Technology Review - Published By MIT

Researchers Hijack a Drive-By Botnet

Continued from page 1

By Robert Lemos

Friday, October 02, 2009


During the four months the researchers studied Mebroot, the infection network used three different domain-generation algorithms, two of which took only the day's date as input. The last variant, however, adds a variable that cannot easily be guessed far in advance: the second character of the day's most popular search term on Twitter.

"They (Mebroot's creators) used a variable that was not in control of the bad guys or the good guys," says Marco Cova, a UCSB student and a coauthor of the paper.

After reverse-engineering the domain-generation algorithm, the researchers temporarily hijacked Mebroot: they mirrored the steps the compromised websites take to compute the current day's domain, registered those domains themselves, and pointed them at their own sinkhole servers. But they noticed that each time they registered a domain for their sinkhole, the Mebroot gang reacted by registering the upcoming domains sooner.
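The two properties the article relies on, that a date-only algorithm lets a defender compute and register tomorrow's domains today, and that mixing in an input nobody knows until the day itself (the Twitter term) defeats that, are easy to see in code. The following Python sketch is an added illustration, not Mebroot's actual algorithm or code from the UCSB paper; the SHA-256 construction, the TLD list, the three-domains-per-day count and the way the external token is mixed into the seed are all assumptions made for the example.

```python
import hashlib
from datetime import date, timedelta

# Assumed parameters for this illustration (not Mebroot's real values)
TLDS = ("com", "net", "biz")
DOMAINS_PER_DAY = 3


def generate_domains(day_iso: str, extra_token: str = "") -> list:
    """Return the candidate domains a bot would contact on day_iso (YYYY-MM-DD).

    With extra_token == "" the only input is the date, so anyone who has
    reverse-engineered this function can compute the list weeks ahead.
    A non-empty extra_token stands in for the input the article says the
    last Mebroot variant added (a character of the day's top Twitter search
    term): it is unknown until the day itself, so neither the gang nor the
    defenders can register the domains early.
    """
    domains = []
    for i in range(DOMAINS_PER_DAY):
        seed = f"{day_iso}|{extra_token}|{i}".encode()
        digest = hashlib.sha256(seed).hexdigest()
        # Map the first 12 hex digits onto letters a-p so the label looks like a hostname
        label = "".join(chr(ord("a") + int(c, 16)) for c in digest[:12])
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains


def sinkhole_plan(start_iso: str, days_ahead: int) -> dict:
    """Defender side: for each of the next days_ahead days, precompute the
    domains a date-only bot will use, so they can be registered and pointed
    at a sinkhole before the bots ask for them."""
    start = date.fromisoformat(start_iso)
    plan = {}
    for n in range(days_ahead):
        day_iso = (start + timedelta(days=n)).isoformat()
        plan[day_iso] = generate_domains(day_iso)
    return plan


def plan_covers_bot(plan: dict, day_iso: str, extra_token: str = "") -> bool:
    """True if every domain the bot computes for day_iso is already in the plan."""
    return set(generate_domains(day_iso, extra_token)) <= set(plan.get(day_iso, []))


if __name__ == "__main__":
    plan = sinkhole_plan("2009-10-02", 7)
    print("date-only bot covered:", plan_covers_bot(plan, "2009-10-02"))          # True
    print("token-seeded bot covered:", plan_covers_bot(plan, "2009-10-02", "t"))  # False
```

The defender's plan matches the date-only bot exactly, which is the takeover the researchers performed; as soon as the seed includes the same-day token, the precomputed list no longer contains the bot's domains, and both sides are reduced to racing to the registrar on the day itself, which is the arms race the article describes.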

The researchers were also able to profile the typical victim of the network. Almost 64 percent of the visitors redirected to the researchers' servers were running Windows XP, and 23 percent were running Windows Vista. The next two most common operating systems, Mac OS X 10.4 "Tiger" and Mac OS X 10.5 "Leopard," together accounted for 6.4 percent of all visitors.

The researchers never compromised visitors' systems, but by analyzing two kinds of information sent over the network they could find evidence that visitors' machines had already been infected. One indicator suggested that 6.5 percent of visitors were infected with malware; the other indicated that 13.3 percent of systems had been modified by malicious or unwanted files. Moreover, more than half of the visitors (about 54 percent) were running some sort of antivirus software, and about 12 percent of those running security software were infected anyway, the researchers found.

The researchers also discovered that nearly 70 percent of those redirected by Mebroot (counted by IP address) were vulnerable to at least one of almost 40 vulnerabilities regularly targeted by the most popular drive-by infection toolkits. About half that many were vulnerable to one of the six specific vulnerabilities exploited by the Mebroot toolkit itself.

The research suggests that users need to update more often, says UCSB's Vigna.

"Patches are very good at reducing the exposure of the end users, but users are not very good at updating their system," he says.

Comments

  • Happened to us
    Exactly as described!
    However, the important issue is how they compromised the website - they appear to have hacked a SQL database we used for allowing registrants to list themselves for searches. SQL seems to have been the culprit.

    fiberman
    10/02/2009
    • Re: Happened to us
      Probably wasn't "SQL" per se but rather the application code used to read/write from SQL that allowed them to succeed in their attack--typically this would be through what's known as a SQL injection attack.  If SQL was directly exposed to the internet (instead of through application code), that would have been the height of foolhardiness.

      Ask your app code developers to read OWASP's top ten list of vulnerabilities--SQL injection is an easy-to-prevent but often-made blunder by inexperienced/unaware developers.  And there are plenty of test tools designed to detect whether application code is vulnerable to SQL injection--so plan on testing for vulnerabilities too, or you're likely to be a victim of drive-by attacks.

      kcasey
      10/06/2009
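The distinction kcasey draws above, that the hole is in the application code that builds the query rather than in "SQL", is the whole of the bug and the whole of the fix. The following Python example is added here as an illustration; it is not code from the commenter's site or from the article, and the registrants table, column names and sample rows are constructed for the example. It shows a search function that concatenates the user's term into the statement next to the same search with a bound parameter, and the classic probe string that scanners of the kind kcasey mentions send to tell the two apart.

```python
import sqlite3

# Constructed sample data: a small registrant directory like the one the
# comment describes. Names and e-mail addresses are invented for the example.
SAMPLE_ROWS = [
    ("Alice Example", "alice@example.org", 1),
    ("Bob Example", "bob@example.org", 1),
    ("Carol Private", "carol@example.org", 0),  # opted out of public search
]

# Classic probe: closes the open quote, adds a tautology, comments out the rest
INJECTION = "' OR 1=1 --"


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE registrants ("
        "id INTEGER PRIMARY KEY, name TEXT, email TEXT, is_public INTEGER)"
    )
    conn.executemany(
        "INSERT INTO registrants (name, email, is_public) VALUES (?, ?, ?)",
        SAMPLE_ROWS,
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    """The blunder: the search term is pasted into the SQL text, so quotes
    and operators inside it are executed as part of the statement. With
    INJECTION as the term the WHERE clause becomes
    "is_public = 1 AND name LIKE '%' OR 1=1 --%'", which is true for every
    row, so the is_public filter is bypassed."""
    sql = ("SELECT name FROM registrants "
           "WHERE is_public = 1 AND name LIKE '%" + term + "%'")
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn: sqlite3.Connection, term: str) -> list:
    """The fix: the statement text is fixed and the term is bound as a
    parameter, so whatever it contains is compared as data and never parsed
    as SQL. The same probe string simply matches no name."""
    sql = "SELECT name FROM registrants WHERE is_public = 1 AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


if __name__ == "__main__":
    db = make_db()
    print("normal search:", search_vulnerable(db, "Alice"))
    print("vulnerable + probe:", search_vulnerable(db, INJECTION))        # leaks all three rows
    print("parameterized + probe:", search_parameterized(db, INJECTION))  # []
```

The parameterized version is not "escaping": the database driver never sees the term as part of the statement at all, which is why it stays safe regardless of which quoting tricks the attacker tries. The same binding applies to the INSERT path (registrants listing themselves), which in a drive-by compromise is where an attacker would store the injected script or iframe that later redirects visitors.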
  • How effective is browser safe mode?
    If visitors use the safe mode of a browser (e.g., Firefox), are they still vulnerable to methods of infection used by the botnets?

    tftpgh
    10/06/2009
  • Easy Solution
    I don't understand why this is allowed to continue.  Where is law enforcement?  Why aren't the perpetrators flogged to death in the public square?  (That's just my preference.  I'd settle for putting them in prison.)

    If they are operating with impunity because a gov't is protecting them, then cut off that country entirely from the web (and cut off any country that refuses to cut them off).  I'd happily give up access to Russian web sites (for example) in exchange for a safe internet.

    dmm
    10/06/2009
    • Re: Easy Solution
      They operate with impunity because the botnets don't exist in any country--they move from server to server across the internet landscape--they take over a website of a legitimate company--they then infect legitimate users' computers, then they infect ten more servers and 100 more PCs...  They don't care if the website or the user's computer is in the US or Russia or Liberia--think like a disease.  You can't outlaw the flu, and the flu doesn't care about arbitrary things like borders.  It spreads because people don't take precautions (and even spreads sometimes when they do)--I suppose you could fine people for not updating their systems (and thus contributing to the spread of botnets), but that's a bit of the "kill-the-homeless-and-feed-them-to-the-hungry" type of solution that's not going to fly very well with end users.  And even if you did, there would still be polymorphic and emergent viral code that could infect a patched system (so who do you sue then?).

      The anger and frustration is understood well--but a simplistic, arrest-em-all (or kill-em-all) attitude isnt a practical, useful response to the threat.

      If you want to do something useful to combat the villains, update your PC.  Update your mother's and your neighbor's PC.  Get them to run automatic updates--show them how.  Teach them.  Keep their antivirus software updated.  Use common sense when browsing the internet.

      And, as for the flu, wash your hands.  Stay home from work when you are sick.  If you have to sneeze or cough, cover your mouth (preferably with the crook of your elbow).

      kcasey
      10/06/2009
      • Re: Easy Solution
        I think dmm is referring to the original creators of the bots. Somebody created these bots and released them onto the World Wide Web before they started spreading like wildfire.

        There are laws that will send them to prison if they are caught. However, it is difficult to bring down an international crook, or any crook for that matter. Internet anonymity and the bots' modus operandi, as explained in the article and by kcasey above, make it very complex to identify those that are responsible.

        Until scientists come up with an immunization for computer bots, the logical option is to follow kcasey's prescriptions.

        pao2
        10/07/2009
      • Re: Easy Solution
        kcasey, One of the best posts I've seen, in a while.

        Nice.

        nekote
        10/09/2009
  • Hmmm
    Uhhh, why doesn't someone write a botnet to hijack and update, scan and repair all the computers people are not updating ?  :)


    macslayer
    11/05/2009
    • Re: Hmmm
      a good idea! :?

      Botnet_Track...
      12/30/2009
    • Re: Hmmm
      You wouldn't dare, no matter how cool, powerful, good looking and rich it would make you... plus I think creating such a killer(literally) app would stop male pattern baldness!

      eric.jerniga...
      02/03/2010

MIT Massachusetts Institute of Technology CyberMedia © 2010 Technology Review. All Rights Reserved.