Researchers Devise Reverse Engineering Technique for Spam Botnets

Security researchers at the International Computer Science Institute in San Francisco and UC-San Diego (both USA) have devised a new technique for reverse engineering a spam botnet, as reported by Smartplanet on January 25, 2010.

The researchers titled their paper 'Botnet Judo.' According to the paper, botnets dupe anti-spam software by subtly varying the e-mails they send. These variations, however, are generated from a template in the bot's infecting program.

Botnet Judo lets a bot program infect a computer and then analyzes the spam the bot sends so that its template can be reverse engineered.

Reverse engineering lets Botnet Judo decrypt the template that produces the spam. Once the template is distributed through an anti-spam filter, the botnet is weakened until the template is modified further.
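A simplified illustration of the template inference described above, added here and not taken from the Botnet Judo paper: tokens common to every captured message are treated as the template's fixed text, and whatever falls between them as variable fields. The sample messages, the function names and the token-level longest-common-subsequence approach are assumptions made for this example.

```python
import re
from functools import reduce

def lcs(a, b):
    """Longest common subsequence of two token lists (dynamic programming)."""
    m, n = len(a), len(b)
    dp = [[0] * (n + 1) for _ in range(m + 1)]
    for i in range(m - 1, -1, -1):
        for j in range(n - 1, -1, -1):
            if a[i] == b[j]:
                dp[i][j] = dp[i + 1][j + 1] + 1
            else:
                dp[i][j] = max(dp[i + 1][j], dp[i][j + 1])
    out, i, j = [], 0, 0
    while i < m and j < n:
        if a[i] == b[j]:
            out.append(a[i])
            i, j = i + 1, j + 1
        elif dp[i + 1][j] >= dp[i][j + 1]:
            i += 1
        else:
            j += 1
    return out

def infer_template(samples):
    """Return (anchors, regex) for messages assumed to come from one template."""
    # Folding pairwise LCS gives a common subsequence, not always the longest.
    anchors = reduce(lcs, (s.split() for s in samples))
    if not anchors:
        raise ValueError("samples share no fixed text")
    gap = r"(?:\S+\s+)*?"  # zero or more variable tokens before an anchor
    body = r"\s+".join(gap + re.escape(tok) for tok in anchors)
    return anchors, re.compile(r"^\s*" + body + r"(?:\s+\S+)*\s*$")

# Constructed sample spam, as if captured from one bot running in a sandbox.
SAMPLES = [
    "Hi Anna, buy cheap meds at http://a1.example/x7 today and save 70% now",
    "Hello Bob, buy cheap meds at http://q9.example/k2 today and save up to 65% now",
    "Hey Carl, buy cheap meds at http://zz.example/p0 today and save 80% now",
]
ANCHORS, FILTER = infer_template(SAMPLES)

def matches_template(message):
    """True when a message contains every anchor, in order, as whole tokens."""
    return FILTER.search(message) is not None
```

A filter built from only a few samples over-generalizes when the anchors are common words, so a deployment would want a minimum anchor count and a check against known-good mail before use.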

Furthermore, the Botnet Judo researchers suggest that because their method differs from all existing anti-spam software, it would be a useful addition to the IT arsenal. Administrators can use it together with existing systems; it may intercept a different kind of spam, or react in new ways to fresh threats.

However, the main hurdle is setting up a hijacked computer in a secure virtual environment. In addition, the Botnet Judo researchers have identified another major problem: spammers have so far defeated every tactic of security specialists.

Commenting on the new spam blocking strategy, Michael O'Reirdan (Chairman of the Messaging Anti-Abuse Working Group) stated that it was an interesting attempt because the bots themselves were used as oracles to produce filters, as reported by Boingboing on January 25, 2010.

However, the huge size of botnets means that even a one-minute delay in decoding the template could enable an extremely large spam campaign, according to O'Reirdan.

Finally, reverse engineering is not new to Internet crime fighters. Earlier, the Conficker Working Group similarly managed to disarm Conficker by reverse engineering the worm's payload.

» SPAMfighter News - 2/4/2010
