May 25, 2005 1:18 PM PDT

Experts: Zombies ousting viruses

Virus authors are choosing not to create global epidemics--infections of the type caused by Melissa or Blaster--because that distracts them from their core business of creating and selling zombie networks, according to antivirus experts.

Speaking at the AusCERT conference in Australia's Gold Coast on Tuesday, Eugene Kaspersky, founder of Kaspersky Labs, said that the influence of organized crime on the malicious software industry has led to a change of tactics. Instead of trying to create viruses and worms that infect as many computers as possible, authors of malicious software are instead trying to infect 5,000 or 10,000 computers at a time to create personalized zombie armies.

"Do I need a million computers to send spam? No. To do a DDoS attack, 5,000 or 10,000 PCs is more than enough. That is why virus writers and hackers have changed their tactics of infection--they don't need a global epidemic," said Kaspersky.

Zombie networks are groups of computers that have been infected by malware that allows the author to control the infected PC and use it to send spam or launch DDoS (distributed denial of service) attacks.

According to Kaspersky, organized criminals are advertising zombie computers for rent on underground newsgroups and Web pages. When they receive an order for a certain-size army, they set about trying to infect computers using infected e-mail attachments or socially engineered spam with links to malicious Web pages. As soon as they infect enough computers to fulfill the order, they stop using that particular piece of malicious software.

"Say the virus author needs 5,000 infected computers. They put the Trojan on a Web page and wait for 5,000 machines to be infected, then they remove the Trojan because that is enough," Kaspersky explained. "When they get a new request for another zombie network, they release a new Trojan. They are able to control the number of infected computers."

Adam Biviano, senior systems engineer at antivirus company Trend Micro, agrees. He said that by infecting a relatively small number of computers, the malicious software has a better chance of flying "under the radar" and not being spotted by antivirus companies.

"It makes sense to have a discreet number of PCs under your control and be able to sell that on," said Biviano, adding, "With 5,000 PCs under your control--none of which are being destroyed or showing actual qualifiable damage as a result--you will fit under the radar, probably make some money and you probably won't get arrested."

Kaspersky said that to fight this new tactic, antivirus companies have to be more thorough, scouring Web pages and e-mail attachments for new and obscure pieces of malicious software to ensure as few Trojans as possible escape.

"Before releasing the new infected code, (virus writers) test it using antivirus scanners and they don't release the new Trojan or worm if it is detected. I believe that if only 1,000 machines are infected, antivirus companies will never receive the infected file. That is why antivirus companies have to collect data reactively and get samples as quickly as possible," said Kaspersky.

Vincent Gullotto, vice president of McAfee AVERT (Anti-virus Emergency Response Team), said that antivirus companies are responding to the new threat by proactively seeking out new forms of malicious software.

"It is standard for us, Kaspersky, Symantec and some of the other prominent antivirus companies to scour the Web in many different ways. We go out looking for (malicious software) with a very aggressive search and we do passive searches, where we have machines that are just sitting around waiting to get attacked. When we see a machine getting attacked, we grab a sample rather quickly so we can add it to our database," said Gullotto.

Munir Kotadia reports for ZDNet Australia.


Join the conversation!
Add your comment
Armies of millions of zombie PCs
The fact that the virus writers are aiming at a few thousand zombie PCs in each network does not mean that they are not aiming at an army of millions of PCs at their control. Only that they divide this army into regiments, just like any other army, and then they can use as little or as many units as they need for each job, without risking all other units.

It seems that the malware business has turned pro!
Posted by hadaso (468 comments )
Reply Link Flag
What this tells me is that the ability to "track" and "see" the zombie computers is there; that they exist. Theses computers have to have something that allows them to be seen. Seems to me that any computer that is able to be recognized as a zombie is already compramised as this kind of effort would otherwise not be possible. Basicly, I asking how these people can actually know that these machines are zombies in the first place? With everything I've seen, it is increasingly becoming easier to have a situation where a user can be at they're computer not even realizing that the computer they are using is also (multitasking) doing the will of someone else. This happens all the time when a computer gets infected with most kinds of viri. So, the question then becomes: is this company able to know wether or not any particular computer is virus infected anywhere somehow by remote access through the net? Just who's computer is this that I'm on anyway? So many of these studies and facts and figures seem to be coming out that shouldn't even be possible for someone to know. So many of these home and work computers being used by people who just don't know and don't care to know anything about how the machine they use and own works and how to fix problems that do come up. In a way, it doesn't suprise me that people have such poor security that they get infected in the first place, much less giving some company the ability to know wether or not their machine is a zombie.
Posted by Prndll (382 comments )
Reply Link Flag

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot



RSS Feeds

Add headlines from CNET News to your homepage or feedreader.