Reverse-engineering computer crime pays off

Research at the International Computer Science Institute in San Francisco and UC-San Diego has come up with a new method of reverse-engineering botnets, one of the top organized Internet crime tools of our time.

One member of the team was Andreas Pitsillidis (right), a Cypriot Ph.D candidate at UCSD.

The paper is called Botnet Judo.. It will be presented in March at an Internet Society conference.

Botnets fool spam filters by making subtle changes in messages. But these are driven by a template contained in the bot’s code.

The idea of Botnet Judo is to let a PC be invaded by a bot program, then analyze the spam messages sent by the bot in order to reverse-engineer its template.

Through reverse-engineering, Botnet Judo can decode the template that is generating the spam. Once the template is distributed through security software the botnet is helpless, until the template is changed. (That’s why it’s judo, and not boxing.)

Updating a botnet is just like patching any program, and someday we can trace those updates back to their source.

Reverse-engineering, decoding what a program says based on its output, has long been popular in industrial espionage and even in Search Engine Optimization. The Conficker Working Group was able to disarm that worm, in part, through the use of reverse engineering.

That group, and the collaboration that produced Botnet Judo, are also examples of another key way to fight online crime, which is to organize. The Conficker group was formed last year by a coalition of anti-virus companies and the government, and working together a lot of damage was averted.

Thus both computer criminals and crime-fighters have techniques and organizational structures in common. But there remains this key difference, as one pro described it to me a few years ago.

The good guys have to protect every possible opening. The criminal has to find just one.

Pitsillidis’ web page makes no mention of his personal life, but his professional prospects look excellent.