Cover story, Infosecurity Today, March/April 2006. By William Knight, [email protected]
Zero Day of the Dead

As you read this, zombie programs are flitting across the internet like a pestilence to infect and drain the life from innocent computer systems. Yet, for all the aggravation and grief they cause, you may never know you are part of a global invasion of the system snatchers. Unless…

Once upon a time script kiddies were happy simply to infect computers with a virus and unleash an unexpected cascade of tumbling letters. But filthy lucre has corrupted the intellectual curiosity that drove those exploits; now there's big money in delivering insidious programs that hide, waiting silently for instructions from distant masters.

In this underground world, infected computers are called zombies. Programs that wait for commands are bots (short for robots), and a collection of bots is a botnet.

IT analyst firm Gartner says: "Although botnets are not new, they were previously referred to as zombie networks, their use as a vehicle for DDoS (Distributed Denial of Service) attacks has been the biggest concern. However, organizations are now realizing their impact in other forms of attack, for example in spam relays and as hosts for phishing web sites."

Gartner estimates that bots generate more than 70% of spam, and that through 2007, half of internet-active firms that do not implement prevention technologies will suffer service or financial losses due to botnet attacks.

Waspish attractions

According to Thorsten Holz, co-founder of the German Honeynet Project, there are thousands of botnets and millions of zombie computers. "It is hard to give exact numbers since we see only a limited amount of them," he says. "We observed a couple of hundred botnets and estimate that several million zombie computers are out there."

The Honeynet Project is a non-profit organization dedicated to improving the security of the internet by providing cutting-edge research for free. The project uses deliberately vulnerable machines to study the movement and influence of malware on the internet. Like wasps to a picnic, so malware is attracted to unprotected computers. "The mean time to compromise for un-patched Windows 2000 systems in my network is less than 10 minutes," says Holz.

Botnets can contain tens of thousands of compromised machines. Even a botnet of only 1000 bots can cause a great deal of damage through its combined bandwidth: a thousand home PCs with an average upstream of 128 kbit/s add up to 128 Mbit/s. Set to work in a DDoS attack, flooding enterprise networks with bogus requests, that is enough bandwidth to create major difficulties.

Legitimate origins

Bots have been used for many years to monitor and control Internet Relay Chat (IRC) automatically. IRC is an informal communication medium where subscribers send and receive text messages via a central IRC server. Messages sent are distributed to subscribers and categorized into channels (subjects or chat rooms, based on themes). Users subscribe to different channels depending on authentication or invitation.

So far so good, but users need help or even chastisement (for using profanity, for example) and bots help fill the need. A bot automatically responds to events while appearing to be a normal user on the channel. The bot may protect the channel from abuse, allow privileged users access to special features, log events, provide information, or host games. A quiz program is a typical example. Source code for bots is freely available (for example, www.energymech.net or www.eggheads.org).
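The same IRC mechanics that let a quiz bot sit on a channel and react to events let a botmaster park thousands of zombies on a channel and wait for instructions. The difference is visible on the wire. The following is an added example written for this page, not code from the article or the Honeynet Project: a small RFC 1459 message parser and a detection heuristic run over constructed IRC log lines. The channel names, nicks, hosts and timestamps are made up, and the thresholds (five joins in 30 seconds, 70% machine-looking nicks) and the "machine-looking nick" rule are assumptions to tune against your own traffic, not published indicators.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real traffic): ISO timestamp, then the raw RFC 1459
# message as a sensor between the LAN and the IRC server would record it.
# #linux and #help are ordinary channels; #c4 is the hypothetical command channel.
SAMPLE_LOG = """\
2006-03-01T10:00:01 :alice!u@home.example PRIVMSG #linux :anyone tried the new kernel?
2006-03-01T10:00:02 :bob!u@isp.example PRIVMSG #linux :yes, works fine here
2006-03-01T10:00:04 PING :irc.example
2006-03-01T10:00:05 :DEU|XP|41922!x@dsl-1.example JOIN :#c4
2006-03-01T10:00:05 :USA|2K|88213!x@cable-7.example JOIN :#c4
2006-03-01T10:00:07 :GBR|XP|00417!x@adsl-9.example JOIN :#c4
2006-03-01T10:00:08 :FRA|XP|71208!x@dsl-3.example JOIN :#c4
2006-03-01T10:00:10 :DEU|2K|33910!x@dsl-5.example JOIN :#c4
2006-03-01T10:00:11 :NLD|XP|55021!x@cable-2.example JOIN :#c4
2006-03-01T10:00:20 :carol!u@uni.example JOIN :#help
2006-03-01T10:00:24 :dave!u@isp.example JOIN :#help
2006-03-01T10:00:29 :erin!u@home.example JOIN :#help
2006-03-01T10:00:33 :frank!u@work.example JOIN :#help
2006-03-01T10:00:40 :grace!u@isp.example JOIN :#help
"""


def parse_irc_line(raw):
    """Split one RFC 1459 message into (prefix, command, params).

    Wire form: [':' prefix ' '] command {' ' param} [' :' trailing]
    The trailing parameter may contain spaces and becomes the last param.
    """
    prefix = None
    if raw.startswith(':'):
        prefix, _, raw = raw[1:].partition(' ')
    trailing = None
    if ' :' in raw:
        raw, _, trailing = raw.partition(' :')
    parts = raw.split()
    command, params = parts[0].upper(), parts[1:]
    if trailing is not None:
        params.append(trailing)
    return prefix, command, params


def looks_generated(nick):
    """Assumed heuristic: bot nicks are assembled from tokens and counters
    (e.g. COUNTRY|OS|number); humans rarely pick names with '|', '[' or a
    long run of digits."""
    return '|' in nick or '[' in nick or re.search(r'\d{3,}', nick) is not None


def detect_join_bursts(log_text, window_s=30, min_joins=5, min_generated=0.7):
    """Flag channels where >= min_joins distinct nicks JOIN within window_s
    seconds and at least min_generated of them look machine-generated.

    Join rate alone would also catch a popular help channel; requiring
    generated-looking nicks is what separates zombies from people.
    """
    joins = defaultdict(list)  # channel -> [(timestamp, nick), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_text, _, raw = line.partition(' ')
        prefix, command, params = parse_irc_line(raw)
        if command != 'JOIN' or not params or prefix is None:
            continue  # PING, PRIVMSG etc. are irrelevant to this heuristic
        nick = prefix.split('!', 1)[0]
        joins[params[0]].append((datetime.fromisoformat(ts_text), nick))

    findings = {}
    window = timedelta(seconds=window_s)
    for channel, events in joins.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            nicks = {nick for ts, nick in events[i:] if ts - start <= window}
            if len(nicks) < min_joins:
                continue
            generated = sum(looks_generated(n) for n in nicks) / len(nicks)
            if generated >= min_generated:
                findings[channel] = {
                    'joins': len(nicks),
                    'generated_fraction': round(generated, 2),
                    'first_seen': start.isoformat(),
                }
                break  # one finding per channel is enough to raise an alert
    return findings


if __name__ == '__main__':
    for channel, info in detect_join_bursts(SAMPLE_LOG).items():
        print(f"suspected command channel {channel}: {info}")
```

On the sample, #help gets five joins inside the window but is left alone because every nick looks human, while #c4 is reported with six generated-looking nicks in six seconds. The heuristic only sees IRC; as Nazario notes later on this page, bots can use any protocol, so treat this as one detector among several rather than a complete answer.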

While there are many legitimate uses, bots and botnets add an extra dimension to malware security. Richard Ford, research professor of computer sciences at the Florida Institute of Technology, says botnets are "a great illustration of the maxim 'your insecurity makes my system insecure'."

You can be damaged by botnets without being infected, he says, and yet defensive strategies currently concentrate on endpoints, preventing individual infections, not on the botnet itself, and not on the fact that we contribute to each other's security.

Ford likes an insect metaphor: you can squash one ant but it makes no difference. It is only when you destroy the queen that you know you are safe. "If we don't kill the centre of the 'colony' we're simply engaged in a war of attrition with an enemy who always has the upper hand," he says.

Yet he cannot say for certain how a botnet might be destroyed. "Killing the colony might require attacking machines you don't own; this opens a whole bunch of difficult legal questions."

But if you can't shut them down, making sure your neighbour's machines are not used to launch an attack is also difficult. Their security arrangements may be, legitimately, less bullet-proof than your own. The internet will always be a hotchpotch of machines with different vulnerabilities, and there is no way of forcing a 'duty of care' on the whole world, says Jon Fell, partner at IT law firm Pinsent Masons.

But according to Fell, the US doctrine of 'attractive nuisance' may apply to IT users that fail to keep their systems secure and thus unwittingly participate in acts that damage others.

Documented uses of botnets, from the Honeynet Project

Distributed Denial-of-Service attacks: Botnets flood a company's servers with thousands of data requests until the servers are unable to respond. Higher-level protocols can be used for specific attacks, such as running search queries on bulletin boards or recursive HTTP floods.

Spamming: Attackers are able to send bulk unsolicited commercial email (spam). Some bots also harvest email addresses to send phishing emails.

Sniffing traffic: Sniffers are used mostly to seek sensitive information like usernames and passwords. If a machine is compromised by multiple bots, sniffers can gather the security keys of the other botnets for a hostile takeover.

Keylogging: Most bots contain keyloggers and filtering mechanisms (e.g. "I am interested only in key sequences near the keyword paypal.com") to steal passwords and other secret data that may be protected by virtual private network or encrypted connections.

Spreading new malware: All bots implement mechanisms to download and execute files via HTTP or FTP. Botnets can launch mail viruses. The Witty worm is suspected to have been started from a botnet.

Click fraud: Using Google's AdSense, companies can display targeted advertisements on their websites and earn money for each visitor that clicks on the advert. Botnets can automatically and repeatedly click on these advertisements, fraudulently increasing the click count.

Attacking IRC chat networks: IRC networks are flooded by service requests or thousands of channel-joins from the botnet. The victim IRC network is brought down as with DDoS attacks.

Manipulating online polls and games: Online polls and games are rather easy to manipulate with botnets. Since every bot has a distinct IP address, every vote has the same validity as a vote cast by a real person. Online games are manipulated in a similar way.

Identity theft: Phishing emails are generated and sent by bots via their spamming mechanism. The bots host multiple fake websites that pretend to be eBay, PayPal, or another bank, and harvest the sensitive data. Keylogging and traffic sniffing can also be used for identity theft.

"The example usually given," says Fell, "is that of a child who sees a swimming pool in a garden, enters the pool and subsequently drowns. A homeowner could be liable for the death if he had failed to take sufficient precautions to prevent such an event, for example, by installing fencing around the pool.

"There is certainly a risk that a party who fails to take sufficient steps to keep hackers from entering their systems could be found negligent if the hackers disrupt others via his system," he says.

But the risk is small, he says. "To date there have not been any cases decided on this point. Even a business whose lax security allows a hacker to launch attacks via its systems may escape liability."

And recent analysis of the doctrine suggests that by itself it will not be enough to launch a successful case for damages. "The person who suffers loss is in the wrong category," says Fell. "They haven't been attracted to the computer in the first place."

That leaves legal recourse difficult to pursue, undermining reasons to invest in protection. None the less, modifying a system without a user's express permission remains punishable by up to five years under section three of the UK's Computer Misuse Act (CMA) 1990.

Detective Inspector Chris Simpson is with the Economic and Specialist Crime Directorate of the Metropolitan Police Computer Crime Unit (CCU). Speaking at the (ISC)² Secure London event, he said: "If an individual is concerned in any one of the following: authoring the malicious code behind the botnet; managing the botnet itself; or being responsible for funding or initiating its creation, that person could potentially be convicted as part of a conspiracy to commit offences under the Computer Misuse Act."

Which appears to leave the owner of an infected system in the clear.

Simpson stressed the importance of traditional approaches to information security. "People should consider how to prevent or manage infections and DDoS attacks, and also how to raise awareness of IT security within the business environment. Many of the cases investigated by the CCU were infinitely preventable, if only policy was in place and supported by procedure and appropriate management systems," he said.

Ford thinks the botnet phenomenon will worsen. With commercial reasons to create zombies growing stronger (see sidebar), the value of exploits that install bots is rising. "If a botnet owner wishes to expand his network, and that network makes money, it stands to reason that a zero-day attack has value to him. The goal of a botnet is to spread under the radar, so using an unknown exploit and keeping that exploit out of sight makes sense."

Simpson is optimistic the CCU can combat the growing zombie armies, even with the cross-border complications inherent in investigations.

"There is extremely good co-operation between international law enforcement and industry. Results in the UK, US, Canada, Holland and Eastern Europe are evidence of this." (See sidebar.)

But it is the immensity of scale that makes a zero-day exploit so valuable. As Simpson points out: "In the physical world the number of crimes an individual can commit is limited by their physical capacity. In contrast, across the internet, a criminal without any significant assets can target over a billion potential victims."

This rich field of potential victims and the value of infection makes it inevitable that botmasters will try to grow their legions of zombies. A zero-day attack is perfect for their diabolical plans: use your head; make them lose theirs.


What vendors say you should do

"Companies should install software to identify bots on their networks and close those communication channels. Bots can use any protocol they want to communicate. Stopping IRC will never be enough." Jose Nazario, senior security advisor, Arbor Networks.

"Anti-spam applications will greatly reduce this problem but real-time blacklists become less useful. Companies should be backing initiatives that counteract spam like Sender Policy Framework (SPF)." Simon Heron, Network Box Defence Systems.

"Web browsers are probably the most frequently abused port of entry. It's harder to take down Firefox than IE by spyware, so consider switching." Mark Stevens, chief strategy officer, WatchGuard.

"A holistic approach to security is essential. It's no longer sufficient to rely on traditional anti-virus techniques." David Emm, senior technology consultant, Kaspersky Labs.

"Companies should definitely be looking to shore up their IM channels. Many of the hacker groups we monitor are moving away from web page drive-bys in favour of spreading their payloads via IM." Chris Boyd, security research manager, FaceTime Communications.
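Heron's point about SPF is worth seeing in code, because it shows why the technique bites botnets specifically: a zombie sends from whatever home connection it sits on, so a domain that publishes its real mail gateway range and ends its record with "-all" lets the receiving server fail the forged message before any blacklist is consulted. The following is an added illustration written for this page, not code from Network Box or the article. It is a deliberately reduced evaluator that implements only the DNS-free mechanisms (ip4, ip6, all) so it runs offline; the domain record and the addresses are constructed, and a production checker would also need a, mx, include, exists and redirect, which require lookups.

```python
import ipaddress

# Result for each qualifier, per RFC 7208 (the SPF specification).
QUALIFIER_RESULT = {'+': 'pass', '-': 'fail', '~': 'softfail', '?': 'neutral'}


def parse_spf(record):
    """Turn 'v=spf1 ip4:192.0.2.0/24 -all' into [(qualifier, mechanism, argument), ...]."""
    terms = record.split()
    if not terms or terms[0].lower() != 'v=spf1':
        raise ValueError('not an SPF version 1 record')
    parsed = []
    for term in terms[1:]:
        qualifier = '+'  # a mechanism with no explicit qualifier means "pass"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(':')
        parsed.append((qualifier, mechanism.lower(), argument))
    return parsed


def check_spf(record, sender_ip):
    """Evaluate the connecting IP against the domain's published record.

    Only ip4, ip6 and all are implemented so the function works offline.
    a, mx, include, exists, ptr and modifiers such as redirect= or exp=
    need DNS and are rejected rather than silently skipped, so a record
    this code cannot evaluate never produces a misleading "fail".
    """
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mechanism, argument in parse_spf(record):
        if mechanism == 'all':
            return QUALIFIER_RESULT[qualifier]
        if mechanism in ('ip4', 'ip6'):
            network = ipaddress.ip_network(argument, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIER_RESULT[qualifier]
            continue
        raise NotImplementedError(f'term {mechanism!r} needs DNS resolution')
    return 'neutral'  # nothing matched and no "all" term: the RFC 7208 default


# Constructed example: a corporate domain that sends only from its own mail
# gateway ranges. 198.51.100.7 stands in for a zombie on a home connection
# forging the domain in its spam.
CORPORATE_RECORD = 'v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all'


if __name__ == '__main__':
    for sender in ('192.0.2.25', '2001:db8:1::9', '198.51.100.7'):
        print(sender, '->', check_spf(CORPORATE_RECORD, sender))
```

The hardening is in the last term: "-all" turns every unlisted sender into a hard fail, whereas the "~all" softfail that many domains publish out of caution only tags the message and leaves the zombie's spam to the next filter in line.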

Court in the act

December 2004, UK and Canada: A British court convicts a 16-year-old Briton of releasing the Randex Trojan, used to relay spam. Canadian police charge another 16-year-old with writing and distributing the worm. Randex quickly infected more than 9,000 computers.

August 2004, US: Operation Cyberslam results in the indictment of Jay R Echouafni and Joshua Schichtel on charges of conspiracy and causing damage to protected computers. They allegedly used a botnet to send bulk mail and set up DDoS attacks against spam blacklist servers.

January 2006, US: Jeanson James Ancheta pleads guilty to installing and controlling tens of thousands of zombie computers used for spam, DDoS and adware. Ancheta allegedly made over US$60,000.

October 2005, The Netherlands: Dutch police arrest three people for building a 100,000-PC botnet. Compromised machines were infected with the W32.Toxbot Trojan. Investigations surround DDoS attacks and PayPal and eBay fraud.

February 2006, US: Christopher Maxwell and two juvenile accomplices allegedly made US$100,000 with pop-up adverts on compromised computers. Their botnet is also suspected of DDoS attacks on Seattle's Northwest Hospital in January 2005.