Eavesdropping on a botnet

A security researcher deliberately infected a PC with a botnet worm, then monitored it via a network proxy that caught all of its communications with the botmaster that had enslaved it. The machine was hijacked into sending mountains of spam from "dozens of IP addresses and using forged sender addresses," "advertising everything from pornography to fake Rolex watches and pharmaceuticals."

"I have two machines here running in an isolated network. I infect one with the malware, and I have the other machine pretending to be the entire Internet," he explained.

The second machine, known as a sandnet, is a custom-made tool for analyzing malware in an environment that is isolated, yet provides a virtual Internet for the malware to interact with.
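One building block of that "pretend to be the entire Internet" role, added here as an illustration rather than code from the article or the researcher's own tool: a minimal fake DNS resolver that answers every A lookup from the isolated host with the sandnet machine's own address, so whichever hostname the malware asks for, its traffic lands on the analysis box where it can be captured. The 10.0.0.2 address and the listening port are assumptions.

```python
import socket
import struct

SANDNET_IP = "10.0.0.2"  # assumption: the analysis host that impersonates every server


def build_response(query: bytes, answer_ip: str = SANDNET_IP) -> bytes:
    """Answer any A/IN query with the sandnet host's address.

    Parses the 12-byte DNS header and the first question, then returns a
    response carrying one A record (TTL 60) that points at answer_ip.
    Other query types get an empty NOTIMP (rcode 4) reply.
    """
    txid, flags = struct.unpack("!HH", query[:4])
    i = 12  # walk the QNAME labels to find where the question ends
    while query[i] != 0:
        i += query[i] + 1
    i += 1  # skip the terminating zero-length label
    qtype, qclass = struct.unpack("!HH", query[i:i + 4])
    question = query[12:i + 4]
    rflags = 0x8080 | (flags & 0x0100)  # QR=1, RA=1, RD copied from query
    if qtype != 1 or qclass != 1:
        return struct.pack("!HHHHHH", txid, rflags | 4, 1, 0, 0, 0) + question
    header = struct.pack("!HHHHHH", txid, rflags, 1, 1, 0, 0)
    # answer: name pointer to offset 12, type A, class IN, TTL 60, rdlength 4
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(answer_ip)
    return header + question + rr


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode a standard recursive query (constructed input for testing)."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)


def answer_ip(response: bytes) -> str:
    """Pull the A record address out of a response from build_response."""
    return socket.inet_ntoa(response[-4:])


def rcode(response: bytes) -> int:
    """Return the response code from the DNS header flags."""
    return response[3] & 0x0F


def serve(bind_ip: str = "0.0.0.0", port: int = 53) -> None:
    """Every lookup from the infected host resolves to the sandnet."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    while True:
        data, peer = sock.recvfrom(512)
        sock.sendto(build_response(data), peer)


if __name__ == "__main__":
    serve()
```

Point the isolated host's DNS at this machine and whatever the sample tries to reach resolves to the analyst; the same host can then run the proxy that logs the control-channel traffic.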

"I can sit back and see all the interaction up to the point where it [the infected machine] joins the botnet's control channel. Then I can take that information, go outside and replicate it. I can see what the real server is doing to get an entire picture of the operation," Stewart said.


(via /.)