Researchers create botnet to learn how it works

A team of researchers in Canada recently released results of a study in which they created a botnet strictly for experimental purposes. The simulation allowed the researchers at Ecole Polytechnique de Montreal, with collaborators at Nancy University in France, and Carlton University in Ottawa, to observe the botnet’s behavior while keeping it from infecting other machines.

Botnets are complex and large distributed systems consisting of several thousands, and in some cases, millions of computers often exploited by criminals for nefarious activity such as sending out spam, launching denial-of-service attacks, or installing spyware (Also see Zeus botnet targets holiday shoppers).

“Practically all internet users have experienced the ill effects of botnets, whether by receiving large volumes of spams daily, having their confidential information stolen, lost access to critical Internet services,” the researchers state in a summary of the results.

More about botnets

• What a botnet looks like
• The botnet hunters
• Report: Rustock still top dog among spam botnets
• With botnets everywhere, DDoS attacks get cheaper

In order to gain more insight into what the researchers called “one of the most worrying computer security threats” the experiment recreated an isolated version of the Waledac botnet. Waledac, which was taken down by Microsoft earlier this year, at one point consisted of an estimated 70,000-90,000 infected computers and was responsible for as much as 1.5 billion spam messages a day.

For the research, approximately 3,000 copies of Windows XP were loaded onto a cluster of 98 servers at Ecole Polytechnique. Nodes were infected with the Waledac worm by loading it onto them from DVDs, instead of connecting to other machines. Researchers noted the infected network was disconnected from any other network at all times.

The machines in the network created for the experiment communicated with one another in the same way computers in a distributed computing system would, with a command-and-control server that sends instructions to some machines, which then continue to send those instructions on to other machines. This is how a botnet is able to increasingly add more zombie computers to its network.

The goal was to gather information about the botnet in order to understand as much as is possible about its architecture and modes of operation. Among the things the team looked was the bot’s communication protocols and message formats, the authentication process for gaining access to the botnet, and its command-and-control architecture. Researchers also launched what they called a ‘sybil’ attack against the botnet, in which they added bots to the network to see how it would impact it. They found the attack was successful due to characteristics of the home-made P2P protocol the network uses for command and control.

“Because the IP address of a bot needs not be unique (bots are primarily identified by their 16-byte ID), it is possible to generate large number of sybils — with unique IDs but with the same IP address —whilst using few machines, thus making this attack relatively easy to mount,” the results read.

The attack managed to stop the botnet from sending out spam within an hour, researchers said.