Mild-Mannered Malware Sleuth Rocks Security

Published: 22/11/2024   Category: security




Botnet and malware expert Joe Stewart chats up his self-taught skill of picking apart malware and botnets, how targeted companies are in denial, Metallica -- and his raucous rock 'n' roll years



Joe Stewart played bass guitar and sang backup vocals for two years in a Southern rock cover band that scored a regular gig at Joe's Bar and Grill, a dive bar literally situated in the woods of South Carolina -- and where pretty much every night a bar brawl erupted.
Like many of his security researcher counterparts, the renowned botnet and malware expert took a circuitous route to his current profession. Security was the last thing on his mind in the early days of his career: His passion was music, and he first wrote and recorded songs in college, mainly parody tunes that played off various music genres. He entered college to study broadcasting, but got married and dropped out after his freshman year after he and his wife realized they couldn't really afford to pay two tuitions.
"Music was my main focus after college. I was trying to play guitar and start a band," says Stewart, who is the director of malware research at Dell SecureWorks.
[Photo caption: Joe Stewart and his ride]
After years of trying to get a band together, Stewart teamed with a co-worker at LURHQ -- where he worked in the security operations center after a three-year stint as a Web programmer -- in 2002 and formed the cover band Option 2, which played Joe's Bar and Grill. The inspiration for the group's name: "When you needed to call into the SOC for support ... you would press 2 to talk to us," he says.
Stewart isn't your typical security rock star. Soft-spoken and characteristically low-key, he mostly steers clear of the social scene at security conferences, and rarely pipes in on Twitter, where many security big-names gather and speak out. He says he embraces his socially reclusive self now. "Socially, I'm not very out there at all," says Stewart, 41, who lives with his wife and two sons in Myrtle Beach, S.C. He says he only tweets when he has something to say that no one else is talking about.
"I prefer to have my work speak for me," Stewart says.
[Researcher Joe Stewart uncovers hundreds of different custom malware families used by cyberspies -- and discovers an Asian security company conducting cyberespionage. See "Scope Of APTs More Widespread Than Thought."]
And that's basically how Stewart's security career has evolved. The turning point came in early 2003 when he decided to analyze a phishing email sent to one of his co-workers at LURHQ. He discovered that a botnet was sending out the phishing emails and spreading the now-infamous Sobig virus, a technique that was relatively new at the time. Stewart's research caught the attention of law enforcement, security researchers, and the media. LURHQ, which later merged with SecureWorks, then made him a full-time security researcher.
But ask Stewart what security research he's most proud of to date, and it's not Sobig. It was a lesser-publicized peer-to-peer botnet called Sinit that he analyzed in 2005. Stewart says what was most striking about Sinit was its discovery protocol and that it had no prior knowledge of other bots in the network.
"I got the malware ... it was pretty advanced for the day. It used encryption and PKI for updates so no one could hijack the botnet," Stewart says. "No one had heard of it."
Stewart's most recent research at Dell SecureWorks has revolved mostly around malware and tools used by advanced persistent threat (APT) actors, as well as botnets, such as Coreflood and massive infections such as Conficker. He was one of the first to reveal a link between China and the RSA breach, as well as find clues in the Aurora attacks on Google and other major corporations that pointed to China.
But unlike many of his counterparts, he's no bug hunter. "I don't find hunting for vulnerabilities particularly interesting. It's a little like shooting fish in a barrel," Stewart says. He likes taking things apart to see how they work, which is a big part of his job in malware and botnet research. He began to hone those skills in his later work in the LURHQ SOC, doing analysis of network traffic. "I thought of myself as a security guy then," he says.
He attributes his affinity for programming and reverse-engineering to toying with gaming apps on his first computer, a Commodore VIC-20. "Having the knowledge of how programs are put together and the logic of how programs are built, I'm sure, helped me in how to take them apart," he says.
His first real brush with security came when working as Webmaster of a Web-based life-coaching company, where he programmed Web forms, wrote scripts, and maintained the company's database. "I was taking on the role of more of a systems administrator. I was reading on the latest security exploits, and it had me nervous. I didn't want anything getting our servers," he recalls.
"I did really start sensing that security was something I really liked, and would like to get into that arena. But it didn't seem like a realistic career path at the time," he says.
Fast-forward to today: Stewart is one of the most well-respected malware and botnet researchers in the industry. He doesn't worry much about the cybercriminals or cyberspies whose operations he disrupts ultimately turning on him with hacks, although his personal website was once DDoSed by the Rustock botnet gang for a full week. He didn't know who was behind it until he did a little investigating of his own. "Of course I had to trace it back, which meant getting hold of malware again," he says. "I figured out it was delivered through the Rustock mechanism, which made sense because I had [just] written an article on Rustock."
What concerns Stewart most, however, is that many companies being targeted by attackers today just aren't taking the threat seriously enough. "They are not even acknowledging that [the threat] exists. That worries me," he says.
He once tried to warn a Vietnamese newspaper that Chinese hackers had infiltrated its network, but the publication never responded. "It's discouraging. It takes a lot of effort to track it down, and when you bring it to a company that's being impacted, you may not even get a reply," he says.
Worst day ever at work:
The worst day at my current job was still better than the best day at any of my previous jobs.
What your co-workers don't know about you that would surprise them:
I've been known once or twice to bust out a karaoke performance of Metallica.
First full-time job:
Working at Lowe's, stocking shelves and then managing a department. This is where I found out I didn't like managing people, so I switched back to unloading trucks and stocking shelves at night.
Favorite team:
The Logicians
(Attention non-Trekkies: This was a baseball team formed by Captain Solok and members of the all-Vulcan crew of the USS T'Kumbra.)
Favorite hangout:
My back patio
In his music player right now:
Muse -- The 2nd Law
Stewart's security must-haves:
Some flavor of *nix. I can take care of the rest.
Comfort food:
PB&J
Ride:
Kawasaki Vulcan 800
For fun:
Photography, electronics, and music.
First music gig:
Writing and recording songs for the college radio station: "It was nothing serious, just weird, off-the-wall, parody music ... It was anything from rock or country parody or some weird, spacey acid-trippy stuff."
Actor who would play him in a film:
Dean Haglund
Next career:
Solar energy pioneer. Why? "I find power lines to be unsightly."