Researchers Compromise ‘Mebroot’ Botnet to Analyze Drive-by Download Attacks
Security researchers at the University of California, Santa Barbara, compromised the Mebroot botnet and kept it under their control for nearly 30 days to analyze drive-by download attacks. These attacks, which involve hijacking legitimate websites, are used to secretly plant malware on visitors' computers or to divert visitors to unintended websites.
During the experiment, the researchers were able to intercept Mebroot communications after successfully reverse-engineering the algorithm the botnet uses to choose the domains it connects to. They then tracked down over 6,500 websites on which malicious code had been concealed. The study further suggested that 340,000 Internet users had actually contracted an infection from this malicious code.
In an unpublished paper, the UCSB researchers give details of an analysis conducted over four months. They established a link between their own servers and the Mebroot botnet, an army of compromised PCs. From this vantage point, it became evident that while websites serving illegal and pornographic downloads were the most successful at diverting visitors to a malware-downloading site, the hijacked sites that referred visitors there were business sites.
Giovanni Vigna, a UCSB computer science professor and co-author of the unpublished paper, states that there was a time when anyone not browsing pornographic content was safe, but that this is no longer true, as reported by Technology Review on October 2, 2009.
According to the researchers, the Mebroot botnet, first discovered in late 2007, uses compromised websites to divert users to centrally controlled servers, which download malware onto those users' PCs and infect them. The malware, which infects the MBR (Master Boot Record) of Windows computers, shows evidence of skilled programming, such as rapid bug fixing, the researchers explained.
Kimmo Kasslin, Director of Security Response at the antivirus company F-Secure, commented that Mebroot was surely an extremely professional and sophisticated botnet, as reported by Technology Review on October 2, 2009.
SPAMfighter News - 22-10-2009