Raising a Botnet In Captivity

holy_calamity writes "Technology Review reports that researchers installed 3000 copies of Windows XP on a high performance cluster at a Canadian university and set loose the Waledac botnet on them. It's the first time researchers have built and operated their own botnet as a strategy to better understand those at large on the internet. Doing it inside an experimental computing cluster removes the legal and ethical complications of experimenting with live botnets that control innocent users' machines."

Real environments

I'm not quite sure why they chosen to do that; where is the fun in running a botnet in a simulated environment? Wouldn't it be much better to do it in real environment?

Re:Real environments

Not really. Sure you have some reliable bots, but most are regularly d/c-ing, which makes examination or control of a single bot sometimes difficult.

Re:Real environments

[easyTree]

I'm not quite sure why they chosen to do that

I guess it's one more string to their bow. Now they're able to offer students experience with botnets - ready for the real world where they can go on to become some of the best botnet authours around :D

PS. I'm sure you can do better than seven banner ads per eight-paragraph page. Please try harder.

Re:Real environments

My name is Mr.Moses Odiaka.I work in the credit and accounts department of
Union Bank of NigeriaPlc,Lagos, Nigeria. I write you in respect of a
foreign customer with a Domicilliary account. His name is Engineer Manfred
Becker. He was among those who died in a plane crash here in Nigeria
during the reign of late General Sani Abacha.

Since the demise of this our customer, Engineer Manfred Becker, who was an
oil merchant/contractor, I have kept a close watch of the deposit records
and accounts and since then nobody has come to claim the money in this a/c
as next of kin to the late Engineer. He had only $18.5mllion in his a/c
and the a/c is coded. It is only an insider that could produce the code or
password of the deposit particulars. As it stands now,there is nobody in
that position to produce the needed information other than my very self
considering my position in the bank.

Based on the reason that nobody has come forward to claim the deposit as
next of kin, I hereby ask for your co operation in using your name as the
next of kin to the deceased to send these funds out to a foreign offshore
bank a/c for mutual sharing between myself and you. At this point I am the
only one with the information because I have removed the deposit file from
the safe.By so doing, what is required is to send an aplication laying
claims of the deposit on your name as next of kin to the late Engineer. I
will need your full name and address telephone/fax number,company or
residential, also your bank name and account,where the money will be
transfer into.

Finally i want you to understand that the request for a foreigner as the
next of kin is occassioned by the fact that the customer was a foreigner
and for that reason alone a local cannot represent as next of kin. When
you contact me, then we shall discuss on how the money will be split
between us and others we shall also speak in details.I am currently in
europe for a six months course,you can reach me on this number for further
discussion 0031 623 866 723.Kindly send your reply to my private email
address stated below mosesodig1@zwallet.com or mosesodiaka1@yahoo.com

Trusting to hear from you,

I remain Respectfully yours,

Mr Moses Odiaka.
mosesodig1@zwallet.com or mosesodiaka1@yahoo.com
(0031 623 866 723)

Re:Real environments

[easyTree]

Hi

Would you be kind enough to use the contact page on my website to send me a private message:
  * http://www.419eater.com/

Thanks :D

Re:Real environments

Doing it inside an experimental computing cluster removes the legal and ethical complications of experimenting with live botnets that control innocent users' machines.

Please Slashdot, do not ever confuse "innocence" with "terminal stupidity".

Re:Real environments

[GameboyRMH]

Terminal stupidity?

How to catch a virus:

1. Install/buy a new PC with Windows 7, now more secure than ever!

2. Install the usual apps, like the ever popular Adobe Reader, Flash, and Java RE, maybe even Firefox because it's faster and more secure! Also make sure you have an AV, whether it's AVG or the 1-year subscription to Norton or McAffee that came with your PC.

3. Using the new super-secure IE8 browser (or even Firefox) at any time when the number of zero-day/unfixed exploits for it or any of the apps you installed in step 2 is greater than zero, browse your legitimate website of choice.

