October 19, 2006 4:00 AM PDT

Zombies try to blend in with the crowd


As a result, protection mechanisms, such as blocking IRC traffic, will fail. This could mean that zombies, which so far have mostly been broadband-connected home computers, will be created using systems on business networks.

"The trend to Web-based command and control is really about protecting the command-and-control center and hiding traffic from network administrators," said Randy Abrams, director of technical education at Eset, a security software company. "Web traffic is ubiquitous. IRC channels are well-known and relatively easily located and shut down."

Nazario agreed. "Part of the motivation is the idea of deeper penetration into juicier networks that allow Web-based traffic relatively unfiltered, but don't allow IRC," he said.

"We have to learn new command instructions and new communication mechanisms that each of these bot families uses."
--Jose Nazario, senior software engineer, Arbor Networks

At the same time, zombie fighters lose an important capability to identify and spy on botmasters. Security professionals have been able to track hackers by crafting software tools mimicking a bot, and by signing in to IRC networks used to control botnets. On those same networks, the miscreants often also talk to co-conspirators.

"It is like talking to your friends over instant message," Nazario said.

Additionally, botnet operators can sometimes be identified by their Internet Protocol, or IP, address when they sign on to their own IRC server, he said. In the past year or so, law enforcement agencies have been able to arrest several botmasters.

The morphed threat requires work on the part of security people, Nazario said. "We have to speak a whole different language now," he said. "We have to learn new command instructions and new communication mechanisms that each of these bot families uses."

Security providers have found some ways to find and fight the new-style zombies. ISPs and businesses could block the individual Web addresses used by the malicious programs. In the near future, blacklists of such addresses will likely be compiled, experts said.

"You certainly can't just block all outbound Web traffic," Nazario said. "But if you have identified a certain Web server and it is not used for something else, you can go and block just that IP address."

Honeypot lures
To track the activity of bot masters, security professionals have to rely more on their honeypots, which are computers set up for the purpose of being infected, Fleischman said. This gives them the malicious code to dissect and identify the control servers, he said.

Also, a honeypot computer might be used as a control server, which means the attacker can be monitored and possibly identified when logging in, Fleischman said. "Botmasters hate the honeypot technique. They have a thousand bots, and they don't know which one is owned by a good guy," he said.

Individual organizations could invest in technology to more closely monitor Web traffic and spot traffic patterns that indicate bot activity. "But a lot of people don't want to look through that haystack," Fleischman said. "There might be more of a financial investment to scan that. The infrastructure cost is going to be higher."
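The two defensive measures the article describes, blocking the individual addresses of identified control servers and watching Web traffic for patterns that indicate bot activity, can be demonstrated over proxy logs. The following is an added example, not code from the CNET article or from anyone quoted in it. It assumes a simple whitespace-separated proxy log format, a constructed handful of log lines, and a constructed blocklist with placeholder addresses; the beacon check flags (client, server) pairs whose requests arrive at suspiciously regular intervals, the machine-like polling a bot produces when it fetches instructions from a Web server on a timer.

```python
"""Added example: spotting Web-based bot traffic in proxy logs.

Two checks: (1) match requests against a blocklist of identified
command-and-control servers, and (2) look for the regular "beaconing"
request pattern a bot polling its controller produces, which human
browsing does not.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlparse

# Constructed sample proxy log lines (not from the article or any real
# capture). Fields: timestamp client_ip method url status bytes
SAMPLE_LOG = """\
2006-10-19T04:00:00 10.0.0.7 GET http://203.0.113.10/cmd.php?id=7 200 512
2006-10-19T04:05:00 10.0.0.7 GET http://203.0.113.10/cmd.php?id=7 200 498
2006-10-19T04:10:01 10.0.0.7 GET http://203.0.113.10/cmd.php?id=7 200 503
2006-10-19T04:15:00 10.0.0.7 GET http://203.0.113.10/cmd.php?id=7 200 511
2006-10-19T04:20:00 10.0.0.7 GET http://203.0.113.10/cmd.php?id=7 200 507
2006-10-19T04:01:12 10.0.0.9 GET http://www.example.com/ 200 14023
2006-10-19T04:03:47 10.0.0.9 GET http://www.example.com/news 200 22110
2006-10-19T04:17:02 10.0.0.9 GET http://www.example.com/img/a.png 200 9000
2006-10-19T04:18:30 10.0.0.9 GET http://www.example.com/about 200 8100
2006-10-19T04:31:00 10.0.0.9 GET http://www.example.com/ 200 14100
2006-10-19T04:02:00 10.0.0.12 GET http://198.51.100.5/update.txt 200 120
"""

# Constructed blocklist of identified C&C servers (placeholder address,
# not a real indicator).
BLOCKLIST = {"198.51.100.5"}


def parse_log(text):
    """Parse whitespace-separated proxy log lines into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status, size = line.split()
        records.append({
            "time": datetime.fromisoformat(ts),
            "client": client,
            "host": urlparse(url).hostname,
            "method": method,
            "status": int(status),
            "bytes": int(size),
        })
    return records


def blocklist_hits(records, blocklist):
    """Return (client, host) pairs that contacted a blocklisted server."""
    hits = []
    for r in records:
        pair = (r["client"], r["host"])
        if r["host"] in blocklist and pair not in hits:
            hits.append(pair)
    return hits


def find_beacons(records, min_requests=4, max_cv=0.1):
    """Flag (client, host) pairs whose request gaps are suspiciously regular.

    The coefficient of variation (stdev / mean) of the inter-request gaps is
    near zero for a bot polling on a fixed timer and large for human browsing.
    """
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["client"], r["host"])].append(r["time"])
    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons[pair] = {"count": len(times), "mean_interval": avg, "cv": cv}
    return beacons


def analyze(text, blocklist=BLOCKLIST):
    """Run both checks over a log and return the findings."""
    records = parse_log(text)
    return {"blocklist": blocklist_hits(records, blocklist),
            "beacons": find_beacons(records)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for client, host in result["blocklist"]:
        print(f"BLOCKLIST {client} -> {host}")
    for (client, host), info in result["beacons"].items():
        print(f"BEACON {client} -> {host} every ~{info['mean_interval']:.0f}s "
              f"({info['count']} requests, cv={info['cv']:.3f})")
```

On the constructed sample, the blocklist check reports the one client that fetched from the listed address, and the beacon check flags the client polling the same server every five minutes while leaving the irregular, human-looking browsing alone. A blocklist hit is the kind of finding that justifies the narrow firewall rule Nazario describes, denying only the identified server's address rather than outbound Web traffic as a whole; a beacon candidate is a lead for analysts, and the thresholds (`min_requests`, `max_cv`) are assumptions to tune against real traffic volume.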

Arbor identifies about 600 new botnets each day. Only a small number of botnets today, less than 1 percent, according to Arbor, use Web-based command and control. However, that number is likely to increase, as developers for the underground perfect the technique.

While the zombie fighters have to adjust to the new tactics of their adversaries, the battle has not been lost.

"The first variants of Web bots may have thrown people for a loop," said Adam Meyers, a security expert at consulting firm SRA International. "As new command-and-control mediums emerge, the good guys will adapt their containment and investigatory techniques."

The defense industry is always reacting to the bad guys, Nazario agreed. "They always make the first move and we counteract," he said. "That said, the good guys control the infrastructure, so we ultimately have the last word. If we don't like what they're doing, we can shut them down."



There are a billion honeypots out there
Every privately owned PC is a possible honeypot. The challenge is to coordinate all these so that information can be collected from all of them.

When people discover that their computer has been compromised they are most likely to agree to help in counter action. The problem is to find ways to approach them and have them cooperate in using their computer to obtain info that can lead to the real person behind the virus in their PC.

Law enforcement agencies should be more active in coordinating the effort to collect this evidence. When your home is broken into, you invite them to collect evidence that might lead to the thief. The same should happen when your computer is broken into. That doesn't rule volunteers out. However, most people would be more confident in letting someone collect evidence on their premises if that someone has an official status.

A lot of spam is sent using botnets to do the delivery. Perhaps it is not the worst use of botnets, but it leaves a lot of footprints in the form of email headers leading to compromised PCs. Coordination between postmasters can help identify most of these, and then analysis of many of these infected machines might lead further back to their operators. Spam also leaves a trail of money: there are people who paid for the services, and if they paid someone to use stolen resources to send their ads, they are accomplices. If they are faced with criminal charges for the illegal factors in activity they paid for, they would happily cooperate and lead to the real criminals who operate these. Starting with spam and going back would lead to the people who operate the infrastructure that allows not just spamming. Spam is only one of their sources of income.
Posted by hadaso (468 comments )
It's not that simple.
It's really not that simple. Most people are not technically sophisticated enough to know their system has been compromised. More frequently than I would like to see, I find users without firewalls, without a good anti-spyware app like Webroot Spy Sweeper, or a good antivirus program that has up-to-date definitions. And even if they do find out their system is a zombie, they want it cleaned so they can get back to work, not set aside to be a digital double agent.

The police? Most do not have the time, skills or materials to mount a CSI-style investigation of an infected PC.

At a Federal level? I think they are busy with terror threats. Postmasters? Not really their job. They have their hands full keeping spammer blacklists up to date and just keeping mail working.

The people paying for the spam would deny knowing how the email was sent and feign shocked indignation to discover a contractor had mishandled their email. Of course that contractor would be fired, and a new one would be hired to spam... I mean distribute... their email.
Posted by Amigoid (12 comments )
You can still track them....
They can run, but they can't hide.

If the feds want to fork over some cash and if Google was willing to cooperate, you can catch the bot herders.

It's not rocket science...

Posted by dargon19888 (412 comments )
Just start calling them Vistabots....
Because with the vulnerabilities already found and cached by the blackhats for commercial use, Vista is going to be a boon to the bot arrays.
Posted by fred dunn (793 comments )
Another Underappreciated Aspect of the Vistapocalypse
Posted by Sumatra-Bosch (526 comments )
If ISPs keep 90-day records...
The problem would be resolved easily.

Posted by wbenton (522 comments )
it is problem but not a big one
For the SOHO market there is no problem: you can spot unwanted connections if you have even an average firewall with logging capabilities. For a corporation it is more complex because of the amount of traffic going through their firewalls - but they (at least in theory) should have better equipment and proper staff to handle that.
Posted by oldsailor432 (2 comments )
90% are consumers directly connected...
to the internet without a wired router between them and their broadband connection or using an unsecured Wireless Access Point.

Most enterprises can and do detect Bot activity.

You'd be surprised how many Windows machines have null shares hanging out on the internet or blank admin passwords like the default Windows XP Home Bot Edition.
Posted by fred dunn (793 comments )
