Select your localized edition:

Close ×

More Ways to Connect

Discover one of our 28 local entrepreneurial communities »

Be the first to know as we launch in new countries and markets around the globe.

Interested in bringing MIT Technology Review to your local market?

MIT Technology ReviewMIT Technology Review - logo


Unsupported browser: Your browser does not meet modern web standards. See how it scores »

{ action.text }

“In order to be allowed to run this experiment, we had to take serious precautions to make sure it would never leak,” says Bureau. Many other computers at the host university were no doubt running versions of Windows much like those used in the experiment. The cluster was physically disconnected from the wider network, and everything had to be loaded onto it using DVDs rather than by connecting to another computer, even for a short time.

One result of the experiments was an insight into the challenges of running a botnet, says Bureau. Experts had noticed that the encryption used to secure messages between individual bots and the command-and-control server was weak and assumed its designers were bad coders. In fact, it was likely an intentional design decision, says Bureau. “We found our command-and-control server quickly overwhelmed by the load of the cryptography. We understood that they had made certain decisions because of the heavy demands of a large botnet.”

The team also tried out a “Sybil attack,” which involves adding fake bots to the network to influence its behavior. Experiments showed that this approach could stop the botnet from sending out spam altogether.

Thorsten Holz, who leads research on botnets and malware at Ruhr University Bochum, Germany, agrees that a captive botnet is a useful research tool. “It’s a controlled environment where you can do anything,” he says.

Holz was part of a team that injected messages into the control network of the Storm worm, a widespread predecessor to Waledac, to study its behavior. Interpreting the results were complicated by the fact that groups at Georgia Tech and the University of California, San Diego, were doing the same thing. “We were all seeing messages appear that had been injected by the other research groups,” says Holz. “It became a playground for injection strategies, and that complicated our results.”

A captive botnet will never be exactly like one at large in the wild, says Holz. “The drawback is that you cannot emulate everything,” he says. A typical Waledac botnet would contain 50,000 - 100,000 infected computers, as against the 3,000 in the experiment. A real botnet’s behavior would also be shaped by the patterns of traffic on the Internet from other sources, something not captured by the simulation.

Bureau says he hopes to see and do more such experiments—for example, to reveal the workings of less well understood malware. “Now we have proved it is possible for the first time, I hope to see the computing resources made available to do more.”

0 comments about this story. Start the discussion »

Credit: Technology Review

Tagged: Computing, security, hackers, malware, spam, cyber security, botnet, viruses

Reprints and Permissions | Send feedback to the editor

From the Archives


Introducing MIT Technology Review Insider.

Already a Magazine subscriber?

You're automatically an Insider. It's easy to activate or upgrade your account.

Activate Your Account

Become an Insider

It's the new way to subscribe. Get even more of the tech news, research, and discoveries you crave.

Sign Up

Learn More

Find out why MIT Technology Review Insider is for you and explore your options.

Show Me