4. A malicious ad with brand-new and/or metamorphic code exploits one or more of the apps mentioned in steps 2-3 and pwns your user account with no user interaction required. In some cases it may exploit a vulnerability in Windows itself and infect your whole machine.

5. Congratulations! You're a botnet peer!

Re:Real environments

[GameboyRMH]

I wonder if these guys are using some kind of app that "broadcasts" spam onto a number of different commenting systems, including Slashdot, the worst place on the Internet to spam.

Re:Real environments

I wonder if you lack a sense of irony. Let me explain it for you: a notorious SPAM message posted in the comments section of a story about an experimental botnet is an example of irony.

Imagine...

...a beowulf cluster of those...

Obligatory XKCD

[NickFortune]

http://xkcd.com/350/

Re:Obligatory XKCD

[chichilalescu]

do you think they're going to cite him when they publish their results?

Re:Obligatory XKCD

[Pharago]

this is the first thing i thought upon reading the article :)

Re:Obligatory XKCD

[oiron]

Really, what else is one to think?

I wonder if they actually have a graph display...

Re:Obligatory XKCD

[camperdave]

http://xkcd.com/350/

That may have been what gave them the idea in the first place.

Were they..

licensed copies?

Re:Were they..

[AndGodSed]

Where They...

*Puts on Sunglasses*

Licensed Copies?

YYYEEAAAAHHHHHhhhhh!

Re:Were they..

[fahlenkp]

At a large University, Windows XP licenses are trivally cheap. I believe at my last job $5. If you tell them you are running an experiment like this, it is even cheaper. People give M$ a bad rap on licensing. A lot of times it is cheaper than Red Hat when you have a number of computers.

Re:Were they..

[AHuxley]

XP would be fine for this as the University has paid for "MS XP" for all over a set time.
MS has learned from this "friendly" era and now likes the idea of a 24/7 on site computer system to count the "number of computers" using MS products and then count much more $ flowing back.
The bad rap on licensing is getting more real, the past was just playing 'nice' to get MS products on site.
A real fun study would be some pretty 'graph' of total cost of ownership/longterm rental/cleanup/admin teams for 3000 copies of Windows XP vs other more mature/secure OS options at that time, year after year ...

Re:Were they..

At a large University, Windows XP licenses are trivally cheap. I believe at my last job $5. If you tell them you are running an experiment like this, it is even cheaper. People give M$ a bad rap on licensing. A lot of times it is cheaper than Red Hat when you have a number of computers.

MS still deserves a bad rap on licensing. It's not just a moneymaker for them. It's a form of leverage they can pull out whenever it's convenient. They turn a blind eye to piracy when it suits their marketshare figures for example.

The only reason they let university students/staff have Windows so cheap is not the goodness of their hearts for the next generation or some crap like that. They want the next generation of students and research and important projects to all rely on Windows. They want students working with it from cradle to grave knowing nothing else. They derive more value from that than you do from the discounts they offer, therefore IMO they are still shafting you.

If you want Red Hat and you want it cheap it's called Fedora and community support. I don't understand why you'd complain about licensing costs for software available under the GPL. Presumably your university has its own IT department so you wouldn't need vendor support.

Re:Were they..

[tautog]

Fuck yo couch, nigga!

Re:Were they..

Oh give it up already, really. The evangelism is pointless here, so it's annoying with no cause. People on Slashdot who use Windows are doing so for reasons beyond the corporate hegemony controlling their sheeplike brains. Save your preaching.

Re:Were they..

At most universities, the Engineering department already has unlimited MS licenses to dish out to all students and faculty.

http://msdn.microsoft.com/en-us/academic/default

Re:Were they..

Oh yeah?
Well fuck you!

Re:Were they..

[X0563511]

You should learn what a MAK is for.

To the cloud!!?

