10/10/2012
05:05 PM
Mild-Mannered Malware Sleuth Rocks Security

Botnet and malware expert Joe Stewart chats up his self-taught skill of picking apart malware and botnets, how targeted companies are in denial, Metallica -- and his raucous rock 'n' roll years

Joe Stewart played bass guitar and sang backup vocals for two years in a Southern rock cover band that scored a regular gig at Joe's Bar and Grill, a dive bar literally situated in the woods of South Carolina -- and where pretty much every night a bar brawl erupted.

Like many of his security researcher counterparts, the renowned botnet and malware expert took a circuitous route to his current profession. Security was the last thing on his mind in the early days of his career: His passion was music, and he first wrote and recorded songs in college, mainly parody tunes that played off various music genres. He entered college to study broadcasting, but got married and dropped out after his freshman year after he and his wife realized they couldn't really afford to pay two tuitions.

"Music was my main focus after college. I was trying to play guitar and start a band," says Stewart, who is the director of malware research at Dell SecureWorks.

[Photo: Joe Stewart of Dell SecureWorks, with his ride]

After years of trying to get a band together, Stewart teamed with a co-worker at LURHQ -- where he worked in the security operations center after a three-year stint as a Web programmer -- in 2002 and formed the cover band Option 2, which played Joe's Bar and Grill. The inspiration for the group's name: "When you needed to call into the SOC for support ... you would press '2' to talk to us," he says.

Stewart isn't your typical security rock star. Soft-spoken and characteristically low-key, he mostly steers clear of the social scene at security conferences, and rarely pipes in on Twitter, where many security big-names gather and speak out. He says he embraces his socially reclusive self now. "Socially, I'm not very out there at all," says Stewart, 41, who lives with his wife and two sons in Myrtle Beach, S.C. He says he only tweets when he has something to say that no one else is talking about.

"I prefer to have my work speak for me," Stewart says.

[ Researcher Joe Stewart uncovers hundreds of different custom malware families used by cyberspies -- and discovers an Asian security company conducting cyberespionage. See Scope Of APTs More Widespread Than Thought. ]

And that's basically how Stewart's security career has evolved. The turning point came in early 2003 when he decided to analyze a phishing email sent to one of his co-workers at LURHQ. He discovered that a botnet was sending out the phishing emails and spreading the now-infamous Sobig virus, a technique that was relatively new at the time. Stewart's research caught the attention of law enforcement, security researchers, and the media. LURHQ, which later merged with SecureWorks, then made him a full-time security researcher.

But ask Stewart what security research he's most proud of to date, and it's not Sobig. It was a lesser-publicized peer-to-peer botnet called Sinit that he analyzed in 2005. Stewart says what was most striking about Sinit was its discovery protocol and that it had no prior knowledge of other bots in the network.

"I got the malware ... it was pretty advanced for the day. It used encryption and PKI for updates so no one could hijack the botnet," Stewart says. "No one had heard of it."

Stewart's most recent research at Dell SecureWorks has revolved mostly around malware and tools used by advanced persistent threat (APT) actors, as well as botnets, such as Coreflood and massive infections such as Conficker. He was one of the first to reveal a link between China and the RSA breach, as well as find clues in the Aurora attacks on Google and other major corporations that pointed to China.

But unlike many of his counterparts, he's no bug hunter. "I don't find hunting for vulnerabilities particularly interesting. It's a little like shooting fish in a barrel," Stewart says. He likes taking things apart to see how they work, which is a big part of his job in malware and botnet research. He began to hone those skills in his later work in the LURHQ SOC, doing analysis of network traffic. "I thought of myself as a security guy then," he says.

He attributes his affinity for programming and reverse-engineering to toying with gaming apps on his first computer, a Commodore VIC-20. "Having the knowledge of how programs are put together and the logic of how programs are built, I'm sure, helped me in how to take them apart," he says.

His first real brush with security came when working as Webmaster of a Web-based life-coaching company, where he programmed Web forms, wrote scripts, and maintained the company's database. "I was taking on the role of more of a systems administrator. I was reading on the latest security exploits, and it had me nervous. I didn't want anything getting our servers," he recalls.

"I did really start sensing that security was something I really liked, and would like to get into that arena. But it didn't seem like a realistic career path" at the time, he says.

Fast-forward to today: Stewart is one of the most well-respected malware and botnet researchers in the industry. He doesn't worry much about the cybercriminals or cyberspies whose operations he disrupts ultimately turning on him with hacks, although his personal website was once DDoS'ed by the Rustock botnet gang for a full week. He didn't know who was behind it until he did a little investigating of his own. "Of course I had to trace it back, which meant getting hold of malware again," he says. "I figured out it was delivered through the Rustock mechanism, which made sense because I had [just] written an article on Rustock."

What concerns Stewart most, however, is that many companies being targeted by attackers today just aren't taking the threat seriously enough. "They are not even acknowledging that [the threat] exists. That worries me," he says.

He once tried to warn a Vietnamese newspaper that Chinese hackers had infiltrated its network, but the publication never responded. "It's discouraging. It takes a lot of effort to track it down, and when you bring it to a company that's being impacted, you may not even get a reply," he says.

PERSONALITY BYTES

  • Worst day ever at work: The worst day at my current job was still better than the best day at any of my previous jobs.
  • What your co-workers don't know about you that would surprise them: I've been known once or twice to bust out a karaoke performance of Metallica.
  • First full-time job: Working at Lowe's, stocking shelves and then managing a department. This is where I found out I didn’t like managing people, so I switched back to unloading trucks and stocking shelves at night.
  • Favorite team: The Logicians (Attention non-Trekkies: This was a baseball team formed by Captain Solok and members of the all-Vulcan crew of the USS T'Kumbra.)
  • Favorite hangout: My back patio
  • In his music player right now: Muse -- "The 2nd Law"
  • Stewart's security must-haves: Some flavor of *nix. I can take care of the rest.
  • Comfort food: PB&J
  • Ride: Kawasaki Vulcan 800
  • For fun: Photography, electronics, and music.
  • First music gig: Writing and recording songs for the college radio station: It was nothing serious, just weird, off-the-wall, parody music ... It was anything from rock or country parody or some weird, spacey acid-trippy stuff.
  • Actor who would play him in a film: Dean Haglund
  • Next career: Solar energy pioneer. Why? I find power lines to be unsightly.

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ...