October 19, 2006 4:00 AM PDT

Zombies try to blend in with the crowd

Hackers are trying harder to make their networks of hijacked computers go unnoticed.

Cybercrooks are moving to new Web-based techniques to control the machines they have commandeered, popularly referred to as "zombies." Previously, they sent orders via Internet chat services, but that method ran the risk of inadvertently revealing the location of both the zombies and the people controlling them.

"All the good guys are being challenged here. (Hackers are) saying: 'You're spotting my traffic. I am going to try and hide it a little better,'" said Rob Fleischman, the chief technology officer at Simplicita, a Denver-based security start-up that helps Internet service providers deal with infected computers on their networks.

The change in tactics makes it harder to identify zombies on a network, and it becomes tougher for security professionals to use the hackers' own tools to spy on them. In addition, the switch to Web-based control increases the threat of zombies to enterprises and other organizations, as that method can't be blocked as easily as the previous technique.

"If you're a bad guy, this is pretty good news. If you're a good guy, I wouldn't say it is bad news, but it is a challenge," said Jose Nazario, a senior software engineer at Arbor Networks, which sells network analysis products. Nazario has done extensive research into zombies, the results of which he presented at last week's Virus Bulletin conference.

Life of a zombie
Hijacked computers have become one of the most serious security problems on the Internet. Malicious remote-control code turns a computer into a zombie via security holes in software, a worm, or a Trojan horse. It then runs silently in the background, letting an attacker send commands to the system, unbeknownst to its owner.

Zombies are the most prevalent threat to Windows PCs, according to a Microsoft report released earlier this year. A security tool downloaded alongside Microsoft's patches removed at least one version of malicious remote-control software from about 3.5 million PCs between January 2005 and March 2006, it said.

Criminals make money by networking their zombies into a "botnet". They put these networks to work mounting denial-of-service attacks against online businesses in extortion schemes; hosting faked Web sites used in phishing scams; and relaying spam. Attackers also often load adware and spyware onto compromised systems, earning a kickback from the makers of these programs or reselling the private data of their victims.


In fighting botnets, investigators found it was relatively easy to identify zombies because of how they communicate with their masters. Most botnets today are controlled via Internet Relay Chat, or IRC, a still-active chat network that is a relic of the early days of the Net.

IRC lets hackers control their bots in real time. As soon as a computer is infected, it connects to a specific chat server and channel, and awaits its commands. But the benefit for the good guys is that they can lurk in the chat rooms, spy on the hackers, and sometimes even identify them. Furthermore, IRC uses its own network protocol.

"IRC is not as common as other protocols," Fleischman said. "It does not blend in. It has a certain signature. You can use technologies to spot it."

Internet service providers already block traffic to the IRC servers used by zombies, and many organizations use network shields, such as firewalls and intrusion detection systems, to block IRC traffic altogether. This prevents a compromised PC on a specific network from contacting its command-and-control center.

These countermeasures have not gone unnoticed in hacker circles. In a classic game of cat and mouse, miscreants are moving command-and-control channels for their botnets away from IRC and onto the Web. There, the zombies will blend in with regular Web traffic, which can't simply be blocked.

"These bots look like people browsing the Web," Fleischman said. "The brilliance here--and I hate to compliment the botmasters--is that they know that there is a giant haystack of Web traffic, and if they hide their command-and-control there, it is harder to spot."

Instead of connecting to an IRC server, newly compromised PCs connect to one or more Web sites to check in with the hackers and get their commands. These Web sites are typically hosted on hacked servers or computers that have been online for a long time. Attackers upload the instructions for download by their bots.
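The two detection points the article makes can be shown in a few dozen lines: IRC control traffic carries a protocol signature (a dedicated port range and commands such as NICK and JOIN) that a logging firewall can match directly, whereas Web-based control hides inside ordinary HTTP, so a defender has to fall back on behavioural clues such as a host checking in with the same external site at clockwork intervals. The following Python detector is an added example written for this page, not code from Simplicita, Arbor Networks or anyone quoted above; the log format, the hosts and URLs, the port list and the beaconing thresholds are all constructed assumptions.

```python
"""
Added example (not from the CNET article): a small detector that runs over
constructed firewall/proxy log lines and shows why IRC command-and-control
is easy to spot while Web-based check-ins are not.

Assumed log format (one record per line, constructed for this example):
    <ISO timestamp> <src ip> <dst ip> <dst port> <proto> <payload or request>
"""
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed sample data: one IRC bot on the standard port, one IRC bot on a
# non-standard port (caught by the payload), one person browsing normally and
# one host that fetches the same URL every 60 seconds (an HTTP check-in).
SAMPLE_LOG = """\
2006-10-19T04:00:01 10.0.0.5 198.51.100.7 6667 tcp NICK botxyz
2006-10-19T04:00:02 10.0.0.5 198.51.100.7 6667 tcp JOIN #cmd
2006-10-19T04:00:05 10.0.0.8 203.0.113.9 80 http GET /news/index.html
2006-10-19T04:00:09 10.0.0.8 203.0.113.9 80 http GET /news/story.html
2006-10-19T04:00:31 10.0.0.8 203.0.113.9 80 http GET /images/logo.gif
2006-10-19T04:02:10 10.0.0.8 203.0.113.9 80 http GET /news/other.html
2006-10-19T04:00:40 10.0.0.12 198.51.100.30 8080 tcp NICK zz
2006-10-19T04:01:00 10.0.0.9 203.0.113.20 80 http GET /img/check.php?id=1
2006-10-19T04:02:00 10.0.0.9 203.0.113.20 80 http GET /img/check.php?id=1
2006-10-19T04:03:00 10.0.0.9 203.0.113.20 80 http GET /img/check.php?id=1
2006-10-19T04:04:00 10.0.0.9 203.0.113.20 80 http GET /img/check.php?id=1
2006-10-19T04:05:00 10.0.0.9 203.0.113.20 80 http GET /img/check.php?id=1
"""

# The classic IRC port range plus the usual TLS port; assumed, not from the page.
IRC_PORTS = set(range(6660, 6670)) | {6697}
# Client-side IRC commands that appear at the start of a line of the protocol.
IRC_COMMANDS = ("NICK ", "USER ", "JOIN ", "PRIVMSG ", "PONG ")


def parse_line(line):
    """Split one log record into a dict; the payload may contain spaces."""
    ts, src, dst, dport, proto, payload = line.split(" ", 5)
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "dport": int(dport), "proto": proto, "payload": payload}


def is_irc(rec):
    """Signature match: well-known IRC port, or IRC protocol text in the payload."""
    return rec["dport"] in IRC_PORTS or rec["payload"].startswith(IRC_COMMANDS)


def find_irc_clients(records):
    """Internal hosts whose traffic carries the IRC signature."""
    return sorted({r["src"] for r in records if is_irc(r)})


def find_http_beacons(records, min_hits=4, max_cv=0.1):
    """Behavioural heuristic for Web-based control: for every (src, dst) pair
    seen over HTTP, compute the gaps between successive requests. A human
    browsing produces irregular gaps; a bot polling its controller produces
    near-constant ones, i.e. a low coefficient of variation (stdev / mean).
    Returns {(src, dst): mean interval in seconds} for pairs that qualify."""
    by_pair = defaultdict(list)
    for r in records:
        if r["proto"] == "http":
            by_pair[(r["src"], r["dst"])].append(r["ts"])
    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        if statistics.pstdev(gaps) / mean <= max_cv:
            beacons[pair] = round(mean)
    return beacons


def analyse(log_text):
    """Run both detectors over a block of log text."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return {"irc_clients": find_irc_clients(records),
            "http_beacons": find_http_beacons(records)}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    print("IRC signature matched on:", result["irc_clients"])
    for (src, dst), interval in result["http_beacons"].items():
        print(f"periodic HTTP check-in: {src} -> {dst} every ~{interval}s")
```

The IRC rule is the firewall-style signature the article describes, and it catches both bots even though one uses a non-standard port. The beaconing rule is only a triage signal: a Web-based bot can randomise its interval, and legitimate software such as update checkers also polls on a schedule, so hits from it need a look at what was actually fetched before anyone calls the host a zombie.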

There are a billion honeypots out there
Every privately owned PC is a possible honeypot. The challenge is to coordinate all these so that information can be collected from all of them.

When people discover that their computer has been compromised they are most likely to agree to help in counter action. The problem is to find ways to approach them and have them cooperate in using their computer to obtain info that can lead to the real person behind the virus in their PC.

Law enforcement agencies should be more active in coordinating the effort to collect this evidence. When your home is broken into, you invite them to collect evidence that might lead to the thief. The same should happen when your computer is broken into. That doesn't rule volunteers out. However, most people would be more confident in letting someone collect evidence on their premises if that someone has an official status.

A lot of spam is sent using botnets to do the delivery. Perhaps it is not the worst use of botnets, but it leaves a lot of footprints in the form of email headers leading to compromised PCs. Coordination between postmasters can help identify most of these, and then analysis of many of these infected machines might lead further back to their operators. Spam also leaves a trail of money: there are people who paid for the services, and if they paid someone to use stolen resources to send their ads, they are accomplices. If they are faced with criminal charges for the illegal factors in activity they paid for, they would happily cooperate and lead to the real criminals who operate these. Starting with spam and going back would lead to the people who operate the infrastructure that allows not just spamming. Spam is only one of their sources of income.
Posted by hadaso (468 comments)
It's not that simple.
It's really not that simple. Most people are not sophisticated technically enough to know their system has been compromised. More frequently than I would like to see, I find users without firewalls, without a good anti-spyware app like Webroot Spy Sweeper, or a good antivirus program that has up-to-date definitions. And even if they do find out their system is a zombie, they want it cleaned so they can get back to work, not set aside to be a digital double agent.

The police? Most do not have the time, skills or materials to mount a CSI-style investigation of an infected PC.

At a Federal level? I think they are busy with terror threats. Postmasters? Not really their job. They have their hands full keeping spammer blacklists up to date and just keeping mail working.

The people paying for the spam would deny knowing how the email was sent and feign shocked indignation to discover a contractor had mishandled their email. Of course that contractor would be fired, and a new one would be hired to spam... I mean distribute... their email.
Posted by Amigoid (12 comments)
You can still track them....
They can run, but they can't hide.

If the feds want to fork over some cash and if google was willing to cooperate, you can catch the bot herders.

It's not rocket science...
Posted by dargon19888 (412 comments)
Just start calling them Vistabots....
Because with the vulnerabilities already found and cached by the blackhats for commercial use Vista is going to be a boon to the Bot arrays.
Posted by fred dunn (793 comments)
Another Underappreciated Aspect of the Vistapocalypse
Posted by Sumatra-Bosch (526 comments)
If ISPs keep 90-day records...
The problem would be resolved easily.

Posted by wbenton (522 comments)
It is a problem but not a big one
For the SOHO market there is no problem: you can spot unwanted connections if you have even an average firewall with logging capabilities. For a corporation it is more complex because of the amount of traffic going through their firewalls, but they (at least in theory) should have better equipment and proper staff to handle that.
Posted by oldsailor432 (2 comments)
90% are consumers directly connected...
to the internet without a wired router between them and their broadband connection or using an unsecured Wireless Access Point.

Most enterprises can and do detect Bot activity.

You'd be surprised how many Windows machines have null shares hanging out on the internet or blank admin passwords like the default Windows XP Home Bot Edition.
Posted by fred dunn (793 comments)