Sandia Studies Botnets In 1M OS Digital Petri Dish

← Back to Stories (view on slashdot.org)

Sandia Studies Botnets In 1M OS Digital Petri Dish

Posted by kdawson on Tuesday July 28, 2009 @09:44AM from the million-bottles-of-wine-on-the-wall dept.

Ponca City, We love you writes "The NY Times has the story of researchers at Sandia National Laboratories creating what is in effect a vast digital petri dish able to hold one million operating systems at once in an effort to study the behavior of botnets. Sandia scientist Ron Minnich, the inventor of LinuxBIOS, and his colleague Don Rudish have converted a Dell supercomputer to simulate a mini-Internet of one million computers. The researchers say they hope to be able to infect their digital petri dish with a botnet and then gather data on how the system behaves. 'When a forest is on fire you can fly over it, but with a cyber-attack you have no clear idea of what it looks like,' says Minnich. 'It's an extremely difficult task to get a global picture.' The Dell Thunderbird supercomputer, named MegaTux, has 4,480 Intel microprocessors running Linux virtual machines with Wine, making it possible to run 1 million copies of a Windows environment without paying licensing fees to Microsoft. MegaTux is an example of a new kind of computational science, in which computers are used to simulate scientific instruments that were once used in physical world laboratories. In the past, the researchers said, no one has tried to program a computer to simulate more than tens of thousands of operating systems."

161 comments

Life imitates XKCD by Tackhead · 2009-07-28 09:46 · Score: 5, Interesting

Once again, life imitates XKCD: Network.
1. Re:Life imitates XKCD by Kotoku · 2009-07-28 09:49 · Score: 1
  
  I wanted to post that but the botnets slowed the internet down. Clogged tubes.
  
  --
  AnimePapers.org: Anime Wallpapers Handled With Care
2. Re:Life imitates XKCD by The_mad_linguist · 2009-07-28 10:21 · Score: 4, Informative
  
  Well, given that XKCD was imitating an old hacker competition...
3. Re:Life imitates XKCD by dintlu · 2009-07-28 11:02 · Score: 3, Informative
  
  Goes to show that ideas are a dime a dozen.
  Implementing something like this is what makes the news.
4. Re:Life imitates XKCD by Anonymous Coward · 2009-07-28 11:35 · Score: 1, Interesting
  
  Which is why patents are stupid.
5. Re:Life imitates XKCD by Ambvai · 2009-07-28 12:20 · Score: 2, Interesting
  
  Is there any serious implementation of that XKCD comic, or even just in an imitation of what looks like computers fighting for control of a network?
6. Re:Life imitates XKCD by Anonymous Coward · 2009-07-28 15:16 · Score: 0, Offtopic
  
  Linux is the shit and anyone who abuses it is gays.
  Fixed that for you by adding 6 characters.
7. Re:Life imitates XKCD by Anonymous Coward · 2009-07-28 15:19 · Score: 0
  
  But don't you know? All that XKCD does is original and completely correct! You shall not dirty it's name heathen!
8. Re:Life imitates XKCD by Anonymous Coward · 2009-07-28 21:00 · Score: 0
  
  XBill?
I've got an easier way by iamapizza · 2009-07-28 09:47 · Score: 3, Insightful

what is in effect a vast digital petri dish able to hold one million operating systems at once in an effort to study the behavior of botnets
If they've set up this mini-internet and have set up this botnet, then the easiest way to understand its behavior would be to look at the source code

--
Always proofread carefully to see if you any words out.
1. Re:I've got an easier way by Anonymous Coward · 2009-07-28 09:51 · Score: 0
  
  Not that kind of behavior.
2. Re:I've got an easier way by Ant+P. · 2009-07-28 09:51 · Score: 2, Funny
  
  OK, here's seven hundred million lines of source code. Come back when you've solved the halting problem.
3. Re:I've got an easier way by leuk_he · 2009-07-28 09:57 · Score: 2, Informative
  
  The source code does not help you to imange what happens in peer to peer network with very large amounts of cleints that have a different kind of environment. Not to mention software that has bugs.
  BTW... who is the first to post to the xkcd comic about it normal people have aquaria
4. Re:I've got an easier way by dotgain · 2009-07-28 10:12 · Score: 2, Informative
  
  BTW... who is the first to post to the xkcd comic about it
  Uhh, the First Post?
5. Re:I've got an easier way by Sta7ic · 2009-07-28 10:19 · Score: 3, Insightful
  
  Just like the easiest way to understand how a dog works is to dissect them.
  In short, no. You can figure out how some of the parts work, but there's a lot within complex software that is non-deterministic, whether for internal, external, or thoroughly inadvertant reasons on either side. Just because you _think_ you know what it's doing doesn't mean it'll act the way you expect it to.
  Also, see http://xkcd.com/397/
6. Re:I've got an easier way by Gerzel · 2009-07-28 10:28 · Score: 1
  
  Exactly and biologists should only look at the DNA of animals to understand their behavior.
  Just because we know what the instructions are doesn't mean we can account for what will happen when those instructions actually meet any given environment. Even simple things like instructions for installing or using software should be tested on some users in order to see their pitfalls and problems.
7. Re:I've got an easier way by Vellmont · 2009-07-28 10:56 · Score: 1
  
  If it's unclear what the code does, run it in a debugger and control the inputs. Step through the code line by line. If the debugger doesn't do everything you want, write a better debugger.
  I have to agree that this seems like a silly idea. Comparing the complexity of a botnet program to a dog is silly. It also ignores the fact that code run in a debug environment can look at every single aspect of running code while it's running. A dog is obviously many many many orders of magnitude more complex.
  
  --
  AccountKiller
8. Re:I've got an easier way by caramelcarrot · 2009-07-28 11:27 · Score: 5, Insightful
  
  Simple rules can give rise to complex behaviour. Who knows what the botnet might do? It could have harmonic resonances, it could have phase changes at critical infection rates, it could do all sorts of interesting and complex behaviour. Looking at the source code won't tell you any of this.
9. Re:I've got an easier way by coreboot · 2009-07-28 11:53 · Score: 2, Insightful
  
  not really. Source code analysis goes just so far. Multiplied by 1M, it goes less far still. And then there's this little issue: http://en.wikipedia.org/wiki/Halting_problem
  ron
10. Re:I've got an easier way by Anonymous Coward · 2009-07-28 12:01 · Score: 0
  
  Sometimes having the code doesn't help you as much as you'd think: http://en.wikipedia.org/wiki/Busy_beaver
11. Re:I've got an easier way by Anonymous Coward · 2009-07-28 13:19 · Score: 0
  
  Source code tells you very little about emergent behavior.
12. Re:I've got an easier way by X0563511 · 2009-07-28 13:23 · Score: 1
  
  Just like the easiest way to understand human behavior is to look at our genetic code?
  Nope. It's not that simple at that level.
  
  --
  For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
13. Re:I've got an easier way by voidphoenix · 2009-07-28 13:34 · Score: 3, Insightful
  
  You can't study emergent behavior by studying source code. Even within one host, the interactions between malware, applications and every the piece of the OS would already have emergent properties. Magnify by tens of thousands to millions (exponentially, not additively or multiplicatively), and the sheer complexity of the entire system would overwhelm our ability to understand it.
  We have ~100 billion neurons and ~100 trillion synapses. At 2^N - N - 1 subgroups, how many pieces before the system's complexity outruns our brain's processing power? A network of 47 pieces has ~140 trillion subgroups. With several million pieces...
  
