October 19, 2006 4:00 AM PDT
Zombies try to blend in with the crowd
- Related Stories
Worm sparks rise in zombie PCsAugust 22, 2006
Police arrest suspected bot herdersJune 27, 2006
Online threats outpacing law crackdownsJune 15, 2006
Microsoft: Zombies most prevalent Windows threatJune 12, 2006
California man pleads guilty to bot attackMay 5, 2006
Blue Security attack linked to blog crashesMay 4, 2006
AOL IM bot cloaked in encryptionMay 1, 2006
Skype could provide botnet controlsJanuary 25, 2006
Bots may get cloak of encryptionNovember 14, 2005
'Bot herders' may have controlled 1.5 million PCsOctober 21, 2005
ISPs versus the zombiesJuly 19, 2005
Hacking for dollarsJuly 6, 2005
Zombie PCs being sent to steal IDsMarch 14, 2005
Alarm growing over bot softwareApril 30, 2004
Cybercrooks are moving to new Web-based techniques to control the machines they have commandeered, popularly referred to as "zombies." Before, they used to send orders via Internet chat services, but with that method, they ran the risk of inadvertently revealing the location of the zombies and themselves.
"All the good guys are being challenged here. (Hackers are) saying: 'You're spotting my traffic. I am going to try and hide it a little better,'" said Rob Fleischman, the chief technology officer at Simplicita, a Denver-based security start-up that helps Internet service providers deal with infected computers on their networks.
The change in tactics makes it harder to identify zombies on a network, and it becomes tougher for security professionals to use the hackers' own tools to spy on them. In addition, the switch to Web-based control increases the threat of zombies to enterprises and other organizations, as that method can't be blocked as easily as the previous technique.
"If you're a bad guy, this is pretty good news. If you're a good guy, I wouldn't say it is bad news, but it is a challenge," said Jose Nazario, a senior software engineer at Arbor Networks, which sells network analysis products. Nazario has done extensive research into zombies, the results of which he presented at last week's Virus Bulletin conference.
Life of a zombie
Hijacked computers have become one of the most serious security problems on the Internet. Malicious remote-control code turns a computer into a zombie via security holes in software, a worm, or a Trojan horse. It then runs silently in the background, letting an attacker send commands to the system, unbeknownst to its owner.
Zombies are the most prevalent threat to Windows PCs, according to a Microsoft report released earlier this year. A security tool downloaded alongside Microsoft's patches removed at least one version of malicious remote-control software from about 3.5 million PCs between January 2005 and March 2006, it said.
Criminals make money by networking their zombies into a "botnet". They put these networks to work mounting denial-of-service attacks against online businesses in extortion schemes; hosting faked Web sites used in phishing scams; and relaying spam. Attackers also often load adware and spyware onto compromised systems, earning a kickback from the makers of these programs or reselling the private data of their victims.
In fighting botnets, investigators found it was relatively easy to identify zombies because of how they communicate with their masters. Most botnets today are controlled via Internet Relay Chat, or IRC, a still-active chat network that is a relic of the early days of the Net.
IRC lets hackers control their bots in real time. As soon as a computer is infected, it connects to a specific chat server and channel, and awaits its commands. But the benefit for the good guys is that they can lurk in the chat rooms, spy on the hackers, and sometimes even identify them. Furthermore, IRC uses its own network protocol.
"IRC is not as common as other protocols," Fleischman said. "It does not blend in. It has a certain signature. You can use technologies to spot it."
Internet service providers already block traffic to the IRC servers used by zombies, and many organizations use network shields, such as firewalls and intrusion detection systems, to block IRC traffic altogether. This prevents a compromised PC on a specific network from contacting its command-and-control center.
These countermeasures have not gone unnoticed in hacker circles. In a classic game of cat and mouse, miscreants are moving command-and-control channels for their botnets away from IRC and onto the Web. There, the zombies will blend in with regular Web traffic, which can't simply be blocked.
"These bots look like people browsing the Web," Fleischman said. "The brilliance here--and I hate to compliment the botmasters--is that they know that there is a giant haystack of Web traffic, and if they hide their command-and-control there, it is harder to spot."
Instead of connecting to an IRC server, newly compromised PCs connect to one or more Web sites to check in with the hackers and get their commands. These Web sites are typically hosted on hacked servers or computers that have been online for a long time. Attackers upload the instructions for download by their bots.
11 commentsJoin the conversation! Add your comment