
Infiltrate Botnets

Jacobs School computer scientists infiltrated the Storm botnet - an infamous spam-sending network of infected and remotely controlled computers. To reach just one person willing to buy black-market pharmaceuticals, Storm had to send, on average, 12 million spam emails, the researchers discovered. Sneaking into the Storm botnet and collecting spam conversion data is just part of the computer scientists' larger effort to understand online crime from a global perspective.

When you think like an online criminal, you see that spam is cheap, that getting your URLs blacklisted is not a big deal, and that software programs with "perfect security defenses" would not stop botnets.

"Our work brings awareness to the fact that trying to filter spam is not the only approach to dealing with the problem," says Geoffrey Voelker, a computer science professor who, together with computer science professor Stefan Savage, is leading the effort to leverage the Jacobs School's expertise in systems, networking, and security to identify cracks in the online crime world's global facade. This project is linked to UCSD's Center for Networked Systems.

Despite the 12,000,000-to-1 spam conversion rate, a single Storm spam campaign yielded between $7,000 and $9,000 per day in 2008, estimated the Jacobs School researchers who performed this work in collaboration with Vern Paxson and Christian Kreibich from the International Computer Science Institute at UC Berkeley.

"I have a long list of reasons why we are not going to win on the technical side of spam, e-crime or identity theft," said Savage. "Almost everything about the landscape favors the bad guys, and it is very easy for them to change. You put in a huge investment to secure one aspect and they change. It costs them almost nothing."

Instead, computer science professors, students and researchers - including Chris Kanich and Kirill Levchenko - are following the money.

"What surprised me is how sophisticated these operations are. Making money in spam requires not only a way to send spam, but also Web hosting companies and DNS registrars that ignore abuse complaints, online pharmacy operators, and so on. These all point to a sophisticated criminal ecosystem," said Kirill Levchenko, who recently earned his computer science Ph.D. at the Jacobs School, where he is now a postdoctoral researcher.

Infiltrating Storm enabled the computer scientists to intercept outgoing commands and adjust them so that the botnet generated spam with links to dummy sites run by the researchers.
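The rewriting step described above can be illustrated with a small added example. This is not the researchers' code, and the page does not describe Storm's actual command format, so the "template" below is a constructed stand-in: a spam template whose body contains the URLs the spammer wants recipients to click. The function swaps every link for one on a researcher-controlled dummy host (the host name and campaign tag are assumptions), keeps the original path and query so the dummy site can serve the matching page, and records the original-to-dummy mapping for later analysis.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Hypothetical command format (not Storm's real protocol): a spam template
# whose body carries the links the botnet should advertise.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Punctuation that commonly trails a URL in prose and is not part of it.
TRAILING = ".,;:!?)"

# Constructed sample template, embedded so the example runs offline.
SAMPLE_TEMPLATE = (
    "Order now: http://pharma.example/shop?item=42 "
    "or http://pharma.example/about.\nRegards"
)


def rewrite_template(template: str, dummy_host: str, campaign_id: str) -> tuple[str, dict[str, str]]:
    """Replace every URL in the template with one on the dummy host.

    The path and query of the original link are preserved so the dummy
    site can show the page the spam was advertising, and a campaign tag
    is appended so later site hits can be attributed to this command.
    Returns the rewritten template and the original->dummy mapping.
    """
    mapping: dict[str, str] = {}

    def swap(match: re.Match) -> str:
        original = match.group(0)
        trail = ""
        # Peel off trailing punctuation so it stays outside the new link.
        while original and original[-1] in TRAILING:
            trail = original[-1] + trail
            original = original[:-1]
        parts = urlsplit(original)
        tag = f"c={campaign_id}"
        query = f"{parts.query}&{tag}" if parts.query else tag
        replacement = urlunsplit(("http", dummy_host, parts.path or "/", query, parts.fragment))
        mapping[original] = replacement
        return replacement + trail

    return URL_RE.sub(swap, template), mapping


if __name__ == "__main__":
    rewritten, links = rewrite_template(SAMPLE_TEMPLATE, "dummy.research.example", "c17")
    print(rewritten)
    for src, dst in links.items():
        print(f"{src} -> {dst}")
```

Because the path and query survive the swap, a later hit on the dummy site tells the analyst both which product page the recipient followed and, via the tag, which intercepted command generated that spam; without the tag, visits from different campaigns would be indistinguishable in the dummy site's logs.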

"Collecting data for the spam conversion study was the most exciting part so far," said Ph.D. student Chris Kanich. "We were working on this botnet that we didn't control. The botmaster could change the way things work, or find out that we'd infiltrated their botnet at any time."

One of the next steps for the computer scientists is to investigate the relationships between the various players in online crime, including the illegal pharmaceutical Web sites that pay spammers a commission for directing buyers to their sites, the credit card processors, the product fulfillment groups, and the drug manufacturers.

"We are trying to come up with empirical means to draw a CSI-like picture of how it all works," said Savage.

A new $7 million grant from the Office of Naval Research will help to fund the computer scientists' efforts to better understand the underlying technical issues that revolve around botnet measurement and infiltration.