secureworks

Botnet expert suggests hitting cybercriminals in pocket book

SAN FRANCISCO--Technology is not enough to help the security industry keep botnets from stealing people's money and committing denial-of-service attacks, a top botnet researcher said on Wednesday. His suggestion? Stop the flow of money to their coffers.

"We need to disrupt their business model and make it hard for them to carry out their attacks and make money," Joe Stewart, a security researcher at SecureWorks, said in an interview at the RSA 2009 security conference here.

"Right now, it's risky to surf the Internet with a PC," he said. "I would like to see … Read more

Infected U.S. PCs may have attacked Georgia

When political tensions flared last month between Georgia and its large neighbor to the north, the country was ready to block Internet traffic from Russia, hoping to avoid the denial-of-service attacks that shut down Internet service in Estonia for several days in 2007. Instead, most of the DoS attacks that were directed against Georgia came from an unlikely place: the United States.

"Russia is one of the most capable countries when it comes to launching system intrusion hacking attempts, distributed denial-of-service attacks, and operation of botnets," said Don Jackson, director of Threat Intelligence for SecureWorks. "Yet you'll notice the number of attacks coming from Russia are very low."

SecureWorks on Monday released a list ranking the countries with the most infected computers enlisted for use with botnets. On that list, Russia ranks 7th, far behind the United States, China, Brazil, South Korea, Poland, and Japan. The reason Russia is so low, Jackson said, is that hackers from Russia don't attack from within Russia.

Instead of attacking using Russian IP addresses, Jackson said, the hackers who wanted to attack Georgia used "computers and control servers located in Turkey while the bots (the infected computers) that they controlled were mostly in the United States." … Read more

Anatomy of a botnet

What if you wanted to build your own botnet to act as a spam relay or to launch a denial-of-service attack against an organization or a country? "It's actually a lot of work," says Joe Stewart, director of malware research at SecureWorks.

I had a chance to talk with Stewart at this year's Black Hat security conference in Las Vegas where, in a talk, he provided insight into the inner workings of one botnet, the Storm worm botnet. Using unpackers, debuggers, and decompilers, Stewart was able to dissect the rogue network and learn how it works … Read more

Looking inside the Storm worm botnet

LAS VEGAS--On Wednesday, Joe Stewart, director of malware research for SecureWorks, presented his work on protocols and encryption used by the Storm worm botnet at Black Hat 2008.

He said as far as botnets go, Storm is not particularly sophisticated, nor is it our No. 1 threat. Yet while other botnets come and go, Storm remains amazingly resilient, in part because the Trojan horse it uses to infect systems changes its packing code every 10 minutes, and, once installed, the bot uses fast flux to change the IP addresses for its command and control servers.

None of this is surprising, it'… Read more

SecureWorks unmasks the Coreflood Trojan

On Monday, SecureWorks released its analysis of the Coreflood Trojan, providing an inside look at a stealthy online predator.

According to a blog by Joe Stewart, director of malware research for SecureWorks, Coreflood started out as an IRC (Internet relay chat) botnet back in 2002. Coreflood--or AFcore, as the author refers to it within the code--is apparently viewed by its author as corporate software that can be tweaked as business needs change. For example, over the last six years, Coreflood has evolved from initiating distributed denial-of-service attacks to collecting IDs and passwords for bank fraud.

With the help of Spamhaus, … Read more