Researchers Hijack Mebroot Botnet, Study Drive-By Downloads

TechReviewAl writes "Researchers at the University of California at Santa Barbara hijacked the Mebroot botnet for about a month and used it to study drive-by downloading. The researchers managed to intercept Mebroot communications by reverse-engineering the algorithm used to select domains to connect to. Mebroot infects legitimate websites and uses them to redirect users to malicious sites that attempt to install malware on a victim's machine. The team, who previously infiltrated the Torpig botnet, found that at least 13.3 percent of systems that were redirected by Mebroot were already infected and 70 percent were vulnerable to about 40 common attacks."

  • by John Hasler ( 414242 ) on Monday October 05, 2009 @04:11PM (#29649001) Homepage

    Read the article. They didn't gain control of the botnet.

  • by clone53421 ( 1310749 ) on Monday October 05, 2009 @04:17PM (#29649083) Journal

    Yes.

    They didn't exactly hijack the botnet. They just hijacked its reproductive system. RTFA.

    It spreads by a javascript which the criminals were able to inject into innocuous sites. This javascript sent visitors to an auto-generated URL which was registered by the botnet owners. This URL hosted the actual exploit which attempted to attack vulnerable visitors who landed there from the javascript. The URL changed every day, but by predicting it, the researchers were able to register domains before the botnet owners. As a result, victims of the drive-by javascript landed on the researchers' server instead of the botnet owners' servers. Needless to say, the researchers didn't attack the visitors and exploit their machines, but they did do some profiling to find out what sort of computers were hitting their server and how many of the visitors were unpatched, vulnerable boxes.

  • by amicusNYCL ( 1538833 ) on Monday October 05, 2009 @04:22PM (#29649141)

    The law criminalizes behavior, not intent. Intent is no longer necessary to be convicted in the United States.

    I'm not sure how many juries you've been on, but when I was on a jury 2 weeks ago for a criminal case the judge made it explicitly clear several times that we could only find the defendant guilty if evidence showed, beyond a reasonable doubt, that he intended to commit the crime (theft). In fact, intent is part of the definition of theft, which needs to be met in order to find someone guilty.

    Civil cases are held to a lower standard, but criminal cases require "beyond a reasonable doubt". In fact, the very reason why he was found not guilty is because the prosecutor could not prove intent in a way that satisfied the indictment. It's extremely difficult to prove intent, the prosecutor was able to show intent to commit the crime several months after the crime was allegedly committed, but because of the wording of the indictment we could not find evidence of intent when the specific events happened. The prosecutor understood why we reached the verdict we did.

    That sounds a little vague, I'll be happy to go into details of the trial if you're interested.

  • Re:70% (Score:3, Informative)

    by CodeBuster ( 516420 ) on Monday October 05, 2009 @04:29PM (#29649241)

    From TFA: "The next two most popular operating systems were Mac OS X 10.4 'Tiger' and Mac OS X 10.5 'Leopard,' which accounted for 6.4 percent of all visitors."

    This means that exploit JavaScript code has been tuned to target vulnerabilities in Safari as well with code on the main exploit servers (the ones which initiate the drive by downloads) targeting vulnerabilities in some Apple Mac OS versions. The Mebroot gang is apparently among the more sophisticated bot net operators (i.e. they support alternative OSs or browsers). The Mac people need to learn some humility or they will be in for some nasty surprises as Windows becomes a more hardened target and Mac OS becomes more popular.

  • by dmomo ( 256005 ) on Monday October 05, 2009 @04:31PM (#29649285)

    Often, these bot nets are designed to install software for commission. The company paying the commission should be held accountable. They can play dumb and claim that they didn't know it was being installed in this manner, sure. But it would be fairly simple to make it so the installed software makes itself known to the user. It would be fairly simple to make it easy to un-install as well.

    I know there are ways around it. But, it'd be great to see the companies selling the products that are making revenue to be accountable. They are enabling it. And they know it.

  • by poopdeville ( 841677 ) on Monday October 05, 2009 @05:22PM (#29650273)

    I'm not sure how many juries you've been on, but when I was on a jury 2 weeks ago for a criminal case the judge made it explicitly clear several times that we could only find the defendant guilty if evidence showed, beyond a reasonable doubt, that he intended to commit the crime (theft). In fact, intent is part of the definition of theft, which needs to be met in order to find someone guilty

    That's true of theft, and any other crime where "mens rea" is a criminal element. There are crimes of strict liability as well, and "mens rea" (a guilty mind) does not enter into guilt or innocence. (It can enter into sentencing)

  • Re:Really? (Score:2, Informative)

    by poopdeville ( 841677 ) on Monday October 05, 2009 @05:25PM (#29650315)

    +5 Insightful really? To legally intercept and record conversations of suspected criminals in the USA you need a judge to issue a fucking warrant. I am not a lawyer but I don't think I need to be to make that statement. (Oh and please don't try and quote Patriot Act shit on this, it will just make me laugh)

    No, you DON'T need a warrant to record private conversations of suspected criminals (or anybody), unless you are a government official acting in a capacity of law enforcement.

    Private citizens can record whatever the hell they want, unless there are specific laws against it. Some states require every party to consent to recording conversations. Many do not.

  • Re:70% (Score:3, Informative)

    by RyuuzakiTetsuya ( 195424 ) on Monday October 05, 2009 @05:39PM (#29650525)

    Uhhh no.

    The article doesn't state which OSes were infected, just how many users were directed to the point of infection.

    Mebroot doesn't infect OS X.

  • by Anonymous Coward on Monday October 05, 2009 @06:10PM (#29650851)

    They didn't actually take control of the botnet. They predicted what domain would be registered one day by the botnet owners (there's an algorithm they use to pick domains to connect to) and registered it ahead of them. They then waited to see what machines connected so they could tell who was getting attacked by this. No takeovers of the machines, no theft of the botnet's services. Just data mining.
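
An added illustration (editor's example, not code from the UCSB researchers, from Mebroot, or from anyone in this thread) of the prediction trick clone53421 and the Anonymous Coward above both describe: a domain-generation routine keyed on the date is a pure function of its inputs, so anyone who has recovered the routine can compute the rendezvous domains for days not yet reached and register them before the operators do. The hash-based DGA below, its seed, alphabet, label length and TLD rotation are stand-ins chosen for this example; Mebroot's actual algorithm is not reproduced here.

```python
"""Predicting a date-seeded domain-generation algorithm (DGA) and planning
registrations ahead of the operators.

The DGA is a stand-in for this example, NOT Mebroot's algorithm: the seed,
alphabet, label length and TLD list are all assumptions."""
import hashlib
from datetime import date, timedelta

SEED = b"example-botnet-seed"          # assumed; stands in for the real seed
TLDS = ("com", "net", "biz")           # assumed TLD rotation
LABEL_LEN = 12                         # assumed label length


def daily_domain(day_iso: str) -> str:
    """Return the rendezvous domain for one day (ISO date 'YYYY-MM-DD').

    The mapping is a pure function of (SEED, date).  That determinism is the
    whole point: bots compute today's domain without contacting anyone, and
    so can a defender who has reverse-engineered the routine."""
    day = date.fromisoformat(day_iso)
    digest = hashlib.sha256(SEED + day.isoformat().encode()).digest()
    label = "".join(chr(ord("a") + b % 26) for b in digest[:LABEL_LEN])
    tld = TLDS[digest[LABEL_LEN] % len(TLDS)]
    return f"{label}.{tld}"


def upcoming_domains(start_iso: str, days: int) -> list:
    """Domains for `days` consecutive days starting at start_iso."""
    start = date.fromisoformat(start_iso)
    return [daily_domain((start + timedelta(days=i)).isoformat())
            for i in range(days)]


def registration_plan(today_iso: str, days_ahead: int, already_registered) -> dict:
    """Split the predictions for tomorrow onwards into domains still free to
    register (where a sinkhole can be placed) and domains someone already
    holds.  `already_registered` stands in for a registry availability check."""
    today = date.fromisoformat(today_iso)
    tomorrow = (today + timedelta(days=1)).isoformat()
    plan = {"register": [], "taken": []}
    for domain in upcoming_domains(tomorrow, days_ahead):
        bucket = "taken" if domain in already_registered else "register"
        plan[bucket].append(domain)
    return plan


if __name__ == "__main__":
    first = daily_domain("2009-10-06")
    print("predicted for 2009-10-06:", first)
    # Pretend the operators already grabbed tomorrow's domain; the rest of
    # the week is still open for a sinkhole.
    print(registration_plan("2009-10-05", 7, already_registered={first}))
```

The defender only wins the race for days whose domain nobody has registered yet, which is why the plan is split into "register" and "taken"; a real deployment would replace the `already_registered` set with a registry lookup and point the registered names at a server that logs requests and serves nothing hostile.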

  • Re:70% (Score:4, Informative)

    by camperslo ( 704715 ) on Monday October 05, 2009 @07:19PM (#29651533)

    This means that exploit JavaScript code has been tuned to target vulnerabilities in Safari as well

    No, it means that the infected websites redirected visitors including Mac users. They were victims of redirection only at that point. It's the sites that people got redirected to that did the actual user-machine infecting. The article only says that six vulnerabilities were targeted but it doesn't say which. Mebroot (Master Boot Record Rootkit) is Windows based and isn't new.

    "Using a variety of methods, the criminals behind Mebroot infect legitimate Web servers with Javascript code. The code redirects visitors to a different Internet domain, which changes every day, and where a malicious server attempts to compromise their computer with a program that provides the botnet's owners with remote control over that machine."

    I'm not an expert, but the Mebroot description at F-Secure appears to show Windows systems as the target. Of course other mutations could potentially be created to target vulnerabilities on OS X or other platforms, but once in it couldn't just install the same Windows rootkit.
    (below from F-Secure, not article)
    http://www.f-secure.com/weblog/archives/00001393.html [f-secure.com]

    The actual site hosting the exploit code utilizes the following exploits:

      Microsoft Data Access Components (MDAC) Function vulnerability (MS06-014)
      AOL SuperBuddy ActiveX Control Code Execution vulnerability (CVE-2006-5820)
      Online Media Technologies NCTsoft NCTAudioFile2 ActiveX Buffer Overflow (CVE-2007-0018)
      GOM Player "GomWeb3" ActiveX Control Buffer Overflow (CVE-2007-5779)
      Microsoft Internet Explorer WebViewFolderIcon setSlice (CVE-2006-3730)
      Yahoo! JukeBox datagrid.dll AddButton() Buffer Overflow
      DirectAnimation.PathControl KeyFrame vulnerability (CVE-2006-4777)
      Microsoft DirectSpeechSynthesis Module Remote Buffer Overflow

    from article:
    "The researchers also discovered that nearly 70 percent of those redirected by Mebroot--as classified by Internet address--were vulnerable to one of almost 40 vulnerabilities regularly used by the most popular infection toolkits designed to compromise computer systems. About half that number were vulnerable to the six specific vulnerabilities used by the Mebroot toolkit."

    For things that have been fixed, I think Mac users are generally a bit better about having OS and browser updates. Of course, like everyone else, they can still significantly reduce risk by disabling browser functionality except when needed (as with NoScript and Firefox).

    I'm concerned updates in other applications may be missed not only by users, but even by developers.
    VLC was promptly updated for some vulnerabilities in underlying ffmpeg code, but users aren't always good about keeping VLC up to date (the older version for OS X 10.4 got an update as well as the current release).

    There are many video conversion, DVD assembly and other programs built on Windows and OS X using ffmpeg behind the scenes. In some cases the developers make little or no mention of it (LGPL/GPL compliance is a problem too). These programs don't seem to be getting the newer ffmpeg builds that address the problems.

    http://secunia.com/advisories/36805 [secunia.com]
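
To make concrete the distinction the comments above draw between "redirected" and "infected", here is an editor's added example (not the researchers' code or data) of what profiling the visitors to a sinkhole involves: the server that owns the predicted domain records ordinary request metadata and serves nothing hostile, and the analyst then classifies each client. The log excerpt is constructed. The "can the toolkit even reach this client" rule is this example's own assumption, drawn from the F-Secure list quoted above, which consists entirely of Internet Explorer ActiveX/MDAC vectors; it tests reachability, not whether a given IE install is patched, which is a separate question the article's researchers answered with their own checks.

```python
"""Profiling clients that land on a sinkhole standing in for a predicted
drive-by domain, without serving them anything hostile.

SAMPLE_LOG is constructed for this example.  Classification is by
User-Agent only, de-duplicated per client IP (the article's "as classified
by Internet address")."""
import re
from collections import Counter

# Constructed access-log excerpt: client IP, then the quoted User-Agent.
SAMPLE_LOG = """\
198.51.100.7 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
198.51.100.7 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
203.0.113.42 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
203.0.113.9 "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; en-us) AppleWebKit/531.9 (KHTML, like Gecko) Version/4.0.3 Safari/531.9"
192.0.2.15 "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3"
192.0.2.88 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
"""

LOG_LINE = re.compile(r'^(\S+)\s+"([^"]*)"\s*$')
WINDOWS_NT = {"5.0": "Windows 2000", "5.1": "Windows XP",
              "5.2": "Windows XP x64/2003", "6.0": "Windows Vista",
              "6.1": "Windows 7"}


def parse_hits(log_text):
    """Return a list of (client_ip, user_agent) for every well-formed line."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            hits.append((m.group(1), m.group(2)))
    return hits


def classify(user_agent):
    """Map a User-Agent string to (os_name, browser)."""
    m = re.search(r"Windows NT (\d+\.\d+)", user_agent)
    if m:
        os_name = WINDOWS_NT.get(m.group(1), "Windows (other)")
    elif "Mac OS X" in user_agent:
        v = re.search(r"Mac OS X (\d+)[._](\d+)", user_agent)
        os_name = f"Mac OS X {v.group(1)}.{v.group(2)}" if v else "Mac OS X"
    else:
        os_name = "other"

    b = re.search(r"MSIE (\d+)", user_agent)
    if b:
        browser = f"MSIE {b.group(1)}"
    elif "Firefox/" in user_agent:
        browser = "Firefox"
    elif "Safari/" in user_agent:
        browser = "Safari"
    else:
        browser = "other"
    return os_name, browser


def toolkit_reachable(os_name, browser):
    """Assumption for this example: the exploit set F-Secure lists for the
    Mebroot landing pages is made up of IE ActiveX/MDAC vectors, so only
    Internet Explorer on Windows can even load them.  This says nothing
    about whether that IE install is patched; it is reachability only."""
    return os_name.startswith("Windows") and browser.startswith("MSIE")


def profile(log_text):
    """Per-IP summary: how many distinct clients were redirected, which OS
    they ran, and how many were within reach of the toolkit's exploit set."""
    first_ua_by_ip = {}
    for ip, ua in parse_hits(log_text):
        first_ua_by_ip.setdefault(ip, ua)          # one record per client IP

    by_os = Counter()
    reachable = 0
    for ua in first_ua_by_ip.values():
        os_name, browser = classify(ua)
        by_os[os_name] += 1
        reachable += int(toolkit_reachable(os_name, browser))

    total = len(first_ua_by_ip)
    return {
        "unique_ips": total,
        "by_os": dict(by_os),
        "reachable": reachable,
        "reachable_pct": round(100.0 * reachable / total, 1) if total else 0.0,
    }


if __name__ == "__main__":
    print(profile(SAMPLE_LOG))
```

On the constructed sample the Mac client shows up in the "redirected" count but not in the "reachable" count, which is exactly the gap camperslo and RyuuzakiTetsuya point out: landing on the exploit server is not the same as being a target of what it serves. A real profile would add the plugin and patch-level checks needed to turn "reachable" into "vulnerable".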

  • by grendelb ( 309720 ) on Monday October 05, 2009 @08:48PM (#29652265)
    Richard Kemmerer, one of the authors, gave a Tech Talk at Google titled "How to Steal a Botnet and What Can Happen When You Do." The video of the talk [youtube.com] is available on YouTube.
  • Re:arrest them (Score:2, Informative)

    by mysidia ( 191772 ) on Monday October 05, 2009 @10:26PM (#29652861)

    It's not a crime. It's a specious theory that the code the botnet authors utilize might somehow be viewed by the court as a technical measure that effectively controls access to or ability to copy a work, and that the researchers did circumvent those controls under 1201(a)(1)(A) of the DMCA.

    The belief that the malware can be considered a "publication" is in doubt. The software is non-creative, non-beneficial.

    But you have forgotten (j) Security Testing. - (2) Permissible acts of security testing. - Notwithstanding the provisions of subsection (a)(1)(A), it is not a violation of that subsection for a person to engage in an act of security testing, if such act does not constitute infringement under this title or a violation of applicable law other than this section, including section 1030 of title 18 and those provisions of title 18 amended by the Computer Fraud and Abuse Act of 1986.

    And also, § 1204(b): (b) Limitation for Nonprofit Library, Archives, Educational Institution, or Public Broadcasting Entity. Subsection (a) shall not apply to a nonprofit library, archives, educational institution, or public broadcasting entity (as defined under section 118(g)).

    Also, failure to register as required by § 407(a) has an effect: 1208 § 408(f)(4)... If you don't register the work within 3 months of publication, you lose the right to most infringement actions, except a 106A(a) infringement (infringement of the author's right to attribution and integrity).

    So by failing to register, the author loses a lot of rights.
