Slashdot Mirror

← Back to Stories (view on slashdot.org)

Researchers Hijack Mebroot Botnet, Study Drive-By Downloads

Posted by ScuttleMonkey on from the hijack-and-inject-vaccine dept.

TechReviewAl writes "Researchers at the University of California at Santa Barbara hijacked the Mebroot botnet for about a month and used it to study drive-by downloading. The researchers managed to intercept Mebroot communications by reverse-engineering the algorithm used to select domains to connect to. Mebroot infects legitimate websites and uses them to redirect users to malicious sites that attempt to install malware on a victim's machine. The team, who previously infiltrated the Torpig botnet, found that at least 13.3 percent of systems that were redirected by Mebroot were already infected and 70 percent were vulnerable to about 40 common attacks."

4 of 130 comments (clear)

  1. Re:arrest them by noundi · · Score: 5, Insightful

    so universities can break the law but common criminals can't? remind's me of nazi/japanese experiments on humans in the name of 'science'.

    Really? Intercepting a botnet reminds you of experiments leading to the deaths and suffering of thousands of helpless adults and children? No I see your point, exactly the same thing.

    --
    I am the lawn!
  2. Re:Great idea, narrowly averted by clone53421 · · Score: 5, Informative

    Yes.

    They didn't exactly hijack the botnet. They just hijacked it's reproductive system. RTFA.

    It spreads by a javascript which the criminals were able to inject into innocuous sites. This javascript sent visitors to an auto-generated URL which was registered by the botnet owners. This URL hosted the actual exploit which attempted to attack vulnerable visitors who landed there from the javascript. The URL changed every day, but by predicting it, the researchers were able to register domains before the botnet owners. As a result, victims of the drive-by javascript landed on the researchers' server instead of the botnet owners' servers. Needless to say, the researchers didn't attack the visitors and exploit their machines, but they did do some profiling to find out what sort of computers were hitting their server and how many of the visitors were unpatched, vulnerable boxes.

    --
    Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  3. Re:70% by tsm_sf · · Score: 5, Funny

    I've never really understood the whole Mac vs. WIndows debate, and it's even more pointless now that you can have Mac, Win, and Linux running on the same box at the same time. Now, vi vs. emacs is a legitimate jihad.

    ((vi is better))

    --
    Literalism isn't a form of humor, it's you being irritating.
  4. Video of the Tech Talk by these Researchers Here by grendelb · · Score: 5, Informative

    Richard Kemmerer, one of the authors, gave a Tech Talk at Google titled "How to Steal a Botnet and What Can Happen When You Do." The video of the talk is available on YouTube.