UCSB Researchers Hijacked the Mebroot Botnet

October 12, 2009

A research team led by Professors Kevin Almeroth, Christopher Kruegel, and
Giovanni Vigna at the University of California at Santa Barbara hijacked
the Mebroot botnet for about a month and used it to study drive-by
downloads. In a drive-by download, attackers compromise a legitimate website
so that it covertly installs malicious software on visitors' machines or
redirects them to another site that does.

The researchers managed to intercept Mebroot's communications by
reverse-engineering the algorithm the malware uses to select the domains it
connects to, and registering those domains ahead of the botnet's operators.
The team, which previously infiltrated the Torpig botnet, found that at least
13.3 percent of the systems redirected to Mebroot's servers were already
infected with malware, and that about 70 percent were vulnerable to at least
one of roughly 40 common attacks. Among their findings, the researchers
discovered that, while the seedier sites on the Internet (those hosting porn
and illegal downloads) were the most effective at redirecting users to a
malicious download site, business sites were more common among the
compromised referrers. The details are reported in MIT Technology Review,
and the work was featured by KCLU.