
Researchers Hijack a Drive-By Botnet

(Page 2 of 2)

  • Friday, October 2, 2009
  • By Robert Lemos

During the four months the researchers studied Mebroot, the infection network used three different domain-generation algorithms, two of which only used the day's date as an input. The last variant, however, adds a variable that cannot be easily guessed well in advance: The second characters of the day's most popular search term on Twitter.

"They (Mebroot's creators) used a variable that was not in control of the bad guys or the good guys," says Marco Cova, a UCSB student and a coauthor of the paper.

After they reverse-engineered the domain-generation algorithm, the researchers temporarily hijacked Mebroot by mirroring the steps the compromised websites take to calculate the current day's domain and registering those domains themselves. But the researchers noticed that when they registered a domain for their sinkhole servers, the Mebroot gang would react by registering future domains faster.
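The two ideas in the paragraphs above, a domain-generation algorithm seeded by the day's date and a defender who runs the same computation to register or watch for the day's domain before the operators do, can be shown with a small example. The code below is an added illustration, not the researchers' code and not Mebroot's real algorithm: the hashing scheme, the TLD set, the `extra` token (which stands in for the unpredictable Twitter-derived input of the third variant) and the DNS log lines are all constructed here.

```python
import hashlib
from datetime import date, timedelta

# Constructed TLD set for the toy algorithm (not Mebroot's).
TLDS = ("com", "net", "org")


def daily_domain(day: date, extra: str = "") -> str:
    """Hypothetical date-seeded DGA: hash the ISO date (plus an optional
    external token) and map the first bytes of the digest to letters.
    With extra="" the output depends only on the date, like the first two
    Mebroot variants; a non-empty extra models the third variant's
    dependence on a value nobody controls or knows ahead of time."""
    seed = f"{day.isoformat()}|{extra}".encode()
    digest = hashlib.sha256(seed).digest()
    label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
    return f"{label}.{TLDS[digest[12] % len(TLDS)]}"


def upcoming_domains(start: date, days: int, extra: str = "") -> list:
    """Defender-side precomputation: the domains the algorithm will produce
    for the next `days` days, usable as a sinkhole registration list or a
    DNS watchlist. Only possible when every input is known in advance."""
    return [daily_domain(start + timedelta(days=i), extra) for i in range(days)]


def find_dga_lookups(log_lines, watchlist) -> list:
    """Return the log lines whose queried name is on the watchlist.
    Constructed log format: '<timestamp> <client-ip> query <qname>'."""
    wanted = set(watchlist)
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) >= 4 and parts[2] == "query":
            if parts[3].lower().rstrip(".") in wanted:
                hits.append(line)
    return hits


# Constructed sample data: the day the article was published, and a few
# fake resolver log lines, two of which look up the toy DGA's domains.
STUDY_DAY = date(2009, 10, 2)
SAMPLE_DNS_LOG = [
    f"2009-10-02T10:15:01Z 192.0.2.10 query {daily_domain(STUDY_DAY)}",
    "2009-10-02T10:15:02Z 192.0.2.10 query www.example.com",
    f"2009-10-02T10:16:30Z 192.0.2.44 query {daily_domain(STUDY_DAY + timedelta(days=1))}",
    # Third-variant style lookup: same date, but seeded with an external token.
    f"2009-10-02T10:17:00Z 192.0.2.44 query {daily_domain(STUDY_DAY, extra='h')}",
]

if __name__ == "__main__":
    watch = upcoming_domains(STUDY_DAY, 7)
    print("domains to pre-register or watch for the next week:")
    for d in watch:
        print("  ", d)
    print("matching lookups in the sample log:")
    for line in find_dga_lookups(SAMPLE_DNS_LOG, watch):
        print("  ", line)
```

The last sample line illustrates the catch the article describes: once the algorithm mixes in a value that is only known on the day itself, a watchlist computed from dates alone misses it, and a defender can only register or sinkhole the domain after that value is public, racing the operators instead of getting ahead of them.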

The researchers were also able to profile the typical victim of the network. Almost 64 percent of the visitors redirected to the researchers' servers were running Windows XP, while 23 percent were using Windows Vista. The next two most popular operating systems were Mac OS X 10.4 "Tiger" and Mac OS X 10.5 "Leopard," which accounted for 6.4 percent of all visitors.

The researchers never compromised visitors' systems. But they were able to find evidence that they had been infected by analyzing two kinds of information sent over the network. One suggested that 6.5 percent of visitors were infected with malware. The other indicated that 13.3 percent of systems had been modified by malicious or unwanted files. Moreover, more than half--about 54 percent--were running some sort of antivirus software. About 12 percent of those running the security software were also infected by malware, the researchers found.

The researchers also discovered that nearly 70 percent of those redirected by Mebroot--as classified by Internet address--were vulnerable to one of almost 40 vulnerabilities regularly used by the most popular infection toolkits designed to compromise computer systems. About half that number were vulnerable to the six specific vulnerabilities used by the Mebroot toolkit.

The research suggests that users need to update more often, says UCSB's Vigna.

"Patches are very good at reducing the exposure of the end users, but users are not very good at updating their system," he says.




fiberman

186 Comments

  • 866 Days Ago
  • 10/02/2009

Happened to us

Exactly as described!
However, the important issue is how they compromised the website - they appear to have hacked a SQL database we used for allowing registrants to list themselves for searches. SQL seems to have been the culprit.


kcasey

12 Comments

  • 862 Days Ago
  • 10/06/2009

Re: Happened to us

Probably wasn't "SQL" per se but rather the application code used to read/write from SQL that allowed them to succeed in their attack--typically this would be thru what's known as a SQL injection attack. If SQL was directly exposed to the internet (instead of thru application code), that would have been the height of foolhardiness.

Ask your app code developers to read OWASP's top ten list of vulnerabilities--SQL injection is an easy-to-prevent but often-made blunder by inexperienced/unaware developers. And there are plenty of test tools designed to detect whether application code is vulnerable to SQL injection--so plan on testing for vulnerabilities too or you're likely to be a victim of drive-by attacks.

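The distinction kcasey draws above, between the database and the application code that builds queries for it, is the whole of the SQL injection problem. The following is an added example, not code from the article, the commenters or the affected site: a registrant search written the unsafe way (string formatting) next to the same search using a parameterized query, run against a constructed in-memory SQLite table.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample table standing in for a registrant list."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE registrants (id INTEGER PRIMARY KEY, name TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO registrants (name, email) VALUES (?, ?)",
        [
            ("Alice Ng", "alice@example.org"),
            ("Bob Roe", "bob@example.org"),
            ("Carol Diaz", "carol@example.org"),
        ],
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    """Unsafe: the user-supplied term is pasted into the SQL text, so a
    quote character in the input changes the structure of the query."""
    query = f"SELECT name FROM registrants WHERE name LIKE '%{term}%'"
    return [row[0] for row in conn.execute(query)]


def search_safe(conn: sqlite3.Connection, term: str) -> list:
    """Safe: the term travels as a bound parameter. The database driver
    treats it as data, never as SQL, whatever characters it contains."""
    query = "SELECT name FROM registrants WHERE name LIKE ?"
    return [row[0] for row in conn.execute(query, (f"%{term}%",))]


if __name__ == "__main__":
    db = build_db()
    # Ordinary use: both versions return the same matches.
    print(search_safe(db, "ali"), search_vulnerable(db, "ali"))
    # A term containing a quote: the unsafe version's WHERE clause no longer
    # filters by name at all; the safe version looks for that literal text.
    odd_term = "' OR '1'='1"
    print(search_vulnerable(db, odd_term))  # every registrant
    print(search_safe(db, odd_term))        # no rows
```

The fix is not to "sanitize" the term by hand but to stop concatenating it into SQL at all; every mainstream database driver supports placeholders like the `?` above, and OWASP's guidance on injection is essentially this one rule applied everywhere user input reaches a query.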

tftpgh

1 Comment

  • 862 Days Ago
  • 10/06/2009

How effective is browser safe mode?

If visitors use the safe mode of a browser (e.g., FireFox), are they still vulnerable to methods of infection used by the botnets?


dmm

270 Comments

  • 862 Days Ago
  • 10/06/2009

Easy Solution

I don't understand why this is allowed to continue.  Where is law enforcement?  Why aren't the perpetrators flogged to death in the public square?  (That's just my preference.  I'd settle for putting them in prison.)

If they are operating with impunity because a gov't is protecting them, then cut off that country entirely from the web (and cut off any country that refuses to cut them off).  I'd happily give up access to Russian web sites (for example) in exchange for a safe internet.


kcasey

12 Comments

  • 862 Days Ago
  • 10/06/2009

Re: Easy Solution

They operate with impunity because the botnets don't exist in any country--they move from server to server across the internet landscape--they take over a website of a legitimate company--they then infect legitimate users' computers, then they infect ten more servers and 100 more PCs... They don't care if the website or the user's computer is in the US or Russia or Liberia--think like a disease. You can't outlaw the flu and the flu doesn't care about arbitrary things like borders. It spreads because people don't take precautions (and even spreads sometimes when they do)--I suppose you could fine people for not updating their systems (and thus contributing to the spread of botnets), but that's a bit of the "kill-the-homeless-and-feed-them-to-the-hungry" type of solution that's not going to fly very well with end users. And even if you did, there would still be polymorphic and emergent viral code that could infect a patched system (so who do you sue then?).

The anger and frustration is understood well--but a simplistic, arrest-em-all (or kill-em-all) attitude isn't a practical, useful response to the threat.

If you want to do something useful to combat the villains, update your PC. Update your mother's and your neighbor's PC. Get them to run automatic updates--show them how. Teach them. Keep their antivirus software updated. Use common sense when browsing the internet.

And, as for the flu, wash your hands. Stay home from work when you are sick. If you have to sneeze or cough, cover your mouth (preferably with the crook of your elbow).


pao2

6 Comments

  • 861 Days Ago
  • 10/07/2009

Re: Easy Solution

I think dmm is referring to the original creators of the bots. Somebody created these bots and released them onto the World Wide Web, and they started spreading like wildfire.

There are laws that will send them to prison if they are caught. However, it is difficult to bring down an international crook, or any crook for that matter. The internet's anonymity and the bots' modus operandi, as explained in the article and by kcasey above, make it very complex to identify those that are responsible.

Until scientists come up with an immunization for computer bots, the logical option is to follow kcasey's prescriptions.


nekote

139 Comments

  • 859 Days Ago
  • 10/09/2009

Re: Easy Solution

kcasey, one of the best posts I've seen in a while.

Nice.


macslayer

2 Comments

  • 832 Days Ago
  • 11/05/2009

Hmmm

Uhhh, why doesn't someone write a botnet to hijack and update, scan and repair all the computers people are not updating? :)


Botnet_Tracker

1 Comment

  • 777 Days Ago
  • 12/30/2009

Re: Hmmm

A good idea! :?


eric.jernigan

1 Comment

  • 742 Days Ago
  • 02/03/2010

Re: Hmmm

You wouldn't dare, no matter how cool, powerful, good looking and rich it would make you... plus I think creating such a killer (literally) app would stop male pattern baldness!
