Intelligent Machines

Raising a Botnet in Captivity

Researchers created their own, imprisoned, network of zombie computers to better learn how to take down those at large on the Internet.

To catch a criminal, sometimes you have to think like one.

So researchers on the trail of cybercrooks that use armies of infected computers, known as botnets, to send out spam e-mail or to attack websites are building botnets of their own. Fortunately, the new approach is being tested using a high-powered computing cluster that is safely isolated from the Internet.

“We set up what we thought would be the closest to a botnet in the wild,” says Pierre-Marc Bureau, a researcher with computer security firm ESET, part of the project led by a team at Ecole Polytechnique de Montreal with collaborators at Nancy University, France, and Carlton University, Canada. “To our knowledge, this is the first such realistic experiment,” he says.

Over 3,000 copies of Windows XP were installed on a cluster of 98 servers at Ecole Polytechnique. Each virtual computer system was wrapped in software that linked it up to the others as if it were an individual computer connected to the Internet or a local network. Every system was also infected with the Waledac worm, a piece of now well understood and largely vanquished software that at the start of 2010 was estimated by Microsoft to control hundreds of thousands of computers and to send out 1.5 billion spam messages a day.

The team mimicked the control structure needed to take charge of a Waledac botnet, in which a central command-and-control server sends orders to a handful of bots that then spread those instructions to other machines.

In recent years, researchers have developed techniques to eavesdrop on live botnet communications and even to inject messages into these communications. Building a complete botnet in an experimental environment allows much more freedom, though, says Bureau. “When you experiment on a live botnet, you may provoke a bad reaction from its owner that harms infected machines,” he explains, and then “you are also potentially controlling the machines of innocent users, which has ethical and legal problems.”

Having their own botnet also gave the researchers the luxury of being able to observe it inside and out as it operated normally or was attacked by someone trying to disable the network, and also to run multiple trials that yielded statistically significant results.

It was, Bureau says, something of a challenge to convince the owner of a cluster worth around $1 million that installing malware onto it was a good idea.

“In order to be allowed to run this experiment, we had to take serious precautions to make sure it would never leak,” says Bureau. Many other computers at the host university were no doubt running versions of Windows much like those used in the experiment. The cluster was physically disconnected from the wider network, and everything had to be loaded onto it using DVDs rather than by connecting to another computer, even for a short time.

One result of the experiments was an insight into the challenges of running a botnet, says Bureau. Experts had noticed that the encryption used to secure messages between individual bots and the command-and-control server was weak and assumed its designers were bad coders. In fact, it was likely an intentional design decision, says Bureau. “We found our command-and-control server quickly overwhelmed by the load of the cryptography. We understood that they had made certain decisions because of the heavy demands of a large botnet.”

The team also tried out a “Sybil attack,” which involves adding fake bots to the network to influence its behavior. Experiments showed that this approach could stop the botnet from sending out spam altogether.

Thorsten Holz, who leads research on botnets and malware at Ruhr University Bochum, Germany, agrees that a captive botnet is a useful research tool. “It’s a controlled environment where you can do anything,” he says.

Holz was part of a team that injected messages into the control network of the Storm worm, a widespread predecessor to Waledac, to study its behavior. Interpreting the results were complicated by the fact that groups at Georgia Tech and the University of California, San Diego, were doing the same thing. “We were all seeing messages appear that had been injected by the other research groups,” says Holz. “It became a playground for injection strategies, and that complicated our results.”

A captive botnet will never be exactly like one at large in the wild, says Holz. “The drawback is that you cannot emulate everything,” he says. A typical Waledac botnet would contain 50,000 - 100,000 infected computers, as against the 3,000 in the experiment. A real botnet’s behavior would also be shaped by the patterns of traffic on the Internet from other sources, something not captured by the simulation.

Bureau says he hopes to see and do more such experiments—for example, to reveal the workings of less well understood malware. “Now we have proved it is possible for the first time, I hope to see the computing resources made available to do more.”

Become an MIT Technology Review Insider for in-depth analysis and unparalleled perspective.
Subscribe today

Uh oh–you've read all five of your free articles for this month.

Insider Premium

$179.95/yr US PRICE

More from Intelligent Machines

Artificial intelligence and robots are transforming how we work and live.

Want more award-winning journalism? Subscribe to Insider Plus.

  • Insider Plus {! !}*

    {! insider.display.menuOptionsLabel !}

    Everything included in Insider Basic, plus ad-free web experience, select discounts to partner offerings and MIT Technology Review events

    See details+

    What's Included

    Bimonthly home delivery and unlimited 24/7 access to MIT Technology Review’s website.

    The Download. Our daily newsletter of what's important in technology and innovation.

    Access to the Magazine archive. Over 24,000 articles going back to 1899 at your fingertips.

    Special Discounts to select partner offerings

    Discount to MIT Technology Review events

    Ad-free web experience

You've read of free articles this month.