How Zombie Computers Work
By Jonathan Strickland
Strickland, Jonathan. "How Zombie Computers Work." 10 September 2007. HowStuffWorks.com. http://computer.howstuffworks.com/zombie-computer.htm
Re-Published by Ahmed, Omeiza, 20 October 2009.
Inside this Article
- Introduction to How Zombie Computers Work
- Hacking a Computer
- Spam Distribution
- Distributed Denial of Service Attacks
- Click Fraud
- Preventing Zombie Computer Attacks
Zombie computers are computers that have been taken over by a hacker without the knowledge of the owner.
Imagine that the Internet is a city. It would undoubtedly be the most remarkable and diverse city on the planet, but it would also be incredibly seedy and dangerous. You could find the world's most comprehensive libraries there alongside X-rated theaters.
Inside this city, you would also discover that not everyone is who they seem to be -- even yourself. You might find out that you've been misbehaving, although you don't remember it. Like the unwitting agent in "The Manchurian Candidate," you discover you've been doing someone else's bidding, and you have no idea how to stop it.
A zombie computer is very much like the agent in "The Manchurian Candidate." A cracker -- a computer hacker who intends mischief or harm -- secretly infiltrates an unsuspecting victim's computer and uses it to conduct illegal activities. The user generally remains unaware that his computer has been taken over -- he can still use it, though it might slow down considerably. As his computer begins to either send out massive amounts of spam or attack Web pages, he becomes the focal point for any investigations involving his computer's suspicious activities.
The user might find that his Internet Service Provider (ISP) has cancelled his service, or even that he's under investigation for criminal activity. Meanwhile, the cracker shrugs off the loss of one of his zombies because he has more. Sometimes, he has a lot more -- one investigation allegedly discovered that a cracker's single computer controlled a network of more than 1.5 million computers [source: TechWeb].
We'll look at how crackers can commandeer your computer, why they do it and the best way to protect yourself from malicious attacks.
Hacking a Computer
|
Malware
Programs designed to harm or compromise a computer are called malware (as in malicious software). Malware includes a wide array of nasty batches of code that can wreak havoc on your computer, your network and even the Internet itself. Some common forms of malware that might turn your computer into a zombie include:
- Computer viruses - programs that disable the victim's computer, either by corrupting necessary files or hogging the computer's resources
- Worms - programs that spread from one machine to another, rapidly infecting hundreds of computers in a short time
- Trojan horse - a program that claims to do one thing, but actually either damages the computer or opens a back door to your system
- Rootkits - a collection of programs that permits administrator-level control of a computer; not necessarily malware on its own, but crackers use rootkits to control computers and evade detection
- Backdoors - methods of circumventing the normal operating-system procedures, allowing a cracker to access information on another computer
- Key loggers - programs that record keystrokes made by a user, allowing crackers to discover passwords and login codes
Zombie computer code usually is part of a virus, worm or Trojan horse. Zombie computers often incorporate other kinds of malware as part of their processes.
|
Crackers transform computers into zombies by using small programs that exploit weaknesses in a computer's operating system (OS). You might think that these crackers are cutting-edge Internet criminal masterminds, but in truth, many have little to no programming experience or knowledge. (Sometimes people call these crackers "script kiddies" because they are young and show no proficiency in writing script or code.) Investigators who monitor botnets say that the programs these crackers use are primitive and poorly programmed. Despite the ham-handed approach, these programs do what the crackers intended them to do -- convert computers into zombies.
In order to infect a computer, the cracker must first get the installation program to the victim. Crackers can do this through e-mail, peer-to-peer networks or even on a regular Web site.
Most of the time, crackers disguise the malicious program with a name and file extension so that the victim thinks he's getting something entirely different. As users become savvier about Internet attacks, crackers find new ways to deliver their programs. Have you ever seen a pop-up ad that included a "No Thanks" button? Hopefully you didn't click on it -- those buttons are often just decoys. Instead of dismissing the annoying pop-up ad, they activate a download of malicious software.
Once the victim receives the program, he has to activate it. In most cases, the user thinks the program is something else. It might appear to be a picture file, an MPEG or some other recognizable file format. When the user chooses to run the program, nothing seems to happen. For some people, this raises alarm bells and they immediately follow up with a flurry of virus and spyware scanner activity. Unfortunately, some users simply think they received a bad file and leave it at that.
Meanwhile, the activated program attaches itself to an element of the user's operating system so that every time the user turns on his computer, the program becomes active. Crackers don't always use the same segment of an operating system's initializing sequence, which makes detection tricky for the average user.
The program either contains specific instructions to carry out a task at a particular time, or it allows the cracker to directly control the user's Internet activity. Many of these programs work over Internet Relay Chat (IRC), and in fact there are botnet communities on IRC networks where fellow crackers can help one another out -- or attempt to steal another cracker's botnet.
Once a user's computer is compromised, the cracker pretty much has free rein to do whatever he likes. Most crackers try to stay below the radar of users' awareness. If a cracker alerts a user to his presence, the cracker risks losing a bot. For some crackers, this isn't much of a problem since some networks number in the hundreds of thousands of zombies. Next, we'll look at the relationship between zombie computers and spam.
Spam Distribution
Spam continues to be a huge problem. It's a frustrating experience to open your e-mail and sort through dozens of examples of junk mail. Where does all that spam come from? According to FBI estimates, a large percentage of it comes from networked zombie computers.
|
Crackers sometimes turn unsuspecting victims' computers into zombie computers to spread e-mail across the world. E-mail recipients usually can't trace the e-mail back to its source.
|
If spam came from one centralized source, it would be relatively easy to track it down and either demand the corresponding ISP shut down that computer's access to the Internet or charge the user for sending out illegal spam. To get around these pitfalls, crackers rely on zombie computers. The zombie computer becomes a proxy, meaning the cracker is one step removed from the origin of spam e-mails. A cracker with a large botnet can send millions of spam messages every day.
Crackers might set up a spam botnet to deliver a computer virus or Trojan program to as many computers as possible. They also can use spam to send phishing messages, which are attempts to trick users into sharing personal information (we'll talk more about phishing later).
When sending out ads in spam mail, the cracker either sets up the botnet specifically for a client or he rents it out on an hourly basis. Clients who wish to advertise their products (and who don't care how intrusive or illegal their advertisements might be) pay the crackers to send out e-mail to thousands of people.
|
A Zombie by Any Other Name
Some people think the term "zombie computer" is misleading. A zombie, after all, seems to have no consciousness and pursues victims on instinct alone. A zombie computer can still behave normally, and every action it takes is a result of a cracker's instructions (though these instructions might be automated). For this reason, these people prefer the term "bot." Bot comes from the word "robot," which in this sense is a device that carries out specific instructions. A collection of networked bots is called a "botnet," and a group of zombie computers is called an "army."
|
The majority of e-mail recipients usually can't figure out where the spam is coming from. They might block one source only to receive the same spam from a different zombie in the botnet. If the e-mail includes a message that says something like "Click here to be removed from this e-mail list," they might fall prey to exposing their computer to even more spam. Users savvy enough to track the e-mail back may not notice that the sender's computer is part of a larger network of compromised machines. For someone who knows what he's doing, it is sometimes possible to figure out if a sender is a single user sending out spam or if a cracker is controlling the computer remotely. It is, however, time consuming.
A zombie-computer owner might realize a cracker is controlling his machine remotely if spam recipients write to complain about the junk mail or if his own e-mail outbox is full of messages he didn't write. Otherwise, the owner is likely to remain blissfully unaware that he's part of a ring of spammers. Some users don't seem to care if their machines are being used to spread spam mail, as if it were someone else's problem, and many more don't take the necessary precautions to avoid becoming part of a botnet. Next, we'll talk about another vicious use of botnets -- distributed denial of service attacks.
Distributed Denial of Service Attacks
|
Script Kiddies
On May 4th, 2001, a 13-year-old cracker used a denial of service attack to bring down GRC.com, the Web site for Gibson Research Corporation. Ironically, GRC.com focuses on Internet security. In 2006, police in Hanoi, Vietnam arrested a high school sophomore for orchestrating a DDoS attack on a Web site for the Nhan Hoa Software Company. He said the reason he did it was because he didn't like the Web site.
|
Sometimes a cracker uses a network of zombie computers to sabotage a specific Web site or server. The idea is pretty simple -- a cracker tells all the computers on his botnet to contact a specific server or Web site repeatedly. The sudden increase in traffic can cause the site to load very slowly for legitimate users. Sometimes the traffic is enough to shut the site down completely. We call this kind of an attack a Distributed Denial of Service (DDoS) attack.
Some particularly tricky botnets use uncorrupted computers as part of the attack. Here's how it works: the cracker sends the command to initiate the attack to his zombie army. Each computer within the army sends an electronic connection request to an innocent computer called a reflector. When the reflector receives the request, it looks like it originates not from the zombies, but from the ultimate victim of the attack. The reflectors send information to the victim system, and eventually the system's performance suffers or it shuts down completely as it is inundated with multiple unsolicited responses from several computers at once.
From the perspective of the victim, it looks like the reflectors attacked the system. From the perspective of the reflectors, it seems like the victimized system requested the packets. The zombie computers remain hidden, and even more out of sight is the cracker himself.
The list of DDoS attack victims includes some pretty major names. Microsoft suffered an attack from a DDoS called MyDoom. Crackers have targeted other major Internet players like Amazon, CNN, Yahoo and eBay. The DDoS names range from mildly amusing to disturbing:
- Ping of Death - bots create huge electronic packets and send them on to victims
- Mailbomb - bots send a massive amount of e-mail, crashing e-mail servers
- Smurf Attack - bots send Internet Control Message Protocol (ICMP) messages to reflectors (see the illustration above)
- Teardrop - bots send pieces of an illegitimate packet; the victim system tries to recombine the pieces into a packet and crashes as a result
Once an army begins a DDoS attack against a victim system, there are few things the system administrator can do to prevent catastrophe. He could choose to limit the amount of traffic allowed on his server, but this restricts legitimate Internet connections and zombies alike. If the administrator can determine the origin of the attacks, he can filter the traffic. Unfortunately, since many zombie computers disguise (or spoof) their addresses, this isn't always easy to do. Next, we'll look at some other ways crackers use zombie computers.
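As an added example (not part of the original article), here is what the reflection pattern described above looks like in the victim's own traffic records, and why a per-source traffic limit of the kind the administrator might reach for catches none of it. The addresses and flow records are constructed; a real deployment would read them from a flow collector or packet capture.

```python
# Added example: spotting a reflected (Smurf-style) attack from the
# victim's vantage point. Flow records are constructed for illustration.
from collections import Counter

VICTIM = "198.51.100.10"  # constructed victim address (documentation range)

# Constructed flow records as seen at the victim's network edge:
# (timestamp_seconds, src_ip, dst_ip, icmp_type)
# ICMP type 8 = echo request, type 0 = echo reply.
FLOWS = [
    (0, VICTIM, "203.0.113.5", 8),   # the victim's own legitimate ping
    (1, "203.0.113.5", VICTIM, 0),   # the matching reply
] + [
    # replies from many reflectors the victim never pinged: the zombies
    # spoofed the victim's address when they sent the requests
    (2 + i % 5, f"203.0.113.{50 + i}", VICTIM, 0) for i in range(40)
]


def unsolicited_replies(flows, victim):
    """Return (timestamp, reflector) for echo replies to `victim` that no
    outbound echo request explains.

    Each request (type 8) the victim sends earns one expected reply from
    that destination; replies beyond that are unsolicited, which is the
    reflection signature: the reflectors believe the victim asked."""
    expected = Counter()
    unsolicited = []
    for ts, src, dst, icmp_type in sorted(flows):
        if src == victim and icmp_type == 8:
            expected[dst] += 1
        elif dst == victim and icmp_type == 0:
            if expected[src] > 0:
                expected[src] -= 1
            else:
                unsolicited.append((ts, src))
    return unsolicited


def per_source_limit_catches(flows, victim, max_per_source):
    """Count sources a per-source packet limit would throttle.

    With the attack spread over many reflectors that each send only a
    few packets, any threshold high enough to spare a legitimate peer
    throttles none of them; it is the aggregate that hurts the victim."""
    inbound = Counter(src for _, src, dst, _ in flows if dst == victim)
    return sum(1 for n in inbound.values() if n > max_per_source)


def inbound_total(flows, victim):
    """Total packets arriving at the victim, the number that actually matters."""
    return sum(1 for _, _, dst, _ in flows if dst == victim)
```

Filtering on the reflector addresses returned by `unsolicited_replies` is the "filter the traffic" option the paragraph mentions; it works here only because the reflectors' own addresses are genuine, unlike the spoofed requests behind them.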
Click Fraud
Some crackers aren't interested in using zombie computers to send spam or cripple a particular target. Many take control of computers as a method of phishing, which is where a cracker tries to uncover secret information, particularly identification information. Crackers might steal your credit card information or search through your files for other sources of profit. The cracker might use a key logging program to track everything you type, then use it to discover your passwords and other confidential information.
Sometimes crackers will use zombie computers in ways that don't directly harm the victim of the initial attack or even the ultimate target, though the end goal is still pretty sneaky and unethical.
You've probably seen or even participated in several Internet-based polls. Perhaps you've even seen one where the results seemed unusual or counter-intuitive, particularly when it comes to a contest. While it's entirely possible the poll wasn't ever attacked, crackers have been known to use zombie computers to commit click fraud.
Click fraud refers to the practice of setting up a botnet to repeatedly click on a particular link. Sometimes, crackers will commit click fraud by targeting advertisers on their own Web sites. Since Web advertisers usually pay sites a certain amount of money for the number of clicks an ad gets, the cracker could stand to earn quite a few dollars from fraudulent site visits.
Zombie computers and the crackers responsible for them are pretty scary. You could end up being the victim of identity theft or unknowingly participate in an attack on an important Web site. It's important to learn how to protect yourself from crackers as well as what you should do if you find out your computer has been compromised. We'll look at what security measures you should employ to prevent your computer from becoming a zombie.
Preventing Zombie Computer Attacks
You don't want your computer to become a zombie, so what do you do to prevent it? The most important thing to remember is that prevention is an ongoing process -- you can't just set everything up and expect to be protected forever. Also, it's important to remember that unless you employ common sense and prudent Internet habits, you're courting disaster.
|
Spam Statistics
Here are some sobering spam statistics from the 2007 Symantec Internet Security Threat Report:
- Between July 1 and Dec. 31, 2006, 59 percent of all monitored e-mail traffic was spam.
- Spam written in English makes up 65 percent of all spam.
- The United States is the origin of 44 percent of all the world's spam.
- Ten percent of all e-mail zombies are in the United States, making the U.S. the zombie computer capital of the world.
- One out of every 147 blocked spam e-mails contained some kind of malicious code.
|
Antivirus software is an absolute necessity. Whether you purchase a commercial package like McAfee VirusScan or download a free program like AVG Anti-Virus Free Edition, you need to activate it and make sure your version remains current. Some experts say that to be truly effective, an antivirus package would need to update on an hourly basis. That's not practical, but it does help stress the importance of making sure your software is as up to date as possible. For more information, read our article on How Computer Viruses Work.
Install spyware scanners to search for malicious spyware. Spyware includes programs that monitor your Internet habits. Some go even further, logging your keystrokes and recording everything you do on your computer. Get a good anti-spyware program like Ad-Aware from Lavasoft. Like the antivirus software, make sure the program stays up to date. To learn more, read our article on How Spyware Works.
Install a firewall to protect your home network. Firewalls can be part of a software package or even incorporated into some hardware like routers or modems. To learn more about firewalls, be sure to read our article on How Firewalls Work.
You should also make sure that your passwords are difficult or impossible to guess, and you shouldn't use the same password for multiple applications. This makes remembering all those passwords a pain, but it gives you an added layer of protection.
If your computer has already been infected and turned into a zombie computer, there are only a few options open to you. If you have access to tech support who can work on your computer for you, that would be the best option. If not, you can try to run a virus removal program to kill the connection between your computer and the cracker. Unfortunately, sometimes the only option you have is to erase everything on your computer, reload its operating system and start from scratch. You should make backup disks of your hard drive on a regular basis just in case. Remember to scan those files with an antivirus program to make sure none of them are corrupted.
Your computer is a great resource. Sadly, crackers think the same thing -- they want to make your computer their own resource. If you practice careful Internet habits and follow the tips we've described on this page, your chances of your computer remaining secure are very good.