Experimental botnet reveals long sought answers

Is there a better way of analyzing the ins and outs of a botnet than making one yourself? The answer to that question was negative for ESET’s researcher Pierre-Marc Bureau and the rest of a team at Ecole Polytechnique de Montreal.

Aided by colleagues from Nancy University in France and Carlton University in Canada, they used a cluster of 98 servers, installed some 3,000 copies of Windows XP on as many virtual systems, linked them among themselves and infected them with the well-known Waledac worm.

They also simulated the control structure of a Waledac botnet – a C&C server that controls a small number of bots, which in turn send orders to the rest.

A botnet such as this allowed the researchers to use some techniques that they would be loath to use on a live botnet because of questionable legality and ethical issues tied to the controlling of other people’s machines without their knowledge.

They were also able to perform multiple and different attacks against it – a move that wouldn’t be kindly met by the owners of a live one and might provoke them into wreaking havoc on the zombie machines.

One of the attacks used that has shown very positive results was a “Sybil attack” – an attack that consists of inserting fake bots into the botnet in order to effect changes in its behavior, and which resulted in the botnet stopping sending out spam.

Technology Review reports that they also managed to get the answers to some questions that have been bugging them for a while. For example: Why do botnet masters use weak encryption for the communication between bots and the C&C center?

Testing the used of stronger encryption resulted in the C&C server being overwhelmed with the complexity of the demand – and this was a botnet of only 3,000 machines. Very large botnets have to use WEAK encryption for the C&C server to be able to handle the requests.

Of course, since this botnet wasn’t connected to any other network or the Internet, the researchers couldn’t really see how it would be influenced by patterns of traffic coming from it, so answers pertaining to that will have to wait to be answered another time. But even though limited by a number of things, this experiment has proven to be most successful, and Bureau thinks it would be ideal setting for studying the workings of other, less understood malware.




Share this