SAN FRANCISCO – Frontline internet-crime fighters from security companies, law enforcement agencies, banks and e-commerce sites huddled at a secretive conference last week to confer on new tactics in the war on cybercrime. And while nearly everyone agreed the internet has become an infected and dangerous breeding ground for malware and scams, no one could quite agree on what to do.

That didn't mean that the participants at the Anti-Phishing Working Group's Counter e-Crime Operations Summit lacked for proposals for breaking the internet crime wave.

Joe St Sauver, who heads up security for Internet2, told the audience at a Thursday afternoon conference session that the online fraud problem had become so bad – under the neglect of ISPs, users and private corporations alike – that the only recourse was to build government-funded free clinics for infected computers around the United States.

St Sauver says the clinic technicians, like doctors in hospitals, would be trained to overlook minor infractions like pirated software or large collections of dubiously sourced mp3s so people wouldn't be afraid of the computer center. That way the center could simply focus on treating sick computers and bolstering their immune systems before sending them home.

"Millions of consumer PCs are compromised, and those machines can be used to host phishing, scan other sites, sniff traffic and in denial-of-service attacks," St Sauver said. "They really have the potential to be a tremendous weapon in the hands of the wrong folks. They represent a significant threat to the United States."

St Sauver and others were referring to botnets: the internet's zombie armies of compromised PCs that malefactors use to send spam, host fake websites for phishing attacks or bombard websites with spurious traffic in a distributed denial-of-service attack.

The malicious power of botnets was on display in April when Russian attackers launched sustained denial-of-service attacks against thousands of government and financial-firm websites in the small European republic of Estonia to avenge that country's relocation of a World War II memorial statue of a Soviet soldier.

According to anti-virus firm McAfee, 37,413 new malicious programs hit the internet last year, including exploit code and bots.

Paul Ferguson, a network architect at the security giant Trend Micro, argued the threat now requires some top-down authority to fix the problem; the current remediation model – which mostly involves running from one computer to another installing patches – cannot keep up with attackers that are now better organized and better funded than the security community.

"Criminals are going to overwhelm the web," Ferguson said, arguing that national governments and international aid groups, among others, need to join in the fight.

The panelists also agreed that a largely unused technique called ingress filtering, which prevents one computer from successfully spoofing the internet IP address of another, should be widely adopted by ISPs and router manufacturers.

Service providers and everyday users were singled out by panelists and audience members for not taking enough responsibility. Attendees slammed ISPs for not searching for rogue computers on their network or shutting off internet access to compromised PCs reported to them by security companies, charging that ISPs were endangering the internet to avoid support calls from cut-off customers.

For their part, users don't care about security because the rogue zombie software often only uses minimal computing power, making the background spam-spouting code not their problem.

A few audience members argued seriously that computer users should have to take a test to get an internet license, maintain botnet insurance and have their machines inspected for information-superhighway worthiness. Others countered that individuals shouldn't have to know how to secure their own computers – the machines should simply be more inherently secure.

An eBay employee suggested that a system like the United States credit-scoring system would be better. Every PC user would get a score based on the security of their system, and the computer would transmit that score in every packet it sends out. Websites could then judge what level of access to give based on that security score.

Uriel Maimon, a senior researcher for security giant RSA, later told Wired News that none of those solutions would work, because new technical specifications for a security score would take years, and the other proposals wouldn't have the international reach needed to make a dent in the global internet infosphere.

His solution? Money. Governments need to provide rewards to ISPs for taking down botnets, Maimon contends.

"Governments are the only body with money and the incentive to take down botnets," Maimon says. "If you are looking at either a carrot or stick approach, I would go carrot. If you are paying ISPs to get rid of the botnets, then it's international. Everyone wants to make money."