IMAGINE it. Zombie computers that are possessed by the spirits of others. Zombie computers that infect new victims in cyberspace. Zombie computers hell-bent on attacking our interests and stealing our identities.
They exist, and there is a good chance your PC is one of them. But the fightback has begun. And in a report published last week, computer scientists in Germany have revealed details of the progress that the counter-attack has made.
It makes for inspiring reading. On our behalf, programmers are coming up with ingenious ways to observe, trap and eliminate zombies. But there is also evidence that the zombies are becoming cleverer and more evasive. At stake is the security of large swathes of the internet, for the zombiesā creators are determined to hijack our PCs and use them to steal our personal details, send out spam and derail online businesses.
Advertisement
Zombies are created when hackers use a virus or worm such as MyDoom to gain remote access to a computer and deposit a piece of malicious code known as a bot. This bot instructs the computer to secretly log into an online chat room frequented by other zombies, and obey instructions issued by the chat roomās controller, usually the person who wrote the bot virus.
Bots can also be left on bogus websites, perhaps disguised as a software update that PC owners unwittingly download. They can also be inserted by existing zombies that scan the network for vulnerable computers to convert. The bots instruct PCs to do everything from stealing passwords and sending out spam, to launching random attacks on specific company servers (Āé¶¹“«Ć½, 6 November 2004, p 28).
The bot-hunting heroes are The German Honeynet Project, a group of dedicated computer experts who, as their name suggests, attempt to lure and then entrap bots and their creators. Founded by Thorsten Holz of RWTH-Aachen University, the team has released the first paper detailing exactly how they hunt, and how successful they have been ā information that will be invaluable to other researchers attempting to thwart bots and police trying to catch cybercriminals.
āThe novelty is in the analysis and the reporting of what they are doing,ā says Ralph Logan, vice-president of The Honeynet Project, a separate group of computer experts based in Houston, Texas, that also tries to understand cyber threats. Independent honeynet projects are run in France and the UK, and researchers from each often collaborate. āI donāt think anyone has detailed that much information about how they work,ā agrees Viki Navratilova, a network security expert at the University of Chicago.
Holz and his team have built their own army of fake zombie computers, which they use to infiltrate the networks and chat rooms frequented by real zombie computers and their creators. To make a fake zombie Holz uses a Linux computer running code written by Holzās colleague Georg Wicherski. Called Mwcollect2, the code emulates vulnerable operating systems including Windows 2000 and XP. These act as the honeypot, attracting and ātrappingā malicious bot programs. The computer typically becomes infected with a new bot within minutes, says Holz.
āThe total number of zombie computers worldwide is close to 600 million and thatās a conservative estimateā
But Mwcollect2 also enables the Honeynet team to monitor how bots operate. When a bot hosted by the fake zombie computer tries to enter a chat room, say, the Linux computer records the passwords and logins the bot uses to join, the nicknames it uses when inside ā for example, a country name followed by a number ā and the IP address of the chat room controllerās server.
The Honeynet team then use this information, and a software package called Drone, to create spy bots that act like the real thing. These spy bots are sent back into enemy territory, to log in and out of chat rooms and download any new malicious code that the controller is instructing his or her bots to fetch. In that way, the Honeynet team knows exactly what the hackers are up to.
Going undercover isnāt easy though. Unlike real bots, spy bots are designed not to infect other machines, attack online servers or send out spam. And that reluctance to cause harm can give a spy bot away. Holz says a number of his spy bots have been rumbled. Usually they are just banned from a chat room, but on one occasion a hacker being monitored retaliated by launching an attack on The German Honeynet Projectās servers. Now Holz routes his spies through proxy servers, so their origin cannot be traced, a trick spammers use to hide their tracks.
Holz has so far spied on over 160 bots, some individually controlling 50,000 zombie computers. His conservative estimate is that up to a million computers are controlled by the bots he has observed, but the total number of zombies worldwide is likely close to 600 million.
That runs contrary to a report published this week by Symantec, the antivirus software company with headquarters in Cupertino, California. Symantec says the number of bot-infected PCs has fallen six-fold in the past six months. But that could be because āthe bots may be becoming less chattyā, says Symantecās Jonah Paransky. In short, they are talking less to avoid being spotted.
Both Symantec and Holz have also noticed a new level of sophistication in how zombie computers are controlled. Instead of doing the job from a single server, controllers are creating bots operating from several servers, each of which controls smaller networks of zombie computers.
The aim appears to be to make such networks less conspicuous. Holz also says bot controllers are beginning to trade their creations, while others are trying to steal rivalsā zombie computers. āThere is no doubt bots are becoming more sophisticated and focused on financial gain,ā Paransky says.
Some systems administrators say The German Honeynet Project is a great way to find out what bots are out there. āThis work is really valuable,ā says Johannes Ullrich of the SANS Internet Storm Center in Quincy, Massachusetts. āThis is the only way to find these details.ā
But Navratilova says that for most systems administrators maintaining a system that gets infected every three minutes by a new bot is too time-consuming. āIt sounds like a full-time job. A honeynet would be nice if someone else built it and collected the information.ā
She also points out that honeynets themselves could unwittingly participate in organised crime if hackers find a way to exploit them. Although they are designed to prevent their fake zombie computers from sending spam and launching DOS attacks, āno system is entirely secureā, she says.