Technology Review - Published By MIT

Researchers Hijack a Drive-By Botnet

The team gathered data on compromised pages and the would-be victims.

By Robert Lemos

Friday, October 02, 2009


By infiltrating a criminal computer network aimed at infecting visitors to legitimate websites, university researchers have gained firsthand insight into the scale and scope of so-called "drive-by downloading." They found more than 6,500 websites hosting malicious code that redirected nearly 340,000 visitors to malicious sites.


Drive-by downloading involves hacking into a legitimate site to covertly install malicious software on visitors' machines or redirect them to another site.

In an unpublished paper, researchers at the University of California at Santa Barbara describe a four-month study in which they connected their servers to a collection of compromised computers known as the Mebroot botnet. Among their findings, the researchers discovered that, while the seedier sites on the Internet--those hosting porn and illegal downloads--were most effective at redirecting users to a malicious download site, business sites were more common among the compromised referrers.

"Once upon a time, you thought that if you did not browse porn, you would be safe," says Giovanni Vigna, a UCSB professor of computer science and one of the paper's authors. "But staying away from the seedy places on the Internet is no longer an assurance of staying safe."

First discovered by researchers in late 2007, the Mebroot network uses compromised websites to redirect visitors to centralized download servers that attempt to infect the victim's computer. The malicious software, named for its tactic of infecting a Windows computer's master boot record (MBR), shows signs of professional programming, including a rapid cycle of debugging, researchers say.

"It is definitely one of the most advanced and professional botnets out there," says Kimmo Kasslin, director of security response for antivirus firm F-Secure, which is based in Helsinki, Finland.


Using a variety of methods, the criminals behind Mebroot infect legitimate Web servers with JavaScript code. The code redirects visitors to a different Internet domain, which changes every day, where a malicious server attempts to compromise their computer with a program that gives the botnet's owners remote control over that machine.

The custom domain generation technique is a relatively sophisticated way to foil attempts to permanently shut down the network, the researchers say. Older drive-by download schemes redirected victims to a hard-coded Web address. Rather than using a static address, the JavaScript used by Mebroot generates a new address every day, similar to the domain algorithm used by another computer pest called Conficker. However, because the algorithm relies on known inputs--namely the date--the domains can be precomputed, which aids defenders. The Conficker Working Group, for example, attempted to reserve future domains at least a month in advance.
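The precomputation the article mentions is easiest to see with a concrete date-seeded generator. The following is an added example, not Mebroot's or Conficker's actual algorithm and not code from the researchers: it assumes a toy generator whose only inputs are a fixed seed string (here `'hypothetical-seed'`) and the UTC calendar date, uses the reserved `.example` top-level domain, and fixes the label length at 12 characters. The defender side walks forward from a start date to list every domain the script will produce, then screens a constructed proxy log against that list.

```javascript
// Added example: a toy date-seeded domain generator and the defender's
// precomputation step. Not Mebroot's real algorithm; the seed, label length
// and the reserved ".example" TLD are all assumptions made for illustration.

// 32-bit FNV-1a hash: small, dependency-free and fully deterministic.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h;
}

// The generator's only inputs are a fixed seed and the UTC calendar date.
// Because both are known to anyone who has the script, the output for any
// future day can be computed ahead of time.
function domainForDate(date, seed = 'hypothetical-seed') {
  const day = date.toISOString().slice(0, 10); // YYYY-MM-DD
  let label = '';
  for (let i = 0; i < 12; i++) {
    label += String.fromCharCode(97 + (fnv1a(`${seed}|${day}|${i}`) % 26));
  }
  return `${label}.example`;
}

// Defender side: walk forward from a start date and list every domain the
// script will produce, one entry per day.
function precomputeDomains(startDate, days, seed = 'hypothetical-seed') {
  const out = [];
  for (let d = 0; d < days; d++) {
    const date = new Date(Date.UTC(
      startDate.getUTCFullYear(), startDate.getUTCMonth(), startDate.getUTCDate() + d));
    out.push({ date: date.toISOString().slice(0, 10), domain: domainForDate(date, seed) });
  }
  return out;
}

// Turn the precomputed schedule into a lookup set for proxy or DNS logs.
function buildBlocklist(entries) {
  return new Set(entries.map((e) => e.domain));
}

// Screen log lines of the form "<timestamp> <client> <hostname>" and return
// the ones whose hostname is on the precomputed list.
function screenLog(lines, blocklist) {
  return lines.filter((line) => {
    const host = line.trim().split(/\s+/)[2];
    return host !== undefined && blocklist.has(host.toLowerCase());
  });
}

// Constructed sample: 30 days of domains starting at the article's publication
// date, then a small fabricated proxy log with one visit to a generated domain.
const start = new Date(Date.UTC(2009, 9, 2)); // 2 Oct 2009 (months are 0-based)
const schedule = precomputeDomains(start, 30);
const blocklist = buildBlocklist(schedule);
const sampleLog = [
  '2009-10-10T08:01:02Z 10.0.0.5 www.example',
  `2009-10-10T08:01:03Z 10.0.0.5 ${domainForDate(new Date(Date.UTC(2009, 9, 10)))}`,
  '2009-10-10T08:02:11Z 10.0.0.7 updates.example',
];
const hits = screenLog(sampleLog, blocklist);

console.log('first five scheduled domains:', schedule.slice(0, 5));
console.log('log lines hitting the precomputed list:', hits);
```

The point of the example is the asymmetry the article describes: the generator needs nothing secret, so the same function that produces tomorrow's redirect target also produces a month of blocklist entries or registration candidates for the defender. Any real generator that mixes in an unpredictable input (for example, a value fetched from a server the attacker controls) breaks this precomputation, which is the reason later botnets moved in that direction.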

Comments

  • Happened to us
    Exactly as described!
    However, the important issue is how they compromised the website - they appear to have hacked a SQL database we used for allowing registrants to list themselves for searches. SQL seems to have been the culprit.

    fiberman
    10/02/2009

MIT Massachusetts Institute of Technology © 2009 Technology Review. All Rights Reserved.