
Zombies try to blend in with the crowd

Hackers aim to make networks of hijacked computers go unnoticed by merging their communications with common Web traffic.

Joris Evers Staff Writer, CNET News.com
Hackers are trying harder to make their networks of hijacked computers go unnoticed.

Cybercrooks are moving to new Web-based techniques to control the machines they have commandeered, popularly referred to as "zombies." Previously, they sent orders via Internet chat services, but with that method, they ran the risk of inadvertently revealing the location of the zombies and themselves.

"All the good guys are being challenged here. (Hackers are) saying: 'You're spotting my traffic. I am going to try and hide it a little better,'" said Rob Fleischman, the chief technology officer at Simplicita, a Denver-based security start-up that helps Internet service providers deal with infected computers on their networks.

The change in tactics makes it harder to identify zombies on a network, and it becomes tougher for security professionals to use the hackers' own tools to spy on them. In addition, the switch to Web-based control increases the threat of zombies to enterprises and other organizations, as that method can't be blocked as easily as the previous technique.

"If you're a bad guy, this is pretty good news. If you're a good guy, I wouldn't say it is bad news, but it is a challenge," said Jose Nazario, a senior software engineer at Arbor Networks, which sells network analysis products. Nazario has done extensive research into zombies, the results of which he presented at last week's Virus Bulletin conference.

Life of a zombie
Hijacked computers have become one of the most serious security problems on the Internet. Malicious remote-control code turns a computer into a zombie via security holes in software, a worm, or a Trojan horse. It then runs silently in the background, letting an attacker send commands to the system, unbeknownst to its owner.

Zombies are the most prevalent threat to Windows PCs, according to a Microsoft report released earlier this year. A security tool downloaded alongside Microsoft's patches removed at least one version of malicious remote-control software from about 3.5 million PCs between January 2005 and March 2006, it said.

Criminals make money by networking their zombies into a "botnet". They put these networks to work mounting denial-of-service attacks against online businesses in extortion schemes; hosting faked Web sites used in phishing scams; and relaying spam. Attackers also often load adware and spyware onto compromised systems, earning a kickback from the makers of these programs or reselling the private data of their victims.

In fighting botnets, investigators found it was relatively easy to identify zombies because of how they communicate with their masters. Most botnets today are controlled via Internet Relay Chat, or IRC, a still-active chat network that is a relic of the early days of the Net.

IRC lets hackers control their bots in real time. As soon as a computer is infected, it connects to a specific chat server and channel, and awaits its commands. But the benefit for the good guys is that they can lurk in the chat rooms, spy on the hackers, and sometimes even identify them. Furthermore, IRC uses its own network protocol.

"IRC is not as common as other protocols," Fleischman said. "It does not blend in. It has a certain signature. You can use technologies to spot it."

Internet service providers already block traffic to the IRC servers used by zombies, and many organizations use network shields, such as firewalls and intrusion detection systems, to block IRC traffic altogether. This prevents a compromised PC on a specific network from contacting its command-and-control center.
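The "certain signature" Fleischman refers to is the IRC protocol itself: a client registers with NICK and USER lines and then sends JOIN, and those verbs are visible in the stream whatever port the server listens on. The following detector is an added illustration, not code from the article or from any of the companies quoted; the flow records and payloads are constructed, and the verb list and the two-line threshold are assumptions a practitioner would tune.

```python
import re
from dataclasses import dataclass

# Commands that open nearly every IRC session (client side) plus the
# keepalive pair. A bot registering with its server sends the same ones.
IRC_VERBS = (b"NICK ", b"USER ", b"JOIN ", b"PRIVMSG ", b"PASS ", b"PING ", b"PONG ")
# Server replies are numeric: ":server 001 nick :Welcome ..."
IRC_NUMERIC = re.compile(rb"^:\S+ \d{3} ")


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes of the stream, as a sensor would capture them


def irc_line_count(payload: bytes) -> int:
    """Count lines that start with an IRC verb or look like a numeric reply."""
    count = 0
    for line in payload.split(b"\r\n"):
        line = line.strip()
        if not line:
            continue
        if line.startswith(IRC_VERBS) or IRC_NUMERIC.match(line):
            count += 1
    return count


def looks_like_irc(payload: bytes, min_lines: int = 2) -> bool:
    """Content-based test: the port is ignored, only the protocol shape counts."""
    return irc_line_count(payload) >= min_lines


def flag_irc_flows(flows):
    """Return the flows whose payload matches the IRC signature."""
    return [f for f in flows if looks_like_irc(f.payload)]


# Constructed sample flows: a plain IRC session, an IRC session on port 80
# (which a port-based IRC block would miss), an HTTP request and an SMTP session.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "192.0.2.10", 6667, b"NICK zz4f1\r\nUSER zz 0 * :zz\r\nJOIN #chan\r\n"),
    Flow("10.0.0.6", "192.0.2.11", 80, b"PASS letmein\r\nNICK bot77\r\nUSER b 0 * :b\r\n"),
    Flow("10.0.0.7", "192.0.2.12", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Flow("10.0.0.8", "192.0.2.13", 25, b"EHLO mail.example.com\r\nMAIL FROM:<a@example.com>\r\n"),
]

if __name__ == "__main__":
    for f in flag_irc_flows(SAMPLE_FLOWS):
        print(f"IRC-shaped traffic {f.src} -> {f.dst}:{f.dport}")
```

The second sample flow is the case that matters: an IRC server moved to port 80 slips past a rule that only blocks TCP 6667, but the registration lines still give it away. The same logic does nothing for a bot that polls a Web server with ordinary GET requests, which is exactly the gap the article goes on to describe.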

These countermeasures have not gone unnoticed in hacker circles. In a classic game of cat and mouse, miscreants are moving command-and-control channels for their botnets away from IRC and onto the Web. There, the zombies will blend in with regular Web traffic, which can't simply be blocked.

"These bots look like people browsing the Web," Fleischman said. "The brilliance here--and I hate to compliment the botmasters--is that they know that there is a giant haystack of Web traffic, and if they hide their command-and-control there, it is harder to spot."

Instead of connecting to an IRC server, newly compromised PCs connect to one or more Web sites to check in with the hackers and get their commands. These Web sites are typically hosted on hacked servers or computers that have been online for a long time. Attackers upload the instructions for download by their bots.

As a result, protection mechanisms, such as blocking IRC traffic, will fail. This could mean that zombies, which so far have mostly been broadband-connected home computers, will be created using systems on business networks.

"The trend to Web-based command and control is really about protecting the command-and-control center and hiding traffic from network administrators," said Randy Abrams, director of technical education at Eset, a security software company. "Web traffic is ubiquitous. IRC channels are well-known and relatively easily located and shut down."

Nazario agreed. "Part of the motivation is the idea of deeper penetration into juicier networks that allow Web-based traffic relatively unfiltered, but don't allow IRC," he said.

At the same time, zombie fighters lose an important capability to identify and spy on botmasters. Security professionals have been able to track hackers by crafting software tools mimicking a bot, and by signing in to IRC networks used to control botnets. On those same networks, the miscreants often also talk to co-conspirators.

"It is like talking to your friends over instant message," Nazario said.

Additionally, botnet operators can sometimes be identified by their Internet Protocol, or IP, address when they sign on to their own IRC server, he said. In the past year or so, law enforcement agencies have been able to arrest several botmasters.

The morphed threat requires work on the part of security people, Nazario said. "We have to speak a whole different language now," he said. "We have to learn new command instructions and new communication mechanisms that each of these bot families uses."

Security providers have found some ways to detect and fight the new-style zombies. ISPs and businesses could block the individual Web addresses used by the malicious programs. In the near future, blacklists of such addresses will likely be compiled, experts said.

"You certainly can't just block all outbound Web traffic," Nazario said. "But if you have identified a certain Web server and it is not used for something else, you can go and block just that IP address."

Honeypot lures
To track the activity of bot masters, security professionals have to rely more on their honeypots, which are computers set up for the purpose of being infected, Fleischman said. This gives them the malicious code to dissect and identify the control servers, he said.

Also, a honeypot computer might be used as a control server, which means the attacker can be monitored and possibly identified when logging in, Fleischman said. "Botmasters hate the honeypot technique. They have a thousand bots, and they don't know which one is owned by a good guy," he said.

Individual organizations could invest in technology to more closely monitor Web traffic and spot traffic patterns that indicate bot activity. "But a lot of people don't want to look through that haystack," Fleischman said. "There might be more of a financial investment to scan that. The infrastructure cost is going to be higher."
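Looking through the haystack Fleischman describes, and producing the narrow per-address block Nazario describes rather than a blanket Web block, comes down to finding hosts that one client polls at a fixed interval with an unchanging request. The script below is an added example, not code from the article or from Arbor, Simplicita or Eset; the log format, the client addresses, the host `c2.example.invalid` and the thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: timestamp, client, method, URL, status, bytes.
# Client 10.0.0.5 fetches the same small file every five minutes between
# normal browsing; client 10.0.0.7 only browses.
SAMPLE_LOG = """\
2006-10-20T10:00:00 10.0.0.5 GET http://c2.example.invalid/cmd.txt 200 43
2006-10-20T10:00:07 10.0.0.5 GET http://www.example.com/ 200 15230
2006-10-20T10:05:00 10.0.0.5 GET http://c2.example.invalid/cmd.txt 200 43
2006-10-20T10:06:12 10.0.0.5 GET http://www.example.com/news 200 22110
2006-10-20T10:10:01 10.0.0.5 GET http://c2.example.invalid/cmd.txt 200 43
2006-10-20T10:15:00 10.0.0.5 GET http://c2.example.invalid/cmd.txt 200 43
2006-10-20T10:20:00 10.0.0.5 GET http://c2.example.invalid/cmd.txt 200 43
2006-10-20T10:03:40 10.0.0.7 GET http://www.example.com/ 200 15230
2006-10-20T10:11:05 10.0.0.7 GET http://www.example.com/a 200 9000
2006-10-20T10:11:06 10.0.0.7 GET http://www.example.com/b 200 9100
2006-10-20T10:40:00 10.0.0.7 GET http://www.example.com/c 200 800
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")


def parse_log(text):
    """Turn log lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, method, url, status, size = m.groups()
        parts = url.split("/")
        events.append({
            "ts": datetime.fromisoformat(ts), "client": client,
            "host": parts[2], "path": "/" + "/".join(parts[3:]),
            "size": int(size),
        })
    return events


def find_beacons(events, min_hits=4, max_cv=0.1):
    """Flag (client, host, path) series that recur at a near-constant interval
    with an unchanging response size: the shape of a bot polling for orders."""
    series = defaultdict(list)
    for e in events:
        series[(e["client"], e["host"], e["path"])].append(e)
    beacons = []
    for (client, host, path), evs in series.items():
        if len(evs) < min_hits:
            continue
        evs.sort(key=lambda e: e["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg  # coefficient of variation: 0 means perfectly periodic
        if cv <= max_cv and len({e["size"] for e in evs}) == 1:
            beacons.append({"client": client, "host": host, "path": path,
                            "hits": len(evs), "interval_s": round(avg), "cv": round(cv, 3)})
    return beacons


def blocklist(beacons):
    """Hosts to deny at the proxy: individual addresses, not the Web as a whole."""
    return sorted({b["host"] for b in beacons})


if __name__ == "__main__":
    found = find_beacons(parse_log(SAMPLE_LOG))
    for b in found:
        print(f"{b['client']} polls {b['host']}{b['path']} every {b['interval_s']}s ({b['hits']} hits)")
    print("candidate blocklist:", blocklist(found))
```

The flagged host goes on a candidate list rather than straight into the deny rule, for the reason Nazario gives: the control site is often a hacked legitimate server, so an analyst confirms that the address serves nothing else before blocking it. Real bots add jitter to their interval, so the `max_cv` threshold is the knob that trades missed beacons for false alarms.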

Arbor identifies about 600 new botnets each day. Only a small number of botnets today, less than 1 percent, according to Arbor, use Web-based command and control. However, that number is likely to increase, as developers for the underground perfect the technique.

While the zombie fighters have to adjust to the new tactics of their adversaries, the battle has not been lost.

"The first variants of Web bots may have thrown people for a loop," said Adam Meyers, a security expert at consulting firm SRA International. "As new command-and-control mediums emerge, the good guys will adapt their containment and investigatory techniques."

The defense industry is always reacting to the bad guys, Nazario agreed. "They always make the first move and we counteract," he said. "That said, the good guys control the infrastructure, so we ultimately have the last word. If we don't like what they're doing, we can shut them down."