Technology Review
The team gathered data on compromised pages and the would-be victims.
By infiltrating a criminal computer network aimed at infecting visitors to legitimate websites, university researchers have gained firsthand insight into the scale and scope of so-called "drive-by downloading." They found more than 6,500 websites hosting malicious code that redirected nearly 340,000 visitors to malicious sites.
Drive-by downloading involves hacking into a legitimate site to covertly install malicious software on visitors' machines or redirect them to another site.
In an unpublished paper, researchers at the University of California at Santa Barbara describe a four-month study in which they connected their servers to a collection of compromised computers known as the Mebroot botnet. Among their findings, the researchers discovered that, while the seedier sites on the Internet--those hosting porn and illegal downloads--were most effective at redirecting users to a malicious download site, business sites were more common among the compromised referrers.
"Once upon a time, you thought that if you did not browse porn, you would be safe," says Giovanni Vigna, a UCSB professor of computer science and one of the paper's authors. "But staying away from the seedy places on the Internet is no longer an assurance of staying safe."
First discovered by researchers in late 2007, the Mebroot network uses compromised websites to redirect visitors to centralized download servers that attempt to infect the victim's computer. The malicious software, named for its tactic of infecting a Windows computer's master boot record (MBR), shows signs of professional programming, including a rapid cycle of debugging, researchers say.
"It is definitely one of the most advanced and professional botnets out there," says Kimmo Kasslin, director of security response for antivirus firm F-Secure, which is based in Helsinki, Finland.
Using a variety of methods, the criminals behind Mebroot infect legitimate Web servers with JavaScript code. The code redirects visitors to a different Internet domain, which changes every day, and where a malicious server attempts to compromise their computer with a program that provides the botnet's owners with remote control over that machine.
The custom domain generation technique is a relatively sophisticated way to foil attempts to permanently shut down the network, the researchers say. Older drive-by download schemes have redirected victims to a hard-coded Web address. Rather than a static address, the JavaScript used by Mebroot generates a new address every day, similar to the domain algorithm used by another computer pest called Conficker. However, because the algorithm relies on known inputs--namely the date--domains can be precomputed, aiding the defenders. The Conficker Working Group, for example, attempted to reserve future domains at least a month in advance.
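The defensive point in the paragraph above is that a date-seeded domain generator can be run ahead of time by anyone who knows the algorithm. The following is an added illustration, not Mebroot's or Conficker's actual generator and not code from the researchers: the seed, hash, TLD list and per-day count are constructed, and the DNS log lines it matches against are made up for the example. What it shows is the defender's workflow: derive tomorrow's domains today, build a blocklist for the coming month, and match observed DNS queries against it.

```python
"""Date-seeded domain generation and defender-side precomputation.

Added illustration with constructed parameters; a real family hard-codes
its own seed, hash and domain count, none of which are reproduced here.
"""
import hashlib
from datetime import date, timedelta

# Constructed parameters (assumptions for the example).
SEED = b"example-family-seed"
TLDS = ("com", "net", "org")
DOMAINS_PER_DAY = 5


def domains_for_day(day: date) -> list[str]:
    """Deterministically derive a day's domains from the date alone.

    Because the date is the only varying input, defenders and operators
    compute exactly the same list for any given day.
    """
    out = []
    for i in range(DOMAINS_PER_DAY):
        material = SEED + day.isoformat().encode() + bytes([i])
        label = hashlib.sha256(material).hexdigest()[:12]  # hex is a valid DNS label
        out.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return out


def precompute_blocklist(start: date, days: int) -> dict[str, date]:
    """Defender view: list every domain the redirector will use for the
    next `days` days, keyed by the day on which it becomes active."""
    blocklist: dict[str, date] = {}
    for offset in range(days):
        day = start + timedelta(days=offset)
        for domain in domains_for_day(day):
            blocklist[domain] = day
    return blocklist


def match_dns_log(blocklist: dict[str, date], log_lines: list[str]):
    """Flag queries in a DNS log that hit a precomputed domain.

    Constructed log format: "<timestamp> <client_ip> <qname>"; lines that
    do not fit are skipped rather than raising.
    """
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        qname = parts[2].rstrip(".").lower()
        if qname in blocklist:
            hits.append((parts[1], qname, blocklist[qname]))
    return hits


def demo() -> dict:
    """Run the constructed scenario: 30-day blocklist, one matching query."""
    start = date(2010, 1, 1)
    blocklist = precompute_blocklist(start, 30)
    active = domains_for_day(date(2010, 1, 15))[0]  # a domain from day 15
    log = [  # constructed sample log lines
        "2010-01-15T10:00:00 10.0.0.5 www.example.com.",
        f"2010-01-15T10:00:01 10.0.0.5 {active}.",
        "malformed line",
    ]
    hits = match_dns_log(blocklist, log)
    return {"blocklist_size": len(blocklist), "hits": hits, "active": active}


if __name__ == "__main__":
    result = demo()
    print(f"precomputed {result['blocklist_size']} domains; hits: {result['hits']}")
```

The blocklist is keyed by activation day so a hit can be checked against the query timestamp: a client resolving a domain a day before it goes live is either a sandbox replaying the algorithm or worth a second look, whereas a same-day resolution looks like a victim's browser following the redirect.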
How effective is browser safe mode?
If visitors use the safe mode of a browser (e.g., Firefox), are they still vulnerable to methods of infection used by the botnets?
I don't understand why this is allowed to continue. Where is law enforcement? Why aren't the perpetrators flogged to death in the public square? (That's just my preference. I'd settle for putting them in prison.)
If they are operating with impunity because a gov't is protecting them, then cut off that country entirely from the web (and cut off any country that refuses to cut them off). I'd happily give up access to Russian web sites (for example) in exchange for a safe internet.
They operate with impunity because the botnets don't exist in any country--they move from server to server across the internet landscape--they take over a website of a legitimate company--they then infect legitimate users' computers, then they infect ten more servers and 100 more PCs... They don't care if the website or the user's computer is in the US or Russia or Liberia--think like a disease. You can't outlaw the flu and the flu doesn't care about arbitrary things like borders. It spreads because people don't take precautions (and even spreads sometimes when they do)--I suppose you could fine people for not updating their systems (and thus contributing to the spread of botnets), but that's a bit of the "kill-the-homeless-and-feed-them-to-the-hungry" type of solution that's not going to fly very well with end users. And even if you did, there would still be polymorphic and emergent viral code that could infect a patched system (so who do you sue then?).
The anger and frustration is understood well--but a simplistic, arrest-em-all (or kill-em-all) attitude isn't a practical, useful response to the threat.
If you want to do something useful to combat the villains, update your PC. Update your mother's and your neighbor's PC. Get them to run automatic updates--show them how. Teach them. Keep their antivirus software updated. Use common sense when browsing the internet.
And, as for the flu, wash your hands. Stay home from work when you are sick. If you have to sneeze or cough, cover your mouth (preferably with the crook of your elbow).
I think dmm is referring to the original creators of the bots. Somebody created these bots and released them onto the World Wide Web before they started spreading like wildfire.
There are laws that will send them to prison if they are caught. However, it is difficult to bring down an international crook or any crook for that matter. Internet anonymity and the bots' modus operandi, as explained in the article and by Kcase above, make it very complex to identify those that are responsible.
Until scientists come up with an immunization for computer bots, the logical option is to follow Kcase's prescriptions.
Uhhh, why doesn't someone write a botnet to hijack and update, scan and repair all the computers people are not updating ? :)
B
You wouldn't dare, no matter how cool, powerful, good looking and rich it would make you... plus I think creating such a killer(literally) app would stop male pattern baldness!
fiberman
186 Comments
Happened to us
Exactly as described!
However, the important issue is how they compromised the website - they appear to have hacked a SQL database we used for allowing registrants to list themselves for searches. SQL seems to have been the culprit.
kcasey
12 Comments
Re: Happened to us
Probably wasn't "SQL" per se but rather the application code used to read/write from SQL that allowed them to succeed in their attack--typically this would be through what's known as a SQL injection attack. If SQL was directly exposed to the internet (instead of through application code), that would have been the height of foolhardiness.
Ask your app code developers to read OWASP's top ten list of vulnerabilities--SQL injection is an easy-to-prevent but often-made blunder by inexperienced/unaware developers. And there are plenty of test tools designed to detect whether application code is vulnerable to SQL injection--so plan on testing for vulnerabilities too or you're likely to be a victim of drive-by attacks.
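The distinction kcasey draws above (the database engine versus the application code that talks to it) is easiest to see with the registrant search fiberman describes, written both ways. This is an added example, not code from either commenter's site: the table layout, the rows and the "public listing" flag are constructed, and SQLite stands in for whatever database the real site used. The first function splices the search term into the statement text; the second binds it as a parameter so the value can never become SQL grammar.

```python
"""Registrant search: string-built SQL beside its parameterized form.

Added example with a constructed schema; the same pattern applies to any
DB-API driver, not just sqlite3.
"""
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Build an in-memory table of constructed registrants.

    `public` marks whether a registrant agreed to appear in searches; the
    query is supposed to return only public rows.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE registrants ("
        "id INTEGER PRIMARY KEY, name TEXT, email TEXT, public INTEGER)"
    )
    conn.executemany(
        "INSERT INTO registrants (name, email, public) VALUES (?, ?, ?)",
        [
            ("Alice Example", "alice@example.invalid", 1),
            ("Bob Example", "bob@example.invalid", 1),
            ("Carol Hidden", "carol@example.invalid", 0),
        ],
    )
    return conn


def search_unsafe(conn: sqlite3.Connection, name: str) -> list[str]:
    """VULNERABLE: the search term is spliced into the statement text.

    A term containing a quote ends the string literal early, and whatever
    follows is parsed as SQL, so the `public = 1` filter can be bypassed.
    """
    sql = f"SELECT name FROM registrants WHERE public = 1 AND name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn: sqlite3.Connection, name: str) -> list[str]:
    """HARDENED: the search term is passed as a bound parameter.

    The statement text is fixed; the driver hands the value to the engine
    separately, so quotes in the input are just characters to compare.
    """
    sql = "SELECT name FROM registrants WHERE public = 1 AND name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


if __name__ == "__main__":
    db = setup_db()
    term = "' OR '1'='1"  # the textbook probe string, constructed input
    print("unsafe:", search_unsafe(db, term))  # leaks the non-public row too
    print("safe:  ", search_safe(db, term))    # no registrant has that name
```

The test that matters for a site owner is the second one: a search term that is not anyone's name should return nothing, regardless of what characters it contains. Any query path where that fails is the place to fix, and running the site's own search endpoints through one of the scanners kcasey mentions is how to find the paths that were missed.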