To catch a criminal, sometimes you have to think like one.
So researchers on the trail of cybercrooks that use armies of infected computers, known as botnets, to send out spam e-mail or to attack websites are building botnets of their own. Fortunately, the new approach is being tested using a high-powered computing cluster that is safely isolated from the Internet.
“We set up what we thought would be the closest to a botnet in the wild,” says Pierre-Marc Bureau, a researcher with computer security firm ESET, part of the project led by a team at Ecole Polytechnique de Montreal with collaborators at Nancy University, France, and Carleton University, Canada. “To our knowledge, this is the first such realistic experiment,” he says.
Over 3,000 copies of Windows XP were installed on a cluster of 98 servers at Ecole Polytechnique. Each virtual computer system was wrapped in software that linked it up to the others as if it were an individual computer connected to the Internet or a local network. Every system was also infected with the Waledac worm, a piece of now well understood and largely vanquished software that at the start of 2010 was estimated by Microsoft to control hundreds of thousands of computers and to send out 1.5 billion spam messages a day.
The team mimicked the control structure needed to take charge of a Waledac botnet, in which a central command-and-control server sends orders to a handful of bots that then spread those instructions to other machines.
In recent years, researchers have developed techniques to eavesdrop on live botnet communications and even to inject messages into these communications. Building a complete botnet in an experimental environment allows much more freedom, though, says Bureau. “When you experiment on a live botnet, you may provoke a bad reaction from its owner that harms infected machines,” he explains, and then “you are also potentially controlling the machines of innocent users, which has ethical and legal problems.”
Having their own botnet also gave the researchers the luxury of being able to observe it inside and out as it operated normally or was attacked by someone trying to disable the network, and also to run multiple trials that yielded statistically significant results.
It was, Bureau says, something of a challenge to convince the owner of a cluster worth around $1 million that installing malware onto it was a good idea.
“In order to be allowed to run this experiment, we had to take serious precautions to make sure it would never leak,” says Bureau. Many other computers at the host university were no doubt running versions of Windows much like those used in the experiment. The cluster was physically disconnected from the wider network, and everything had to be loaded onto it using DVDs rather than by connecting to another computer, even for a short time.
One result of the experiments was an insight into the challenges of running a botnet, says Bureau. Experts had noticed that the encryption used to secure messages between individual bots and the command-and-control server was weak and assumed its designers were bad coders. In fact, it was likely an intentional design decision, says Bureau. “We found our command-and-control server quickly overwhelmed by the load of the cryptography. We understood that they had made certain decisions because of the heavy demands of a large botnet.”
The team also tried out a “Sybil attack,” which involves adding fake bots to the network to influence its behavior. Experiments showed that this approach could stop the botnet from sending out spam altogether.
Thorsten Holz, who leads research on botnets and malware at Ruhr University Bochum, Germany, agrees that a captive botnet is a useful research tool. “It’s a controlled environment where you can do anything,” he says.
Holz was part of a team that injected messages into the control network of the Storm worm, a widespread predecessor to Waledac, to study its behavior. Interpreting the results was complicated by the fact that groups at Georgia Tech and the University of California, San Diego, were doing the same thing. “We were all seeing messages appear that had been injected by the other research groups,” says Holz. “It became a playground for injection strategies, and that complicated our results.”
A captive botnet will never be exactly like one at large in the wild, says Holz. “The drawback is that you cannot emulate everything,” he says. A typical Waledac botnet would contain 50,000 to 100,000 infected computers, as against the 3,000 in the experiment. A real botnet’s behavior would also be shaped by the patterns of traffic on the Internet from other sources, something not captured by the simulation.
Bureau says he hopes to see and do more such experiments—for example, to reveal the workings of less well understood malware. “Now we have proved it is possible for the first time, I hope to see the computing resources made available to do more.”