in have little to no incentive to cooperate. These countries are often poor and have a base of computer science and programming majors with low-paying or no jobs who commit computer crime for the income. It may not be legal, but those people are at least making and spending money, making it a heck of a lot more difficult to enlist the host countries' help in apprehending them.

Re:A more simple solution... (2, Funny)

DriedClexler (814907) | more than 4 years ago | (#27674727)

This still doesn't address drive by exploits, XSS, SQL injections,

True, but I think we could take care of the last one by prohibiting people from taking any legal name that includes the string "); Drop Table"

To quote "The Comedian", from "The Watchmen"... (0)

Anonymous Coward | more than 4 years ago | (#27675243)

"That being said, vigilantism isn't the approach either" - by emocomputerjock (1099941) on Wednesday April 22, @08:16AM (#27673271)

Per my subject-line: This exchange from the film "The Watchmen", fits here imo...


Nite Owl:"How long can we keep this up?"

The Comedian: "Congress is pushing through some new law that's gonna outlaw masks - our days are numbered. Till then, it's like you always say: 'We're society's only protection'... "

Nite Owl:"From what??"

The Comedian:"What're you kidding me? From themselves...!"


Next thing you know? They'll make some law that stops others from helping others... in this art & science, for security.


P.S.=> Nite Owl:"What the hell happened to us? What happened to the 'American Dream'??"

The Comedian:"What happened to the American Dream?!? IT CAME TRUE (you're lookin' @ it)... "


Well (5, Insightful)

I)_MaLaClYpSe_(I (447961) | more than 4 years ago | (#27673331)

If user education was going to work, it would have worked by now.

~ Anti-virus researcher Vesselin Bontchev

Re:Well (2, Informative)

I)_MaLaClYpSe_(I (447961) | more than 4 years ago | (#27673363)

If user education was going to work, it would have worked by now. ~ Anti-virus researcher Vesselin Bontchev

Why the hell are quotations not shown in the preview line of comments?

That having been said, please excuse the reply to my own posting.

Re:Well (1)

the4thdimension (1151939) | more than 4 years ago | (#27674505)

Seems like a logical fallacy here. It assumes we have tried to educate users, which I don't really feel we have. Anti-virus companies WANT users to remain uneducated, because if they become educated that will put most AV companies out of the job. So, I disagree that education can't work because we haven't even tried. I never learned about safe internet techniques in school, or at work, or anywhere... it was something I had to learn on my own.

When we start aggressively educating people, and THAT fails, then we can talk.

Re:Well (1)

sopssa (1498795) | more than 4 years ago | (#27674567)

You know how it is to teach people something they have absolutely no interest in. Even if they seem to listen, they never remember or use the info in practice. If it seems working, they're happy.

Re:Well (1)

the4thdimension (1151939) | more than 4 years ago | (#27674609)

No doubt, but like the scammers of yore, if you attach a consequence for not listening (you lose all your data, or you expose your private data, etc.) and tell them that there are few outlets to lean on, they will listen - eventually.

Like I mention in a lower reply, if people want to be ignorant and think that someone will always make it good again, that's their problem, not mine.

Re:Well (1)

tnk1 (899206) | more than 4 years ago | (#27675563)

I honestly don't believe that is true. Education only works if the effects are both of import to the people involved and they understand what is at stake.

You *may* be able to educate the general public into taking certain steps to protect their online identity, but taking steps to prevent botnets, which is a problem that most people don't understand and which usually does not directly impact them, is likely to be a losing battle. There is not enough understanding, and even if they are infected, remote use of their machine is usually only a slow down that some users wouldn't even notice.

Bear in mind that other educational programs, like disease prevention education, have been going on for decades, even centuries now. Education is vital for limiting a problem, but for the most part, you still need a significant infrastructure out there to treat problems and enforce regulations. Education is never going to even be remotely enough by itself.

We need people to fight back. We also need anti-virus software, the industry's fearmongering notwithstanding. Dealing with this issue is something that will need many approaches to bring it under control.

It would be nice if we didn't have to resort to vigilantism, but given the inability of government to cope with the issue, materially or intellectually, it may be necessary for self-defense.

Re:Well (0)

Anonymous Coward | more than 4 years ago | (#27676155)

"There's a user born every minute."

~ Anti-Sucker Researcher P.T. Barnum

Re:A more simple solution... (5, Insightful)

pzs (857406) | more than 4 years ago | (#27673399)

Any solution that relies on people not being lazy morons is never going to work.

Re:A more simple solution... (0)

Anonymous Coward | more than 4 years ago | (#27673475)

That would be very sad news for things like universal health care, the stimulus bills, bank bailouts, our "new" foreign policy, basically anything Obama's done. After all, if such a thing were to be used as an easy way out, without responsible use of resources, it would quickly become a major disaster. I mean, let's face it, even if just some ridiculously small number of people were dishonest, such bills would wipe out America's economy.

Of course I wholeheartedly agree with you ...

Re:A more simple solution... (1)

the4thdimension (1151939) | more than 4 years ago | (#27674457)

Ignorance is really no excuse. If people are going to be ignorant, then leave it to them to work out their own solutions. Why should I pay money (likely tax dollars) so people get to be more ignorant about computers? Knowledge is power when it comes to defending yourself on the internet, and if people took like 30 minutes to learn about safe procedures and obvious warning signs then all of this would be moot. If people don't want to invest this kind of time, that's their problem, not mine.

Re:A more simple solution... (1)

Beezlebub33 (1220368) | more than 4 years ago | (#27676253)

It's not "their problem" when the botnet can be used to attack services affecting everyone.

If a bank gets robbed by masked gunmen, is it 'their problem' or everyone's problem? I'd say the effects are on everyone, so it's everyone's problem and society should do something about it (i.e. hiring police to go get them).

Re:A more simple solution... (1)

X0563511 (793323) | more than 4 years ago | (#27676255)

It gets to be your problem when all the bullshit traffic from such botnets impedes your own traffic, or manages to target you or your destination.

It would be your problem then.

Re:A more simple solution... (0)

Anonymous Coward | more than 4 years ago | (#27673403)

Are you kidding? Some users can't even learn how to use the start menu to launch an Office application. If It's not on their desktop, it's not there (to them). A large portion of the rest can't figure out "Set as Default" for printers no matter how many times I walk them through it.

Re:A more simple solution... (1)

Vu1turEMaN (1270774) | more than 4 years ago | (#27673467)

Why not just force everyone to upgrade to Windows 7 and reformat? ;)

Re:A more simple solution... (1)

Opportunist (166417) | more than 4 years ago | (#27674437)

That postpones the problem 'til they hit the internet for the first time. Malware writers will have a field day, hunting to be the first to infect and keep the competing herders out of their new turf.

Basically, you're building a new home for the nuisance. Essentially, you're burning down a house infested by termites, then you build a new one, on the same ground, made from the same untreated wood.

Re:A more simple solution... (1)

Vu1turEMaN (1270774) | more than 4 years ago | (#27674707)

I feel that W7 (and the lack of IE6) no longer makes W7 a wooden house (although IE8 sucks). I look at it as burning down all of the unpatched wooden XP homes and building new W7 aluminum homes on top of them. Sure, the termites may come back and learn to like aluminum, but it would take them out of their comfort zone.

If W7 ships with some forms of protection already embedded (that actually works), suggesting users to upgrade might be the best solution we have for the "click on the flashing ad" masses. If only they had an easy way to back up their documents and mp3s that is beyond foolproof.

However, the number of possible hacks in W7 and Vista right now that are accessible through exploiting the file types wizard is immense. Ever try opening an .exe with explorer.exe? It gives you a very fun overload method. And you can freely change that without UAC. Same goes for 30 or so other system file types. When I notified someone on technet, they said "you shouldn't use registry files to fix that, you should reformat".

Re:A more simple solution... (1)

wastedlife (1319259) | more than 4 years ago | (#27674895)

He did say reformat AFTER upgrading to Windows 7.

Seriously though, even if Windows 7 was the most secure OS out there, undereducated users are the problem. Not enough people are afraid to install any old thing they find on the internet. Even without standard exploits, trojans work because the user chooses to install them. There is no way to stop that is with user education or by preventing users from installing anything other than vetted software. Most users are too lazy for the former and Microsoft cannot do the latter without risking yet another antitrust lawsuit. A linux distro with a good package manager is a nice step because most software a user would need can be easily found and installed from a trusted source. However, a trojan can still be packaged into FREESMILIES.deb and can be installed with a double-click in nearly any distro with apt, sometimes easier than a .exe in windows. The only way to stop that in linux is to force packages to be only installed from the trusted repositories, or make it so difficult to install untrusted packages that the average joe would not bother.

Re:A more simple solution... (1)

wastedlife (1319259) | more than 4 years ago | (#27674969)

There is no way to stop that is with user education or by preventing users from installing anything other than vetted software.

Massive brain fart while typing that sentence. Should read "The only way to stop that is with..."

Time for more coffee.

Re:A more simple solution... (1)

Opportunist (166417) | more than 4 years ago | (#27675121)

Allow me to say it again in this thread (no, not because I usually get informative mods for it, but because it is true and catchy, use it when appropriate), security is the minimum of a system's abilities and its admin's abilities. Not the average. The minimum. You can be the top security guru and cannot secure a hopelessly insecure system. Likewise, a completely secure system is worthless with an admin that allows anything to run with maximum privileges.

There are now essentially two ways to make the admin secure. Either educate him or take the privileges out of his hands. The former is something the users don't want. The second is something that I'd loathe because I know where "trusted computing" leads to.

The biggest security problem today is basically the person using the computer. It is very well summed up in the Dancing pigs article on Wikipedia [wikipedia.org]. Bottom line: (quote) Given a choice between dancing pigs and security, users will pick dancing pigs every time. (/quote).

Give the user something he wants, something he really, really wants, and he will disable all security for you. Especially when you promise him something the maker of the machine you're using would like to disable (like, say, cracking the system you're using). Imagine you disguise your malware as a crack for Vista's activation routine; do you think any "this system is trying to turn your driver setup upside down" warning would keep the user from hitting "all right"? It is actually something you'd expect from a crack for the security system of Vista.

The same is true for a lot of drivers, or things that less informed users would consider drivers. Take codecs. Would a user get suspicious when you told him that to circumvent the DVD copy protection he has to install some "special DVD driver"? And deny you the right to install a new driver?

This works for any system, secure or not. It is just as true for Linux as it is for Windows.

Re:A more simple solution... (1)

postbigbang (761081) | more than 4 years ago | (#27673579)

It's not a witch hunt, and cyber criminals and botnet admins deserve what they get. Users are people and people have all sorts of failings. Protecting them is a good thing, and there is no cogent defense for these people. Shake down rackets, ponzi schemes, and other schemes are just as evil.

So are the people that make rotten, buggy operating systems and apps.

Hackers I can believe in.

Botnet cowboys deserve as Johnny Carson might say, early transmission failure.

Re:A more simple solution... (1)

wastedlife (1319259) | more than 4 years ago | (#27675189)

A scammer is a scammer, whether they are running back-alley games of 3 card Monte or are distributing applications loaded with spyware or other malware. Just because it is ignorance causing people to fall for these scams does not mean the scammers should get away with it.

One might as well say that they shouldn't go after people that rob houses because the houses should have had better locks.

Re:A more simple solution... (2, Insightful)

mrboyd (1211932) | more than 4 years ago | (#27673655)

Why call it a witch hunt? Police forces and armies should gear up and have some kind of internet SWAT team as more and more crimes are committed online. I don't see why a team of "security researchers", white hats or iSWAT (however you want to call them), working under a police mandate couldn't sometimes be allowed to "raid" a computer, place rootkits, keyloggers and whatnot if they have the proper warrant. Just like they could bug your phone or search your house, car, or financial records, again with the proper warrant. Just because it's the internet doesn't mean it has to be out of the scope of law enforcement.

Re:A more simple solution... (1)

Opportunist (166417) | more than 4 years ago | (#27674405)

This will work if, and only, absolutely only if, users become liable for their computer's actions. Not any moment sooner.

My computer participates in a DDoS? Do I care, as long as I have sufficient bandwidth to surf and mail? My computer sends out spam mail, do I care as long as I don't end up on every blacklist I want to mail to. My computer collects my data and I get bombarded by targeted spam, do I care? I have a good spamfilter...

People are, if anything, lazy. Yes, some want to be educated, but their number is small. Insignificant. Most don't even know what dangers are and frankly, they don't want to know. It's a burden. And nobody is going to accept this burden as long as there is no reason to.

Re:A more simple solution... (1)

Tdawgless (1000974) | more than 4 years ago | (#27674521)

Unfortunately, this isn't simple. Are you going to force people into class rooms? Maybe run some PSAs? I doubt people will listen or pay attention, considering that's the problem we're having now.

Finally! (4, Funny)

mc1138 (718275) | more than 4 years ago | (#27673201)

A bunch of fat, cheetos-eating superheroes I can identify with!

Re:Finally! (1)

Opportunist (166417) | more than 4 years ago | (#27674471)

HEY! Damn you and your stereotypes, we're not all fat, cheeto munching attic-dwellers with pale skin, the love life of a hermit and only get a high when we crack open some botnet and infiltrate it!

Some of us, like me, prefer nachos!

Re:Finally! (0)

Anonymous Coward | more than 4 years ago | (#27674863)

mmm... doughnuts.

ISPs (3, Interesting)

orange47 (1519059) | more than 4 years ago | (#27673205)

they need cooperation of ISPs. If only ISPs worldwide would at least send warning to customers that run 'zombie machines'.

Re:ISPs (4, Interesting)

Culture20 (968837) | more than 4 years ago | (#27673281)

If they start doing that, then botnet writers will have an incentive to have their rootkits start deleting emails (when a common email program loads up). I don't think they'll be that choosy about what they delete either.

Re:ISPs (2, Interesting)

new_breed (569862) | more than 4 years ago | (#27673391)

What better warning to a user that his/her machine is infected than email suddenly disappearing?

Re:ISPs (1)

Opportunist (166417) | more than 4 years ago | (#27674491)

If an email vanishes and nobody is there to read it before it is gone, did it make a "you got mail" sound?

A bot that intercepts all traffic between your mail program and your mail provider can easily filter out the relevant mails before the client is even notified of their existence.

Re:ISPs (2, Insightful)

hesaigo999ca (786966) | more than 4 years ago | (#27673469)

Not if they charge per email sent... like .0001 cent... it still adds up enough to let someone know they are infected, and with a cap at $100/month, this will avoid a user falling off his chair, but make it evident that they need to do something about it before next month.

As for the culprits, $100 per month for spamming might not be much, but then you have a paper trail which could be used to track activity for particular botnets.

Re:ISPs (4, Insightful)

JerkBoB (7130) | more than 4 years ago | (#27673537)

If they start doing that, then botnet writers will have an incentive to have their rootkits start deleting emails (when a common email program loads up). I don't think they'll be that choosy about what they delete either.

Sending warning emails to users is a pointless exercise. Assuming that they read/understand the email in the first place (BIG assumption), I guarantee that the majority of them will just delete it. Why should they care if their computer's a zombie? It still works well enough to do whatever it is they're online to do.

No, I think the solution is for zombied computers to be quarantined. Use DNS and routing tricks to redirect any attempts to go anywhere "on the internets" (i.e. a web browser) to a site which explains that they're quarantined, and what they have to do to get out.

Unfortunately, that would raise call volumes to the ISP support lines, and require commitment on the ISPs' part to train their support monkeys. If ISPs started facing financial penalties for zombied users, then maybe the economics would balance out.

I'm sure I'm not the first person to think of this, though, so I'm probably missing something.

Re:ISPs (1, Informative)

cbiltcliffe (186293) | more than 4 years ago | (#27673711)

Why should they care if their computer's a zombie? It still works well enough to do whatever it is they're online to do.

In my experience, it's worse than that. It's not that they don't care. They don't even believe it.

"My computer works fine. It can't be infected. I have Norton 2003 that came with the computer, so I'm fine. It's maybe a little slow, but that's because it's getting old and wearing out. I'M NOT INFECTED!I'MNOTINFECTED!I'MNOTINFECTED!LALALALALA"

Re:ISPs (0)

Anonymous Coward | more than 4 years ago | (#27673985)

ISP's face the economic burden for stupid OS policies and design decisions?

Re:ISPs (2, Insightful)

dnaumov (453672) | more than 4 years ago | (#27674587)

I work for a major Finnish ISP and since this information is public knowledge, I am not going to anon this post.

We have several systems (which are actually pretty good and do work) in place that identify and warn us regarding the kind of traffic that happens when a customer machine is turned into a botnet zombie. When this is detected, the customer is approached by either email or phone and given a grace period of a couple of days to clean up his machine. If the customer ignores this, his internet connection gets locked when the grace period is up.

If we cannot contact the customer by email/phone, we simply lock the connection; eventually the customer will call us.

Quite obviously we also block any outgoing :25 SMTP traffic to any and all servers except our own.

Re:ISPs (2, Insightful)

JerkBoB (7130) | more than 4 years ago | (#27674737)

I don't mean this in a snarky way, but given that the population of the entire country of Finland is ~5.2M folks, I can't imagine that even a "major" Finnish ISP has a huge userbase.

I used to work for a medium-sized regional ISP. We were one of several similar-sized ISPs serving a multi-metro area of maybe 3M people. At our peak, we had 30k accounts, if I recall correctly. This was back in the dialup days, btw.

Anyhow, my point is that when you're talking about the scale of the behemoth ISPs here in the States, expecting proactive approaches to zombie fighting is unrealistic. Support is an expensive cost center, which is why it's been farmed off to India. Getting experienced people who know how to do more than reboot the computer or reinstall ethernet/modem drivers is pretty expensive.

It's the financial aspects of the problem which make me pessimistic that ISPs will do anything to fix it.

Re:ISPs (1)

dnaumov (453672) | more than 4 years ago | (#27674773)

We were one of several similar-sized ISPs serving a multi-metro area of maybe 3M people. At our peak, we had 30k accounts, if I recall correctly.

I don't mean this in a snarky way either, but to give you a sense of scale: we, in a country of 5.2 million, have 500k broadband accounts and have no problem maintaining this policy.

Re:ISPs (1)

AndyGJ (1212742) | more than 4 years ago | (#27674681)

I was an ISP support chap in a previous life, during the Blaster days.

A fairly common reaction when explaining to people that they had been infected, was to be shouted at for "sending my PC viruses".

Sadly I think that before any quarantine plans can be implemented a pretty major shift in user perception must occur - otherwise the level of bitching that will occur will be apocalyptic.

However, I don't work in support anymore - I say go for it ;)

Re:ISPs (1)

nametaken (610866) | more than 4 years ago | (#27674977)

Yeah I think the call volume part is really the singular problem there. Like every other business, it seems they HATE taking phone calls.

Maybe a mutual arrangement that all ISPs could pay into: one call center, where each ISP pays by subscriber count. They could all quarantine using similar techniques and the call center would give out the same advice to people.

Hell, my windows machines are well protected, and I have little fear my *nix machines will see many problems, but I wouldn't mind having an ISP profile for malware traffic off my line.

Re:ISPs (0)

Anonymous Coward | more than 4 years ago | (#27675645)

YOUR COMPUTER IS INFECTED...Click here to install Antivirus 2009.

Yeah, that'll work.

Re:ISPs (0)

Anonymous Coward | more than 4 years ago | (#27673297)

they need cooperation of ISPs.
If only ISPs worldwide would at least send warning to customers that run 'zombie machines'.

"Your computer is a zombie, download our zombie removal software to fix your problem. ISP@ISP.net"

Re:ISPs (1)

Deanalator (806515) | more than 4 years ago | (#27673447)

I totally agree. If ISPs would set egress limits on syn packets and email traffic, that would seriously reduce the value of these botnets as well. Even just filtering out obviously forged syn packets would improve things greatly.

Of course these features would have a slight cost, and no benefit to the ISP directly, so I am sure it is never going to happen.
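As an added illustration of the ISP-side checks proposed in this thread (a quarantine decision for zombied links, outbound :25 to anything but the ISP's own relays, and egress filtering of SYN floods and forged-source packets), here is an example that is not from any of the posters or from SecureWorks. The flow record format, the thresholds, the documentation-range addresses and the sample records are all constructed for the example; a real deployment would read exported flow records and tune the limits per access network.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// SampleFlows is constructed sample data for one customer link, not a real
// export. Record format (an assumption of this example): "src dst dport flags",
// where flags "S" means a SYN was seen but the handshake never completed.
const SampleFlows = `
203.0.113.7 198.51.100.25 25 A
203.0.113.7 192.0.2.10 25 A
203.0.113.7 192.0.2.11 25 A
203.0.113.7 192.0.2.12 25 A
203.0.113.7 192.0.2.50 80 S
203.0.113.7 192.0.2.50 80 S
203.0.113.7 192.0.2.50 80 S
10.9.8.7 192.0.2.60 53 S
`

// Flow is one unidirectional flow record from the customer link.
type Flow struct {
	Src, Dst net.IP
	DPort    int
	SynOnly  bool
}

// Policy holds the thresholds and address ranges the checker needs.
// DefaultPolicy's values are illustrative, not any ISP's real settings.
type Policy struct {
	CustomerNet *net.IPNet // prefix assigned to this link; any other source is forged (BCP38)
	ISPMail     []net.IP   // the ISP's own relays; port 25 to these stays allowed
	MaxSMTP     int        // distinct external SMTP servers tolerated per window
	MaxSynOnly  int        // half-open connection attempts tolerated per window
}

// Verdict says why the link was flagged and whether to redirect it to the
// "you are quarantined" page instead of the open internet.
type Verdict struct {
	Reasons    []string
	Quarantine bool
}

func DefaultPolicy() Policy {
	_, prefix, _ := net.ParseCIDR("203.0.113.0/24")
	return Policy{
		CustomerNet: prefix,
		ISPMail:     []net.IP{net.ParseIP("198.51.100.25")},
		MaxSMTP:     2,
		MaxSynOnly:  2,
	}
}

// ParseFlows reads the whitespace-separated records described above.
func ParseFlows(text string) ([]Flow, error) {
	var flows []Flow
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		f := strings.Fields(line)
		if len(f) != 4 {
			return nil, fmt.Errorf("bad record: %q", line)
		}
		port, err := strconv.Atoi(f[2])
		src, dst := net.ParseIP(f[0]), net.ParseIP(f[1])
		if err != nil || src == nil || dst == nil {
			return nil, fmt.Errorf("bad record: %q", line)
		}
		flows = append(flows, Flow{Src: src, Dst: dst, DPort: port, SynOnly: f[3] == "S"})
	}
	return flows, nil
}

func isISPMail(ip net.IP, p Policy) bool {
	for _, m := range p.ISPMail {
		if m.Equal(ip) {
			return true
		}
	}
	return false
}

// Classify applies the three checks: forged sources are counted and would be
// dropped at egress; direct-to-MX SMTP and half-open SYNs are capped.
func Classify(flows []Flow, p Policy) Verdict {
	var v Verdict
	spoofed, synOnly := 0, 0
	smtpTargets := map[string]bool{}
	for _, f := range flows {
		if !p.CustomerNet.Contains(f.Src) {
			spoofed++ // nothing from this link may carry a foreign source address
			continue
		}
		if f.SynOnly {
			synOnly++
		}
		if f.DPort == 25 && !isISPMail(f.Dst, p) {
			smtpTargets[f.Dst.String()] = true
		}
	}
	if spoofed > 0 {
		v.Reasons = append(v.Reasons, fmt.Sprintf("%d flows with a source outside %s (forged; drop at egress)", spoofed, p.CustomerNet))
	}
	if n := len(smtpTargets); n > p.MaxSMTP {
		v.Reasons = append(v.Reasons, fmt.Sprintf("direct SMTP to %d external servers, limit %d (spam bot)", n, p.MaxSMTP))
	}
	if synOnly > p.MaxSynOnly {
		v.Reasons = append(v.Reasons, fmt.Sprintf("%d half-open SYNs, limit %d (flood or scan)", synOnly, p.MaxSynOnly))
	}
	v.Quarantine = len(v.Reasons) > 0
	return v
}

func main() {
	flows, err := ParseFlows(SampleFlows)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	v := Classify(flows, DefaultPolicy())
	fmt.Println("quarantine:", v.Quarantine, v.Reasons)
}
```

On the constructed sample the link is flagged on all three counts. The point of keeping the checks this coarse is that none of them needs payload inspection: source prefix, destination port and handshake state are enough, which sidesteps the packet-inspection worry raised elsewhere in this thread.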

Re:ISPs (0)

Anonymous Coward | more than 4 years ago | (#27673595)

My ISP (www.exetel.com.au) cuts off spam relays and redirects HTTP traffic to a page telling you to disinfect your computer (with links to various tools and online scanners) before they will remove the block.

Md5 - solution to some of the problems atleast (1)

LeonN (1534989) | more than 4 years ago | (#27673233)

Couldn't each OS just have its own installer which MD5-checked the installation files for downloaded programs against the website, which was of course at least HTTPS-secured? For people without internet available there would have to be another solution though.

Re:Md5 - solution to some of the problems atleast (0)

Anonymous Coward | more than 4 years ago | (#27673299)

One time they accessed the Debian main repository and switched md5sums and signatures of certain packages. Still, it's better secured than a random download from the internet, but when you have only one point of failure the whole process increases the reward of breaking it.

Re:Md5 - solution to some of the problems atleast (1)

betterunixthanunix (980855) | more than 4 years ago | (#27673465)

Something very similar is already done by many Linux distributions. For example, Fedora/Red Hat Enterprise Linux/clones all use GPG to check digital signatures on packages against a public signing key that is unique for each repository. The problem is that users can still be convinced to import signing keys from "rogue" repositories or convinced to just allow bad/nonexistent signatures.

Of course, this is not a true fix anyway. There is no reason that someone cannot just write a program that does the same thing as the installer, but without any checks. Users can be convinced to enter root/administrator passwords as needed by such programs.

Really, this is not something that can be solved by OS programmers or by user education.

Re:Md5 - solution to some of the problems atleast (1)

Opportunist (166417) | more than 4 years ago | (#27674531)

What would keep me from redirecting your request for the MD5 to a page that tells you everything is fine, or simply supply you with the "right" checksum altogether? I can't see a reason why a request to such a page cannot be redirected internally to a locally running server that gets supplied the MD5 sum of the software you just downloaded.

Since such a system would certainly be used to ensure you only run software that you are supposed to run (read: does not pester MS, RIAA or similar nice orgs), I'm fairly sure a lot of people would run such a tool deliberately.
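To make the difference between the checksum scheme asked about above and the per-repository signing keys described in the replies concrete, here is an added example that is not from any of the posters or from any distribution's tooling. The manifest layout, the key handling and the sample package bytes are constructed for the example; Ed25519 stands in for the GPG signatures a real package manager uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is what a download site would publish beside a package: the
// package's SHA-256 digest and a detached signature over that digest.
// The layout is an assumption of this example, not a real distro format.
type Manifest struct {
	Package   []byte
	DigestHex string
	Signature []byte
}

// Publisher stands in for a repository that signs what it ships.
type Publisher struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewPublisher() (*Publisher, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Publisher{Pub: pub, priv: priv}, nil
}

func digestOf(pkg []byte) string {
	sum := sha256.Sum256(pkg)
	return hex.EncodeToString(sum[:])
}

// Publish hashes the package and signs the digest with the repository key.
func (p *Publisher) Publish(pkg []byte) Manifest {
	d := digestOf(pkg)
	return Manifest{Package: pkg, DigestHex: d, Signature: ed25519.Sign(p.priv, []byte(d))}
}

// VerifyChecksumOnly is the scheme proposed in the thread: fetch the digest
// from the site and compare. It catches a corrupted download, but whoever
// can replace the download (or redirect the checksum lookup) can replace
// the digest just as easily.
func VerifyChecksumOnly(m Manifest) bool {
	return digestOf(m.Package) == m.DigestHex
}

// VerifySigned accepts a manifest only if the digest matches and the
// signature checks out under a key the client pinned in advance, which is
// what a package manager's per-repository signing key gives you.
func VerifySigned(m Manifest, trusted []ed25519.PublicKey) error {
	if !VerifyChecksumOnly(m) {
		return errors.New("digest does not match package")
	}
	for _, k := range trusted {
		if ed25519.Verify(k, []byte(m.DigestHex), m.Signature) {
			return nil
		}
	}
	return errors.New("not signed by any trusted key")
}

// Tamper models an attacker who controls the download channel: swap the
// package and recompute the digest. Without the repository's private key,
// the old signature is all they can offer.
func Tamper(m Manifest, evil []byte) Manifest {
	return Manifest{Package: evil, DigestHex: digestOf(evil), Signature: m.Signature}
}

// Outcome records what each verifier decided in the scenarios below.
type Outcome struct {
	GenuineAccepted           bool // real package, pinned repository key
	TamperedPassesChecksum    bool // checksum-only check against a swapped package
	TamperedPassesSigned      bool // signed check against a swapped package
	RogueKeyPasses            bool // attacker signs the swap with their own key
	RogueKeyPassesAfterImport bool // ...and the user has been talked into importing it
}

func Scenario() (Outcome, error) {
	repo, err1 := NewPublisher()
	rogue, err2 := NewPublisher()
	if err1 != nil || err2 != nil {
		return Outcome{}, errors.New("key generation failed")
	}
	trusted := []ed25519.PublicKey{repo.Pub}
	genuine := repo.Publish([]byte("installer bytes (constructed sample)"))
	evil := []byte("installer with a bot bundled in (constructed sample)")
	tampered := Tamper(genuine, evil)
	rogueSigned := rogue.Publish(evil)
	return Outcome{
		GenuineAccepted:           VerifySigned(genuine, trusted) == nil,
		TamperedPassesChecksum:    VerifyChecksumOnly(tampered),
		TamperedPassesSigned:      VerifySigned(tampered, trusted) == nil,
		RogueKeyPasses:            VerifySigned(rogueSigned, trusted) == nil,
		RogueKeyPassesAfterImport: VerifySigned(rogueSigned, append(trusted, rogue.Pub)) == nil,
	}, nil
}

func main() {
	o, err := Scenario()
	fmt.Printf("%+v %v\n", o, err)
}
```

The last field is the failure mode the reply about rogue repositories points at: the signature check is only as good as the set of keys the user has chosen to trust, so an attacker who cannot forge a signature will instead try to get their key imported.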

New Cyber Command will stop Cyber Crime (0)

Anonymous Coward | more than 4 years ago | (#27673261)

After killing the USAF Cyber Command it's now back, better than ever, under DHS.

That'll put the fear of Dog in those bad botnet operators.

Nuh-uh... (4, Informative)

pHus10n (1443071) | more than 4 years ago | (#27673273)

-- Requiring ISPs to send out warnings to zombie machines would help, but I'm not sure if I'd like to give them the opportunity to use packet inspection on my connection to verify the nature of the traffic. That's a slippery slope.
-- How does the Internet Police cross international boundaries in a legal fashion? A Status of Forces Agreement, perhaps? Would England really like Argentina (for example) to shut customers off because they're supporting a botnet?
-- What enforcement tools would be utilized to force people to use anti-virus/malware programs? What are the consequences for the user if they choose not to? There are quite simply too many potholes for a one-nation or government solution, I think. I can't think of a country that's fixed all of their own individual problems, much less open up an Internets Po-Po division to take care of a global problem as well.

McColo success story? (4, Insightful)

T5 (308759) | more than 4 years ago | (#27673289)

I'd call that an abject failure, a speed bump at best. It was a temporary takedown that was reinstated long enough for the baddies to copy all of their goods off to another site and reset the command and control to point to that other site.

How about... (0, Insightful)

Anonymous Coward | more than 4 years ago | (#27673321)

How about building secure systems?

Swat one fly, ten arrive to feed.
Swat ten flies, a hundred arrive instead.
Remove the food, and no flies arrive.

Re:How about... (0)

Anonymous Coward | more than 4 years ago | (#27673359)

My kingdom for modpoints!!

Re:How about... (1)

betterunixthanunix (980855) | more than 4 years ago | (#27673503)

The problem is that a lot of botnet malware behaves like a normal, run of the mill program. You cannot make the claim that a program should be unable to execute code, connect to a server over the Internet, and modify its execution path based on what the server does. Nor can you prevent programs from sending emails. Nor can you prevent a program from installing software if it has appropriate root/administrator privileges.

The only solution, really, is for your users to not download malware. Good luck with that one....

The death of a meme? (1)

querist (97166) | more than 4 years ago | (#27675239)

I am surprised that no one has brought up the "evil" bit from RFC 3514. Is this really Slashdot?

Idea Guy (5, Interesting)

Anonymusing (1450747) | more than 4 years ago | (#27673345)

Stewart... acknowledged he doesn't have all the answers. "I'm more of an idea guy."

Thanks for the idea! Because nobody has thought of this before [networkworld.com]. Congrats on the ComputerWorld article, though.

By necessity, the work would have to be done in secret, so as to not alert hackers that a group is on their trail.

But... you just published your idea to the world.

Stewart declined to comment on whether there were teams organized along the lines he suggests already in operation. "I don't want to comment on ones that have or have not started," he said.

So... this may or may not be your own original idea, because there may or may not be teams like this already in existence?

... must be harried, hounded and hunted until (1)

alukin (184606) | more than 4 years ago | (#27673427)

Every programmer who knows C and Win32 API but runs Linux on his notebook must be harried, hounded and hunted until he dies or goes total moron. That's the logical conclusion.

Maybe there is another way to leverage risks? Windows monoculture and total ignorance of users creates "open doors" only the lazy cannot penetrate. Just leave your wallet on the floor and shoot everybody who cares to peek at it.

Re:... must be harried, hounded and hunted until (1)

MadKeithV (102058) | more than 4 years ago | (#27673785)

Care to explain how C, the Win32 API and Linux are in any way connected to this article?

Track, infiltrate, disrupt (3, Insightful)

AHuxley (892839) | more than 4 years ago | (#27673431)

When the researchers came for the malware authors,
I remained silent;
I was not a malware author.
Then they locked down the adult sites,
I remained silent;
I was not a pervert.
Then they came for the bittorrent trackers,
I did not speak out;
I was not a pirate.
Then they came for the internet,
I did not speak out;
I was not a blogger.
When they came for me,
there was nowhere left to speak out.

Re:Track, infiltrate, disrupt (1)

Opportunist (166417) | more than 4 years ago | (#27674573)

I'm willing to give him the benefit of doubt, that he actually really has no nefarious intentions to become the new "ruler of the online world". Some malware researchers are a wee bit zealous, I've seen people who would demand nothing less but to ban people from connecting to the internet should they be part of a botnet, who demand "driver's licenses" for computers, and that's some of the tamer examples.

I believe him that he has no intention to be the internet overlord. I also believe, though, that he didn't realize that his idea can quickly be used to become just that.

Re:Track, infiltrate, disrupt (1)

nametaken (610866) | more than 4 years ago | (#27675029)

Per your order of operations there, I'm pretty sure we'd stop them dead before they cut off our porn. ;)

Re:Track, infiltrate, disrupt (1)

der wachter (821950) | more than 4 years ago | (#27675113)

Who needs intellects to go on strike, the mediocre will eventually stop the motor of the world all by their lonesome. O'Bama is the Dagny Taggart of the new millennium.

Der Wachter.

"employing a spectrum of disruptive tactics" (1)

Sockatume (732728) | more than 4 years ago | (#27673441)

My understanding is that the illegality of tampering with others' computers would forbid them from "employing a spectrum of disruptive tactics" inside the botnet, in much the same sense that the illegality of blowing up people's houses stops cops from spending all day recreating Lethal Weapon. Certainly the "illegality defense" (where relevant) would be in effect should the botnet operators or their clients ever be prosecuted.

Re:"employing a spectrum of disruptive tactics" (1)

nametaken (610866) | more than 4 years ago | (#27675075)

I'd hope you could make the argument that it's more like making a thief's gun jam during a robbery, or disabling his getaway car.

Or just get used to it. (1)

getuid() (1305889) | more than 4 years ago | (#27673527)

Yes, that's just it. Get used to "cybercrime".

As long as nobody gets hurt in the real world, get over it. ... and this leads to rule #1 of anti-cybercrime anti-malware strategy: back up your data, encrypt your data, and make recovery/restore of your data after a malware attack as easy and cheap as possible.

Yes, that also goes for you, secret services. First thing you need to do (and I never thought I'd say that) is implement some kind of secret-service-wide DRM'ed processing network, and *only* work within that network. That will require lots of discipline from you, but... hey, you're a secret service! What's worth the discipline if not the secrecy of your data?

As for you mortal users: nobody wants your grandma letters, so don't bother. As for your bank account / identity data: step on your bank's toes to give you a better identification mechanism, then the whole malware problem for you reduces to reliably proving your identity. Period. (Of course, provided that rule #1 is satisfied.)

And for all you guys in between: governments, public institutions, etc: you're not supposed to have any secret data, and if you really do, see #secret-service. Then you can afford the extra bit of discipline to keep it secret.

For the sake of completeness: this whole "cybercrime" thing is a farce. There is no crime if nobody got hurt in real life. There is not (or should not be) any such thing as cyber-murder, cyber-theft, cyber-kidnapping etc, simply because everything that's "cyber" is "information", and information, by definition, cannot be murdered, stolen or kidnapped. If proper measures are taken, it can be restored to its original state any time. If deleted, it can be restored from backups; if modified, it can be changed back. If crucial parts of your system are being compromised (as is the case with public energy / transportation / water supply systems): detect the intrusion and restore the system from scratch.

The only critical thing with information is that it can be illegally copied, in which case... see #secret-service: if secrecy of information is valuable enough to you, take measures: encryption, DRM'ed corporate networks, secure rooms, no-networking machines etc -- depending on how much secrecy is worth to you, you can implement more or less user-annoying and/or expensive measures.

There's no way to "put an end" to "cybercrime" simply because there's too many ways to do damage to information by anyone with a slight clue and a C compiler. But, then again, it's trivially easy to revert whatever damage is done to information, if proper measures were taken prior to the damage. So, if banning C compilers under legislation similar to heavy weaponry is not an option (and it *better* not be), then the only decent option that's left is to fight the damage of "cybercrime", not the act itself.

Re:Or just get used to it. (3, Insightful)

Anonymusing (1450747) | more than 4 years ago | (#27673763)

There is no crime if nobody got hurt in real life. There is not (or should not be) any such thing as cyber-murder, cyber-theft, cyber-kidnapping etc, simply because everything that's "cyber" is "information", and information, by definition, cannot be murdered, stolen or kidnapped.

Are you serious?

This isn't about virtual murder. It's about botnets that may steal your credit card information, be directed to launch attacks against servers, etc. There is significant potential for financial harm. Suppose your credit lines were maxed out by someone else, rendering your payments late, and then your bank got DoS'd so you couldn't access your money? What if you lived in Estonia, whose government and banks were essentially shut down during a massive cyberattack?

you FaIl It (-1, Troll)

Anonymous Coward | more than 4 years ago | (#27673553)

to have to decide And sold in the one common goal - as to which *BSD good manners code sharing Guys a8e usuaaly they want you to

trust (3, Interesting)

Deanalator (806515) | more than 4 years ago | (#27673591)

Most hacker groups I have seen are set up in such a way where no one needs to trust anyone else. Status is based on what you contribute to the group, so if someone doesn't contribute much, they no longer get access to the work of the collective.

For someone to "infiltrate" a group, all they need to do is contribute to the work being done, and I highly doubt IRC logs will be very admissible as evidence.

My point is, if someone is going to get to the level where they can put anyone of any importance in jail, they are first going to need to contribute a significant amount to the underground community, which would probably cause more problems than it would solve.

Cut off their funding (2, Informative)

onyxruby (118189) | more than 4 years ago | (#27673627)

If you really want to make an impact you need to target their source of funds. Getting Visa and Mastercard to get very proactive about shutting down their funding source would do far more than any threat of arrest ever will. These criminal rings do these things (spam, bogus software etc) because they are an easy source of money. Visa and Mastercard are so slow in shutting down illicit sites that the time it takes allows them to make a handsome profit.

Easy low cost way to do this.
1. Allow the public at large to easily report suspected fraud to a centralized web site.
2. Assign investigators from the credit card companies to monitor the site and check out reported fraud reports.
3. Have the finance investigators work with requisite police agencies world wide.

Until you shut off the easy finance spigot these will continue to proliferate. Let's face it, does it really take a prolonged investigation to see if AntiVirus 2009 or the latest penile enhancement pill just might be bogus? Right now the criminals act with impunity because it is profitable, and the credit card companies have a laissez-faire attitude because they also make money. You need to convince the credit card companies to be more willing to forgo their fees and do their part.

I'm not waiting for "a dent" (0, Troll)

Fuzzums (250400) | more than 4 years ago | (#27673755)

Only a total annihilation of spam- and botnetbusiness is what we are looking for.

We have seen how accurate missiles are nowadays. How hard can it be to do some target practice on a \/1@9r@ hosting datacenter?

ISPs? What the hell happened to slashdot? (4, Insightful)

tacokill (531275) | more than 4 years ago | (#27673853)

There are several posts advocating larger ISP involvement and nobody has mentioned the obvious slippery slope with ISPs being put into a "policing" role.

If ISPs are allowed to "track down" botnets and botnet zombies, then why can't they "track down" torrents? Or porn? Or any other thing that the powers-that-be don't want you downloading? Am I the only one who sees major problems with ISPs being put in a watchdog role?

I can't believe nobody has brought this up. Am I in the right place? Is this slashdot?

Re:ISPs? What the hell happened to slashdot? (1)

IBBoard (1128019) | more than 4 years ago | (#27674077)

It depends how it is done.

If the ISP goes "you're sending out a huge number of emails - you're either a spam bot or a server, so we're locking you down" then that's not being the police. Action like that is just enforcing fair use on a network and ensuring everyone gets an even share without service being degraded by someone else. There's generally a rather obvious point at which someone goes from "sensible home usage on a home broadband connection" to "some kind of spammer or bot".

"Tracking down" illegal torrents tends to require DPI, which is much more like the police, and blacklisting all torrenters is potentially stopping legit emails, which isn't fair on anyone.

As long as there is some kind of control to compensate and/or resolve false-positives and as long as it doesn't turn to criminal proceedings without police involvement then I can't see a problem with ISPs doing the normal job of service providers - monitoring their service for abusers.
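The distinction IBBoard draws, flagging a host by the volume of outbound mail it sends rather than by inspecting payloads, is the kind of check an ISP abuse desk can run on flow records alone. The block below is an added example, not anything from the thread or from any ISP's tooling: it reads constructed flow records (timestamp, source, destination, destination port), keeps a sliding window per source of distinct hosts contacted on TCP port 25, and flags a source once that count crosses a threshold unless the source is on a list of known mail servers. The log format, window length, threshold and addresses are all assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed flow records in a simple key=value format (not from any real ISP).
# Each line: <ISO timestamp> src=<ip> dst=<ip> dport=<port>
SAMPLE_FLOWS = "\n".join(
    # 10.0.0.5 opens SMTP sessions to 60 different hosts in about four minutes
    [f"2009-04-22T10:{i // 15:02d}:{(i * 4) % 60:02d} src=10.0.0.5 dst=203.0.113.{i} dport=25"
     for i in range(1, 61)]
    # 10.0.0.9 is a registered mail relay with the same fan-out
    + [f"2009-04-22T10:{i // 15:02d}:{(i * 4) % 60:02d} src=10.0.0.9 dst=198.51.100.{i} dport=25"
       for i in range(1, 61)]
    # 10.0.0.2 sends three messages through its ISP smarthost and browses the web
    + ["2009-04-22T10:01:00 src=10.0.0.2 dst=192.0.2.25 dport=25",
       "2009-04-22T10:02:30 src=10.0.0.2 dst=192.0.2.25 dport=25",
       "2009-04-22T10:03:10 src=10.0.0.2 dst=192.0.2.25 dport=25",
       "2009-04-22T10:03:12 src=10.0.0.2 dst=192.0.2.80 dport=443"]
)


def parse_flow(line):
    """Return (timestamp, src, dst, dport) for one constructed flow record."""
    ts_str, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return datetime.fromisoformat(ts_str), fields["src"], fields["dst"], int(fields["dport"])


def detect_smtp_fanout(log_text, window=timedelta(minutes=5), threshold=50, allowlist=frozenset()):
    """Flag sources that talk to >= threshold distinct SMTP hosts inside the window.

    Returns {src: (time first flagged, distinct hosts at that moment)}. Sources
    on the allowlist (known mail servers) are never flagged.
    """
    flows = sorted(parse_flow(l) for l in log_text.splitlines() if l.strip())
    recent = defaultdict(deque)  # src -> deque of (timestamp, dst) inside the window
    flagged = {}
    for ts, src, dst, dport in flows:
        if dport != 25 or src in allowlist:
            continue
        q = recent[src]
        q.append((ts, dst))
        # Drop connections that have aged out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) >= threshold and src not in flagged:
            flagged[src] = (ts, len(distinct))
    return flagged


if __name__ == "__main__":
    for src, (when, count) in detect_smtp_fanout(SAMPLE_FLOWS, allowlist={"10.0.0.9"}).items():
        print(f"{src} reached {count} distinct SMTP peers by {when.time()}")
```

Counting distinct destinations rather than raw connections is deliberate: a home user sending through one smarthost, however chatty, never accumulates many peers, while a host delivering spam directly contacts a fresh MX for nearly every message. The allowlist is what separates "server" from "bot" in IBBoard's phrasing, and it is also the place where the false-positive process they mention has to plug in.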

Re:ISPs? What the hell happened to slashdot? (1)

ChinggisK (1133009) | more than 4 years ago | (#27674363)

Am I in the right place? Is this slashdot?

Nope, you got lost and have somehow ended up on NEGA-SLASHDOT. MWAHAHAHAHAHAHA!

Didn't you notice all of our nifty goatees?

National security is being compromised every day.. (1)

w4RthAwG (1538641) | more than 4 years ago | (#27673855)

Asian hackers are being rewarded for their efforts in cybercrimes; moreover, they are being regarded as national heroes. When groups of Chinese hackers compromised United States Government secured sites, there was no retribution for their actions. The situation is more dire than most of us are aware. Simply having "security" people will not be enough. Just look at all the money that is being wasted on the war on drugs, and we are barely making a dent. There has to be a better way. Let's force the ISPs to be self-regulating and impose fines on those ISPs that are harboring these individuals. Also, we can make our IPs inaccessible to certain IP segments. Let's tackle this issue before it gets any more serious. God Bless America!

Attack Vector? (3, Informative)

Ukab the Great (87152) | more than 4 years ago | (#27674035)

Googling for conficker gave me wikipedia's entry

Looking through conficker's entry gave me the vector MS08-067

Googling for the vector gave me this article

Is it that Win32 lacks a high-quality, well-tested, easily reusable path class, or is it that Microsoft is such a large company that a rogue programmer circumventing the approved safe path class and engaging in not-invented-here-roll-your-own antics is commonplace?

Re:Attack Vector? (0)

Anonymous Coward | more than 4 years ago | (#27675403)

It is because Windows is mostly written in C. Besides, this code could be very old.

Anyone remember EHAP? (1)

S7urm (126547) | more than 4 years ago | (#27674399)

Ethical Hackers Against Pedophilia
Great group of kids helping fight against child porn, lots of talented "hackers" involved for that time period...and ya know what........they were considered outlaw vigilantes. So I ask, what kind of authority is a government going to be willing to give to a "hacker"? Especially in light of the fact that any non-technical politician isn't going to know the difference between Black, White, and Gray hat hackers.

Re:Anyone remember EHAP? (0)

Anonymous Coward | more than 4 years ago | (#27675215)

I didn't know there was such a group, but once upon a time I actually got a phonebook out (yeah, the paper kind) and called an FBI field office to report a massive source of child porn. I got voicemail.

I never got a call back. The idea that nobody even cared to do anything was probably the most disturbing part.

And somehow I'm not too terribly surprised that this "cybercrime" stuff goes largely unanswered.

Windows is to blame... (1)

nulled (1169845) | more than 4 years ago | (#27674835)

The only company to blame for the 'botnet' and the sending of all the spam via 'zombie computers' is Microsoft. Windows, as we all know, is a virus haven. Attempts by AVG and Microsoft's own anti-malware software have helped, but have not stopped it. The 'success stories' in raiding and taking down a couple of botnet groups are no success story. They simply open shop somewhere else. The internet has grown SO HUGE and so global that no amount of 'man power' in terms of police force, like a friken 'special ops' force, will do any good whatsoever. All it will result in are lawsuits for privacy invasion. Also, what about countries like Russia, where most of the botnet lives? The US or UK can not touch them, legally, whatsoever. So, the solution? Microsoft needs to be held accountable, and redesign the core of Windows to stop all the zombies... alas... good luck with that.

I've always said... (1)

DigitalCrackPipe (626884) | more than 4 years ago | (#27675639)

that the solution to spam (and malware) is the marines. Nothing takes a spammer off of the net faster than lead. Kind of shakes up that risk-reward balance a bit.