Considering that they most assuredly have the go ahead from Redmond to install 3000 copies of XP. (because Canadian universities sure as hell could not afford to license it legally). Perhaps this is really just an experiment in cloud computing sponsored by Microsoft....

Re:To the cloud!!?

The used windows XP because windows 7 would be infected too fast for them to have time to study.

Re:To the cloud!!?

[tibit]

They most likely have a volume site license, and they didn't have to do anything special -- just installed it and that's it. 100% legal.

point being?

[internet-redstar]

... and they discovered it's utterly uselessness?

Re:point being?

[BSAtHome]

it is called Windows Genuine Advantage...

Re:point being?

They must get real tired of hearing the Windows system error chime looping on 3000 machines. Probably sounds like someone threw a ton of hand bells down the stairs of one of the World Trade Center towers. You know, before the sand niggers blew them up.

Re:point being?

I figure the same... I mean, wouldn't it be a mono-culture of identical machines? even the speed between the machines would have been pretty similar... I'm not sure what new information they would be testing,,,

Re:point being?

[GameboyRMH]

XP is still by far the most popular OS, and Windows 7 has much better security so it probably has a much smaller percentage of infected machines than XP, on top of its smaller market share. So using an all-XP environment isn't that unrealistic.

Re:point being?

hey! jews prefer to be called kikes.

Shouldn't they use a bigger sandbox.

[PDX]

After effects, more research needed. Cylon sentience attained on the first day. They keep it running until Tricia Helfer steps out of their 3D printer.

Re:Shouldn't they use a bigger sandbox.

[ColdWetDog]

They keep it running until Tricia Helfer steps out of their 3D printer.

Why the hell would you stop then?

Wow

[exa]

Fucking monkeys doing research with windows botnets! Hilarious! :)

Really?

[yerktoader]

This is the FIRST time a botnet has been studied in captivity? Did they need an excuse? A hall pass?

Anyone got a good reason why it took this long to study a botnet in captivity when researchers have been able to purchase these tools on black hat sites for as long as they have? Otherwise I call shenanigans. Red tape, bureaucracy, what have you.

Re:Really?

I have personally built clusters to test out viruses and botnets. In fact, I'd be willing to bet that almost every single botnet is born in an environment like this. 3000? that's just a waste of money. I wrote my own personal botnet (for late night take overs to run automated tests) using a collection of VMs (6) on my desktop. Once it felt good I just installed it somewhere. What do they really hope to gain by watching the same thing happen 3000 times?

What a waste of resources, hope they at least made the payload f@h or something.

Re:Really?

ebaumsworld? really?

Re:Really?

[AHuxley]

Could be some fine print in the 'for edu use only' bulk discount?
You get to study using the OS, not so much study the workings of the OS?

Re:Really?

[pinkushun]

This project, which started some 7 years ago, was delayed while waiting for the 3000 XP PC's to catch up with automatic updates.

Re:Really?

[JMonty42]

This definitely isn't the first time this has been done. Maybe it's the first time anybody has done it with an unnecessarily large cluster of 3000 (all infected) computers. I also think this study is flawed and mostly pointless. First of all, command and control-style botnets are getting easier and easier to mitigate. The real threat is from peer-to-peer botnets. The most useful research taking place as of late is not being done in a closed environment cut off from the rest of the world on a botnet that hasn't been a threat for several months. That research is being done by taking over or infiltrating known botnets that are using newer peer-to-peer botnet protocols [T. Holz, M. Steiner, F. Dahl, E. Biersack, and F. Freiling. "Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm." In USENIX Workshop on Large-Scale Exploits and Emergent Threats, 2008.] and [B. Stone-Gross, M. Cova, L. Cavallaro, B. Gilbert, M. Szydlowski, R. Kemmerer, C. Kruegel, and G. Vigna. "Your Botnet is My Botnet: Analysis of a Botnet Takeover." Technical report, University of California, May 2009.] Also, instead of infected every single computer on the cluster, they should have studied more about the ways the botnet spreads by only infecting 25% or so of the network. Other useful projects related to peer-to-peer botnets is in trying to be one step ahead of the botnet developers. These kind of projects predict what the new peer-to-peer botnet protocols will be so they can better protect computers against being infected by them [Günther Starnberger, Christopher Kruegel, and Engin Kirda. "Overbot: A Botnet Protocol Based on Kademlia." In Proceedings of the 4th Conference on Security and Privacy in Communication Networks (SecureComm’08), pages 1–9, 2008.] I just think this "research" project is getting more press than it should while others that are doing more aren't getting as much.

