# Attack of the PC Zombies!
## mimo2005 (Oct 2, 2004)

Attack of the PC Zombies!

Mon Oct 25, 3:00 AM ET

Michael Desmond

It's stuff to make your blood run cold. You've just closed Microsoft Outlook when your system suddenly reboots without warning. When Windows comes back up, everything seems normal, but then you notice...changes. Your Internet Explorer home page might be different, or certain Web sites may not load at all. Soon, you may notice an unusual amount of disk activity or unexplained sluggishness from your mouse.


Congratulations, your computer has just been hijacked.


In the time it takes to glance at a JPEG image on a Web page, your PC can fall victim to an insidious attack that turns computers into mindless drones, dedicated to performing malicious acts on behalf of remote hosts. In the past, infected computers, known as "zombies," would receive instructions to send a blizzard of data to a specific Web address or Internet server. In what is called a distributed denial of service attack, these infections have marshaled hundreds or even thousands of PCs to bring down even the most well-fortified servers and Web sites.


If your PC seems sluggish, if your hard drive spins when you're not accessing it, or if your Internet connection is active when it shouldn't be, you may have a zombie PC on your hands. The best-case scenario is that the infection merely affects the way your system operates; in the worst case, your system is unwittingly used to launch attacks that can be traced back to you. Either way, see the accompanying article, "Zombie Repellant," to learn how to protect yourself.


Over the past six months, zombie networks have evolved into something more capable and dangerous--so-called botnets, which is short for robot networks. Like zombie PCs, systems in a botnet are infected with a virus that allows a remote server to command them over an Internet connection. But where zombie PCs perform a single task--flooding a target with bits--systems in a botnet are dynamic. They can be programmed and updated to engage in all sorts of malicious activity.


"I think it's really an indication of the originators of these threats becoming more sophisticated," says Oliver Friedrichs, senior manager for Symantec Security Response. "The trend today is for these bots to be used for more duplicitous purposes, like phishing attacks and spamming in general."


Not only are attacks getting more sophisticated, but they are also growing at an alarming rate. The Symantec Internet Security Threat Report revealed in September that the number of active bot systems on the Internet has skyrocketed, from 2,000 systems in January 2004 to 30,000 systems in June. Organizations like the Internet Storm Center at the SANS Institute are making new botnet discoveries almost daily.


Unfortunately, it's becoming harder and harder not to end up an unwitting accomplice to a zombie PC attack. Symantec warns that the time between when a company discovers a vulnerability in its PC protection software and when a hacker concocts a virus to exploit that vulnerability is less than six days. Some software companies, which shall remain nameless, can take weeks or months to patch their products.

### Criminal Intent

Perhaps most disconcerting is the changing shape of the threat. Botnets are being employed for financial gain--driving e-mail spam offers, enabling phishing scams that lure users into divulging private information, and capturing financial and account information using keystroke loggers and other techniques. Botnets are even being employed in extortionist rackets. Internet gambling house Blue Square suffered a massive distributed denial of service attack earlier this year, after failing to respond to an e-mail demand for money. A lot of this activity is coming out of Eastern Europe, far beyond the reach of U.S. regulatory and law enforcement organizations.


"There is a much more insidious and criminal aspect to these bots than there has been in the past," Friedrichs says. "Over the last couple of decades, viruses and worms were not being written for monetary gain. Now we're seeing new types of attacks that are clearly for much more insidious intent, in terms of gaining financial details, bank account information, and user names and passwords for financial institutions."


In fact, the proven effectiveness of botnets has helped create a healthy black market for infected machines, says Friedrichs. "We're starting to hear that individuals who deploy these botnets are actually selling them. So if I deployed a botnet of several thousand systems, someone would be willing to buy that from me. There really is incentive now to deploy botnets."


What's the value of a network of compromised machines? Spammers use botnets to send millions of e-mail messages from thousands of PCs across the globe, without fear of detection. And because the spam originates from so many different points, ISPs find it difficult to cut off the flow of unsolicited traffic. Ultimately, users may find their e-mail privileges revoked once the bot software has triggered outbound data thresholds. But that leaves ISPs no closer to shutting down the offending spam server or any other PCs in the botnet.

### Open-Ended Threat

Matt Nealy, an independent security consultant with Miskatonic Research, has seen more than his share of botnet-related infections and exploits. His concern is that the open-ended nature of botnet infections--allowing updated virus software to be downloaded to a PC at any time--makes system recovery difficult or even impossible.


"The big thing about bots is, once it phones home, you really don't know what it has done to your system. And finding out what has been done can be very difficult," Nealy says. "The approach that I've been taking has been using Windows Recovery--if you know when the infection occurred, you can go back beyond that point. But there comes a time when you need to say that so much damage has been done that it's best to just start over."


Even finding out if your PC is infected may be difficult, Nealy says. He points out that botnet virus writers can monitor antivirus vendor Web sites to see if their latest exploit has been addressed with an updated virus signature. The authors can then tweak the existing virus code and test it on popular antivirus programs until they come up with code that can slip by undetected. From there, it's a simple matter to stream the updated code down to the active botnet.


"These threats have become more sophisticated in terms of hiding themselves in your system," Friedrichs says. "They can masquerade as different software. They can hide themselves in a running service."


So what can you do? Your best bet is to avoid getting infected in the first place. That means running antivirus, anti-spyware, and firewall software. Firewall software that monitors outbound traffic can alert you that your PC is misbehaving.


In addition, make sure your system is patched and up to date, since many botnet exploits rely on flaws in Windows, Internet Explorer, and other popular software to slip into your system. With the proper precautions, a zombie PC won't seem as frightening as a ghoul at your front door.
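The two bot behaviours the article describes, spam fanned out from one PC to many mail servers and a flood of connections aimed at a single target, are exactly what outbound-traffic monitoring can catch. The script below is an added illustration, not code from the article or from any vendor it names; it assumes a simple constructed firewall log format of `timestamp src_ip dst_ip dst_port bytes` and uses illustrative thresholds.

```python
from collections import Counter, defaultdict

def build_sample_log():
    """Constructed sample log lines (not real traffic) in the assumed format."""
    lines = ["2004-10-25T03:00:00 192.168.1.10 10.0.0.5 80 1200"]
    # 192.168.1.10: 30 outbound SMTP sessions to 30 different mail hosts (spam bot pattern)
    for i in range(30):
        lines.append(f"2004-10-25T03:00:{i:02d} 192.168.1.10 198.51.100.{i} 25 900")
    # 192.168.1.11: 60 tiny connections to one host (flood / DDoS participant pattern)
    for i in range(60):
        lines.append(f"2004-10-25T03:01:{i:02d} 192.168.1.11 203.0.113.9 80 64")
    # 192.168.1.12: a couple of ordinary connections, including one legitimate SMTP session
    lines.append("2004-10-25T03:02:00 192.168.1.12 10.0.0.5 443 3000")
    lines.append("2004-10-25T03:02:01 192.168.1.12 10.0.0.6 25 700")
    return "\n".join(lines)

def parse_log(text):
    """Parse 'timestamp src dst port bytes' lines; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, port, nbytes = parts
        records.append((ts, src, dst, int(port), int(nbytes)))
    return records

def find_bot_like_hosts(records, smtp_peers=20, flood_conns=50):
    """Return {src_ip: [reasons]} for hosts whose outbound traffic looks bot-driven.

    smtp_peers: distinct SMTP (port 25) destinations before a host is flagged as a spam source.
    flood_conns: connections from one host to one destination before it is flagged as a flooder.
    Both thresholds are illustrative assumptions, not values from the article.
    """
    smtp_targets = defaultdict(set)
    pair_counts = Counter()
    for _, src, dst, port, _ in records:
        if port == 25:
            smtp_targets[src].add(dst)
        pair_counts[(src, dst)] += 1
    findings = defaultdict(list)
    for src, dsts in smtp_targets.items():
        if len(dsts) >= smtp_peers:
            findings[src].append(f"outbound SMTP to {len(dsts)} distinct hosts")
    for (src, dst), n in pair_counts.items():
        if n >= flood_conns:
            findings[src].append(f"{n} connections to {dst}")
    return dict(findings)

if __name__ == "__main__":
    for host, reasons in find_bot_like_hosts(parse_log(build_sample_log())).items():
        print(host, "->", "; ".join(reasons))
```

On the constructed log, the spam-like host and the flooding host are flagged while the host with a single legitimate SMTP session is not; on real firewall exports the thresholds would need tuning to the network's normal mail and Web volumes.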

