Slashdot Mirror


Raising a Botnet In Captivity

holy_calamity writes "Technology Review reports that researchers installed 3000 copies of Windows XP on a high performance cluster at a Canadian university and set loose the Waledac botnet on them. It's the first time researchers have built and operated their own botnet as a strategy to better understand those at large on the internet. Doing it inside an experimental computing cluster removes the legal and ethical complications of experimenting with live botnets that control innocent users' machines."

13 of 60 comments

  1. Obligatory XKCD by NickFortune · Score: 5, Funny
    --
    Don't let THEM immanentize the Eschaton!
    1. Re:Obligatory XKCD by chichilalescu · Score: 2

      do you think they're going to cite him when they publish their results?

      --
      new sig
  2. Were they.. by Anonymous Coward · Score: 2, Insightful

    licensed copies?

    1. Re:Were they.. by AndGodSed · Score: 4, Funny

      Where They...

      *Puts on Sunglasses*

      Licensed Copies?

      YYYEEAAAAHHHHHhhhhh!

    2. Re:Were they.. by fahlenkp · Score: 2

    At a large University, Windows XP licenses are trivially cheap. I believe at my last job $5. If you tell them you are running an experiment like this, it is even cheaper. People give M$ a bad rap on licensing. A lot of times it is cheaper than Red Hat when you have a number of computers.

  3. point being? by internet-redstar · Score: 2

    ... and they discovered its utter uselessness?

  4. Shouldn't they use a bigger sandbox. by PDX · Score: 2

    After effects, more research needed. Cylon sentience attained on the first day. They keep it running until Tricia Helfer steps out of their 3D printer.

  5. Re:To the cloud!!? by tibit · Score: 2

    They most likely have a volume site license, and they didn't have to do anything special -- just installed it and that's it. 100% legal.

    --
    A successful API design takes a mixture of software design and pedagogy.
  6. Really? by yerktoader · Score: 2

    This is the FIRST time a botnet has been studied in captivity? Did they need an excuse? A hall pass?

    Anyone got a good reason why it took this long to study a botnet in captivity when researchers have been able to purchase these tools on black hat sites for as long as they have? Otherwise I call shenanigans. Red tape, bureaucracy, what have you.

    1. Re:Really? by JMonty42 · Score: 2

      This definitely isn't the first time this has been done. Maybe it's the first time anybody has done it with an unnecessarily large cluster of 3000 (all infected) computers. I also think this study is flawed and mostly pointless. First of all, command and control-style botnets are getting easier and easier to mitigate. The real threat is from peer-to-peer botnets. The most useful research taking place as of late is not being done in a closed environment cut off from the rest of the world on a botnet that hasn't been a threat for several months. That research is being done by taking over or infiltrating known botnets that are using newer peer-to-peer botnet protocols [T. Holz, M. Steiner, F. Dahl, E. Biersack, and F. Freiling. "Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm." In USENIX Workshop on Large-Scale Exploits and Emergent Threats, 2008.] and [B. Stone-Gross, M. Cova, L. Cavallaro, B. Gilbert, M. Szydlowski, R. Kemmerer, C. Kruegel, and G. Vigna. "Your Botnet is My Botnet: Analysis of a Botnet Takeover." Technical report, University of California, May 2009.] Also, instead of infecting every single computer on the cluster, they should have studied more about the ways the botnet spreads by only infecting 25% or so of the network. Other useful projects related to peer-to-peer botnets are in trying to be one step ahead of the botnet developers. These kinds of projects predict what the new peer-to-peer botnet protocols will be so they can better protect computers against being infected by them [Günther Starnberger, Christopher Kruegel, and Engin Kirda. "Overbot: A Botnet Protocol Based on Kademlia." In Proceedings of the 4th Conference on Security and Privacy in Communication Networks (SecureComm'08), pages 1–9, 2008.] I just think this "research" project is getting more press than it should while others that are doing more aren't getting as much.

  7. They aren't really studying the problem by FlapHappy · Score: 2

    It would be far more beneficial to (almost) everyone if they studied the people involved in creating botnets in captivity. If not for the legal issues involved with that idea...

  8. Re:Real environments by GameboyRMH · Score: 3, Insightful

    Terminal stupidity?

    How to catch a virus:

    1. Install/buy a new PC with Windows 7, now more secure than ever!

    2. Install the usual apps, like the ever popular Adobe Reader, Flash, and Java RE, maybe even Firefox because it's faster and more secure! Also make sure you have an AV, whether it's AVG or the 1-year subscription to Norton or McAfee that came with your PC.

    3. Using the new super-secure IE8 browser (or even Firefox) at any time when the number of zero-day/unfixed exploits for it or any of the apps you installed in step 2 is greater than zero, browse your legitimate website of choice.

    4. A malicious ad with brand-new and/or metamorphic code exploits one or more of the apps mentioned in steps 2-3 and pwns your user account with no user interaction required. In some cases it may exploit a vulnerability in Windows itself and infect your whole machine.

    5. Congratulations! You're a botnet peer!

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
  9. Re:Only if you pay by Tacvek · Score: 2

    True enough, although the costs of volume licenses can be absurdly cheap.

    Microsoft also has quite a few different licensing programs beyond the standard Volume licensing one. For example they have at least one program for Academic Institutions where you pay per product per staff member, rather than per product per installed computer. For example, the Microsoft Enrollment for Education Solutions program works like that.

    --
    Stylish sheet to fix many problems in Slashdot's D3: https://gist.github.com/801524