October 19, 2006 4:00 AM PDT
Zombies try to blend in with the crowd
As a result, protection mechanisms, such as blocking IRC traffic, will fail. This could mean that zombies, which so far have mostly been broadband-connected home computers, will be created using systems on business networks.
"The trend to Web-based command and control is really about protecting the command-and-control center and hiding traffic from network administrators," said Randy Abrams, director of technical education at Eset, a security software company. "Web traffic is ubiquitous. IRC channels are well-known and relatively easily located and shut down."
Nazario agreed. "Part of the motivation is the idea of deeper penetration into juicier networks that allow Web-based traffic relatively unfiltered, but don't allow IRC," he said.
At the same time, zombie fighters lose an important capability to identify and spy on botmasters. Security professionals have been able to track hackers by crafting software tools mimicking a bot, and by signing in to IRC networks used to control botnets. On those same networks, the miscreants often also talk to co-conspirators.
"It is like talking to your friends over instant message," Nazario said.
Additionally, botnet operators can sometimes be identified by their Internet Protocol, or IP, address when they sign on to their own IRC server, he said. In the past year or so, law enforcement agencies have been able to arrest several botmasters.
The morphed threat requires work on the part of security people, Nazario said. "We have to speak a whole different language now," he said. "We have to learn new command instructions and new communication mechanisms that each of these bot families uses."
Security providers have found some ways to find and fight the new-style zombies. ISPs and businesses could block the individual Web addresses used by the malicious programs. In the near future, blacklists of such addresses will likely be compiled, experts said.
"You certainly can't just block all outbound Web traffic," Nazario said. "But if you have identified a certain Web server and it is not used for something else, you can go and block just that IP address."
To track the activity of botmasters, security professionals have to rely more on their honeypots, which are computers set up for the purpose of being infected, Fleischman said. This gives them the malicious code to dissect and identify the control servers, he said.
Also, a honeypot computer might be used as a control server, which means the attacker can be monitored and possibly identified when logging in, Fleischman said. "Botmasters hate the honeypot technique. They have a thousand bots, and they don't know which one is owned by a good guy," he said.
Individual organizations could invest in technology to more closely monitor Web traffic and spot traffic patterns that indicate bot activity. "But a lot of people don't want to look through that haystack," Fleischman said. "There might be more of a financial investment to scan that. The infrastructure cost is going to be higher."
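The two defensive approaches the experts describe, blocking the individual addresses of identified control servers and watching Web traffic for patterns that indicate bot activity, can be illustrated with a small proxy-log analysis. This is an added example, not code from the article or from any vendor quoted in it; the log format, the addresses and the blocklist entry are all constructed, and the "beacon" heuristic (requests to one destination at nearly constant intervals, which browsing humans rarely produce) is one common pattern, not the only one.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not from the article): "timestamp client dest method path".
SAMPLE_LOG = """\
2006-10-19T09:00:00 10.0.0.5 198.51.100.7 GET /update.php
2006-10-19T09:05:00 10.0.0.5 198.51.100.7 GET /update.php
2006-10-19T09:10:01 10.0.0.5 198.51.100.7 GET /update.php
2006-10-19T09:15:00 10.0.0.5 198.51.100.7 GET /update.php
2006-10-19T09:20:00 10.0.0.5 198.51.100.7 GET /update.php
2006-10-19T09:01:12 10.0.0.9 203.0.113.3 GET /news/index.html
2006-10-19T09:02:45 10.0.0.9 203.0.113.3 GET /news/story.html
2006-10-19T09:17:03 10.0.0.9 203.0.113.3 GET /news/
2006-10-19T09:33:40 10.0.0.9 203.0.113.3 GET /news/story2.html
2006-10-19T09:04:00 10.0.0.12 192.0.2.44 GET /cmd.php
"""

# Hypothetical blocklist of already-identified control servers (placeholder address).
KNOWN_C2 = {"192.0.2.44"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

def parse_log(text):
    """Yield (timestamp, client, dest) tuples from the constructed log format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)

def analyze(text, blocklist=KNOWN_C2, min_requests=4, max_jitter=0.1):
    """Return blocklist hits plus client/dest pairs whose request gaps are
    nearly constant (coefficient of variation <= max_jitter)."""
    by_pair = defaultdict(list)
    blocked = set()
    for ts, client, dest in parse_log(text):
        if dest in blocklist:
            blocked.add((client, dest))
        by_pair[(client, dest)].append(ts)
    beacons = []
    for (client, dest), stamps in by_pair.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()  # log lines may arrive out of order
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons.append((client, dest, round(avg)))
    return {"blocked": sorted(blocked), "beacons": sorted(beacons)}
```

On the constructed log, the blocklist catches only the host that reached the known address, while the interval check flags the host polling one server every five minutes and leaves the irregular browsing traffic alone; this is the "haystack" search Fleischman refers to, which needs the full proxy log rather than a list of addresses.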
Arbor identifies about 600 new botnets each day. Only a small number of botnets today, less than 1 percent, according to Arbor, use Web-based command and control. However, that number is likely to increase, as developers for the underground perfect the technique.
While the zombie fighters have to adjust to the new tactics of their adversaries, the battle has not been lost.
"The first variants of Web bots may have thrown people for a loop," said Adam Meyers, a security expert at consulting firm SRA International. "As new command-and-control mediums emerge, the good guys will adapt their containment and investigatory techniques."
The defense industry is always reacting to the bad guys, Nazario agreed. "They always make the first move and we counteract," he said. "That said, the good guys control the infrastructure, so we ultimately have the last word. If we don't like what they're doing, we can shut them down."