“In order to be allowed to run this experiment, we had to take serious precautions to make sure it would never leak,” says Bureau. Many other computers at the host university were no doubt running versions of Windows much like those used in the experiment. The cluster was physically disconnected from the wider network, and everything had to be loaded onto it using DVDs rather than by connecting to another computer, even for a short time.
One result of the experiments was an insight into the challenges of running a botnet, says Bureau. Experts had noticed that the encryption used to secure messages between individual bots and the command-and-control server was weak and assumed its designers were bad coders. In fact, it was likely an intentional design decision, says Bureau. “We found our command-and-control server quickly overwhelmed by the load of the cryptography. We understood that they had made certain decisions because of the heavy demands of a large botnet.”
The team also tried out a “Sybil attack,” which involves adding fake bots to the network to influence its behavior. Experiments showed that this approach could stop the botnet from sending out spam altogether.
Thorsten Holz, who leads research on botnets and malware at Ruhr University Bochum, Germany, agrees that a captive botnet is a useful research tool. “It’s a controlled environment where you can do anything,” he says.
Holz was part of a team that injected messages into the control network of the Storm worm, a widespread predecessor to Waledac, to study its behavior. Interpreting the results were complicated by the fact that groups at Georgia Tech and the University of California, San Diego, were doing the same thing. “We were all seeing messages appear that had been injected by the other research groups,” says Holz. “It became a playground for injection strategies, and that complicated our results.”
A captive botnet will never be exactly like one at large in the wild, says Holz. “The drawback is that you cannot emulate everything,” he says. A typical Waledac botnet would contain 50,000 - 100,000 infected computers, as against the 3,000 in the experiment. A real botnet’s behavior would also be shaped by the patterns of traffic on the Internet from other sources, something not captured by the simulation.
Bureau says he hopes to see and do more such experiments—for example, to reveal the workings of less well understood malware. “Now we have proved it is possible for the first time, I hope to see the computing resources made available to do more.”