Computing

Researchers Hijack a Drive-By Botnet

The team gathered data on compromised pages and the would-be victims.

By infiltrating a criminal computer network aimed at infecting visitors to legitimate websites, university researchers have gained firsthand insight into the scale and scope of so-called “drive-by downloading.” They found more than 6,500 websites hosting malicious code that redirected nearly 340,000 visitors to malicious sites.

Drive-by downloading involves hacking into a legitimate site to covertly install malicious software on visitors’ machines or redirect them to another site.

In an unpublished paper, researchers at the University of California at Santa Barbara describe a four-month study in which they connected their servers to a collection of compromised computers known as the Mebroot botnet. Among their findings, the researchers discovered that, while the seedier sites on the Internet–those hosting porn and illegal downloads–were most effective at redirecting users to a malicious download site, business sites were more common among the compromised referrers.

“Once upon a time, you thought that if you did not browse porn, you would be safe,” says Giovanni Vigna, a UCSB professor of computer science and one of the paper’s authors. “But staying away from the seedy places on the Internet is no longer an assurance of staying safe.”

First discovered by researchers in late 2007, the Mebroot network uses compromised websites to redirect visitors to centralized download servers that attempt to infect the victim’s computer. The malicious software, named for its tactic of infecting a Windows computer’s master boot record (MBR), shows signs of professional programming, including a rapid cycle of debugging, researchers say.

“It is definitely one of the most advanced and professional botnets out there,” says Kimmo Kasslin, director of security response for antivirus firm F-Secure, which is based in Helsinki, Finland.

Using a variety of methods, the criminals behind Mebroot infect legitimate Web servers with Javascript code. The code redirects visitors to a different Internet domain, which changes every day, and where a malicious server attempts to compromise their computer with a program that provides the botnet’s owners with remote control over that machine.

The custom domain generation technique is a relatively sophisticated way to foil attempts to permanently shut down the network, the researchers say. Older drive-by download schemes have redirected victims to a hard-coded Web address. Rather than a static address, the Javascript used by Mebroot generates a new address every day, similar to the domain algorithm used by another computer pest called Conficker. However, because the algorithm relies on known inputs–namely the date–domains can be precomputed, aiding the defenders. The Conficker Working Group, for example, attempted to reserve future domains at least a month in advance.

During the four months the researchers studied Mebroot, the infection network used three different domain-generation algorithms, two of which only used the day’s date as an input. The last variant, however, adds a variable that cannot be easily guessed well in advance: The second characters of the day’s most popular search term on Twitter.

“They (Mebroot’s creators) used a variable that was not in control of the bad guys or the good guys,” says Marco Cova, a UCSB student and a coauthor of the paper.

After they reverse-engineered the domain-generation algorithm, the researchers temporarily hijacked Mebroot by mirroring the steps the compromised websites take to calculate the current day’s domain and registering those domains themselves. But the researchers noticed that when they registered a domain for their sinkhole servers, the Mebroot gang would react by registering future domains faster.

The researchers were also able to profile the typical victim of the network. Almost 64 percent of the visitors redirected to the researchers’ servers were running Windows XP, while 23 percent were using Windows Vista. The next two most popular operating systems were Mac OS X 10.4 “Tiger” and Mac OS X 10.5 “Leopard,” which accounted for 6.4 percent of all visitors.

The researchers never compromised visitors’ systems. But they were able to find evidence that they had been infected by analyzing two kinds of information sent over the network. One suggested that 6.5 percent of visitors were infected with malware. The other indicated that 13.3. percent of systems had been modified by malicious or unwanted files. Moreover, more than half–about 54 percent–were running some sort of antivirus software. About 12 percent of those running the security software were also infected by malware, the researchers found.

The researchers also discovered that nearly 70 percent of those redirected by Mebroot–as classified by Internet address–were vulnerable to one of almost 40 vulnerabilities regularly used by the most popular infection toolkits designed to compromise computer systems. About half that number were vulnerable to the six specific vulnerabilities used by the Mebroot toolkit.

The research suggests that users need to update more often, says UCSB’s Vigna.

“Patches are very good at reducing the exposure of the end users, but users are not very good at updating their system,” he says.

Uh oh–you've read all five of your free articles for this month.

Insider Online Only

$19.95/yr US PRICE

Computing

From the latest smartphones to advances in quantum computing, the hardware behind today's digital age is rapidly changing.

You've read of free articles this month.