By Tom Espiner
Wednesday, December 13 2006 09:46 AM
URL: http://www.zdnetasia.com/news/security/0,39044215,61974697,00.htm

Eugene Kaspersky, head of antivirus research at Kaspersky Labs, has called for greater international law enforcement co-operation to combat the growing threat from cybercrime.

"I would like to see more international organization--some kind of Internet Interpol, to react quickly once an infection [or botnet] is known," said Kaspersky, speaking in Moscow last week. "Hackers change proxies quickly, so the police have to be very reactive."

He warned that hackers are typically using different proxy servers distributed around the world to avoid being detected and caught in any one country.

Interpol, which helps national police forces to work together, has a financial and hi-tech crime sub-directorate that investigates cybercrime, including botnet activity. But Kaspersky believes that a more formal body with stronger powers is needed.

According to detective chief inspector Charlie McMurdie of the Metropolitan Police e-crime unit, who is also one of the permanent members of the U.K. Interpol working group, existing Interpol forums are addressing key priorities in e-crime including botnets, hacker tools and techniques.

"Most of our relationships come through international investigations. If we've got a time-critical case we can pick up the phone and speak to somebody," said McMurdie.

But McMurdie also admitted that she was not happy with the international speed of response in all cases.

"It depends on which country," said McMurdie. "Different countries have different legislation, and we have to be aware of those differences to be able to deliver a timely response. I certainly wouldn't say I'm happy with the speed of response in all cases--we could do an awful lot more to improve relationships with some countries," McMurdie added.

Botnet investigations, which focus on legions of compromised computers that hackers use to launch attacks and steal information, are exceedingly time critical as botnets can change form, composition and international distribution very quickly. Investigations into other vectors of attack show that speed is of the essence in terms of response. Mail security company MessageLabs reported an attack on Tuesday that lasted four seconds and sought to exploit a zero-day vulnerability in Microsoft Word, the second reported within a week, in a highly targeted attack against specific organizations.

Ed Gibson, Microsoft's chief security advisor in the United Kingdom, praised law-enforcement efforts, but is unhappy that there is such a disparity in cybercrime legislation and law-enforcement funding around the world.

"Law enforcement and security services are doing the best they can under different legislation, and considering the resources they have," said Gibson.

Kaspersky criticized ineffectual cybercrime laws, especially in Russia where a computer crime investigation can only be initiated on the request of the victim. This means Russian police have their hands tied when investigating Russian hackers, Kaspersky explained.

"Unfortunately in Russia computer laws are not so effective," said Kaspersky. "With the Computer Act, an investigation starts on the request of the victim--but victims don't like to disclose they've been hacked. Banks and companies don't want to disclose their networks have been hacked [due to damage to reputation], and personal users don't care."

"In several cases the police have the address and telephone number of hackers--they know everything about them--but they don't have the request," said Kaspersky.

Kaspersky claimed that Russian hackers are a growing problem, as well as hackers from China and Latin America.

"Russian hackers develop tricky technologies to hide malicious code--mutating utilities that reassemble malicious source code once a computer is infected. Signatures simply don't work, so you have to develop specific anti-mutation code," said Kaspersky.