Researchers at TippingPoint Technologies' Digital Vaccine Laboratories have found a way to infiltrate and seize control of one of the world's largest spam-spewing botnets, a breakthrough that has ignited an intense debate over the ethics of "cleaning" infected computers.
Cody Pierce and Pedram Amini, two high-profile software security researchers, cracked into the Trojan powering Kraken, a 400,000-strong botnet of infected computers, by reverse-engineering its encryption routines and working out the communication structure between the botnet owner and the hijacked computers.
Once they understood Kraken's inner workings, the duo found that the infected computers locate their master C&C (command and control) server by systematically generating candidate subdomains under the zones of various dynamic DNS (Domain Name System) providers and trying them in turn.
This meant the researchers could predict where the bots would be connecting upon reboot, Pierce said in an interview. "We basically have the ability to create a fake Kraken server capable of overtaking a redirected zombie," Pierce said.
"By reverse-engineering the list of names and successfully registering some of the subdomains Kraken is looking for, we can emulate a server and begin to infiltrate the network zombie by zombie. Stated simply, Kraken-infected systems worldwide start to connect to a server we control," Amini said in a document explaining the reverse engineering process.
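To make the rendezvous-and-sinkhole technique concrete, the following Python is an added illustration, not DVLabs' code and not Kraken's actual name-generation routine. It uses a hypothetical SHA-256-based generator, a dictionary standing in for the dynamic-DNS providers' registries, and constructed zone names, seed and date. What it shows is the property the researchers exploited: once the generator is known, a defender can compute the same candidate list ahead of time and register names before the operator does, and because a bot walks the list in order, whoever holds the earliest registered name gets that bot.

```python
import hashlib

# Constructed dynamic-DNS zones for the demo (assumption; not the providers
# Kraken actually used).
DYNDNS_ZONES = ["dyndns.example", "no-ip.example", "dynserv.example"]


def generate_candidates(day, seed=b"demo-seed", count=8):
    """Hypothetical DGA: deterministic rendezvous names for one ISO day string.

    A real bot derives these from its own (reverse-engineered) routine; the
    only property this stand-in shares with it is determinism, so anyone who
    knows the algorithm and seed can compute the same list in advance.
    """
    names = []
    for i in range(count):
        digest = hashlib.sha256(
            seed + day.encode() + i.to_bytes(2, "big")
        ).hexdigest()
        names.append(f"{digest[:10]}.{DYNDNS_ZONES[i % len(DYNDNS_ZONES)]}")
    return names


def bot_rendezvous(day, registry):
    """Walk the day's candidates in order, as a bot would after reboot, and
    return (name, owner) of the first registered one; (None, None) if none."""
    for name in generate_candidates(day):
        owner = registry.get(name)
        if owner is not None:
            return name, owner
    return None, None


def sinkhole_register(day, registry, defender="sinkhole"):
    """Defender pre-registers every still-free candidate for `day`.
    Returns the names it managed to take."""
    taken = []
    for name in generate_candidates(day):
        if name not in registry:
            registry[name] = defender
            taken.append(name)
    return taken


def run_scenario(operator_slot=None):
    """Simulate one day's race for the rendezvous names.

    operator_slot: index of the candidate the botmaster registered before
    the defender acted, or None if the operator registered nothing first.
    Returns the owner the bot ends up talking to.
    """
    day = "2008-04-10"  # constructed date for the demo
    registry = {}       # name -> owner, standing in for the DDNS registries
    if operator_slot is not None:
        registry[generate_candidates(day)[operator_slot]] = "botmaster"
    sinkhole_register(day, registry)
    _, owner = bot_rendezvous(day, registry)
    return owner


if __name__ == "__main__":
    print("defender registers first:   ", run_scenario())   # sinkhole
    print("operator holds candidate 0: ", run_scenario(0))  # botmaster
    print("operator holds candidate 3: ", run_scenario(3))  # sinkhole
```

The third scenario is the one the article describes: the operator still owns some names, but bots that reach a defender-held name earlier in their list are captured, which is why the infiltration proceeds "zombie by zombie" rather than all at once.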
The TippingPoint DVLabs team monitored Kraken connections for seven days and during that time the fake Kraken server received more than 1.8 million requests from infected systems worldwide, mostly from home broadband users in the United States, the United Kingdom, Spain and Central America.