Researchers seize control of one of the world's largest spam-spewing botnets, but there is disagreement about what should happen next.
Researchers at TippingPoint Technologies' Digital Vaccine Laboratories have
found a way to infiltrate and seize control of one of the world's largest
spam-spewing botnets, a breakthrough that has ignited an intense debate over
the ethics of "cleaning" infected computers.
Cody Pierce and Pedram Amini, two high-profile software security
researchers, cracked into the Trojan powering Kraken, a 400,000-strong botnet of
infected computers, by reverse-engineering the encryption routines and figuring
out the communication structure between the botnet owner and the hijacked
computers.
Once they got a clear understanding of the inner workings of Kraken, the duo
found that the infected computers were trying to connect to a master C&C
(command and control) server by systematically generating subdomains from
various dynamic DNS (Domain Name System) resolver services.
This meant the researchers could predict where the bots would be connecting
upon reboot, Pierce said in an interview. "We basically have the ability
to create a fake Kraken server capable of overtaking a redirected zombie,"
Pierce said.
"By reverse-engineering the list of names and successfully registering
some of the subdomains Kraken is looking for, we can emulate a server and begin
to infiltrate the network zombie by zombie. Stated simply, Kraken-infected
systems worldwide start to connect to a server we control," Amini said in
a document explaining the reverse engineering process.
The TippingPoint DVLabs team monitored Kraken connections for seven days, and
during that time the fake Kraken server received more than 1.8 million requests
from infected systems worldwide, mostly from home broadband users in the United
States, the United Kingdom, Spain and Central America.
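The two pieces of the technique the article describes, predicting the rendezvous hostnames the bots will generate and then tallying what a sinkhole receives, as an added illustration that is not DVLabs' code and does not use Kraken's real algorithm: the generator, the dynamic-DNS parent domains and the log lines below are all constructed stand-ins.

```python
"""Added example: why a predictable domain generator lets defenders sinkhole a
botnet. The generator and data here are hypothetical stand-ins, not Kraken's."""
import hashlib
from collections import Counter

# Constructed placeholder parent domains standing in for dynamic-DNS services.
DYNDNS_PARENTS = ["dyndns.example", "no-ip.example", "dns.example"]


def generate_candidates(seed: bytes, day: str, count: int) -> list:
    """Stand-in domain-generation routine. Every bot sharing the seed derives the
    same ordered hostname list for a day; that determinism is the weakness."""
    names = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.encode() + i.to_bytes(2, "big")).hexdigest()
        parent = DYNDNS_PARENTS[int(digest[-2:], 16) % len(DYNDNS_PARENTS)]
        names.append(f"{digest[:10]}.{parent}")
    return names


def predict_sinkhole_targets(seed: bytes, day: str, count: int, registered: set) -> list:
    """Defender side: reproduce the bots' list and keep the names still unregistered,
    i.e. the subdomains a sinkhole operator could claim before the operator does."""
    return [n for n in generate_candidates(seed, day, count) if n not in registered]


# Constructed sinkhole log: "timestamp source_ip country requested_hostname".
SINKHOLE_LOG = """\
2008-04-07T10:00:01 198.51.100.7 US a1b2c3d4e5.dyndns.example
2008-04-07T10:00:02 203.0.113.9 UK a1b2c3d4e5.dyndns.example
2008-04-07T10:00:03 198.51.100.7 US a1b2c3d4e5.dyndns.example
2008-04-07T10:00:04 192.0.2.44 ES a1b2c3d4e5.dyndns.example
"""


def tally_sinkhole(log_text: str):
    """Count requests and distinct source hosts per country, the two figures a
    sinkhole report needs (repeat check-ins must not inflate the host count)."""
    requests, hosts = Counter(), {}
    for line in log_text.splitlines():
        _, src, country, _ = line.split()
        requests[country] += 1
        hosts.setdefault(country, set()).add(src)
    return dict(requests), {c: len(s) for c, s in hosts.items()}
```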