Fighting a virus with a virus, more or less
April 25, 2008
It’s been said before, and is worth saying again: yes, computer viruses and worms can be highly destructive things. That they are not more destructive, however, is a testament only to the fact that as brilliant as hackers and virus programmers might be, there are substantially more brilliant people working for the “good guys.”
And here’s one more example of that principle in action.
The research team reverse-infiltrated Storm by deliberately allowing the botnet to infect a series of honeypots. Once infected, the honeypots became launch points for the researchers’ own payload. Along the way, the team was able to estimate the number of infected systems by actively tracking P2P activity rather than passively observing the total amount of spam flowing out of a single botnet.
The research team’s paper (PDF) goes into considerable detail and gives specific information on how the team analyzed, monitored, and penetrated Storm’s structure. Their own counter-attack, however, is elegant in its simplicity. By publishing their own set of false commands at the appropriate time, the group was able to prevent the “legitimate” commands from being received.
Being able to prevent the Storm botnet from actually carrying out its own updates is impressive, but the real strength of this research lies in its proof that botnets have weaknesses of their own that security firms can potentially exploit.
Hey…if it works in medical research, why not see if the digital analog is possible?
Update: Welcome, WebElf readers!