Re:Really?

[owlstead]

Quickly, somebody mod this up! I want to see how this ends before I need to restart my computer - it just finished downloading them automatic updates.

Re:Really?

[dbIII]

Until relatively recently MS had never heard of clusters so doing this would have been a huge time wasting pain. It probably is one of the first times this has been done at such a scale. Even now it's a case of "ok, so I can cluster MS Windows now - but WTF can I run that can make use of it being a cluster?". Without the software to run on the things they are rare.

This can't be a first

Seriously, is this the first time this and been done?

    I would have thought that mcafee and semantic and the other anti-virus companies would have been doing this as a matter of course for the past decade.

What on earth are their subscription fees for?

Re:This can't be a first

[metageek]

profit

Dissection Vs. Observation

I think it's interesting that our software mechanisms have become so advanced that we can't dissect them to understand what they are doing, we have to observe them in their environments to understand how they work or perhaps they just couldn't be bothered to sink resources into better analysis techniques of bytecode...

innocent users!

innocent users

Ha! I like that.

Only if you pay

Contrary to what seems to be common belief here, you don't get free XP because you have a volume license. You have to pay for those copies.

Re:Only if you pay

[Tacvek]

True enough, although the costs of volume licenses can be absurdly cheap.

Microsoft also has quite a few different licensing programs beyond the standard Volume licensing one. For example they have at least one program for Academic Institutions where you pay per product per staff member, rather than per product per installed computer. For example, the Microsoft Enrollment for Education Solutions program works like that.

They aren't really studying the problem

[FlapHappy]

It would be far more beneficial to (almost) everyone if they studied the people involved in creating botnets in captivity. If not for the legal issues involved with that idea...

Re:They aren't really studying the problem

[pinkushun]

A corroborative study would involve PC users, in captivity, with such expert tests as: flashing ads promoting free stuff, click to clean your infected PC, and chatting with horny single females in your area (now!).

!botnet

This is the FIRST time a botnet has been studied in captivity?

Probably not, but isn't a botnet without a 'net connection just a worm?

I thought the whole point of a botnet was that it received external commands.

From TFA: Fortunately, the new approach is being tested using a high-powered computing cluster that is safely isolated from the Internet.

Re:!botnet

[gnapster]

...isn't a botnet without a 'net connection just a worm?

Not if the controlling computer of the botnet is on the same virtual network. They might even introduce virtual servers so they can try out DDoS attacks.

Re:Real environment

Oops. That was $18.5. Never mind.

The question remains

[Creon04]

"It was [...] something of a challenge to convince the owner of a cluster worth around $1 million that installing malware onto it was a good idea." The question remains: is he referring to Waledac or Windows xp?

First time... right

Lawlz I say. This is the first time someone has openly bothered to declare it's the first time. Other people just did their thing and not brag about it. I mean isn't that done at hackfest every year?

Yes, terminal stupidity.

[r00t]

Us non-stupid users run OpenBSD on sparc64, Linux on PA-RISC, or FreeBSD on IA-64.

Note: do not browse the web with telnet unless you want to get pwn3d. It has everything to do with **terminal** stupidity, as in ESC [ evilness.

Grammar, please.

Try:

a) And they discovered its utter uselessness?
b) And they discovered it's utterly useless?

a + b != c