Raising a Botnet In Captivity

holy_calamity writes "Technology Review reports that researchers installed 3000 copies of Windows XP on a high performance cluster at a Canadian university and set loose the Waledac botnet on them. It's the first time researchers have built and operated their own botnet as a strategy to better understand those at large on the internet. Doing it inside an experimental computing cluster removes the legal and ethical complications of experimenting with live botnets that control innocent users' machines."

Real environments

I'm not quite sure why they chosen to do that; where is the fun in running a botnet in a simulated environment? Wouldn't it be much better to do it in real environment?

Re:Real environments

[easyTree]

I'm not quite sure why they chosen to do that

I guess it's one more string to their bow. Now they're able to offer students experience with botnets - ready for the real world where they can go on to become some of the best botnet authours around :D

PS. I'm sure you can do better than seven banner ads per eight-paragraph page. Please try harder.

Re:Real environments

[easyTree]

Hi

Would you be kind enough to use the contact page on my website to send me a private message:
  * http://www.419eater.com/

Thanks :D

Re:Real environments

[GameboyRMH]

Terminal stupidity?

How to catch a virus:

1. Install/buy a new PC with Windows 7, now more secure than ever!

2. Install the usual apps, like the ever popular Adobe Reader, Flash, and Java RE, maybe even Firefox because it's faster and more secure! Also make sure you have an AV, whether it's AVG or the 1-year subscription to Norton or McAffee that came with your PC.

3. Using the new super-secure IE8 browser (or even Firefox) at any time when the number of zero-day/unfixed exploits for it or any of the apps you installed in step 2 is greater than zero, browse your legitimate website of choice.

4. A malicious ad with brand-new and/or metamorphic code exploits one or more of the apps mentioned in steps 2-3 and pwns your user account with no user interaction required. In some cases it may exploit a vulnerability in Windows itself and infect your whole machine.

5. Congratulations! You're a botnet peer!

Re:Real environments

[GameboyRMH]

I wonder if these guys are using some kind of app that "broadcasts" spam onto a number of different commenting systems, including Slashdot, the worst place on the Internet to spam.

Obligatory XKCD

[NickFortune]

http://xkcd.com/350/

Re:Obligatory XKCD

[chichilalescu]

do you think they're going to cite him when they publish their results?

Re:Obligatory XKCD

[Pharago]

this is the first thing i thought upon reading the article :)

Re:Obligatory XKCD

[oiron]

Really, what else is one to think?

I wonder if they actually have a graph display...

Were they..

licensed copies?

Re:Were they..

[AndGodSed]

Where They...

*Puts on Sunglasses*

Licensed Copies?

YYYEEAAAAHHHHHhhhhh!

Re:Were they..

[fahlenkp]

At a large University, Windows XP licenses are trivally cheap. I believe at my last job $5. If you tell them you are running an experiment like this, it is even cheaper. People give M$ a bad rap on licensing. A lot of times it is cheaper than Red Hat when you have a number of computers.

Re:Were they..

[AHuxley]

XP would be fine for this as the University has paid for "MS XP" for all over a set time.
MS has learned from this "friendly" era and now likes the idea of a 24/7 on site computer system to count the "number of computers" using MS products and then count much more $ flowing back.
The bad rap on licensing is getting more real, the past was just playing 'nice' to get MS products on site.
A real fun study would be some pretty 'graph' of total cost of ownership/longterm rental/cleanup/admin teams for 3000 copies of Windows XP vs other more mature/secure OS options at that time, year after year ...

Re:Were they..

[X0563511]

You should learn what a MAK is for.

point being?

[internet-redstar]

... and they discovered it's utterly uselessness?

Re:point being?

[BSAtHome]

it is called Windows Genuine Advantage...

Re:point being?

[GameboyRMH]

XP is still by far the most popular OS, and Windows 7 has much better security so it probably has a much smaller percentage of infected machines than XP, on top of its smaller market share. So using an all-XP environment isn't that unrealistic.

Shouldn't they use a bigger sandbox.

[PDX]

After effects, more research needed. Cylon sentience attained on the first day. They keep it running until Tricia Helfer steps out of their 3D printer.

Re:Shouldn't they use a bigger sandbox.

[ColdWetDog]

They keep it running until Tricia Helfer steps out of their 3D printer.

Why the hell would you stop then?

Re:To the cloud!!?

[tibit]

They most likely have a volume site license, and they didn't have to do anything special -- just installed it and that's it. 100% legal.

Really?

[yerktoader]

This is the FIRST time a botnet has been studied in captivity? Did they need an excuse? A hall pass?

Anyone got a good reason why it took this long to study a botnet in captivity when researchers have been able to purchase these tools on black hat sites for as long as they have? Otherwise I call shenanigans. Red tape, bureaucracy, what have you.