  --
  Excuse me, wtf r u doin?
14. Re:I've got an easier way by Vellmont · 2009-07-28 14:32 · Score: 2, Insightful
  
  Maybe. But why use ACTUAL botnets for this purpose and not study the underlying algorithms and infection behavior directly? That would give you the ability to generalize instead of relying on -botnet X, version z-
  If that's what you care about, study it. Why rely on botnet authors to code some arbitrary botnet spreading code when you can write your own and study various different scenarios at will?
  
  --
  AccountKiller
15. Re:I've got an easier way by swillden · 2009-07-28 15:58 · Score: 4, Insightful
  If it's unclear what the code does, run it in a debugger and control the inputs. Step through the code line by line. If the debugger doesn't do everything you want, write a better debugger.
  Is that right?
  Here, I'll describe a program so simple it can be coded in under 100 lines, and can be fully specified in a few sentences, then ask you a question about its behavior. It should be easy, right?
  There is a 100x100 grid of cells. Each cell is in one of two states "live" or "dead". Each cell has 8 neighbors, the cells horizontally, vertically and diagonally adjacent (the edges of the grid "wrap", so this is true even for edge cells). Each "generation", the state of the cells is updated according to the following rules:
  
  Any live cell with fewer than two live neighbours becomes dead.
  Any live cell with more than three live neighbours becomes dead.
  Any dead cell with exactly three live neighbours becomes live.
  All other cells remain unchanged.
  That's it. Now, given an initial state of the grid, tell me what the state is after 100, 500 and 1000 generations. Further, tell me whether or not any patterns of live cells will survive across across generations. Will patterns repeat? Can patterns move? Interact?
  Amazing complexity can arise from very simple rules. In this case (known as Conway's Game of Life, if you hadn't recognized it), the above rules contain enough power that if you make the grid infinite in size, the result is a Turing-complete computation system. In addition, the shifting patterns it creates are bewildering in their number, complexity and behavior.
  Now scale that up to thousands of lines of code. Granted, not code specifically chosen to create interesting interactions, but still 2-3 orders of magnitude more complex. Further, code that itself lives in and interacts with a complex and varied ecosystem of other code, some of which is trying to detect the code and kill it -- so the code is written to be self-modifying, to "mutate" a bit, after a fashion. Also add in the ability to migrate between "ecosystems", reproduce, receive deliberate external updates and instructions, etc.
  Simulation is the only way to get a handle on this sort of thing. And that's why the very smart people who designed and built the world's first million-machine simulator decided to do it.
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
16. Re:I've got an easier way by Opportunist · 2009-07-28 20:05 · Score: 1
  
  You have the source for this trojan? First, I'd pay well for it. Second, there are some guys that wanna talk with you.
  Even if you had the source (which isn't really that long, judging from its disassembly), it's like trying to figure out how two different classes play in an MMO from the values of their attacks. If it was easy, balancing would be trivial.
  Also, this "petri dish" allows you to test vaccines and remedies, and check how successful they are. With much better accuracy than a statistical "what if" game ever could.
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
17. Re:I've got an easier way by AliasMarlowe · 2009-07-28 20:20 · Score: 2, Funny
  
  OK, here's seven hundred million lines of source code. Come back when you've solved the halting problem.
  Power switch. Halts that sucker every time.
  
  --
  Those who can make you believe absurdities can make you commit atrocities. - Voltaire
18. Re:I've got an easier way by knarf · 2009-07-28 22:24 · Score: 1
  
  Just like the easiest way to understand how a dog works is to dissect them.
  If by dissecting the dog you got access to the 'source code' of the 'program' which runs the dog you might actually get a better idea of how a dog functions and *why* it does so. Alas, this is not possible - yet. Genetic information can be decoded quite easily nowadays but whatever goes on in the brain is still mostly a mystery.
  
  --
  --frank[at]unternet.org
19. Re:I've got an easier way by Ginger+Unicorn · 2009-07-28 23:10 · Score: 1
  
  I'm sure both approaches have valid benefits, and both approaches will be tried, even if not by this particular research group.
  
  --
  (1.21 gigawatts) / (88 miles per hour) = 30 757 874 newtons
20. Re:I've got an easier way by BaronElectricPhase · 2009-07-29 00:05 · Score: 1
  
  They will (hopefully) use both techniques...
  First to examine actual models, and then form and test theories with their own code.
  And the primary reason for creating such a thing, is to allow multiple botnets to battle it out. A simulated bot war of sorts. Who wins, and then determine why?
  A potentially (un)?/fortunate side effect is that better bots can/will be written. The ethical discussion of bots that *fix* computers needs to be re-opened... Do we write and deploy bots that perform "search and destroy" missions in order to *increase* security?
  I am in favor of such a bot war (presuming the good guys win) , though I am sure that it would lead to a crippling escalation of traffic as the battle(s) rage. I am sure my router will get quite busy once ideas from this project make it into the wild.
  And who do we trust? Who/what decides which "repair bot" to release? Should the open source community start a repair bot project?
  (preparing for total autonomous/un-attended cyber-warfare)
  (time to install that Quad-core)
21. Re:I've got an easier way by Anonymous Coward · 2009-07-29 00:56 · Score: 0
  
  If that's what you care about, study it. Why rely on botnet authors to code some arbitrary botnet spreading code when you can write your own and study various different scenarios at will?
  Because the authors of botnet agents aren't using nifty-keen-like-wow academic algorithms that people have based their dissertations on, they're using fuck-it-x+=(rand(23)) propagation algorithms. If you want to have a hope in hell of stopping what's out there, study what's out there and not what you coerced your grad students into whipping up for you.
22. Re:I've got an easier way by mikael · 2009-07-29 03:06 · Score: 1
  
  If they've set up this mini-internet and have set up this botnet, then the easiest way to understand its behavior would be to look at the source code
  By that logic, by dissecting a single neuron you would be able to understand how a human brain works. Unfortunately, human brains have a wide number of different neurons, each of which serve a separate purpose. While the DNA may contain the instructions to build a brain, it's not possible to deduce what the final layout will be.
  Similarly, in a botnet, each host will have a seperate purpose, some machines will be dedicated to sending spam, or ping packets, while other machines will be command and control centers which communicate directly with the attacker. Command instructions will be encrypted and some botnets actually randomly change command and control centers to avoid detection. The only way to see the final layout is to run a full network simulation.
  
  --
  Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
23. Re:I've got an easier way by lomedhi · 2009-07-30 04:05 · Score: 1
  
  If that's what you care about, study it. Why rely on botnet authors to code some arbitrary botnet spreading code when you can write your own and study various different scenarios at will?
  First, the obvious: why would you design and study a proxy when you have full access to the real thing, isolated where it can do no harm? But there's more to it than that.
  The whole point is to study what real botnets do; to discover the large-scale emergent behaviour that cannot be predicted by looking at the code. I think you're still having trouble accepting that it might not be possible to fully predict behaviour by examining an algorithm, but I'm not here to educate you in logic and math; it's true whether you accept it or not. How can you design a proxy algorithm that will exhibit the same emergent behaviour as some other algorithm, without knowing in advance what that behaviour is, let alone understanding how it arises? It's impossible by definition.
  
  --
  Did you say "insightful" or "inciteful"?
First Findings! by CorporateSuit · 2009-07-28 09:48 · Score: 2, Funny

The first thing the researchers noticed is that within 30 minutes, the botnet had sent over 6 billion emails out of newly-registered gmail and hotmail accounts, and continued to send millions more each hour. The researchers say the botnet thrives on pain and misery, and probably shouldn't have been given access to the real internet.

