Security Sentinel:
No wonder we're in trouble
By
Toni McConnel
iApplianceWeb
(07/31/05, 12:54:52 PM GMT)
Zombie networks, or “botnets”,
are groups of computers that are controlled remotely by an unauthorized person
who has taken over the computers using malware (malicious software), typically a
Trojan horse that opens up an IRC (Internet relay chat) channel to receive
commands from the controlling attacker.
IRC channels are hosted on
IRC servers around the world, and messages are broadcast to everyone listening
to that channel. Thus a cracker can use an IRC channel to monitor an entire
network of zombie computers. The cracker can then use the infected PCs to send
spam or launch distributed denial of service (DDoS) attacks.
CipherTrust, a company that specializes in message security, keeps tabs on the
number of zombie sites identified every day and publishes their findings on
their website (http://www.ciphertrust.com/resources/statistics/zombie.php).
In May of this year, CipherTrust researchers reported an average of 172,009 new
zombies identified each day, worldwide. You do the math.
There
is money in this. The bored, brilliant but mal-adapted teenager or college
student—who five years ago amused himself by writing viruses instead of doing
his homework—is older now, and he long ago realized that he could use these same
skills to make big money, with little risk of being caught. Invading and
co-opting other people’s computers is no longer simply malicious mischief—it’s a
lucrative business.
Recently, security
researchers identified a massive, well-coordinated
hacker attack using three different Trojans to hijack PCs and create botnets.
The three Trojans communicate with each other as they infect a machine, disable
anti-virus
software and leave a back door open for future invasion.
The first Trojan to attack
is Win32.Glieder.AK, or Glieder, which attempts to sneak past anti-virus
protection and sets up the machine for use as a zombie. On Windows 2000 and
Windows XP machines, Glieder attempts to disable the Internet Connection
Firewall and the Security Center service, which was introduced with Windows
XP Service Pack 2. The Trojan then downloads another Trojan, Win32.Fantibag.A (Fantibag),
which blocks the infected machine from communicating with anti-virus vendors. It
even blocks
access to Microsoft’s Windows Update, so victims cannot get help.
Finally, a third Trojan
called Win32.Mitglieder.CT, or Mitglieder, puts the hijacked machine under the
complete control of the attacker, making it a “zombie” and part of a botnet.
The computer can now be used for mailing spam, DDoS attacks, or to log
keystrokes—one way of capturing personal information that can be used for
identity theft.
Virus detection software
relies principally on a technique that is about 20 years old: every time a new
virus is identified, a sample is taken, from which a "signature" is computed and
added to a master list. What the anti-virus software does when it checks your
system is to look for any of the signatures on its list. Obviously, it can’t
identify viruses that have not yet been intercepted and analyzed.
The strategy of the
3-Trojan attack is two-fold: one is to continuously tweak the code in the
Trojans so that no signature is up-to-date enough to catch it, and the other is
to drastically reduce the number of attacks. This is because when a virus or
Trojan is not widespread, there is a chance it won’t be intercepted and analyzed
at all. That’s why the reports that there are far fewer zombie PCs this year
are misleading, if you think it means you are in less danger of being attacked
by Trojans. There are fewer zombied computers only because it’s a dodge
strategy, and because large numbers are not necessary to run an extremely
effective botnet.
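To make the signature argument above concrete, here is an added example (not from the column or from any anti-virus vendor) of the two signature styles such scanners use: a hash of the whole analysed sample and a short byte pattern lifted from its body. The "sample" and its two "variants" are constructed ASCII strings, not real malware, and the detection names are made up. The point it shows is the one the article makes: a signature only ever catches what has already been intercepted and analysed, and a variant tweaked after the signature was cut slips past the hash check, or past both checks once the patterned region itself is rewritten.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-in for an analysed sample (plain text, not malware).
KNOWN_SAMPLE = b"EXAMPLE-DROPPER v1: disable-fw; open-irc; join #ctrl; await-cmd"


@dataclass(frozen=True)
class Signature:
    name: str
    sha256: str      # digest of the whole analysed sample
    pattern: bytes   # short byte sequence taken from the sample body


def make_signature(name: str, sample: bytes, pattern: bytes) -> Signature:
    """Derive a signature from an analysed sample, as a vendor would after interception."""
    if pattern not in sample:
        raise ValueError("pattern must come from the analysed sample")
    return Signature(name, hashlib.sha256(sample).hexdigest(), pattern)


def scan(data: bytes, db: list) -> dict:
    """Check one file against every signature; report which check fired."""
    hits = {"hash": [], "pattern": []}
    digest = hashlib.sha256(data).hexdigest()
    for sig in db:
        if sig.sha256 == digest:
            hits["hash"].append(sig.name)
        if sig.pattern in data:
            hits["pattern"].append(sig.name)
    return hits


def build_db() -> list:
    # Hypothetical detection name; the pattern is the command-channel fragment.
    return [make_signature("Example.Dropper.A", KNOWN_SAMPLE, b"open-irc; join #ctrl")]


def demo() -> dict:
    db = build_db()
    # Variant 1: a cosmetic edit outside the patterned region (version string bumped).
    variant_cosmetic = KNOWN_SAMPLE.replace(b"v1", b"v2")
    # Variant 2: the patterned region itself was rewritten.
    variant_rewritten = KNOWN_SAMPLE.replace(b"join #ctrl", b"join #c2")
    return {
        "original": scan(KNOWN_SAMPLE, db),
        "cosmetic": scan(variant_cosmetic, db),
        "rewritten": scan(variant_rewritten, db),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:10s} hash={result['hash']} pattern={result['pattern']}")
```

Running it shows the original sample caught by both checks, the cosmetic variant caught only by the byte pattern, and the rewritten variant caught by neither until someone intercepts it and cuts a new signature; that lag is exactly what the "keep it rare, keep it changing" strategy exploits, and why defenders pair signatures with behavioural controls (blocking outbound IRC, alerting when the firewall or update service is disabled) rather than relying on the list alone.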
All this means that
computers are more vulnerable than ever because the crackers have become more
expert at what they do. They are also much more organized, and work in teams.
One great strength of open source software is that instead of a handful of
programmers working on the code, there may be thousands. That’s why the Firefox
Internet browser got so good so fast. The same principle applies to writing
Trojans.
Recently it’s been popular with security experts to attest that zombie networks
are exploited by organized crime, and this opinion gets quoted a lot by
columnists and journalists, I think because it’s a bit titillating. But so far
I haven’t been able to find any evidence that this is so, unless by “organized
crime” they mean ad hoc groupings of people who cooperate to steal identities or
rent their botnets to spammers.
It’s
an unfortunate misuse of the term because the words “organized crime” imply a
large, long-lived organization such as what used to be known as the “Mafia”.
But certainly there are networks of individuals who share information and form
alliances to perpetrate a particular scam. And certainly real organized crime
may in fact be involved if there is enough money in it; I am only complaining
that these claims should be backed up with hard evidence of large organized
crime connections, and they aren’t.
Just
as the Internet has created unlimited opportunities for networking worldwide
between people of similar interests, it allows crackers to share information and
work cooperatively. The fact that the Web is still an almost lawless frontier
allows the criminal element to propagate their knowledge brazenly. I had no
trouble at all finding many websites that not only offer instructions on writing
viruses and Trojans, but offer free code for that purpose. Meanwhile, just
about everyone argues about how the Web should be regulated, who should do the
regulating, and even whether it should be regulated at all.
This brings me to the
Second Annual Conference on Email and Anti-Spam held July 11-12 at Stanford
University in California. Twenty-six papers were presented at the gathering, of which
17 were specifically about spam. Topics covered in the spam papers were
greylisting (a system of rejecting email from unknown IPs), algorithms to
identify words that spammers deliberately misspell in order to get past spam
filters, how ISPs can identify spam being sent by their customers, and various
spam filtering schemes.
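The greylisting scheme mentioned above is simple enough to show in full, so here is an added example (not from the column or from any of the conference papers) of the core decision logic as commonly implemented: the receiving mail server keys on the triplet of client IP, envelope sender and recipient, answers a never-before-seen triplet with a temporary 4xx failure, and accepts once the sender retries after a minimum delay. Legitimate mail servers queue and retry; fire-and-forget bulk senders typically do not. The delays, window and SMTP reply strings below are choices of this example, not values from the page, and the addresses are constructed.

```python
from dataclasses import dataclass, field

TEMP_FAIL = "451 4.7.1 Greylisted, please try again later"
ACCEPT = "250 OK"


@dataclass
class Greylist:
    min_delay: int = 300            # seconds a sender must wait before a retry counts
    retry_window: int = 4 * 3600    # seconds a pending triplet stays valid
    pending: dict = field(default_factory=dict)   # triplet -> time first seen
    known: dict = field(default_factory=dict)     # triplet -> time last seen (trusted)

    def check(self, client_ip: str, mail_from: str, rcpt_to: str, now: int) -> str:
        """Return the SMTP reply the server should give for this delivery attempt."""
        key = (client_ip, mail_from.lower(), rcpt_to.lower())
        if key in self.known:
            self.known[key] = now          # refresh the trusted entry
            return ACCEPT
        first = self.pending.get(key)
        if first is None:
            self.pending[key] = now        # first sighting: defer
            return TEMP_FAIL
        if now - first > self.retry_window:
            self.pending[key] = now        # stale entry: start over
            return TEMP_FAIL
        if now - first < self.min_delay:
            return TEMP_FAIL               # retried too early
        del self.pending[key]
        self.known[key] = now              # retried properly: trust this triplet
        return ACCEPT


def demo() -> list:
    """Constructed delivery attempts from one unknown sender, as (time, reply) pairs."""
    gl = Greylist()
    ip, sender, rcpt = "192.0.2.10", "alice@example.org", "bob@example.net"
    transcript = []
    for t in (0, 60, 600, 601):
        transcript.append((t, gl.check(ip, sender, rcpt, now=t)))
    return transcript


if __name__ == "__main__":
    for t, reply in demo():
        print(f"t={t:4d}s  {reply}")
```

The first attempt and an over-eager retry at 60 seconds are deferred, the retry at 600 seconds is accepted, and from then on the triplet passes immediately. Operationally, the known table needs an expiry of its own (days to weeks) and a pruning pass over stale pending entries, and sites that send through rotating outbound IP pools can need an allow-list, since their retries arrive from a different address and look like fresh triplets.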
One paper from a team of
researchers at IBM and Cornell University, titled “SMTP Path Analysis”, related
how the team had developed an algorithm to trace spam messages to their
sources. Not one of the papers dealt primarily with botnets, which experts such
as Sophos have estimated account for about 50% of all spam sent.
Hello? Hello? Anybody
home? Gee whiz, maybe you can trace a particular spam to the zombie PC of a
third-grade teacher in Vermont and advise her on how to clean up the mess! But
that’s about as useful as pulling the stinger out of the arm of someone who’s
been stung by a hornet. Unless you get rid of the hornet nest, you, or someone
else, is going to get stung again.
Fortunately, investigators
from many security firms are digging deeper to figure out how to cut Trojans off
at the pass, often using “honeypots”—websites with deliberately created
vulnerabilities to attract attacks. These sites are also set up to record
critical information about how the attacks are carried out.
Meantime, discard any
illusion that if you have topnotch antivirus software and a firewall, you are
safe. There are dozens of ways malware can enter your computer, including as
part of legitimate software you download or even embedded in a music file. The
best policy is to avoid filesharing networks of any sort, and if you are offered
free software, ask yourself why it is free. For a detailed article on malware,
its sources, and some preventive measures you can take, see the article by
Adam Baratz and
Charles McLaughlin on the Ars Technica site at
http://arstechnica.com/articles/paedia/malware.ars.
Toni McConnel is
executive editor of iApplianceWeb. She is also a nature photographer and an
award-winning fiction writer. You can reach her by email at Toni
TechRite-Associates com. (Fill in @ and .)