Tracking the Master

    Christina Aushana/Guardian
    Christina Aushana/Guardian

    You’ve seen it before: a humble request from distressed Dutch citizen Romeo Ormskerk, promising you “in absolute trust in god” he’ll place $25 million in your bank account. After all, you — a responsible college student — are as trustworthy a business partner as any.

    But no matter how many car bombs and insurgents threaten Ormskerk, he may have just posed an even greater threat to your computer.

    Here at UCSD, a team at the Collaborative Center for Internet Epidemiology and Defenses — led by computer science and engineering associate professor Stefan Savage — has been working to halt the latest trends in cybercrime. They were recently granted $7 million from the U.S. Navy to continue conducting the cutting-edge research on botnets they began in 2008.

    This research enabled them to figure out something no one had been able to determine before: exactly how many people receive a specific spam e-mail, click on a link within it, and ultimately purchase that pill promising to make him longer and wider – or whatever product the e-mail was attempting to sell.

    The latest criminal tool in 21st century drive-by downloads, a botnet is a network (“net”) of computers (“bot”) controlled by a spammer called the “bot master.” Once you download a virus, usually with an accidental mouse click, it sends out spam to all other computers in your network. All without leaving a trace back to the bot master.

    According to Savage, when the botnet concept emerged online in the early ’90s, it was only designed to send self-perpetuating insults via e-mail. However, most spammers were soon “blacklisted” by anti-spam campaigns and filters or blocked from sending outgoing mail. They needed a new outlet to continue their attacks – one where they themselves wouldn’t be the target.

    “The people writing worms, viruses, and malicious software and the people who send spam got together,” said Savage. “It was like, when you infect these machines, instead of doing nothing, why don’t you set up a relay so I can send my e-mail through one of your machines. So, all this e-mail will not come from me. Instead, it will appear like 10 messages from the infected machines.”

    And that was the beginning of the cybercrime renaissance. Upon the success of these spammers, botnets became a hot commodity on the underground cybermarket.

    “It’s cheap,” Savage said. “The going rate for an individual [computer] is not more than a few dollars. Most are probably just pennies. So, you can get 1,000 computers for fairly cheap.”

    According to Savage, buying infected computers is just like any other commodity market.

    “You just go online, and you can buy compromised machines all over the world. ‘I want computers in Uruguay; I want computers in Spain.’ People try to send more spam during Christmas.”

    As botnets evolved, large networks of compromised computers could be used for credit-card theft, identity theft and online extortion. Due to vague laws and differing international definitions regarding cybercrime, botnets are still a relatively new worldwide phenomenon that remains mysterious to cyber-police like Savage.

    One botnet, named Storm Worm (for the popular subject line: “230 dead as storm batters Europe.”), infected computers from December 2006 to early 2008. It became the world’s largest network of infected computers within three months of its inception, infecting over an estimated one million computers nationwide, including several computers at UCSD. Though the Worm was used mainly to send spam, particularly for small pharmaceutical companies, it functioned much like peer-to-peer file-sharing networks such as BitTorrent and Kazaa.

    However, Muir College senior Brandon Enright, a security analyst at UCSD’s Administrative Computing and Telecommunications, said that these worms weren’t dangerous.

    “These were not the harmful botnets. The [ACMS] — the people who work on your computers — love the Worm because it’s easy to identify, and allows them to easily clean student computers.”

    Although the Storm Worm only infected a handful of UCSD computers, Enright wanted to stop the botnets from returning to campus for good. He was able to reverse-engineer a “crawler” — a computer program that harvests e-mail addresses from spam — to quickly track down computers in the infected network.

    After developing his program, Enright obtained a copy of the malware in order to look further into how its protocol worked. After that, he was able to create a program that could infiltrate this specific variant Worm’s protocol.

    “I gave it one host, and it asked other computers to tell me about their neighbors. So, I contacted those [computers] and asked them to tell me about their neighbors. Eventually, I get a list of every single infected computer on the network.”

    But the crawler was by no means perfect. The Heisenbot Uncertainty Principle states that there is always a certain amount of error within a crawler’s estimated numbers, due to the large volume of computers on the network.

    “It’s like a street, where at any point and time there can be multiple cars entering and leaving,” Enright said. “It’s like [the game] telephone, where you ask a bunch of cars to tell me about the car next to them. But, by the time it gets back to me, the car that one of the other cars mentioned might not be there anymore.”

    After learning of Enright’s list of infected computers that Enright found with his crawler, Savage invited the student to work with his team of researchers.

    “The [infected computers] need some way of communicating back to [the bot master], so we try to understand how the command control works,” Savage said. “That way, we can monitor what the botnets are being told to do — what they are saying they have done.”

    The team has now switched its main focus toward the economics of cybercrime, putting an emphasis on spam e-mails.

    “We were able to confuse about 1 percent of the botnets,” Savage said. “So, 1 percent of botnets were confused into sending an e-mail with a Web link which pointed to [Web sites] that we control. We were able to answer the question no one has answered before: How many people get the mail, click on the link and then go to the site and buy?”

    The team monitored the Storm botnet in computers they purposely infected for about 20 days last year. Within that time period, they estimated that a spammer selling generic drugs for a hired pharmacy could make approximately $3 million to $4 million a year through spam e-mails alone.

    By gaining more specific knowledge of spammer profits, Savage hopes to understand the cost benefits behind cybercrime and find ways to combat it. Understanding these business models, he says, will make it easier to fight cybercrime from an insider’s perspective.

    “We’re trying to understand things from the criminal’s point of view,” Savage said. “It’s hard to decide the right way to combat something if you don’t know the weaknesses, like the bottlenecks in [spammer profits] and what effects them.”

    Although Savage is focusing primarily on cybercrime economics, he’s found some techniques to infiltrate botnets along the way.

    “One of the interests in the Department of Defense is the strategic threat,” Savage said. “They would like to find a way that, if they were infected with a botnet, they can infiltrate it and shut it off, or see what information it could have taken. So we can try to build tools and automate the shutdown process, and test it in a way that’s safe.”

    However, Savage insists that UCSD will never go so far as to take the war on cybercrime completely into its own hands.

    “We will never be an operational organization that will shut off botnets,” Savage said. “There’s a whole bunch of legal issues with that. What we’re working on is the technology to infiltrate and, if duly authorized, to shut down.”

    Ultimately, Savage said his team hopes to work toward the prevention of organized crime networks of the future.

    “[Spam and cybercrime] are definitely profitable,” Enright said. “It’s basically your 21st century mafia.”

    Readers can contact Jasmine Ta at [email protected].

    Screen shot 2009-10-26 at 11.57.06 AM

    More to Discover
    Donate to The UCSD Guardian
    Our Goal

    Your donation will support the student journalists at University of California, San Diego. Your contribution will allow us to purchase equipment, keep printing our papers, and cover our annual website hosting costs.

    Donate to The UCSD Guardian
    Our Goal