--
I am the richest astronaut ever to win the superbowl.
1. Re:First Findings! by maxume · 2009-07-28 11:45 · Score: 1
  
  When I first glanced at the headline, I wondered if they were running it on top of a botnet.
  It would have a nice poetry to it.
  
  --
  Nerd rage is the funniest rage.
They can't afford an MSDN subscription? by n0tWorthy · 2009-07-28 09:49 · Score: 3, Funny

Then they can run 1 million copies without a subscription.

--
"Be kind, for everyone you meet is facing a great battle." - Philo of Alexandria -
1. Re:They can't afford an MSDN subscription? by Anonymous Coward · 2009-07-28 09:59 · Score: 0
  
  Yes, but their time has value too.
2. Re:They can't afford an MSDN subscription? by Anonymous Coward · 2009-07-28 15:09 · Score: 3, Informative
  
  Someone marked this as 'funny' but it is true. Read the license it is per user... If your creating a cluster with THOUSANDS of nodes and testing things you are perfectly within your rights to do this. You can even get most of the different versions of the OS going. 98, 98se, 95 (shudder), ME (double shudder), NT4, 2k, XP, Vista, 7, etc... Putting different versions at different patch levels etc...
  http://msdn.microsoft.com/en-us/subscriptions/cc150618.aspx
  They lost me at Wine. As that would not truly create the environment they are trying to describe.
  I have had up to 100 desktops all going from 10 msdn licenses (10 users). With different levels of the OS to test install and different configurations. They probably dont even need a very high level of it.
3. Re:They can't afford an MSDN subscription? by Fred_A · 2009-07-28 23:15 · Score: 1
  
  They lost me at Wine. As that would not truly create the environment they are trying to describe.
  I have had up to 100 desktops all going from 10 msdn licenses (10 users). With different levels of the OS to test install and different configurations. They probably dont even need a very high level of it.
  You're looking at this at the wrong level. They're interested in what the botnets do, not in what the hosts do. What runs the botnet software is irrelevant as long as it runs it.
  
  --
  
  May contain traces of nut.
  Made from the freshest electrons.
4. Re:They can't afford an MSDN subscription? by sjames · 2009-07-29 00:25 · Score: 1
  
  Just imagine all the clicking to set up and manage 1 million Windows environments. No mouse can stand up to that. Imagine all the bandwidth 1 million copies of windows phoning home would burn up.
Is that really a windows environment? by damn_registrars · 2009-07-28 09:50 · Score: 5, Interesting

I understand not wanting to buy 1M windows licenses; I am of the persuasion that is not inclined to buy 1 license.

However, the summary seems to claim that Wine == Windows environment. I don't see how they are analogous in this sense. In particular, if you are trying to understand botnet behavior, you need infected botnet systems. Is there a way to make Wine vulnerable to the infections that frequently hit Windows systems?

--
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
1. Re:Is that really a windows environment? by geegel · 2009-07-28 09:54 · Score: 2, Insightful
  
  Welcome to the world of open source software. The place where you can modify the code in any way you want.
  
  --
  right...
2. Re:Is that really a windows environment? by damn_registrars · 2009-07-28 10:01 · Score: 1
  
  Welcome to the world of open source software. The place where you can modify the code in any way you want.
  Though Wine is just an API, AFAIK. It would seem that you would need to modify it extensively to actually have it truly behave like Windows. And I suspect not all botnet infections exploit the same Windows flaws, so wouldn't the total number of vulnerabilities to implement into Wine to reach the same level of vulnerability be rather substantial?
  
  --
  Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
3. Re:Is that really a windows environment? by mcrbids · 2009-07-28 10:02 · Score: 5, Insightful
  
  I don't see how they are analogous in this sense. In particular, if you are trying to understand botnet behavior, you need infected botnet systems. Is there a way to make Wine vulnerable to the infections that frequently hit Windows systems?
  WINE is an implementation of the Win32 API. Since the *target* of WINE is to emulate Windows, then in order to be successful, it must implement the bugs as well. So the better WINE is, the better it runs *ALL* Windows software - including the viruses and malware!
  I would assume (ass + u + me) that they've done enough unit testing on the particular botnet software in question to determine its compatibility with WINE, and so long as this compatibility is sufficient, then this could be a very useful test environment. It's the botnet being studied, not Windows itself!
  Another example: Windows 2000. I build data management software. I test with Windows 2000. Not because Win2000 is an example of the latest greatest from MS, but because it costs me nothing extra and runs nicely in a VM. Since the only O/S features I care about are those that are already present in Win2000, it creates a very useful test environment despite lacking many pieces present in later OS versions.
  
  --
  I have no problem with your religion until you decide it's reason to deprive others of the truth.
4. Re:Is that really a windows environment? by EdIII · 2009-07-28 10:07 · Score: 2, Insightful
  
  I understand not wanting to buy 1M windows licenses; I am of the persuasion that is not inclined to buy 1 license.
  However, the summary seems to claim that Wine == Windows environment. I don't see how they are analogous in this sense. In particular, if you are trying to understand botnet behavior, you need infected botnet systems. Is there a way to make Wine vulnerable to the infections that frequently hit Windows systems?
  Yeah, I call bullshit that on too. If you want to study botnet behavior, which includes studying malware and viruses, then it should be a "real" Microsoft OS. I don't think WINE counts.
  I am not the biggest fan of ol' M$, but considering how interesting this research is and it's possible positive impact on the greater community (which does benefit Microsoft) you would think they would at least ask Microsoft for some licenses gratis.
  Microsoft would probably be reasonable, if just for the good PR, which they sorely and always need.
5. Re:Is that really a windows environment? by Anonymous Coward · 2009-07-28 10:08 · Score: 1, Interesting
  
  Modifying Wine to emulate a Windows machine which is vulnerable to viruses does not result in a Windows machine. You still just have Linux running Wine. The very idea behind these tests is already critically flawed.
  A previous poster already got it right. The researchers should just buy a MSDN Universal license and legally run 1M instances of actual Windows. Otherwise, their findings will have little to no real value (IMO).
6. Re:Is that really a windows environment? by ammorais · 2009-07-28 10:13 · Score: 1
  
  The objective is to study botnet behavior and propagation on Windows environments on large scale.
  They don't need everything to work on WINE. They just need the some specific software like the botnets they use to behave and propagate exactly like in windows.
  And that can be easily achieved.
7. Re:Is that really a windows environment? by Anonymous Coward · 2009-07-28 10:15 · Score: 1, Insightful
  
  Hell, they should have just called Microsoft, said "we'd like to do this research" and gotten a license to do things that way.
8. Re:Is that really a windows environment? by Anonymous Coward · 2009-07-28 10:16 · Score: 4, Insightful
  
  I can't possibly imagine how a simulation of millions of instances of your software infecting itself would be good PR.
9. Re:Is that really a windows environment? by Anonymous Coward · 2009-07-28 10:18 · Score: 2, Funny
  
