
Researchers Hijack Mebroot Botnet, Study Drive-By Downloads

Posted by ScuttleMonkey
from the hijack-and-inject-vaccine dept.
TechReviewAl writes "Researchers at the University of California at Santa Barbara hijacked the Mebroot botnet for about a month and used it to study drive-by downloading. The researchers managed to intercept Mebroot communications by reverse-engineering the algorithm used to select domains to connect to. Mebroot infects legitimate websites and uses them to redirect users to malicious sites that attempt to install malware on a victim's machine. The team, who previously infiltrated the Torpig botnet, found that at least 13.3 percent of systems that were redirected by Mebroot were already infected and 70 percent were vulnerable to about 40 common attacks."
  • 70% (Score:3, Funny)

    by matt4077 (581118) on Monday October 05, 2009 @03:37PM (#29648595)
    Isn't IE marketshare about 70%? What a coincidence!
    • Re: (Score:3, Informative)

      by CodeBuster (516420)

      From TFA: "The next two most popular operating systems were Mac OS X 10.4 'Tiger' and Mac OS X 10.5 'Leopard,' which accounted for 6.4 percent of all visitors."

      This means that exploit JavaScript code has been tuned to target vulnerabilities in Safari as well with code on the main exploit servers (the ones which initiate the drive by downloads) targeting vulnerabilities in some Apple Mac OS versions. The Mebroot gang is apparently among the more sophisticated bot net operators (i.e. they support alternative

      • Re:70% (Score:5, Funny)

        by tsm_sf (545316) on Monday October 05, 2009 @04:38PM (#29649407)
        I've never really understood the whole Mac vs. Windows debate, and it's even more pointless now that you can have Mac, Win, and Linux running on the same box at the same time. Now, vi vs. emacs is a legitimate jihad.

        ((vi is better))
        • ((vi is better))

          VI VI VI is the number of the beast!

          • ((vi is better))

            VI VI VI is the number of the beast!

            I thought it was vi vi vi - editor of the beast

        • Re: (Score:3, Funny)

          by chiguy (522222)

          Now, vi vs. emacs is a legitimate jihad. ((vi is better))

          Sure, that's because you haven't figured out elisp. It should be

          (setq vi better)
          or
          (setq is-vi-better (better vi emacs))

      • Re: (Score:3, Informative)

        Uhhh no.

        The article doesn't state which OSes were infected, just how many users were directed to the point of infection.

        Mebroot doesn't infect OS X.

      • Re:70% (Score:4, Informative)

        by camperslo (704715) on Monday October 05, 2009 @07:19PM (#29651533)

        This means that exploit JavaScript code has been tuned to target vulnerabilities in Safari as well

        No, it means that the infected websites redirected visitors including Mac users. They were victims of redirection only at that point. It's the sites that people got redirected to that did the actual user-machine infecting. The article only says that six vulnerabilities were targeted but it doesn't say which. Mebroot (Master Boot Record Rootkit) is Windows based and isn't new.

        "Using a variety of methods, the criminals behind Mebroot infect legitimate Web servers with Javascript code. The code redirects visitors to a different Internet domain, which changes every day, and where a malicious server attempts to compromise their computer with a program that provides the botnet's owners with remote control over that machine."

        I'm not an expert, but the Mebroot description at F-Secure appears to show Windows systems as the target. Of course other mutations could potentially be created to target vulnerabilities on OS X or other platforms, but once in it couldn't just install the same Windows rootkit.
        (below from F-Secure, not article)
        http://www.f-secure.com/weblog/archives/00001393.html [f-secure.com]

        The actual site hosting the exploit code utilizes the following exploits:

                  Microsoft Data Access Components (MDAC) Function vulnerability (MS06-014)
                  AOL SuperBuddy ActiveX Control Code Execution vulnerability (CVE-2006-5820)
                  Online Media Technologies NCTsoft NCTAudioFile2 ActiveX Buffer Overflow (CVE-2007-0018)
                  GOM Player "GomWeb3" ActiveX Control Buffer Overflow (CVE-2007-5779)
                  Microsoft Internet Explorer WebViewFolderIcon setSlice (CVE-2006-3730)
                  Yahoo! JukeBox datagrid.dll AddButton() Buffer Overflow
                  DirectAnimation.PathControl KeyFrame vulnerability (CVE-2006-4777)
                  Microsoft DirectSpeechSynthesis Module Remote Buffer Overflow

        from article:
        "The researchers also discovered that nearly 70 percent of those redirected by Mebroot--as classified by Internet address--were vulnerable to one of almost 40 vulnerabilities regularly used by the most popular infection toolkits designed to compromise computer systems. About half that number were vulnerable to the six specific vulnerabilities used by the Mebroot toolkit."

        For things that have been fixed, I think Mac users are generally a bit better about having OS and browser updates. Of course, like everyone else, they can still significantly reduce risk by disabling browser functionality except when needed (as with NoScript and Firefox).

        I'm concerned updates in other applications may be missed not only by users, but even developers.
        VLC was promptly updated for some vulnerabilities in underlying ffmpeg code, but users aren't always good about keeping VLC up to date (the older version for OS X 10.4 got an update as well as the current release).

        There are many video conversion, DVD assembly and other programs built on Windows and OS X using ffmpeg behind the scenes. In some cases the developers make little or no mention of it (LGPL/GPL compliance is a problem too). These programs don't seem to be getting the newer ffmpeg builds that address the problems.

        http://secunia.com/advisories/36805 [secunia.com]

  • by Flowstone (1638793)
    Leave it to people who exploit PCs to get sloppy enough to leave the kitchen door unlocked. It's more like carjacking a carjacker's own personal vehicle. News or no news, it's a ray of sunshine that reminds us that this universe still has a balance. And it's got a sense of humor.
  • Maybe they were able to break into it because (dun dun dun) they wrote it!

    Isn't that how things work in all those lousy movies with some kind of computer virus in them?
    Or that Mac virus that can infect alien computers.

  • If this can be done, hijacking botnets, it should be... and then the botnet should be neutralized. Didn't anyone think of this?
    • Yes, many times, and each time it's shot down based on the liability issues around forcibly patching other people's computers without their consent.

    • Re: (Score:3, Informative)

      by John Hasler (414242)

      Read the article. They didn't gain control of the botnet.

    • Re: (Score:3, Insightful)

      by Zocalo (252965)
      I think the same idea came up when this group hijacked the Torpig net, and quite probably on several other similar occasions. Unfortunately, that opens up a whole new can of worms, if you'll excuse the pun. Specifically, if they issue commands for a botnet to shut itself down, or try to patch a vulnerable system, then they potentially become liable for whatever might go wrong. What if that vulnerable system was responsible for something critical and hadn't been patched because the patch broke the applic
      • by catmistake (814204) on Monday October 05, 2009 @04:24PM (#29649165)

        What if that vulnerable system was responsible for something critical and hadn't been patched because the patch broke the application, for instance?

        Ah, I see you've read the Admin Handbook: "Even if your critical system has been compromised and is a zombie in some malicious botnet, do not patch the vulnerability if the patch might compromise your critical system."

        /sarcasm yes, if it's not broken, don't fix it... then again, your definition of broken appears to be broken

        • Re: (Score:3, Insightful)

          by Zocalo (252965)
          I didn't say "don't fix the issue", just that there are occasions where you can't immediately apply a patch, no matter how desirable it might be. Sadly this scenario does happen from time to time and particularly so with enterprise applications, where "enterprise" is defined as "very expensive software with only a comparatively small number of customers and an even smaller group of developers". It's not just expensive, non-COTS applications either. Case in point Microsoft's DLL Hell v2.0 [slashdot.org] issue. Equally
    • by clone53421 (1310749) on Monday October 05, 2009 @04:17PM (#29649083)

      Yes.

      They didn't exactly hijack the botnet. They just hijacked its reproductive system. RTFA.

      It spreads by a javascript which the criminals were able to inject into innocuous sites. This javascript sent visitors to an auto-generated URL which was registered by the botnet owners. This URL hosted the actual exploit which attempted to attack vulnerable visitors who landed there from the javascript. The URL changed every day, but by predicting it, the researchers were able to register domains before the botnet owners. As a result, victims of the drive-by javascript landed on the researchers' server instead of the botnet owners' servers. Needless to say, the researchers didn't attack the visitors and exploit their machines, but they did do some profiling to find out what sort of computers were hitting their server and how many of the visitors were unpatched, vulnerable boxes.
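The mechanism described in the comment above (a domain that changes every day, predicted and registered ahead of the operators) is worth seeing as code. The following is an added example, not the researchers' code and not Mebroot's real algorithm: a toy date-seeded domain-generation algorithm, plus the defender-side step of precomputing a window of future rendezvous domains and dropping the ones already taken. The seed, TLD list, label length and the `already_registered` set (standing in for a WHOIS or zone-file lookup) are all assumptions constructed for the example.

```python
"""Toy DGA prediction for sinkholing (added example; the real Mebroot DGA is
not reproduced here, only the shape of the technique)."""
import hashlib
import string
from datetime import date, timedelta

# Hypothetical parameters, constructed for this example.
SEED = b"example-botnet-seed"
TLDS = (".com", ".net", ".biz")
ALPHABET = string.ascii_lowercase + string.digits
LABEL_LEN = 10


def dga_domain(day_iso: str, seed: bytes = SEED) -> str:
    """Map one calendar day (ISO string such as '2009-10-05') to one domain.

    Bots and operators compute the same value from the same inputs, so anyone
    who has reverse-engineered the function knows tomorrow's domain today.
    """
    digest = hashlib.sha256(seed + day_iso.encode()).digest()
    # Modulo mapping is slightly biased; acceptable for a toy generator.
    label = "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:LABEL_LEN])
    tld = TLDS[digest[LABEL_LEN] % len(TLDS)]
    return label + tld


def upcoming_domains(start_iso: str, days: int, seed: bytes = SEED) -> dict:
    """Precompute the domain for each of the next `days` days, keyed by ISO date."""
    start = date.fromisoformat(start_iso)
    window = {}
    for offset in range(days):
        day = (start + timedelta(days=offset)).isoformat()
        window[day] = dga_domain(day, seed)
    return window


def registration_plan(start_iso: str, days: int, already_registered: set,
                      seed: bytes = SEED) -> dict:
    """Future domains that are still free to pre-register.

    `already_registered` is a placeholder for a WHOIS/zone-file check; any
    name already taken (possibly by the operators) is dropped from the plan.
    """
    return {
        day: dom
        for day, dom in upcoming_domains(start_iso, days, seed).items()
        if dom not in already_registered
    }


if __name__ == "__main__":
    # Print a week of domains a defender would try to register first.
    for day, dom in registration_plan("2009-10-01", 7, set()).items():
        print(day, dom)
```

The point of the example is the asymmetry the researchers exploited: the generator is deterministic in the date, so the defender can compute the whole window in advance, while the operators typically register each day's name only shortly before it is needed. Whoever registers first owns that day's traffic, which is why the visitors landed on the researchers' server.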

    • by brainboyz (114458)

      They've been doing that for years. The trick is to disassemble them fast enough that the bot writers can't adapt the net to avoid your code. The other problem is it's actually illegal to do that because then you're hacking the infected machine to install your code: which is criminal computer trespass (not that charges are filed often, but the threat is there).

  • by dmomo (256005) on Monday October 05, 2009 @04:31PM (#29649285)

    Often, these bot nets are designed to install software for commission. The company paying the commission should be held accountable. They can play dumb and claim that they didn't know it was being installed in this manner, sure. But it would be fairly simple to make it so the installed software makes itself known to the user. It would be fairly simple to make it easy to un-install as well.

    I know there are ways around it. But, it'd be great to see the companies selling the products that are making revenue to be accountable. They are enabling it. And they know it.

    • Re: (Score:3, Interesting)

      by AlexBirch (1137019)
      You could do a civil lawsuit where the burden of proof is that it's more likely that they knew than they didn't.
    • I'm not sure how many of these "companies" have a solid US presence, but there are plenty of scummy ones like those "antivirus 2009" and the like (which fake an infection to then sell you fake antivirus software to remove it). I believe a lot of these are run by offshore outfits from Russia, etc but I wouldn't be surprised to see a bunch of local companies complicit with them as well.

      Somebody nailing them would make me a very happy person, more than when I managed to catch them trying to spoof my own site(s

    • by Thaelon (250687)

      They are enabling it. And they know it.

      Why sugar coat it like that?

      They're paying for it. And they know it.

    • by Monkier (607445)

      How does the company paying commission make money off this? Redirecting your browser to their spammy search engine, pop up ads?

  • by hesaigo999ca (786966) on Monday October 05, 2009 @05:01PM (#29649871)

    Think of all the illegal copies of Windows... now imagine that overnight they were to offer a special deal for those with an illegal copy of Windows. Buy a license from us for 6 months at $50,
    renewable every 6 months after that... at least everybody and their grandmother would get the first 6 months, get their updates, be rid of 90% of viruses and problems, getting rid of 3/4 of the botnets out in the wild, and then when it came to the next 6 months, Microsoft would have made their money already, the people will probably revert back to being non-legal, with no ill effects, except for those talked into keeping their copies legit for further patches. The people that did buy legal copies would not have anything to bitch about, as these were not legit copies and revert back to being bad people... which most owning a legit copy do not want to be branded...
    everybody wins.

  • > "Researchers...hijacked the Mebroot botnet for about a month and used it to study
    > drive-by downloading...The team, who previously infiltrated the Torpig botnet,

    now intends to infiltrate Borg-infested systems by following a Borg cube as it travels Borg territory, under the assumption they'll be ignored indefinitely as a non-threat.

  • by benjfowler (239527) on Monday October 05, 2009 @05:34PM (#29650455)

    They have some serious cojones to be messing with dangerous organised criminals. Good on 'em and I hope they keep fighting the good fight -- and not come unstuck. They are stepping on the toes of some seriously ugly, violent people.

  • by grendelb (309720) on Monday October 05, 2009 @08:48PM (#29652265)
    Richard Kemmerer, one of the authors, gave a Tech Talk at Google titled "How to Steal a Botnet and What Can Happen When You Do." The video of the talk [youtube.com] is available on YouTube.
    • by MikeURL (890801)
      Wish I could mod you up. I watched the entire lecture...fascinating. It doesn't really look like it was all that challenging to compromise the botnet. What is hard is just finding someone with the balls to do it. Not only did Richard not have law enforcement approval--he didn't even have IRB approval.

      It was also particularly telling that the FBI told him they had been wanting to do this for ages but could not get approval. I believe that because really if you watch this entire procedure there is real
  • So, The researchers were able to preregister the domains that the botnet was going to use to download software. Wouldn't it be possible to upload a patch to the website (obviously formatted such that it would be downloaded and executed by the infected machines)? I think that'd be pretty damn funny and efficient. Every infected machine patching itself at once and eliminating the virus. Some of the machines wouldn't be online at the time, but any machine not online also isn't a risk.
  • I wish these researchers would stop being pussies and destroy some of these botnets.

    Fuck the legal issues, who the hell is going to sue you for destroying a botnet?
