Zombie Computer Threat Increasing

Stephen DeAngelis

January 9, 2007

Last November I wrote about an attack on Typepad [Bots and Network Security] and the growing threat of botnets. According to a New York Times article, we are losing the war to make the Internet a safe place to surf. [“Attack of the Zombie Computers is Growing Threat,” by John Markoff, 7 January 2007]. Markoff reports:

“In their persistent quest to breach the Internet’s defenses, the bad guys are honing their weapons and increasing their firepower. With growing sophistication, they are taking advantage of programs that secretly install themselves on thousands or even millions of personal computers, band these computers together into an unwitting army of zombies, and use the collective power of the dragooned network to commit Internet crimes. These systems, called botnets, are being blamed for the huge spike in spam that bedeviled the Internet in recent months, as well as fraud and data theft. Security researchers have been concerned about botnets for some time because they automate and amplify the effects of viruses and other malicious programs.”

When Time Magazine named “You” its Person of the Year, the magazine’s editors were thinking a lot more about social networks than bot networks. The same computer that empowers you socially may also be part of a secret (and growing) network spewing out spam and corruption to others. Bots are the next wave of the malware (viruses, worms, etc.) that has plagued the Internet since its inception.

“What is new is the vastly escalating scale of the problem — and the precision with which some of the programs can scan computers for specific information, like corporate and personal data, to drain money from online bank accounts and stock brokerages. … Last spring, a program was discovered at a foreign coast guard agency that systematically searched for documents that had shipping schedules, then forwarded them to an e-mail address in China, according to David Rand, chief technology officer of Trend Micro, a Tokyo-based computer security firm. … Although there is a wide range of estimates of the overall infection rate, the scale and the power of the botnet programs have clearly become immense. David Dagon, a Georgia Institute of Technology researcher who is a co-founder of Damballa, a start-up company focusing on controlling botnets, said the consensus among scientists is that botnet programs are present on about 11 percent of the more than 650 million computers attached to the Internet.”

Bots are primarily a problem for computers running versions of Microsoft Windows, but Markoff indicates that there have been reports of attacks against PCs running Linux as well as against Macintosh operating systems. The less careful you are when downloading things off the World Wide Web or opening attachments to emails (or the less ethical you are about using pirated software), the greater the chances that you own a Zombie Computer. Once infected, your computer can be controlled using a widely available communications system called Internet Relay Chat, or I.R.C. A Zombie Computer is a threat to you as well as to others.

“ShadowServer, a voluntary organization of computer security experts that monitors botnet activity, is now tracking more than 400,000 infected machines and about 1,450 separate I.R.C. control systems, which are called Command & Control servers. The financial danger can be seen in a technical report presented last summer by a security researcher who analyzed the information contained in a 200-megabyte file that he had intercepted. The file had been generated by a botnet that was systematically harvesting stolen information and then hiding it in a secret location where the data could be retrieved by the botnet master. The data in the file had been collected during a 30-day period, according to Rick Wesson, chief executive of Support Intelligence, a San Francisco-based company that sells information on computer security threats to corporations and federal agencies. The data came from 793 infected computers and it generated 54,926 log-in credentials and 281 credit-card numbers. The stolen information affected 1,239 companies, he said, including 35 stock brokerages, 86 bank accounts, 174 e-commerce accounts and 245 e-mail accounts. Sensor information collected by his company is now able to identify more than 250,000 new botnet infections daily, Mr. Wesson said.”
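The two passages above describe the mechanism that makes these machines controllable: infected hosts connect out to an I.R.C. Command & Control server and wait for orders. A network operator can turn that into a detection check, since many internal machines all holding sessions to the same external I.R.C. server is exactly the pattern ShadowServer counts. The script below is an added illustration, not code from this post or from the New York Times article; it assumes a hypothetical flow-log format (timestamp, source, destination, destination port, protocol), a constructed sample of such records, a 10.0.0.0/8 internal range, and the standard I.R.C. port numbers.

```python
"""Flag external hosts that many internal machines contact on I.R.C. ports.

Added illustration (not from the original post). The flow-log format, the
sample records, the internal address range and the threshold are all assumptions.
"""
from collections import defaultdict
import ipaddress

# Constructed sample flow records: timestamp, source host, destination IP,
# destination port, protocol. Four internal hosts all talk to 203.0.113.7:6667.
SAMPLE_FLOWS = """\
2007-01-08T10:00:01 10.0.0.12 203.0.113.7 6667 tcp
2007-01-08T10:00:03 10.0.0.15 203.0.113.7 6667 tcp
2007-01-08T10:00:05 10.0.0.21 203.0.113.7 6667 tcp
2007-01-08T10:00:09 10.0.0.33 203.0.113.7 6667 tcp
2007-01-08T10:01:11 10.0.0.12 198.51.100.9 80 tcp
2007-01-08T10:01:40 10.0.0.40 198.51.100.22 6697 tcp
2007-01-08T10:02:02 10.0.0.15 10.0.0.2 53 udp
2007-01-08T10:02:30 10.0.0.15 10.0.0.5 6667 tcp
"""

# Ports commonly used by I.R.C. servers (plain and TLS). Assumed list.
IRC_PORTS = {6665, 6666, 6667, 6668, 6669, 6697, 7000}

# Assumed address range for this organisation's own machines.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")


def parse_flows(text):
    """Parse flow lines into dicts; skip blank or malformed lines instead of crashing."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, proto = parts
        try:
            flows.append({"ts": ts, "src": src, "dst": dst,
                          "dport": int(dport), "proto": proto.lower()})
        except ValueError:
            continue  # non-numeric port field
    return flows


def irc_candidates(flows):
    """Map each external I.R.C.-port destination to the set of internal hosts contacting it."""
    by_dst = defaultdict(set)
    for f in flows:
        if f["proto"] != "tcp" or f["dport"] not in IRC_PORTS:
            continue
        try:
            if ipaddress.ip_address(f["dst"]) in INTERNAL_NET:
                continue  # an internal I.R.C. server is not evidence of external C2
        except ValueError:
            continue  # unparsable destination address
        by_dst[f["dst"]].add(f["src"])
    return by_dst


def suspected_c2(flows, min_hosts=3):
    """Return destinations reached on I.R.C. ports by at least min_hosts distinct internal machines.

    A single developer on I.R.C. is normal; a cluster of hosts all holding sessions
    to one outside server is the bot-herd pattern worth investigating.
    """
    return {dst: sorted(srcs)
            for dst, srcs in irc_candidates(flows).items()
            if len(srcs) >= min_hosts}


if __name__ == "__main__":
    for dst, hosts in suspected_c2(parse_flows(SAMPLE_FLOWS)).items():
        print(f"possible C2 {dst}: {len(hosts)} internal hosts -> {', '.join(hosts)}")
```

The threshold and port list are the tunable parts: the lone host on 198.51.100.22:6697 is recorded as a candidate but not reported, and the connection to an internal server on 10.0.0.5 is ignored entirely. On real flow data the same aggregation can be extended with session duration, since bots hold their control channel open for hours while human chat sessions come and go.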

Every expert that Markoff interviewed for his article admitted that the good guys are losing this war. The biggest battle lost is to junk email, better known as spam.

“According to the annual intelligence report of MessageLabs, a New York-based computer security firm, more than 80 percent of all spam now originates from botnets. Last month, for the first time ever, a single Internet service provider generated more than one billion spam e-mail messages in a 24-hour period, according to a ranking system maintained by Trend Micro, the computer security firm. That indicated that machines of the service providers’ customers had been woven into a giant network, with a single control point using them to pump out spam.”

Perhaps the scariest revelation provided by Markoff is the fact that the latest malware knows how to hide itself so completely that it leaves none of the telltale fingerprints that allowed previous programs to be detected and eliminated.

“The extent of the botnet threat was underscored in recent months by the emergence of a version of the stealthy program that adds computers to the botnet. The recent version of the program, which security researchers are calling ‘rustock,’ infected several hundred thousand Internet-connected computers and then began generating vast quantities of spam e-mail messages as part of a ‘pump and dump’ stock scheme. The author of the program, who is active on Internet technical discussion groups and claims to live in Zimbabwe, has found a way to hide the infecting agent in such a way that it leaves none of the traditional digital fingerprints that have been used to detect such programs. Moreover, although rustock is currently being used for distributing spam, it is a more general tool that can be used with many other forms of illegal Internet activity.”

The growth of the global economy in the information age depends on the capability to conduct secure electronic international transactions. Resiliency depends on managing the growing problem of Internet security, but the news is not good.

“Computer security experts warn that botnet programs are evolving faster than security firms can respond and have now come to represent a fundamental threat to the viability of the commercial Internet. The problem is being compounded, they say, because many Internet service providers are either ignoring or minimizing the problem. ‘It’s a huge scientific, policy, and ultimately social crisis, and no one is taking any responsibility for addressing it,’ said K. C. Claffy, a veteran Internet researcher at the San Diego Supercomputer Center. The $6 billion computer security industry offers a growing array of products and services that are targeted at network operators, corporations and individual computer users. Yet the industry has a poor track record so far in combating the plague, according to computer security researchers. … The malicious software is continually being refined by ‘black hat’ programmers to defeat software that detects the malicious programs by tracking digital fingerprints.”

By bringing this growing threat to the attention of more users, a groundswell of concern can be generated to force a more concerted effort by service providers to combat it. After all “You” are the Person of the Year and there is nothing more important for the resiliency of the Internet than being able to make it more secure.