  I understand not wanting to buy 1M windows licenses; I am of the persuasion that is not inclined to buy 1 license.
  However, the summary seems to claim that Wine == Windows environment. I don't see how they are analogous in this sense. In particular, if you are trying to understand botnet behavior, you need infected botnet systems. Is there a way to make Wine vulnerable to the infections that frequently hit Windows systems?
  Yeah, I call bullshit that on too. If you want to study botnet behavior, which includes studying malware and viruses, then it should be a "real" Microsoft OS. I don't think WINE counts.
  I am not the biggest fan of ol' M$, but considering how interesting this research is and it's possible positive impact on the greater community (which does benefit Microsoft) you would think they would at least ask Microsoft for some licenses gratis.
  Microsoft would probably be reasonable, if just for the good PR, which they sorely and always need.
  True... But if they did use *real* windows instead of Wine, then the supercomputer could only virtualise a few hundred copies of Windows XP running simultaneously, or 2-3 copies if it's Vista. :E
10. Re:Is that really a windows environment? by MaskedSlacker · 2009-07-28 10:18 · Score: 4, Informative
  
  I think you're misunderstanding what they are doing. They are not studying in-the-wild worms. They are trying to build theoretical models of botnets and how they propagate through networks--this is the equivalent of computer simulations of viral epidemics. You don't need to simulate what the virus does in a person to study how it spreads through a population.
11. Re:Is that really a windows environment? by eclectro · 2009-07-28 10:20 · Score: 1
  
  Microsoft would probably be reasonable, if just for the good PR, which they sorely and always need.
  Hey guess what everyone?? There's millions of our OS infected with viruses because we have never been able to fix the code!
  
  --
  Take the cheese to sickbay, the doctor should see it as soon as possible - B'Elanna Torres, "Learning Curve"
12. Re:Is that really a windows environment? by geegel · 2009-07-28 10:24 · Score: 1
  
  Actually it would be plain more easier to just code their own virii and botnets, while modifying Wine slightly to make sure that the virtual computers get infected and the infection vector works.
  They are not interested in how a certain virtual computer behaves like after all, but rather on how the mini-internet looks like as a result of these infections.
  
  --
  right...
13. Re:Is that really a windows environment? by geegel · 2009-07-28 10:30 · Score: 1
  
  Flawed yes, critically flawed... I don't think so.
  By having the power to control the infection vectors (by having different flavors of Wine designed with different vulnerabilities) you have a much better insight on how dangerous these vectors are.
  Wine is simply the perfect lab rat, not quite the same as a human, but much better suited for scientific studies
  
  --
  right...
14. Re:Is that really a windows environment? by amicusNYCL · 2009-07-28 10:31 · Score: 2, Insightful
  
  Since this is a closed environment for a scientific study, it would make sense for them to use viruses which spread via exploits that they know are present.
  
  --
  "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
15. Re:Is that really a windows environment? by CarpetShark · 2009-07-28 10:31 · Score: 1, Funny
  
  I would assume (ass + u + me)...
  ASL?
16. Re:Is that really a windows environment? by amicusNYCL · 2009-07-28 10:34 · Score: 3, Insightful
  
  The research isn't to determine how Windows reacts to a botnet. They're trying to figure out how the botnet itself communicates and spreads. Or, more specifically, what the botnet looks like as it is spreading. Windows is just the platform that they're running the botnet on (sort of), but they don't really care how Windows reacts to it.
  In other words, they're studying the botnet itself, not the infrastructure it runs on.
  
  --
  "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
17. Re:Is that really a windows environment? by vux984 · 2009-07-28 11:18 · Score: 2, Interesting
  
  I think you're misunderstanding what they are doing.
  I think you are correct. However, that raises the question: why use WINE?
  Since they aren't relying on 'real in the wild exploits' they could model botnets and how they proagate through networks on linux or freebsd just as easily. Its really just specialized p2p and client server software to simulate botnet behaviour and spread.
18. Re:Is that really a windows environment? by UncleTogie · 2009-07-28 12:55 · Score: 1
  
  Since this is a closed environment for a scientific study, it would make sense for them to use viruses which spread via exploits that they know are present.
  Captain Obvious here... If they create the exploits and viruses themselves, they might have a pretty good idea of the infection vectors. It doesn't have to be what's in the wild now. Even better that it NOT be; after all, Robert Morris didn't expect his worm to replicate as far as it did, either...
  
  --
  Don't tell me to get a life. I'm a gamer; I have LOTS of lives!
19. Re:Is that really a windows environment? by Wesley+Felter · 2009-07-28 13:03 · Score: 1
  
  In that case, why use Wine at all? Why not just write a pure Linux botnet?
20. Re:Is that really a windows environment? by theskipper · 2009-07-28 13:04 · Score: 1
  
  I respectfully disagree...have you read any Microsoft TCO papers?
  Reading them is like watching David Copperfield make a pyramid disappear.
21. Re:Is that really a windows environment? by Antique+Geekmeister · 2009-07-28 13:05 · Score: 2, Informative
  
  WINE is far less resource intensive, and typically runs far faster, than fully virtualized simulation software, especially because it leaves out the basically rewritten-VMS kernel and memory management of the Windows kernel in favor of Linux's own pretty zippy kernel. And the cost of buying and running a million actual Windows boxes to avoid the performance penalties of virtualization is simply infeasible.
22. Re:Is that really a windows environment? by Brian+Gordon · 2009-07-28 13:06 · Score: 1
  
  You wouldn't expect to pay for a million licenses, but then you wouldn't expect to pay for any additional licenses ....
23. Re:Is that really a windows environment? by Brian+Gordon · 2009-07-28 13:10 · Score: 1
  
  Probably about how encouraging every user to use a tool that publicly admits to security flaws is good PR. Customers like to hear that the software they buy is being secured by ongoing research.
24. Re:Is that really a windows environment? by Brian+Gordon · 2009-07-28 13:12 · Score: 1
  
  Hey guess what everyone?? We just rented a 4,480-processor supercomputer and set up a fascinating experiment in an attempt to better understand how we can secure our software. Look at all the money we're pouring into making our products better!
25. Re:Is that really a windows environment? by Zantetsuken · 2009-07-28 13:13 · Score: 1
  
  So they can come up with study results that say "The vast majority of Windows boxen out there are horribly misconfigured and using out of the box defaults, making Windows one of the most insecure OS's in the world." I don't think there are enough chairs for Ballmer to throw when he sees those results...
26. Re:Is that really a windows environment? by LeinadSpoon · 2009-07-28 13:16 · Score: 1
  
  Wasn't there an article posted a while back about trying to get windows viruses to infect a linux box with wine, and it didn't work too well?
27. Re:Is that really a windows environment? by Tubal-Cain · 2009-07-28 13:21 · Score: 1
  
  ASL?
  What about it?
28. Re:Is that really a windows environment? by X0563511 · 2009-07-28 13:28 · Score: 1
  
  When why bother with Wine at all? Isn't that just an added layer of complexity?
  
  --
  For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
29. Re:Is that really a windows environment? by Anonymous Coward · 2009-07-28 13:43 · Score: 0
  
  And disinfecting 370,500 win machines is not a trivial task
  (My estimate of the rate of Botnet infection, derived from looking at my own Pubes after a trip to Botswana)
30. Re:Is that really a windows environment? by cenc · 2009-07-28 13:48 · Score: 1
  
  They are studying the net more than the bot. It is just simpler to create a super cheap net of bots on wine, then I am sure they have just for fun tossed in a couple virgin copies of windows to keep them fed and find out if they differ much from the wine versions. Bots are extreamly simple animals in isolation. It is the colective that gives them balls.
  
