Researchers say malware cultural problem

Written by John P Mello Jr on October 9, 2009

Malware is fundamentally a cultural problem, according to an octet of academics who hijacked control of a malicious computer network, or botnet, for 10 days earlier this year.

“[T]he victims of botnets are often users with poorly maintained machines that choose easily guessable passwords to protect access to sensitive sites,” the group observed in a paper that is scheduled to be presented next month in Chicago at the ACM Computer and Communications Security Conference.

“This is evidence that the malware problem is fundamentally a cultural problem,” reasoned the paper’s authors, Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Christopher Kruegel, and Giovanni Vigna.

“Even though people are educated and understand well concepts such as the physical security and the necessary maintenance of a car, they do not understand the consequences of irresponsible behavior when using a computer,” they explained. “Therefore, in addition to novel tools and techniques to combat botnets and other forms of malware, it is necessary to better educate the Internet citizens so that the number of potential victims is reduced.”

During their botnet escapade, the researchers also discovered that the size of botnets can be misrepresented if too simply analyzed. “[A] naïve evaluation of botnet size based on the count of distinct IPs yields grossly overestimated results,” they found.

They also discovered how difficult it was to report problems once they were uncovered.

“[W]e learned that interacting with registrars, hosting facilities, victim institutions, and law enforcement is a rather complicated process,” the researchers wrote.

“In some cases,” they continued, “simply identifying the point of contact for one of the registrars involved required several days of frustrating attempts.”

“We are sure that we have not been the first to experience this type of confusion and lack of coordination among the many pieces of the botnet puzzle,” they acknowledged. “However, in this case, we believe that simple rules of behavior imposed by the US government would go a long way toward preventing obviously-malicious behavior.”

Botnets, also known as zombie networks, consist of computers infected with malware, usually a Trojan, that gives control of the machines to a cracker operating from a remote location. The malnets can be used for a number of purposes, including spreading spam and filching sensitive personal information.

“Botnets,” the researchers noted, “are the primary means for cyber-criminals to carry out their nefarious tasks, such as sending spam mails, launching denial-of-service attacks, or stealing personal data such as mail accounts or bank credentials.”

“This reflects the shift from an environment in which malware was developed for fun, to the current situation, where malware is spread for financial profit,” they added.

The UCSB researchers targeted a botnet created with the Torpig Trojan, which is designed to harvest information, such as bank account and credit card information, from an infected computer. During the 10 days that the researchers controlled the botnet, they report that they were able to identify 1.2 million IP addresses contacting the command and control server used by the group to operate the malnet. Those addresses could be tagged to more than 180,000 infections, which produced almost 70GB of data during the experimental period.
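The gap between the 1.2 million IPs and the roughly 180,000 infections above is the overestimation the researchers warn about: one infected machine contacts the server from many addresses over time (DHCP churn), while several machines may share one address (NAT). The following is an added example, not code from the paper, that counts a constructed log of C&C contacts both ways; it assumes each bot includes a stable per-infection identifier in its submissions, which the article does not specify.

```python
from collections import defaultdict

# Constructed sample of C&C contact records: (timestamp, source IP, bot identifier).
# The bot identifier is an assumption for this example: a per-infection value the
# bot sends with every submission; the page does not describe such a field.
SAMPLE_CONTACTS = [
    ("2009-01-25T10:00:00", "198.51.100.10", "bot-0001"),
    ("2009-01-25T11:30:00", "198.51.100.11", "bot-0001"),  # same bot, new DHCP lease
    ("2009-01-25T13:00:00", "198.51.100.12", "bot-0001"),  # and another lease
    ("2009-01-25T10:05:00", "203.0.113.5",   "bot-0002"),
    ("2009-01-26T09:00:00", "203.0.113.5",   "bot-0003"),  # NAT: two bots, one IP
    ("2009-01-26T09:02:00", "203.0.113.5",   "bot-0002"),
    ("2009-01-26T12:00:00", "192.0.2.77",    "bot-0004"),
    ("2009-01-27T12:00:00", "192.0.2.78",    "bot-0004"),  # bot-0004 moved address
]


def distinct_ip_estimate(contacts):
    """Naive size estimate: number of distinct source IPs seen at the C&C."""
    return len({ip for _, ip, _ in contacts})


def distinct_bot_estimate(contacts):
    """Size estimate keyed on the per-infection identifier instead of the IP."""
    return len({bot for _, _, bot in contacts})


def ips_per_bot(contacts):
    """For each bot, the sorted IPs it was seen from; >1 entry means DHCP churn."""
    seen = defaultdict(set)
    for _, ip, bot in contacts:
        seen[bot].add(ip)
    return {bot: sorted(ips) for bot, ips in seen.items()}


def bots_per_ip(contacts):
    """For each IP, the sorted bots behind it; >1 entry means NAT hides infections."""
    seen = defaultdict(set)
    for _, ip, bot in contacts:
        seen[ip].add(bot)
    return {ip: sorted(bots) for ip, bots in seen.items()}


def overestimation_factor(contacts):
    """How many times larger the IP-based count is than the bot-based count."""
    return distinct_ip_estimate(contacts) / distinct_bot_estimate(contacts)


if __name__ == "__main__":
    print("distinct IPs :", distinct_ip_estimate(SAMPLE_CONTACTS))
    print("distinct bots:", distinct_bot_estimate(SAMPLE_CONTACTS))
    print("factor       :", overestimation_factor(SAMPLE_CONTACTS))
```

On this sample the IP count is 1.5 times the bot count even though NAT hides one infection, which is why a per-bot identifier, not the IP, is the right key for sizing a botnet.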

A distinctive characteristic of Torpig discovered by the researchers is that it appears to be used as a “Malware As A Service” vehicle. They explained that Torpig DLLs are marked with a “build” type in their header field. The build doesn’t seem related to feature sets in the libraries, they reasoned, because all builds of the Trojan behave in the same way. Yet, build type information is transmitted in all communication with the malware’s command and control server, including in the submission header and in each data item contained in the body of the submission.

“[T]he most convincing explanation of the build type is that it denotes different ‘customers’ of the Torpig botnet, who, presumably, get access to their data in exchange for a fee,” the bot detectives deduced. “If correct, this interpretation would mean that Torpig is actually used as a ‘malware service’, accessible to third parties who do not want or cannot build their own botnet infrastructure.”

Password information gathered by the botnet was also analyzed by the researchers. They discovered that 28 percent of the malware’s victims reused their credentials for accessing 368,501 websites. In addition, in a test of password strength, they found that of 173,686 passwords nicked by the malnet, 56,000 were cracked in 65 minutes with a commonly used password breaker called John the Ripper; another 14,000 just 10 minutes later. “Thus,” they wrote, “in less than 75 minutes, more than 40% of the passwords were recovered.”

About John P Mello Jr

John Mello is a freelance writer who has written about business and technical subjects for more than 25 years. He is a frequent contributor to the ECT News Network and his work has appeared in a number of periodicals, including Byte magazine, PC World, Computerworld, CIO magazine and the Boston Globe.