An Update on Zombies

Stephen DeAngelis

October 30, 2008

October is the month known for witches, ghouls, ghosts, and skeletons because it ends with the holiday of Halloween. It seems like a good time to do an update on Zombies and bots. I first did a post on “bots” back in November 2006 [Bots and Network Security] and wrote a post about Zombies in January 2007 [Zombie Computer Threat Increasing]. It appears that things haven’t gotten any better since then [“A Robot Network Seeks to Enlist Your Computer,” by John Markoff, New York Times, 20 October 2008]. Markoff begins his tale of terror in Redmond, WA.

“In a windowless room on Microsoft’s campus here, T. J. Campana, a cybercrime investigator, connects an unprotected computer running an early version of Windows XP to the Internet. In about 30 seconds the computer is ‘owned.’ An automated program lurking on the Internet has remotely taken over the PC and turned it into a ‘zombie.’ That computer and other zombie machines are then assembled into systems called ‘botnets’ — home and business PCs that are hooked together into a vast chain of cyber-robots that do the bidding of automated programs to send the majority of e-mail spam, to illegally seek financial information and to install malicious software on still more PCs.”

I must admit that the speed at which the computer was “owned” surprised me. I shouldn’t be surprised. Bots are ubiquitous. They never sleep and they move at the speed of light. Markoff continues his tale.

“Botnets remain an Internet scourge. Active zombie networks created by a growing criminal underground peaked last month at more than half a million computers, according to shadowserver.org, an organization that tracks botnets. Even though security experts have diminished the botnets to about 300,000 computers, that is still twice the number detected a year ago. The actual numbers may be far larger; Microsoft investigators, who say they are tracking about 1,000 botnets at any given time, say the largest network still controls several million PCs. … Microsoft’s Internet Safety Enforcement Team … is tackling a menace that in the last five years has grown from a computer hacker pastime to a dark business that is threatening the commercial viability of the Internet.”

Businesses, including mine, go to great lengths to protect their computers and networks. CIOs continually warn employees about the dangers lurking on the Internet and urge them to take precautions both at work and at home. Markoff continues:

“Any computer connected to the Internet can be vulnerable. Computer security executives recommend that PC owners run a variety of commercial malware detection programs, like Microsoft’s Malicious Software Removal Tool, to find infections of their computers. They should also protect the PCs behind a firewall and install security patches for operating systems and applications. Even these steps are not a sure thing. Last week Secunia, a computer security firm, said it had tested a dozen leading PC security suites and found that the best one detected only 64 out of 300 software vulnerabilities that make it possible to install malware on a computer.”

The problem is not that smart people aren’t continually researching ways to defeat the menace — they are. The problem is that those on the “dark side” are also employing smart people to defeat the countermeasures being developed by the smart people trying to defend the Internet. The Secunia figure above also makes a point worth keeping in mind: a security suite that scans for known malware is not a substitute for patching, because it blocks only a fraction of the vulnerabilities that are used to install that malware in the first place.

“Botnet attacks now come with their own antivirus software, permitting the programs to take over a computer and then effectively remove other malware competitors. Mr. Campana said the Microsoft investigators were amazed recently to find a botnet that turned on the Microsoft Windows Update feature after taking over a computer, to defend its host from an invasion of competing infections. Botnets have evolved quickly to make detection more difficult. During the last year botnets began using a technique called fast-flux, which involved generating a rapidly changing set of Internet addresses to make the botnet more difficult to locate and disrupt. Companies have realized that the only way to combat the menace of botnets and modern computer crime is to build a global alliance that crosses corporate and national boundaries. … The International Botnet Taskforce … conference, which is held twice a year, [is attended by] more than 175 members of government and law enforcement agencies, computer security companies and academics [to] discuss the latest strategies, including legal efforts.”
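The fast-flux technique Markoff mentions is worth looking at more concretely. Fast-flux hides a botnet's front end (a phishing page, a malware download site) behind DNS records that change every few minutes and point at compromised machines scattered across many networks. Because a content delivery network also uses short TTLs and several A records, no single feature identifies fast-flux; defenders score a combination of low TTL, many distinct addresses, spread of those addresses across networks, and churn between successive lookups. The following is an added example written for this post, not code from the article or from Microsoft's tools. The resolver log it analyzes is constructed, the domain names and addresses are made up, and the thresholds and the use of /16 prefixes as a stand-in for autonomous-system diversity are assumptions chosen to illustrate the idea.

```python
"""Heuristic fast-flux triage over a batch of DNS A-record observations.

Added illustrative example; the log below is constructed and the thresholds
are assumptions, not values from any published detector.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed resolver log: (timestamp, domain, ttl_seconds, A records returned).
# Names and addresses are invented and do not describe real infrastructure.
SAMPLE_LOG = [
    # A fast-flux style domain: low TTL, a different set of hosts every lookup,
    # addresses spread across many unrelated networks.
    ("2008-10-20T10:00:00", "flux.example", 180, ["81.23.0.10", "95.104.7.3", "178.33.120.9", "24.11.200.17"]),
    ("2008-10-20T10:03:00", "flux.example", 180, ["81.23.0.10", "62.77.140.4", "190.8.33.21", "109.165.2.70"]),
    ("2008-10-20T10:06:00", "flux.example", 180, ["62.77.140.4", "37.200.15.88", "77.49.201.6", "151.64.9.130"]),
    ("2008-10-20T10:09:00", "flux.example", 180, ["37.200.15.88", "201.19.77.2", "88.130.4.44", "41.202.33.9"]),
    # A CDN-like domain: also low TTL and rotating records, but drawn from a
    # small pool of addresses in two adjacent /16 blocks.
    ("2008-10-20T10:00:00", "cdn.example", 60, ["104.16.12.1", "104.16.12.2", "104.17.12.1", "104.17.12.2"]),
    ("2008-10-20T10:01:00", "cdn.example", 60, ["104.16.12.2", "104.16.12.3", "104.17.12.2", "104.17.12.3"]),
    ("2008-10-20T10:02:00", "cdn.example", 60, ["104.16.12.1", "104.16.12.3", "104.17.12.1", "104.17.12.3"]),
    ("2008-10-20T10:03:00", "cdn.example", 60, ["104.16.12.1", "104.16.12.2", "104.17.12.1", "104.17.12.2"]),
    # An ordinary static host: long TTL, one stable address.
    ("2008-10-20T10:00:00", "static.example", 86400, ["203.0.113.7"]),
    ("2008-10-20T16:00:00", "static.example", 86400, ["203.0.113.7"]),
    ("2008-10-21T10:00:00", "static.example", 86400, ["203.0.113.7"]),
    ("2008-10-21T16:00:00", "static.example", 86400, ["203.0.113.7"]),
]


@dataclass
class FluxFeatures:
    min_ttl: int
    unique_ips: int        # distinct A records seen across all lookups
    unique_prefixes: int   # distinct /16 prefixes (assumed proxy for network diversity)
    churn: float           # mean fraction of a lookup's records absent from the previous lookup


def prefix16(ip: str) -> str:
    """Return the first two octets; ip_address() also rejects malformed input."""
    octets = ip_address(ip).packed
    return f"{octets[0]}.{octets[1]}"


def extract_features(log):
    """Group observations per domain and compute the four features."""
    by_domain = defaultdict(list)
    for ts, domain, ttl, ips in log:
        by_domain[domain].append((ts, ttl, ips))

    features = {}
    for domain, rows in by_domain.items():
        rows.sort(key=lambda r: r[0])  # chronological, so churn compares consecutive lookups
        seen, prefixes, churn_samples = set(), set(), []
        prev = None
        for _, ttl, ips in rows:
            current = set(ips)
            seen |= current
            prefixes |= {prefix16(ip) for ip in current}
            if prev is not None and current:  # guard against an empty answer section
                churn_samples.append(len(current - prev) / len(current))
            prev = current
        features[domain] = FluxFeatures(
            min_ttl=min(ttl for _, ttl, _ in rows),
            unique_ips=len(seen),
            unique_prefixes=len(prefixes),
            churn=sum(churn_samples) / len(churn_samples) if churn_samples else 0.0,
        )
    return features


def is_fast_flux(f, max_ttl=300, min_ips=10, min_prefixes=8, min_churn=0.5):
    """All four conditions must hold. A CDN passes the TTL and churn tests but
    fails the address-count and prefix-diversity tests; a static host fails all."""
    return (f.min_ttl <= max_ttl and f.unique_ips >= min_ips
            and f.unique_prefixes >= min_prefixes and f.churn >= min_churn)


def triage(log):
    """Map each domain in the log to a fast-flux verdict."""
    return {domain: is_fast_flux(f) for domain, f in extract_features(log).items()}


if __name__ == "__main__":
    for domain, f in extract_features(SAMPLE_LOG).items():
        print(f"{domain:16} ttl={f.min_ttl:<6} ips={f.unique_ips:<3} "
              f"/16s={f.unique_prefixes:<3} churn={f.churn:.2f} flux={is_fast_flux(f)}")
```

The reason all four tests are combined is visible in the constructed data: the CDN-like domain churns half its records on every lookup and has a 60-second TTL, so TTL or churn alone would flag it, but its six addresses sit in two prefixes, while the flux domain spreads thirteen addresses over thirteen prefixes. In a real deployment you would replace the /16 proxy with an ASN lookup and tune the thresholds against known-good traffic before acting on a verdict.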

The effort has to be international because networks and hackers know no national boundaries. If legal action is going to be pursued against perpetrators, it must be enforced globally.

“Although the Microsoft team has filed more than 300 civil lawsuits against botnet operators, the company also relies on enforcement agencies like the F.B.I. and Interpol-related organizations for criminal prosecution. Last month the alliance received support from new federal legislation, which for the first time specifically criminalized the use of botnets. Many of the bots are based in other countries, however, and Mr. Campana said there were many nations with no similar laws. ‘It’s really a sort of cat-and-mouse situation with the underground,’ said David Dittrich, a senior security engineer at the University of Washington Applied Physics Laboratory and a member of the International Botnet Taskforce. ‘Now there’s profit motive, and the people doing stuff for profit are doing unique and interesting things.'”

Despite all the bad news, Markoff reports that the Microsoft team believes progress is being made.

“Microsoft’s botnet hunters, who have kept a low profile until now, are led by Richard Boscovich, who until six months ago served as a federal prosecutor in Miami. Mr. Boscovich, a federal prosecutor for 18 years, said he was optimistic that despite the growing number of botnets, progress was being made against computer crime. Recent successes have led to arrests. ‘Every time we have a story that says bot-herders get locked up, that helps,’ said Mr. Boscovich, who in 2000 helped convict Jonathan James, a teenage computer hacker who had gained access to Defense Department and National Air and Space Administration computers. To aid in its investigations, the Microsoft team has built elaborate software tools including traps called ‘honeypots’ that are used to detect malware and a system called the Botnet Monitoring and Analysis Tool. The software is installed in several refrigerated server rooms on the Microsoft campus that are directly connected to the open Internet, both to mask its location and to make it possible to deploy software sensors around the globe.”

Markoff notes that Microsoft is willing to spend a lot of money on countering botnets and malware because it can affect the company’s bottom line.

“In 2003 and 2004 Microsoft was deeply shaken by a succession of malicious software worm programs with names like ‘Blaster’ and ‘Sasser,’ that raced through the Internet, sowing chaos within corporations and among home computer users. Blaster was a personal affront to the software firm that has long prided itself on its technology prowess. The program contained a hidden message mocking Microsoft’s co-founder: ‘billy gates why do you make this possible? Stop making money and fix your software!!’ The company maintains that its current software is less vulnerable, but even as it fixed some problems, the threat to the world’s computers has become far greater. Mr. Campana said that there had been ups and downs in the fight against a new kind of criminal who could hide virtually anywhere in the world and strike with devilish cleverness. ‘I come in every morning, and I think we’re making progress,’ he said. At the same time, he said, botnets are not going to go away any time soon.”

In a new twist, the same fine folks that are bringing you malware are now selling “fake” anti-malware software. As a result, you actually pay them to place malware on your computer [“Antiviral ‘Scareware’ Just One More Intruder,” by John Markoff, New York Times, 30 October 2008]. Markoff reports:

“How much money can criminals make scaring naïve computer users? Try $5 million a year. That is how much a marketing associate of one Russian operation appears to be earning from its sales of fake antivirus software through an elaborate scheme that relies on e-mail spam and indirectly controlling thousands of unprotected PCs, according to internal company files posted online by a Russian hacker. The company is Bakasoftware, a clandestine effort based somewhere in Russia that markets what it claims is an antivirus program strictly to English-speaking computer users. The program, whose name has recently been updated from Antivirus XP 2008 to Antivirus XP 2009, lodges itself on a victim’s computer and then begins generating a series of pop-up messages warning that the user’s computer is infected. If the user responds to the warnings, he is urged to buy a $49.95 program for disinfecting the machine.”

Five million dollars is a drop in the bucket compared to the enormous cost of malware events. It is estimated that organizations experience an average of 5 malware events per year, with that number rising to 10 events per year for organizations with more than 5,000 desktop computers. In 2006, malware damage worldwide cost businesses $13.3 billion, up from $3.3 billion in 1997. These costs are likely to continue to rise, even during the current economic downturn. Making the Internet more resilient matters because so much of the global economy now runs over these networks. That is why international cooperation in this area remains crucial.