Raising a Botnet In Captivity
holy_calamity writes "Technology Review reports that researchers installed 3000 copies of Windows XP on a high performance cluster at a Canadian university and set loose the Waledac botnet on them. It's the first time researchers have built and operated their own botnet as a strategy to better understand those at large on the internet. Doing it inside an experimental computing cluster removes the legal and ethical complications of experimenting with live botnets that control innocent users' machines."
Real environments (Score:1)
I'm not quite sure why they chose to do that; where is the fun in running a botnet in a simulated environment? Wouldn't it be much better to do it in a real environment?
Re:Real environments (Score:4, Insightful)
Terminal stupidity?
How to catch a virus:
1. Install/buy a new PC with Windows 7, now more secure than ever!
2. Install the usual apps, like the ever popular Adobe Reader, Flash, and Java RE, maybe even Firefox because it's faster and more secure! Also make sure you have an AV, whether it's AVG or the 1-year subscription to Norton or McAfee that came with your PC.
3. Using the new super-secure IE8 browser (or even Firefox) at any time when the number of zero-day/unfixed exploits for it or any of the apps you installed in step 2 is greater than zero, browse your legitimate website of choice.
4. A malicious ad with brand-new and/or metamorphic code exploits one or more of the apps mentioned in steps 2-3 and pwns your user account with no user interaction required. In some cases it may exploit a vulnerability in Windows itself and infect your whole machine.
5. Congratulations! You're a botnet peer!
Yes, terminal stupidity. (Score:2)
Us non-stupid users run OpenBSD on sparc64, Linux on PA-RISC, or FreeBSD on IA-64.
Note: do not browse the web with telnet unless you want to get pwn3d. It has everything to do with **terminal** stupidity, as in ESC [ evilness.
Re: (Score:1)
I guess it's one more string to their bow. Now they're able to offer students experience with botnets - ready for the real world where they can go on to become some of the best botnet authors around :D
PS. I'm sure you can do better than seven banner ads per eight-paragraph page. Please try harder.
Re: (Score:1)
Hi
Would you be kind enough to use the contact page on my website to send me a private message:
* http://www.419eater.com/ [419eater.com]
Thanks :D
Re: (Score:2)
I wonder if these guys are using some kind of app that "broadcasts" spam onto a number of different commenting systems, including Slashdot, the worst place on the Internet to spam.
Obligatory XKCD (Score:5, Funny)
Re: (Score:2)
do you think they're going to cite him when they publish their results?
Re: (Score:1)
Re: (Score:2)
Really, what else is one to think?
I wonder if they actually have a graph display...
Re: (Score:1)
http://xkcd.com/350/ [xkcd.com]
That may have been what gave them the idea in the first place.
Were they.. (Score:2, Insightful)
licensed copies?
Re:Were they.. (Score:5, Funny)
Where They...
*Puts on Sunglasses*
Licensed Copies?
YYYEEAAAAHHHHHhhhhh!
Re: (Score:2)
Re: (Score:2)
MS has learned from this "friendly" era and now likes the idea of a 24/7 on site computer system to count the "number of computers" using MS products and then count much more $ flowing back.
The bad rap on licensing is getting more real, the past was just playing 'nice' to get MS products on site.
A real fun study would be some pretty 'graph' of total cost of ownership/longterm rental/cleanup/admin teams for 3000 copie
Re: (Score:2)
You should learn what a MAK [wikipedia.org] is for.
Re: (Score:3)
They most likely have a volume site license, and they didn't have to do anything special -- just installed it and that's it. 100% legal.
Re: (Score:3)
True enough, although the costs of volume licenses can be absurdly cheap.
Microsoft also has quite a few different licensing programs beyond the standard Volume licensing one. For example they have at least one program for Academic Institutions where you pay per product per staff member, rather than per product per installed computer. For example, the Microsoft Enrollment for Education Solutions program works like that.
point being? (Score:3)
Re: (Score:2)
it is called Windows Genuine Advantage...
Re: (Score:2)
XP is still by far the most popular OS, and Windows 7 has much better security so it probably has a much smaller percentage of infected machines than XP, on top of its smaller market share. So using an all-XP environment isn't that unrealistic.
Shouldn't they use a bigger sandbox. (Score:2)
After effects, more research needed. Cylon sentience attained on the first day. They keep it running until Tricia Helfer steps out of their 3D printer.
Re: (Score:2)
They keep it running until Tricia Helfer steps out of their 3D printer.
Why the hell would you stop then?
Really? (Score:3)
Anyone got a good reason why it took this long to study a botnet in captivity when researchers have been able to purchase these tools on black hat sites for as long as they have? Otherwise I call shenanigans. [ebaumsworld.com] Red tape, bureaucracy, what have you.
Re: (Score:1)
I have personally built clusters to test out viruses and botnets. In fact, I'd be willing to bet that almost every single botnet is born in an environment like this. 3000? that's just a waste of money. I wrote my own personal botnet (for late night take overs to run automated tests) using a collection of VMs (6) on my desktop. Once it felt good I just installed it somewhere. What do they really hope to gain by watching the same thing happen 3000 times?
What a waste of resources, hope they at least made
Re: (Score:2)
You get to study using the OS, not so much study the workings of the OS?
Re: (Score:2)
...isn't a botnet without a 'net connection just a worm?
Not if the controlling computer of the botnet is on the same virtual network. They might even introduce virtual servers so they can try out DDoS attacks.
Re: (Score:2)
This project, which started some 7 years ago, was delayed while waiting for the 3000 XP PCs to catch up with automatic updates.
Re: (Score:2)
Quickly, somebody mod this up! I want to see how this ends before I need to restart my computer - it just finished downloading them automatic updates.
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
profit
Dissection Vs. Observation (Score:1)
They aren't really studying the problem (Score:2)
Re: (Score:2)
A corroborative study would involve PC users, in captivity, with such expert tests as: flashing ads promoting free stuff, click to clean your infected PC, and chatting with horny single females in your area (now!).
The question remains (Score:1)