  --
  Living in Chile
31. Re:Is that really a windows environment? by rm999 · 2009-07-28 13:59 · Score: 1
  
  "Since the *target* of WINE is to emulate Windows"
  I hope I'm not missing your point, but WINE stands for "WINE Is Not an Emulator". It's a compatibility layer, and I'm sure it wouldn't keep any bugs that exist in Windows. Code that is required to run legitimate software is not a bug.
32. Re:Is that really a windows environment? by MaskedSlacker · 2009-07-28 14:17 · Score: 1
  
  And the cost of buying and running a million actual Windows boxes to avoid the performance penalties of virtualization is simply infeasible.
  Damn the cost man, where in the hell would you put them?
33. Re:Is that really a windows environment? by hairyfeet · 2009-07-28 14:36 · Score: 3, Insightful
  
  As an old greybeard PC repairman I can tell you that Windows bugs are screwing around with the guts of Windows more than any tweaked Wine could ever replicate. I don't see why they wouldn't just pony up for MSDN where they could then run all the real Windows versions they wanted and then get more realistic results. This seems like they are going pretty far out of their way to keep from spending a buck, when the cost of that monster PC makes being so "penny wise, pound foolish" seem extra crazy to me.
  But IMHO you aren't gonna see how a real botnet works without running real unpatched Windows boxes. I used to keep a box here in the shop for dropping bugs on to find the best ways to clean them (before cleaning got to be pointless) and the amount of crap some of these bugs were screwing with was just mind blowing, we are talking fake .tmp files, stuff hidden in places like program files/ windows media player, a couple that would even rip out different windows system files and replace them with their own hacked versions, just really crazy stuff. But since Wine is primarily a very tiny subset of the Windows susbsystem I really don't see how they are gonna get any real results from this.
  If it was just some guys playing in their basement I would think "okay...maybe cool" but spending the amount they did on that "Bigtux" makes it just nuts not to buy an MSDN and run a real simulation. I feel this is a moment where we need the late Graham Chapman to come out in his military uniform and tutu and demand that they cease and desist for being just too silly, because spending all that cash to study Windows botnet behavior and then cheaping out on a ...what? $600 MSDN license? It is just too silly.
  
  --
  ACs don't waste your time replying, your posts are never seen by me.
34. Re:Is that really a windows environment? by Antique+Geekmeister · 2009-07-28 15:58 · Score: 3, Funny
  
  Lease time on one of the larger botnets?
35. Re:Is that really a windows environment? by Anonymous Coward · 2009-07-28 16:06 · Score: 0
  
  Because there are no linux botnets.
36. Re:Is that really a windows environment? by Anonymous Coward · 2009-07-28 18:29 · Score: 0
  
  In other words, they're studying the botnet itself, not the infrastructure it runs on.
  Then why wouldn't they just run the botnet on linux? It would certainly be faster and require less resources, than using WINE on top of that.
37. Re:Is that really a windows environment? by Anonymous Coward · 2009-07-28 18:53 · Score: 0
  
  In other words, they're studying the botnet itself, not the infrastructure it runs on.
  Then, why aren't they just running it on linux? It would certainly need less resources than using WINE on top of that.
38. Re:Is that really a windows environment? by shervinemami · 2009-07-28 18:54 · Score: 1
  
  that raises the question: why use WINE?
  Maybe they don't know how to use Linux so they use WINE instead. A lot of academics use Windows because they don't want to spend time learning Linux, even if it suits them much more than Windows does. I've worked in 3 robotics labs now that run Windows XP on robots because the academics don't want to learn Linux!
39. Re:Is that really a windows environment? by sFurbo · 2009-07-28 19:16 · Score: 1
  
  But couldn't you say it emulates windows, just not in the specific sense "emulator" indicates?
  
  To copy or imitate, especially a person; of a program or device to imitate another program or device
  So, wouldn't the case be, at WINE functionally is an emulator, but technically, it isn't?
  
  That kind of semantics quickly gets really hairy, and english is not my primary language, so I might be wrong...
40. Re:Is that really a windows environment? by Opportunist · 2009-07-28 20:30 · Score: 1
  
  I was wondering the very same, and I don't think it's a good idea to use this machine for exploits that use a security problem in a part of the Windows OS, but in this special case the exploit relies on third party software (in this case, flash) which can be installed in Wine just like it would be in Windows, thus making the use of Wine possible. Despite being from Adobe and Adobe products being notorious for not behaving nicely under Wine.
  (seriously, when it's easier to run MS-Office on Wine, a product where it would be quite possible that they use undocumented and esotheric calls, than it is to run Photoshop, you know that it is not the system but the software that didn't do its homework correctly...)
  Wine also allows you to use Windows DLLs in place of its built-in DLLs (unfortunately not for the ones that are the most exploited ones), though I'd run that through legal first to see whether the use of a native Windows DLL is possible without a license.
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
41. Re:Is that really a windows environment? by Opportunist · 2009-07-28 20:35 · Score: 1
  
  Only in this case, it makes lots of money disappear.
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
42. Re:Is that really a windows environment? by Opportunist · 2009-07-28 20:40 · Score: 1
  
  Hey, that's great! What did you find?
  Well... that it takes nanoseconds to infect our system.
  Oh... and what are you doing against it?
  Umm... beats me...
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
43. Re:Is that really a windows environment? by CarpetShark · 2009-07-28 21:32 · Score: 1
  
  Actually, many of the things that make windows incompatible (Microsoft's embrace and extend) are bugs of one kind or another. For instance, often, websites written to work with IE's bugs don't work on functioning browsers that don't have those bugs. I think there are similar issues with kerberos, etc. So WINE does have to implement some buggy things exactly as they are on windows. Obviously, especially with security bugs, it tries to make things work without the bugs, or at least without them affecting the host machine. However, bugs are implemented.
44. Re:Is that really a windows environment? by LiquidCoooled · 2009-07-28 23:28 · Score: 1
  
  yet.
  
  --
  liqbase :: faster than paper
45. Re:Is that really a windows environment? by rm999 · 2009-07-29 05:24 · Score: 1
  
  You are talking about IE, I am talking about the Windows kernel and core dlls. Yes, IE is a buggy POS, but the Windows NT kernel is extremely mature, and any bugs in it would only hinder applications.
  I'm sure the researchers will be running some buggy versions of IE 6, but my comment was about WINE specifically.
Wine? by Facegarden · 2009-07-28 09:52 · Score: 4, Insightful

I understand using WINE to avoid license fees, but wouldn't that potentially hinder the results of the experiment? I suppose that if they knew what functionality was needed by the botnet, they could be sure WINE provided what they needed, but it also seems like they might be able to work out a deal with MS to get a free site license for use in this test only, since it betters the computing world in general, which ultimately benefits microsoft?
Seems like a few phone calls might go a long way, if they get a hold of the right people.
-Taylor

--
Worldwide Military budgets: $2100 billion. Worldwide Space Exploration budgets: $38 billion. Really, world? Really?
1. Re:Wine? by Shikaku · 2009-07-28 09:53 · Score: 1
  
  Wine can get Windows viruses.
2. Re:Wine? by gad_zuki! · 2009-07-28 10:00 · Score: 1
  
  Yes, but which ones? Trojans just set to run in userspace? Is this any different than just running a million .exe's and not really infecting anyone or emulating a real infection vector?
  I dont see how, say, conficker would infect these machines. The RPC exploit doesnt exist in wine.
3. Re:Wine? by Darkness404 · 2009-07-28 10:09 · Score: 1
  
  ...Except for that they basically would have to say "Hey MS, your code is broken, so broken that we need free licenses in order to show the world how broken it is". While it is a great idea and would benefit them, all MS can see is bad press, and they want to avoid that.
  
