The fight against botnets is largely ineffective
The current efforts of law-enforcement authorities and the IT industry to deal with botnet operators and other cyber-criminals are ineffective. That was the message delivered by Joe Stewart, Director of Malware Research at SecureWorks, in "Demonetizing Botnets", his presentation at the RSA Conference 2009, which is currently under way. Stewart said countermeasures concentrate mostly on technical solutions, such as patching vulnerabilities, taking down botnet command-and-control (C&C) servers, installing spam filters and so forth.
The worldwide IT security community in particular, he said, has focused more on defending against attacks than on identifying and prosecuting the attackers. Yet it was precisely these experts who should be passing the fullest possible information to prosecuting authorities about the people responsible for attacks. Stewart said the activities of researchers and of the authorities barely overlapped. In combination with a chronic shortage of money and staff, as well as frequently imperfect international cooperation, this accounted for the meagre success rate of prosecutions and the steadily rising number of new attacks. Stewart also complained that many countermeasures only afforded a brief respite, encouraging attackers to get back to work with more determination, following a short break.
He felt that the hosting provider McColo, which was cut off by its upstream providers in November 2008, should not have been removed from the network entirely, because that only stirred up the botnet operators whose C&C servers it had hosted. They most likely moved on to a host in a country where ISPs cannot easily be compelled to cooperate with law enforcement. The chance to learn more about the cyber-criminals was consequently lost.
Stewart suggested a less conspicuous approach. In his opinion it would be sufficient to reduce the bandwidth available to the C&C servers, thus reducing their efficiency while giving security researchers and the police time to collect clues about the identity of the operators. At the same time, the ISPs of the clients whose computers were infected would be able to isolate those machines at the DNS level. The tactics of the hunters should under no circumstances be so obvious and so easily seen through as to alert their quarry and spur them on to refining their malicious techniques. Stewart believes that the cunningly decentralised peer-to-peer structure of the Waledac and Conficker botnets is a direct result of the earlier, conspicuous takedown of C&C servers.
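The throttle-rather-than-block tactic described above can be made concrete with a small simulation. The following Python is an added example, not code from Stewart's talk or from SecureWorks: it shapes traffic to a known C&C address with a token bucket, so the channel stays alive but slow, and records every client that contacts the C&C so that attribution evidence accumulates. The C&C address, the rate limits and the packet trace are all constructed for the example; a real deployment would apply the same policy with the ISP's traffic shaper (for instance Linux `tc`) rather than in Python.

```python
"""Throttle-and-observe policy for known C&C endpoints (illustrative simulation).

Added example, not from Stewart's talk or from SecureWorks. It models the idea
of reducing a C&C server's bandwidth with a token bucket instead of blocking it
outright, while logging which clients contacted it so that evidence accumulates.
The C&C address, the rates and the packet trace below are constructed.
"""
from collections import defaultdict


class TokenBucket:
    """Classic token bucket: `rate` bytes/second sustained, at most `burst` bytes at once."""

    def __init__(self, rate: float, burst: float):
        self.rate = rate
        self.burst = burst
        self.tokens = burst   # start full
        self.last = 0.0       # timestamp of the last refill

    def allow(self, now: float, size: int) -> bool:
        # Refill in proportion to elapsed time, never beyond the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False


class CncThrottle:
    """Per-C&C-server shaping plus an evidence log of client contacts."""

    def __init__(self, cnc_rates: dict):
        # cnc_rates: {cnc_ip: (rate_bytes_per_s, burst_bytes)}  (constructed policy)
        self.buckets = {ip: TokenBucket(r, b) for ip, (r, b) in cnc_rates.items()}
        self.contacts = defaultdict(set)   # cnc_ip -> set of client IPs observed
        self.passed = defaultdict(int)     # bytes forwarded per cnc_ip
        self.dropped = defaultdict(int)    # bytes dropped per cnc_ip

    def handle(self, now: float, src: str, dst: str, size: int) -> str:
        bucket = self.buckets.get(dst)
        if bucket is None:
            return "forward"             # not a known C&C: left untouched
        self.contacts[dst].add(src)      # evidence is recorded whatever the verdict
        if bucket.allow(now, size):
            self.passed[dst] += size
            return "forward"
        self.dropped[dst] += size
        return "drop"


# Constructed policy: one C&C server allowed 1000 B/s with a 2000 B burst.
CNC_RATES = {"198.51.100.7": (1000, 2000)}

# Constructed packet trace: (time_s, src, dst, size_bytes).
TRACE = [
    (0.0, "192.0.2.10", "198.51.100.7", 1500),   # bot A: fits in the initial burst
    (0.0, "192.0.2.11", "198.51.100.7", 1500),   # bot B: bucket nearly empty, dropped
    (1.0, "192.0.2.11", "198.51.100.7", 1500),   # bot B retries one second later, passes
    (1.0, "192.0.2.12", "198.51.100.7", 1500),   # bot C: dropped, but still logged
    (3.0, "192.0.2.12", "198.51.100.7", 1500),   # bot C retries after refill, passes
    (3.0, "192.0.2.10", "203.0.113.5", 9000),    # unrelated traffic: never shaped
]


def simulate(trace=TRACE, cnc_rates=CNC_RATES):
    """Run the trace through the throttle; return (throttle, list of verdicts)."""
    throttle = CncThrottle(cnc_rates)
    verdicts = [throttle.handle(now, src, dst, size) for now, src, dst, size in trace]
    return throttle, verdicts


if __name__ == "__main__":
    t, v = simulate()
    print("verdicts:", v)
    for cnc, clients in t.contacts.items():
        print(f"{cnc}: {t.passed[cnc]} B passed, {t.dropped[cnc]} B dropped, "
              f"clients seen: {sorted(clients)}")
```

The point of the evidence log is the last line of output: even the dropped contacts contribute a client address, so a shaped C&C channel yields a growing list of infected hosts and timing data while the operator sees only a slow server, not a dead one.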
Stewart said different structures and capabilities are required in order to act very effectively against cyber-gangsters. He had in mind a series of specialised teams made up of experts, each team acting very purposefully against a specific group of criminals. These teams should include people spread over the whole planet and having a variety of capabilities, specialising say in reverse engineering, social engineering and linguistics. Stewart did not say whether work was already taking place behind the scenes in order to form such teams.
He said the ideal partners for such expert teams would be national CERTs (Computer Emergency Response Teams) with extended powers, and cited as an example the South Korean CERT, which receives status reports on network traffic and any unusual events from all the ISPs in South Korea every five minutes. If malicious activity is detected, the CERT can block IP addresses, filter out URLs or bar dangerous traffic without first having to consult authorities or prosecutors. The information gathered in this way serves not only as a basis for immediate technical countermeasures but also for identifying the culprits.
Stewart granted at the same time that such a concept would only promise success if as many countries as possible would maintain a CERT with such extended powers. But CERTs, he said, should never become deputy sheriffs acting on behalf of the music and film industries. They should concentrate exclusively on combating cyber-criminals.