Technology Review - Published By MIT

Researchers Hijack a Drive-By Botnet

Continued from page 1

By Robert Lemos

Friday, October 02, 2009


During the four months the researchers studied Mebroot, the infection network used three different domain-generation algorithms, two of which used only the day's date as input. The last variant, however, adds a variable that cannot easily be guessed well in advance: the second character of the day's most popular search term on Twitter.

"They (Mebroot's creators) used a variable that was not in control of the bad guys or the good guys," says Marco Cova, a UCSB student and a coauthor of the paper.

After they reverse-engineered the domain-generation algorithm, the researchers temporarily hijacked Mebroot by mirroring the steps the compromised websites take to calculate the current day's domain and registering those domains themselves. But the researchers noticed that when they registered a domain for their sinkhole servers, the Mebroot gang would react by registering future domains faster.
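The distinction between the date-only generators and the Twitter-seeded one, and why the former could be sinkholed in advance, as an added toy illustration in Python (this is constructed example code, not Mebroot's algorithm or the researchers' code; the SHA-256 seeding, eight-letter labels and the ".example" suffix are assumptions):

```python
import hashlib
from datetime import date, timedelta

# Placeholder suffix; the real TLDs used by Mebroot are not stated on this page.
SUFFIX = ".example"
# Constructed sample day (the article's publication date).
PUBLICATION_DAY = date(2009, 10, 2)


def _domain_from_seed(seed: str, length: int = 8) -> str:
    """Map a seed string to a lowercase label via SHA-256 (constructed toy scheme)."""
    digest = hashlib.sha256(seed.encode()).digest()
    label = "".join(chr(ord("a") + b % 26) for b in digest[:length])
    return label + SUFFIX


def date_only_domain(day: date) -> str:
    """Variants 1 and 2 on the page: the date is the only input, so anyone who has
    reversed the algorithm can compute any future day's domain."""
    return _domain_from_seed(day.isoformat())


def trend_seeded_domain(day: date, top_trend: str) -> str:
    """Variant 3 on the page: the second character of the day's top Twitter term is
    mixed in. That character is unknown until the day arrives, so the exact domain
    cannot be computed ahead of time by either side."""
    if len(top_trend) < 2:
        raise ValueError("trend term must have at least two characters")
    return _domain_from_seed(day.isoformat() + "|" + top_trend[1].lower())


def sinkhole_plan(start: date, days_ahead: int) -> list[str]:
    """Defender's view of the date-only variant: the domains to register in advance so
    that redirected victims land on a sinkhole instead of the operator's server."""
    return [date_only_domain(start + timedelta(days=i)) for i in range(days_ahead)]


def candidate_domains_today(day: date, candidate_trends: list[str]) -> set[str]:
    """For the trend-seeded variant, the most a defender can prepare is the set of
    domains implied by a list of plausible trends (at most 26 distinct second letters),
    not a single known domain."""
    return {trend_seeded_domain(day, t) for t in candidate_trends}
```

The sinkhole list for the date-only variant is deterministic and can be produced for any horizon, whereas the trend-seeded variant only collapses to one domain once the day's top term is known.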

The researchers were also able to profile the typical victim of the network. Almost 64 percent of the visitors redirected to the researchers' servers were running Windows XP, while 23 percent were using Windows Vista. The next two most popular operating systems were Mac OS X 10.4 "Tiger" and Mac OS X 10.5 "Leopard," which accounted for 6.4 percent of all visitors.

The researchers never compromised visitors' systems, but they were able to find evidence that some of those systems had already been infected by analyzing two kinds of information sent over the network. One suggested that 6.5 percent of visitors were infected with malware; the other indicated that 13.3 percent of systems had been modified by malicious or unwanted files. Moreover, more than half (about 54 percent) were running some sort of antivirus software, and about 12 percent of those running the security software were also infected by malware, the researchers found.

The researchers also discovered that nearly 70 percent of those redirected by Mebroot (classified by Internet address) were vulnerable to one of almost 40 vulnerabilities regularly used by the most popular infection toolkits designed to compromise computer systems. About half that number were vulnerable to the six specific vulnerabilities used by the Mebroot toolkit.

The research suggests that users need to update more often, says UCSB's Vigna.

"Patches are very good at reducing the exposure of the end users, but users are not very good at updating their system," he says.

Comments

  • Happened to us
    Exactly as described!
    However, the important issue is how they compromised the website - they appear to have hacked a SQL database we used for allowing registrants to list themselves for searches. SQL seems to have been the culprit.

    fiberman
    10/02/2009

MIT Massachusetts Institute of Technology © 2009 Technology Review. All Rights Reserved.