  --
  Taxation is legalized theft, no more, no less.
4. Re:Wine? by Anonymous Coward · 2009-07-28 10:11 · Score: 0
  
  The Wine project is actively working to support some of the more popular malware commonly found in the Windows environment - like IE.
5. Re:Wine? by Facegarden · 2009-07-28 10:18 · Score: 2, Informative
  
  ...Except for that they basically would have to say "Hey MS, your code is broken, so broken that we need free licenses in order to show the world how broken it is". While it is a great idea and would benefit them, all MS can see is bad press, and they want to avoid that.
  I'm pretty sure that the notion of windows being susceptible to malware and viruses is probably something Microsoft has come to terms with, i really can't imagine anyone getting terribly upset. Viruses exist, someone wants to do some research, it shouldn't be that offensive of an idea.
  -Taylor
  
  --
  Worldwide Military budgets: $2100 billion. Worldwide Space Exploration budgets: $38 billion. Really, world? Really?
6. Re:Wine? by bertoelcon · 2009-07-28 10:28 · Score: 1
  
  I thought MS used the "any press is good press" thinking, or is that just limited to Apple, music, and movies.
  
  --
  Anything can be found funny, from a certain point of view.
7. Re:Wine? by andydread · 2009-07-28 10:43 · Score: 1
  
  No it will not hinder the results. The goal of the project is not to evaluate the security of said 1million operating systems. The goal is to get the 1 million systems to be functional enough so as to be able to run a functional contained botnet. Basically u want the lowest common denominator (security-wise) as the base for all systems so as to easily infect them. The problem with WINE is that there is some code to mitigate SOME worm infections that would otherwise infect Windows. So they would have to remove this bit of code to make it easy to infect it. Also some worms do not run in wine as it is so they would have to massage it there too. Basically all they need is to have the 1million systems easily infected and compatible enough to run the code they need to run.
8. Re:Wine? by purpledinoz · 2009-07-28 19:30 · Score: 1
  
  Scientist: "I would like to buy 1 million Windows XP licenses for my botnet research."
  MS: "That would be 300 Million dollars please. Muahahaha!"
Imagine... by Anonymous Coward · 2009-07-28 09:54 · Score: 0

a beowul... Oh, a butterfly!
Sounds like Software by Rudy Rucker by Numbah+One · 2009-07-28 09:54 · Score: 0, Offtopic

in the book, AI evolves as competing programs in a computing environment through natural selection. it was a pretty good book published in the 80's. the robots wind up on the moon (i don't remember how they got there in the first place) and eventually overthrow the humans there. here's an Amazon link http://www.amazon.com/Software-Rudy-Rucker/dp/0380701774/
WINE by Phroggy · 2009-07-28 09:55 · Score: 2, Insightful

Can a botnet run on WINE with 100% compatibility? Doesn't malware often use exactly the same kinds of tricks that WINE doesn't fully implement? This might not create an accurate picture.
Also, are they simulating network latency between nodes? Many bots take this into account.

--
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
1. Re:WINE by monopole · 2009-07-28 10:20 · Score: 5, Funny
  
  I hope Microsoft issues a statement that only Genuine Windows software can fully support viruses and malware in an effective fashion.
2. Re:WINE by Eighty7 · 2009-07-28 11:03 · Score: 5, Funny
  
  In other news, Miguel de Icaza said that he believes botnet support is a good idea. Linux should support malware because Microsoft is going to win anyway, so linux would better be prepared if it doesn't want to be locked out of the future markets, and presented a beta version of the software. Members of the Mono project are participating in the standarization.
3. Re:WINE by Anonymous Coward · 2009-07-28 11:23 · Score: 0
  
  Nicholas Negroponte agrees too.
4. Re:WINE by benjonson · 2009-07-28 11:47 · Score: 1
  
  I hope Microsoft issues a statement that only Genuine Windows software can fully support viruses and malware in an effective fashion.
  Actually, that is true. It is an undocumented feature.
  
  --
  =-+
5. Re:WINE by Lehk228 · 2009-07-28 12:44 · Score: 1
  
  if they are testing botnet behavior, they can do so while fudging the details of infection.
  
  --
  Snowden and Manning are heroes.
But -- how can you infect it? by Nefarious+Wheel · 2009-07-28 09:56 · Score: 3, Funny

My first thought meme was "Yes, but does it run Linux?" ("Megatux". Duh.) Then I thought - hang on, how can you develop a botnet that runs on Linux in the first place? And if you did, how would it reflect the nature of real botnets if those millions of operating systems weren't running NT4 or variants?
Then it got surreal - I imagined all those bots emulating the game of life , with little dots flashing on and off, and little gliders and factories...
Ok, I'll go back to work now.

--
Do not mock my vision of impractical footwear
1. Re:But -- how can you infect it? by dotgain · 2009-07-28 11:06 · Score: 1
  
  Ok, I'll go back to work now
  Hundreds of use would *love* to know what that is now :)
14 comments so far by zmollusc · 2009-07-28 10:00 · Score: 2, Funny

and nobody yet has imagined a beowulf cluster of these? Standards are slipping!

--
They whose government reduces their essential liberties for temporary security, receive neither liberty nor security.
Wine for viruses? by Tubal-Cain · 2009-07-28 10:00 · Score: 2, Funny

Wine's come a long way in the past 4 years if it can run viruses now!
A few notes from Ron Minnich by coreboot · 2009-07-28 10:13 · Score: 5, Informative

Hi, Ron here. Just thought I would mention a few things.
I love the "life imitates xkcd" aspect. :-)
We're well aware that Wine is not quite enough to run many windows bots. Until a year or so ago, however, there was a researcher in North Carolina running Storm under Wine, but he told me that that effort ended when Storm added a kernel driver. We've got some ideas in that area. We expect that implementing them will cost less than 1 million Vista licenses.
I was surprised to find I have become a cybersecurity expert! What I really am is an HPC expert who is using HPC tools and resources to build a system for studying cybersecurity phenomena on a millions-of-nodes scale.
Doing anything with a million of something gets interesting fast. There's a lot of interesting challenges.
Thanks
ron
1. Re:A few notes from Ron Minnich by PCM2 · 2009-07-28 10:34 · Score: 3, Interesting
  
  Well Ron, since you're here, I'm curious whether you had in fact tried to approach Microsoft for a free site license. You could explain to them that you're doing security research in a unique environment and that you'd be willing to share your results with them, etc. I could even imagine a distorted PR spin where the fact that all this major security research is being done on Windows shows that Windows is clearly the dominant operating system, blah blah...
  Or if Microsoft doesn't see the value of the kind of information your research could yield, maybe someone like Symantec would be willing to buy a license and donate it to you (if that's even possible, given EULAs etc.)?
  
  --
  Breakfast served all day!
2. Re:A few notes from Ron Minnich by amicusNYCL · 2009-07-28 10:39 · Score: 1
  
  Do you really think it would be easier to set up (and periodically reinstall) a million copies of Windows vs. telling Linux to virtualize a million instances? I mean, it would be nice to run on the real deal but there are practical issues to consider.
  
