Researchers Compromise ‘Mebroot’ Botnet to Analyze Drive-by Download Attacks

Security researchers at the University of California, Santa Barbara, compromised the Mebroot botnet and kept it under their control for nearly 30 days to analyze drive-by download attacks. The attacks, which involve hijacking of authentic websites, help to secretly plant malware on visitors' computers or divert them on unintended websites.

While experimenting, the researchers were able to intercept Mebroot communications after the algorithm (for choosing domains to establish links with) was successfully reverse-engineered. They then tracked down over 6,500 websites where malicious code had been concealed. The study further suggested that 340,000 Internet users had actually contacted infection from these malicious codes.

In an unpublished paper, researchers at UCSB give details of an analysis conducted over four months. They actually established a link between their servers and the Mebroot botnet, an army of compromised PCs. Consequent to this linkage, it became evident that while the websites serving illegal and porn downloads proved most successful in diverting visitors to a malware downloading site, the hijacked sites making references were business sites.

Giovanni Vigna, a UCSB computer science professor and co-author of the unpublished study paper, states that there was a time when anyone not browsing pornographic content was safe, but that is no longer true now, as reported by Technology Review on October 2, 2009.

According to the researchers, the Mebroot botnet, which was first discovered in late 2007, employs compromised websites for diverting users to centrally controlled servers, which download malware and infect those users' PCs. The malware, which infects the MBR (Master Boot Record) of Windows computers, displays evidences of its skilled programming ability like rapid debugging, the researchers elucidated.

Employing various techniques, the Mebroot criminals plant malicious JavaScript on authentic Web servers to infect targeted computers. The script diverts surfers to some other Internet domain that gets replaced daily with a new one, and where their computers are compromised allowing the bot-masters to remotely control them.

Kimmo Kasslin, Director of security response for F-Secure, an antivirus company, commented - the Mebroot was surely an extremely professional and sophisticated botnet, as reported by Technology Review on October 2, 2009.

Related article: Researchers Urge Caution against phishing Scams

» SPAMfighter News - 10/22/2009