By Marlene Cimons, National Science Foundation
Today’s hackers are a different breed from those of the past. In the old days, all they wanted to do was make mischief. Now all they want to do is make money.
This means security experts no longer can depend solely on traditional defenses, such as blacklists and anti-virus software, since experienced attackers eventually find ways to get around them. Instead, cyber scientists are turning to an age-old system to help them develop a new approach.
“We are looking at the economic business model of Internet crime to try to understand ‘unprofitable,’" says Stefan Savage, professor of computer science and engineering at the University of California, San Diego. “We need to find the attackers’ economic vulnerabilities and weaknesses. It’s like trying to stop the drug trade—you need to look at every step in the pipeline to figure out the best place to disrupt it.”
Savage and his colleague, Vern Paxson, professor of electrical engineering and computer sciences at University of California, Berkeley, are principal investigators at the Collaborative Center for Internet Epidemiology and Defenses, a joint effort between University of California, San Diego and the International Computer Science Institute’s Center for Internet Research, where Paxson also is a senior scientist. The center is funded in part by the National Science Foundation, which has provided more than $1 million annually.
The center’s goal is to address the challenges posed by worms and viruses, and more recently by the proliferation of botnets, networks of computers controlled en masse by a third party. Typically unknown to the owners of the individual machines, botnets allow criminals to set up scams via spam email, selling counterfeit drugs and other products, as well as more insidious things, such as stealing credit card information or even entire identities.
“Much of today’s large scale threat is from botnets,” Savage says. “The attacker decides which machines to take over and, having taken over these machines, can control them centrally, and tell thousands, or in some cases millions, of machines what to do.”
Paxson adds: “The great ease of obtaining so many compromised machines turns them into a commodity business.”
In examining the problem of email spam, the scientists decided that the best approach to dealing with botnet spammers might be to target their economic soft spots. But first they needed to find out more about how the schemes actually work in practice, including how many people respond to them. To do that, they launched a series of ‘measurement’ studies.
“We know the bad guys pump out spam in huge numbers,” Paxson says. “People, to some degree, must reply to these spams and presumably look over a bunch of products and buy them, using credit cards. The money actually changes hands, and the product changes hands. We wanted to know how effective is spam advertising? How much spam must people send out to get people to look at their website? Sending out spam might be cheap, but it’s not completely free. It’s clear that spammers send out zillions of emails, so are they the new drug lords who have billions of dollars rolling in? Or are they losers who just get by on that plus their welfare checks? What is their revenue?”
So the researchers went undercover. Using their own computers, they infiltrated the “Storm” botnet, which emerged in early 2007, and took over hundreds of thousands of computers, and sent spam ads. The researchers then created an exact replica of one of Storm’s sales sites, and devised a way to divert about 1 percent of the botnet’s traffic to their fake site.
“There was a funny thing about the way this botnet was set up,” Savage says. “One of the innovations they came up with was to have layers of communication, rather than have all the bots talk to one central manager. They had middle management. We infiltrated that middle tier. That allowed us to see all the commands trying to be sent, and all those sent back. We were undercover in the middle tier listening to conversation between the bottom and the top—really only 1 percent, but it gave us an idea of how it worked.”