  --
  "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
3. Re:A few notes from Ron Minnich by Anonymous Coward · 2009-07-28 10:50 · Score: 1, Informative
  
  MSFT licensing in the big leagues is almost an honor policy sort of thing.
  There are ways for them to set up a single in-house activation server that doles out 1,000,000 activations, for example. It's what I would do.
  Or they could run every license as an evaluation copy for the 30 days, they could script something to re-arm the licensing to run it up to 180 days. (This is possible on all copies of Windows.)
  On top of that, as a research project they may be able to partner with Microsoft and not pay anything at all for 1,000,000 legit licenses for use in this project. Heck, Microsoft might want to help so they can fix some of these issues.
4. Re:A few notes from Ron Minnich by Anonymous Coward · 2009-07-28 10:51 · Score: 0
  
  Neat. LUK[1] has gotten pretty usable I hear. You might want to consider that. It's Wine after all, but a whole lot shinier than Wine. Good Luck.
  [1] http://en.wikipedia.org/wiki/Linux_Unified_Kernel
5. Re:A few notes from Ron Minnich by Anonymous Coward · 2009-07-28 11:10 · Score: 0
  
  You do realize that Windows is virtualizable, too, right?
6. Re:A few notes from Ron Minnich by coreboot · 2009-07-28 11:38 · Score: 5, Informative
  
  We will probably approach MS at some point, if it appears to be necessary, and see if they are interested. I do have friends there who might be interested in what we're doing.
  The biggest limit we've found on the VM side is memory footprint of the VM guests, and it's very easy to control that with Linux; harder with Windows. We have some ideas in that area too, but it's way too early to speculate on them.
  But from my point of view, it is a lot easier to do this kind of work in Linux than in Windows (I have done NT drivers in a past life), not least because of the openness of the environment. Hence, I'd rather try to find a way to make it all work on Linux.
  Consider this work the beginning of the story; it's not even chapter 1, maybe it's the preface. There's a lot of work left to do. There's a lot we still don't know.
  thanks
  ron
7. Re:A few notes from Ron Minnich by Mr+44 · 2009-07-28 12:04 · Score: 0, Troll
  
  We expect that implementing them will cost less than 1 million Vista licenses
  Do you not understand that under no sane circumstance would you ever be responsible for purchasing 1 million licenses? Volume or MSDN licensing would cover your situation quite handily. Repeating the above sentiment (esp with no smiley) just makes you sound ignorant.
  If you want your results to be meaningful, you're going to need to figure out how to get some actual windows VM's into your mix.
8. Re:A few notes from Ron Minnich by PCM2 · 2009-07-28 13:35 · Score: 2, Informative
  
  Do you really think it would be easier to set up (and periodically reinstall) a million copies of Windows vs. telling Linux to virtualize a million instances?
  I'm assuming they would do both. If they didn't have to individually license each Windows instance, it would be trivial to clone a million virtualized instances of a fresh Windows install. (I'm sure he's right that this would make resource management more difficult/costly than using WINE, however.)
  
  --
  Breakfast served all day!
9. Re:A few notes from Ron Minnich by Anonymous Coward · 2009-07-28 17:38 · Score: 0
  
  Other mods please follow suit and mod this 'underrated'? If I ever saw a post that deserves "+5 Troll"...
10. Re:A few notes from Ron Minnich by Anonymous Coward · 2009-07-29 00:02 · Score: 0
  
  it would be trivial to clone a million virtualized instances of a fresh Windows install.
  I fucking doubt it. Anyone who's worked with more than a few (100+) virtualised instances of linux vs windows know just how big the difference is.
11. Re:A few notes from Ron Minnich by Anonymous Coward · 2009-07-29 04:17 · Score: 0
  
  It would be interesting to see what Bogon addressing and sinkhole routing of traffic would provide to mitigate the "outbreaks" in this environment.
Don't want to be there... by Anonymous Coward · 2009-07-28 10:17 · Score: 0

... when this entity become sentient.
1. Re:Don't want to be there... by node+3 · 2009-07-28 11:19 · Score: 1
  
  ... when this entity become sentient.
  Sentience implies some minimal level of rationality. They're emulating the *Internet*, so I really wouldn't worry.
I would guess it wouldnt' be a problem at all by Sycraft-fu · 2009-07-28 10:33 · Score: 5, Interesting

I work for a university and MS is extremely generous with academic licensing. When it is for academics, like education or research, it is actually no cost. For infrastructure it does cost, but not very much. I bet if they asked MS, MS would give them all the licenses they needed for little or no cost.
For that matter, they might be eligible for volume licensing. That is where you pay a fixed yearly fee and get an unlimited use of the software it is for. Often that is based on total academic headcount, which might not be very much.
Regardless, if they asked I'd give good odds MS would figure out a way to offer them a good deal.
I'm also with you that if you want to study something, you need to run it on the actual environment. Wine is a neat idea and a neat goal, but anyone who has made use of it for more than simple testing well tell you that it has some serious issues. Not only do things not run, worse is that they'll run but not completely correct. For a user this might be fine, something works in a bit of an unexpected way, you just work around it. For research though, it could mean your conclusion is invalid.
Inoculate them by wsanders · 2009-07-28 10:34 · Score: 1

Just send the username, password, and IP address of a few of the virtual machines to Nigeria or somewheres, and let the fun begin.
Besides, the idea to not really to view the infections, it's probably to monitor how the botnets behave as a horde, and deduce who controls it and what their objectives are. That's nearly impossible from observice just a few machines.

--
Give a man a fish and you have fed him for today. Teach a man to fish, and he'll say "WHERE'S MY FISH, YOU IDIOT?"
1. Re:Inoculate them by Anonymous Coward · 2009-07-28 16:15 · Score: 0
  
  botnet operator: "we just acquired 1 million new machines to our net! wait... they're all running the exact same specs, and none of these computers have personal data stored on them... hrmm."
Cluster by CriX · 2009-07-28 10:53 · Score: 0, Redundant

Has no one yet stopped to imagine a beowulf cluster of these mini-internets?!

--
Moderation: +1 pwnage
Wine on Linux? by PhunkySchtuff · 2009-07-28 10:54 · Score: 0, Redundant

But does Wine on Linux have the same vulnerabilities as Windows itself, and which version of Windows is it "emulating" these vulnerabilities from?
I'm sure there's a lot of malware code out there that may work well on particular versions of Windows, or instances of Windows without a particular hotfix/service pack, but this sounds like each of the 1M Wine instances will be pretty much the same...

--
Specialist Mac support for creative pros, Melbourne
1. Re:Wine on Linux? by geegel · 2009-07-28 11:06 · Score: 3, Interesting
  
  Not necessarily.
  You might want indeed at some point to emulate an internet choke full of unpatched machines, but other times you will probably want only a percentage of them to be this way, or you might want to study a particular vector of infection, or concurrent vectors of infection to see how they interact. The combinations are endless and so will probably be the number of WINE flavors used.
  
