
MIT Technology Review


The researchers analyzed 15 messages they had collected by monitoring a MegaD bot: seven commands sent from the control servers and eight responses from the bot. The Dispatcher tool analyzed the bot as it ran on the virtual machine and automatically detected the point at which the program had decrypted incoming commands but had not yet encrypted its responses, so both directions of traffic could be read in the clear.

Network administrators can also use the Dispatcher tool to infiltrate the botnet. MegaD clients typically check whether they can send e-mail, so as to become a useful cog in a spamming campaign. Because the researchers block all outgoing mail traffic, the client would normally report to the controlling server that its mail test had failed. The researchers instead modified the message en route, replacing it with the code for a successful spamming test.

“Normally, it would have sent a message saying that it can’t spam,” UC Berkeley’s Caballero says. “We [instead] actually got the spam template, so we could see what sort of spam it would send out.”

Tools such as Dispatcher could expand what is currently a small number of researchers who regularly reverse engineer botnets, says Joe Stewart, senior security researcher for SecureWorks, a network security firm. “It would solve a problem that the world has – having enough people to analyze botnets,” he says. “There are only so many people who can do reverse engineering on botnets. You have a cadre of enthusiasts who could use this to help them.”

Stewart adds, however, that experienced researchers don’t yet need such automated tools for analyzing most malware. While more complicated botnets can take weeks to reverse engineer, run-of-the-mill malware encountered by most companies and organizations is no problem at all. More than 90 percent of all botnets use easy-to-break encryption to protect their communications, making manual techniques relatively easy and fast.

“Not every (bot master) needs the MegaD-type encryption,” Stewart says. “I just don’t think it is worth their time, not with the effect we are having on them now, which is minimal.”

Yet botnets will continue to evolve, says UC Berkeley’s Song. “Botnet programs are becoming more complicated,” she says. “They are using various obfuscation techniques and so on. So maybe manual analysis can work for now, but in the future, we will need better tools.”


Credit: Technology Review