Re:Really?

I have personally built clusters to test out viruses and botnets. In fact, I'd be willing to bet that almost every single botnet is born in an environment like this. 3000? that's just a waste of money. I wrote my own personal botnet (for late night take overs to run automated tests) using a collection of VMs (6) on my desktop. Once it felt good I just installed it somewhere. What do they really hope to gain by watching the same thing happen 3000 times?

What a waste of resources, hope they at least made the payload f@h or something.

Re:Really?

[AHuxley]

Could be some fine print in the 'for edu use only' bulk discount?
You get to study using the OS, not so much study the workings of the OS?

Re:Really?

[pinkushun]

This project, which started some 7 years ago, was delayed while waiting for the 3000 XP PC's to catch up with automatic updates.

Re:Really?

[JMonty42]

This definitely isn't the first time this has been done. Maybe it's the first time anybody has done it with an unnecessarily large cluster of 3000 (all infected) computers. I also think this study is flawed and mostly pointless. First of all, command and control-style botnets are getting easier and easier to mitigate. The real threat is from peer-to-peer botnets. The most useful research taking place as of late is not being done in a closed environment cut off from the rest of the world on a botnet that hasn't been a threat for several months. That research is being done by taking over or infiltrating known botnets that are using newer peer-to-peer botnet protocols [T. Holz, M. Steiner, F. Dahl, E. Biersack, and F. Freiling. "Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm." In USENIX Workshop on Large-Scale Exploits and Emergent Threats, 2008.] and [B. Stone-Gross, M. Cova, L. Cavallaro, B. Gilbert, M. Szydlowski, R. Kemmerer, C. Kruegel, and G. Vigna. "Your Botnet is My Botnet: Analysis of a Botnet Takeover." Technical report, University of California, May 2009.] Also, instead of infected every single computer on the cluster, they should have studied more about the ways the botnet spreads by only infecting 25% or so of the network. Other useful projects related to peer-to-peer botnets is in trying to be one step ahead of the botnet developers. These kind of projects predict what the new peer-to-peer botnet protocols will be so they can better protect computers against being infected by them [Günther Starnberger, Christopher Kruegel, and Engin Kirda. "Overbot: A Botnet Protocol Based on Kademlia." In Proceedings of the 4th Conference on Security and Privacy in Communication Networks (SecureComm’08), pages 1–9, 2008.] I just think this "research" project is getting more press than it should while others that are doing more aren't getting as much.

Re:Really?

[owlstead]

Quickly, somebody mod this up! I want to see how this ends before I need to restart my computer - it just finished downloading them automatic updates.

Re:Really?

[dbIII]

Until relatively recently MS had never heard of clusters so doing this would have been a huge time wasting pain. It probably is one of the first times this has been done at such a scale. Even now it's a case of "ok, so I can cluster MS Windows now - but WTF can I run that can make use of it being a cluster?". Without the software to run on the things they are rare.

Dissection Vs. Observation

I think it's interesting that our software mechanisms have become so advanced that we can't dissect them to understand what they are doing, we have to observe them in their environments to understand how they work or perhaps they just couldn't be bothered to sink resources into better analysis techniques of bytecode...

Re:This can't be a first

[metageek]

profit

They aren't really studying the problem

[FlapHappy]

It would be far more beneficial to (almost) everyone if they studied the people involved in creating botnets in captivity. If not for the legal issues involved with that idea...

Re:They aren't really studying the problem

[pinkushun]

A corroborative study would involve PC users, in captivity, with such expert tests as: flashing ads promoting free stuff, click to clean your infected PC, and chatting with horny single females in your area (now!).

Re:Only if you pay

[Tacvek]

True enough, although the costs of volume licenses can be absurdly cheap.

Microsoft also has quite a few different licensing programs beyond the standard Volume licensing one. For example they have at least one program for Academic Institutions where you pay per product per staff member, rather than per product per installed computer. For example, the Microsoft Enrollment for Education Solutions program works like that.

Re:!botnet

[gnapster]

...isn't a botnet without a 'net connection just a worm?

Not if the controlling computer of the botnet is on the same virtual network. They might even introduce virtual servers so they can try out DDoS attacks.

The question remains

[Creon04]

"It was [...] something of a challenge to convince the owner of a cluster worth around $1 million that installing malware onto it was a good idea." The question remains: is he referring to Waledac or Windows xp?

Yes, terminal stupidity.

[r00t]

Us non-stupid users run OpenBSD on sparc64, Linux on PA-RISC, or FreeBSD on IA-64.

Note: do not browse the web with telnet unless you want to get pwn3d. It has everything to do with **terminal** stupidity, as in ESC [ evilness.