  --
  right...
2. Re:Wine on Linux? by node+3 · 2009-07-28 11:13 · Score: 1
  
  But does Wine on Linux have the same vulnerabilities as Windows itself, and which version of Windows is it "emulating" these vulnerabilities from?
  I'm sure there's a lot of malware code out there that may work well on particular versions of Windows, or instances of Windows without a particular hotfix/service pack, but this sounds like each of the 1M Wine instances will be pretty much the same...
  WINE is open source, so they can patch it to be just as vulnerable as Windows is.
  Yes, the notions of "progress" and "improvement" take a twisted turn when you take on the task of emulating Windows in Linux...
What about Norton Antivirus? by node+3 · 2009-07-28 11:10 · Score: 5, Interesting

What about Norton Antivirus? Specifically they should run a second experiment with a simulation of 1 million systems running Norton Antivirus, and compare the results of the first test to see which has the greatest adverse effect...
1. Re:What about Norton Antivirus? by FlyingBishop · 2009-07-28 12:15 · Score: 1
  
  For that they would need to use virtualization, rather than Wine. This would severely limit the number of computers they could use. From what I gather, they're more interested in how the individual machines interact than on whether or not they get infected. So they want each one to be as lightweight an environment as possible, while still providing enough for each bot to run. Wine allows them to run on smaller Linux VMs.
2. Re:What about Norton Antivirus? by Anonymous Coward · 2009-07-28 13:15 · Score: 1, Interesting
  
  I thought nobody would talk about this. It was the first thing that came to my mind. I don't know if you meant that as a joke, but antivirus software has been, recently, the most annoying thing to remove a virus.
  These subsystems are the first to get disabled, and sometimes even help the virus to spread around the computer.
  The least suspect to a regular user would be an antivirus, because the user would think it's helping. Users are used to their machines slowed down by antivirus subsystems (on-access scans, etc), and the run one or more services under windows. If a virus would attack something is the antivirus itself, which increases its longevity.
  However, how much would it cost to get the million mcafee or norton licenses?
3. Re:What about Norton Antivirus? by Anonymous Coward · 2009-07-28 16:32 · Score: 0
  
  However, how much would it cost to get the million mcafee or norton licenses?
  That depends. How much have you got?
4. Re:What about Norton Antivirus? by sootman · 2009-07-29 06:01 · Score: 1
  
  If they had a million VMs running NAV, the heat generated from CPU and disk usage would cause the data center to melt through the floor and start sinking to the center of the Earth.
  
  --
  Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
5. Re:What about Norton Antivirus? by lomedhi · 2009-07-30 04:34 · Score: 1
  
  Moderators didn't get the joke
  Maybe Symantec would pay them not to do this, and then they could afford real Windows licenses.
  
  --
  Did you say "insightful" or "inciteful"?
Not exactly. by khasim · 2009-07-28 12:02 · Score: 4, Insightful

A patent on an IMPLEMENTATION of an idea is a good thing.
A patent on an idea itself ... that's stupid. And that's what we're stuck with today.
1. Re:Not exactly. by Vahokif · 2009-07-28 21:19 · Score: 1
  
  But in the computing world, implementations are often obvious and just as limiting as patenting algorithms.
One half of one percent of a cpu per VM? by DotDotSlashDot · 2009-07-28 13:09 · Score: 1

Any currently supported Windows OS platform would probably suffer from timeouts breaking everything in this environment. I bet the Dell SuperBungler can't launch a million Windows VMs whiile using Microsoft's virtualization products on such a pitiful platform with fewer than 5000 CPUs. My bullshit detector just vibrated it's way off my desk. WTF?
1. Re:One half of one percent of a cpu per VM? by Anonymous Coward · 2009-07-28 16:50 · Score: 0
  
  It helps if you actually read the summary, not just the headline.
2. Re:One half of one percent of a cpu per VM? by IBBoard · 2009-07-28 20:36 · Score: 1
  
  That'd be why they're using Wine under Linux instead of full Windows VMs ;)
ROTFLMA, by Stumbles · 2009-07-28 13:21 · Score: 1

to quote "The Dell Thunderbird supercomputer, named MegaTux, has 4,480 Intel microprocessors running Linux virtual machines with Wine, making it possible to run 1 million copies of a Windows environment without paying licensing fees to Microsoft.. That must really chap Microsoft's hide. Haha.

--
My karma is not a Chameleon.
In a panic, they try to pull the plug by Gothmolly · 2009-07-28 13:31 · Score: 1

The rest is history.

--
I want to delete my account but Slashdot doesn't allow it.
What a waste by flyingfsck · 2009-07-28 14:54 · Score: 0, Flamebait

What a terrible waste of time and resources to study Windows flaws on a Linux super computer.

--
Excuse me, but please get off my Pennisetum Clandestinum, eh!
Old News... by davevr · 2009-07-28 15:03 · Score: 5, Funny

There is already a system running somewhere around 420 million windows machines in a semi-private walled-off version of the internet, with no license fees paid to Microsoft, hosting several botnets and just about every virus under the sun.

It is called "China".
Linux for a reason... by Entropius · 2009-07-28 16:20 · Score: 4, Informative

The researcher posted up above saying he's an HPC researcher, not a computer security guy, and in that context using Wine makes sense.
HPC people typically study emergent behavior -- how a lot of nodes interacting by simple rules generate complicated phenomena. The challenge is coming up with the simple rules in a form that accurately captures whatever leads to the emergent behavior you want to model. In this case, "actually being Windows so all the viruses work exactly right" is less important than getting a lot of nodes running to capture the interesting behaviors of viruses spreading through a large network.
Supercomputing is difficult on Windows. I'm at a computational physics conference now, and everything runs on Linux just because it's bloody *easier* to make everything go. I doubt many people here would even know *how* to run our models on a Windows supercomputer.
Performance issues aside, my guess is that the fellow chose Linux because the computer *already* ran Linux.
It's "The Matrix" by Michael+Woodhams · 2009-07-28 16:42 · Score: 2, Funny

for bots. Poor little things think they're in the real world.

--
Quattuor res in hoc mundo sanctae sunt: libri, liberi, libertas et liberalitas.
1. Re:It's "The Matrix" by Anonymous Coward · 2009-07-29 00:50 · Score: 0
  
  Bots are a disease, and Sandia is the cure.
A Haiku For You, A.I. by scout-247 · 2009-07-28 18:08 · Score: 1

The start of Linux A.I.? Active Intelligence should be how it understands, Seeking throughout; finding the limits
Dell Makes Supercomputers... by longacre · 2009-07-28 19:14 · Score: 2, Funny

And in related news, Hummer will join the Formula 1 circuit next season.

--
Airplane Photos, Airline News, Planespotting Guides
Matrix.. by Anonymous Coward · 2009-07-28 20:53 · Score: 0

"but with a cyber-attack you have no clear idea of what it looks like"
I don't know quite why, but this instantly brought up a mental image of the dock scene in matrix revolutions..
And the team consists of 10 people by Anonymous Coward · 2009-07-28 22:48 · Score: 0

So 10 licenses. 10 MSDN licenses. With an EULA.
That's over nine thousand! by ae1294 · 2009-07-28 23:46 · Score: 1

Wine, making it possible to run 1 million copies of a Windows environment without paying licensing fees to Microsoft
I sense a great disturbance in the arrangement of furniture in Microsoft's underground fortunes somewhere deep beneath the 'LOST' island....
Can you imagine... by hesaigo999ca · 2009-07-29 03:07 · Score: 1

Can you imagine... a Beowulf cluster of these!
Mitigation techniques by metasnoop · 2009-07-29 04:23 · Score: 1

Bogon address isolation, sinkhole routing
There's one liittle problem with this, though: by Hurricane78 · 2009-07-29 08:45 · Score: 1

Where will they get the one million lusers to download and spread the botnet in the first place?
Does the Big Brother "show" still exist and recruit "people"?

--
Any sufficiently advanced intelligence is indistinguishable from stupidity.
parent is really nasty! by Nivag064 · 2009-07-29 17:50 · Score: 1

Using the rules specified in the parent post: try working out how the following pattern will turn out (without simulating it on a computer!).

OXX
XXO
OXO

where:
X - a live cell
O - an empty cell

Should be very easy, as the rules are SO SIMPLE, right???

see the R-pentomino in:
http://www.math.com/students/wonders/life/life.html