Computer Security Researchers Take Control of a Botnet



10/06/2009




Kevin R. Smith
Co-Editor


We got wind today of a research project out of the University of California Santa Barbara (UCSB) that took over one of the most notorious botnets, Mebroot.

An article on the takeover of the Mebroot botnet reveals the scope of the Mebroot problem: the researchers found more than 6,500 websites hosting malicious code that redirected nearly 340,000 visitors to malicious sites.

Mebroot gained notoriety for taking over legitimate websites and infecting those sites with malicious JavaScript code.

The idea behind such an attack was to give the cybercriminal botnet operators a massively distributed network for attacking PCs that visit a range of legitimate websites. That makes the network much, much harder to stop and much, much more likely to be a stable place for them to get more end users' PCs to do their real bidding: cybercrime.

"'Once upon a time, you thought that if you did not browse porn, you would be safe,' says Giovanni Vigna, a UCSB professor of computer science and one of the paper's authors.

"'But staying away from the seedy places on the Internet is no longer an assurance of staying safe.'"

So the botnet worked like this:

  1. Take over legitimate websites
  2. Infect these legitimate websites with hidden malicious JavaScript that redirects visitors going to the legitimate sites to illegitimate websites, where
  3. End users' PCs are then infected via a drive-by download that silently takes over the visitor's computer
  4. Use these end users' infected PCs to perform their cybercrimes (e.g. credit card theft, password theft, bank fraud, identity theft, etc.)
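
For a site owner, step 2 is where the compromise shows up in the site's own pages, as script or frame elements that load from hosts the owner never added. The following is an added example, not code from the original post or from the UCSB research: a Python check that flags script and iframe sources outside an allowlist. The host names and the sample page are constructed, and the check covers only external sources, not inline scripts or any Mebroot-specific obfuscation.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the site owner expects active content from (constructed values).
ALLOWED_HOSTS = {"www.example.com", "cdn.example.com"}

# Constructed sample page: two expected scripts plus two injected elements.
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.example.com/lib.js"></script>
</head><body>
<p>Welcome</p>
<script src="http://injected.invalid/r.js"></script>
<iframe src="//injected.invalid/frame" width="0" height="0"></iframe>
</body></html>"""


class ActiveContentAuditor(HTMLParser):
    """Collect script/iframe sources whose host is not on the allowlist."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []  # (tag, src, line number in the page)

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        src = (dict(attrs).get("src") or "").strip()
        # hostname is None for relative URLs, which load from the site itself.
        host = urlparse(src).hostname
        if host and host not in self.allowed:
            self.findings.append((tag, src, self.getpos()[0]))


def audit_page(html, allowed_hosts):
    """Return (tag, src, line) for every off-allowlist script or iframe."""
    auditor = ActiveContentAuditor(allowed_hosts)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


if __name__ == "__main__":
    for tag, src, line in audit_page(SAMPLE_PAGE, ALLOWED_HOSTS):
        print(f"line {line}: <{tag}> loads from unexpected source {src}")
```

Run against the served HTML rather than the files on disk, since injected content may be added at response time.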

The article closes with this not-so-surprising detail:

"The researchers also discovered that nearly 70 percent of those redirected by Mebroot--as classified by Internet address--were vulnerable to one of almost 40 vulnerabilities regularly used by the most popular infection toolkits designed to compromise computer systems.

"About half that number were vulnerable to the six specific vulnerabilities used by the Mebroot toolkit.

"The research suggests that users need to update more often, says UCSB's Vigna.

"'Patches are very good at reducing the exposure of the end users, but users are not very good at updating their system,' he says."

The notion of patching more frequently is one we've covered on our site numerous times, and it's a message that warrants repeating regularly.

Why computer users don't do so, whether or not they're running the latest antivirus firewall software, is puzzling.

Updating your OS is an extremely simple process and is well worth the few minutes of time it takes in most cases. (Even when it takes longer, it's still worth it vs. the consequences of not doing so, and having your computer be more susceptible to takeover.)

Here's how:

  1. Open Internet Explorer
  2. Click 'Tools' in the upper menu
  3. Click 'Windows Update'
  4. Click Express Update (or Custom Update to get full details on what you're updating)
  5. Install any updates that Microsoft recommends

 Typically, you'll have to reboot after this. Then do it again, as some updates cannot be installed concurrently with others, so sometimes a couple of update cycles are needed.
