Computer Crime Research Center


Zombie networks fuel cybercrime

Date: November 04, 2004
By: Will Knight

IN JUNE, the websites of Google, Yahoo and Microsoft disappeared for hours when their servers were swamped with hundreds of thousands of simultaneous webpage requests that they couldn't possibly service. It sounds a tough attack to orchestrate, but executing it couldn't have been simpler. A hacker kicked off the assault by typing a simple command into an internet chat room. That command awakened dormant software "bots" that had been planted in tens of thousands of PCs around the world with the help of computer viruses. When the bots read the command in an internet chat room they were monitoring, they began firing a blizzard of page requests at the servers hosting the company sites. Result: the servers effectively got tongue-tied trying to service the requests, and had to go offline until the attack ceased. This modus operandi is fuelling a growing crime wave against e-commerce in which these networks of bots, dubbed botnets, are increasingly being offered for hire by hacking groups. Want to take down a commercial rival's website? Or how about spamming, perhaps sending out letters "phishing" for people's passwords and bank account details? And gambling sites that need a continuous web presence to make money are a favourite target for botnet-based blackmail. The distributed denial of service (DDOS) attack on Yahoo, Microsoft and Google was especially effective because it targeted one of their web-hosting companies, Akamai Technologies in Cambridge, Massachusetts. But Akamai is far from alone in falling prey to botnet sabotage.

For instance, just last week, UK online betting firm Blue Square fell victim to a botnet-based blackmail attempt. And an executive at a satellite TV firm in Massachusetts has been charged with hiring several botnets to disrupt the websites of three rivals, costing one of their web-hosting firms $1 million. The case marks a watershed: "It's the first time we have prosecuted individuals for the mercenary use of botnets," says Frank Harrill of the FBI's cybercrime squad in Los Angeles. "But it won't be the last." While DDOS attacks are nothing new, they used to have a limited impact. A group of hackers would agree on a time to simultaneously contact the target web server manually, but they could rarely conscript enough attacking PCs to overwhelm every channel of a major-league website. But botnets make it a piece of cake to orchestrate distributed attacks from a vast ad hoc network. You could call it disorganised crime. So how does an innocent PC become part of a botnet? First, a computer virus installs a "back door" program that leaves an internet port on a PC open. Both SoBig and MyDoom employed this tactic. The hacker then probes PCs connected to the net to look for open ports and, when they find one, they install a bot on its hard drive. Security experts call these bot-loaded PCs "zombies", since the hacker can wake them from the dead on command. Because bots can be placed on any number of PCs, and chat rooms provide a useful central location from which to control them, there is no technical limit to the size of a botnet, says Viki Navratilova, a systems administrator at the University of Chicago.

And the Internet Relay Chat protocol that chat rooms run is a very convenient means of command and control, says David Dittrich, a systems administrator at the University of Washington in Seattle, because it allows the person who runs the chat room to communicate with all members (or bots) simultaneously. In January, attacking botnets typically comprised around 2000 innocent computers. But by May that had risen to more than 60,000, according to the latest research from e-security firm Symantec Antivirus. Fuelling this is the increase in always-on broadband connections, which makes it much more likely that a large number of zombies will be logged onto a chat room at any one time. The botnet controllers are cashing in. Eavesdropped chat-room exchanges reveal that a DDOS attack appears to cost between $500 and $1500, with smaller botnet attacks priced between $1 and $40 per zombie harnessed. "It's such a reliable way to make money that hackers don't need day jobs," says Navratilova. To detect zombies active in their networks, systems administrators check for telltale "master-slave" traffic.

"If you see 10 of your computers receiving the same data from a computer in Romania, and then rapidly trying to contact a large site, like a government one, you know your computers have become zombies," says Dittrich. Once a zombie is found, the bot inside can be dissected to find the address of the controlling chat room so it can be taken down and the controller traced. But hackers are now covering their tracks by encrypting the chat-room address or by making the bots corrupt their own program code when extracted. "It's kind of like cockroaches. You spray in the kitchen behind the wall but they find other ways to survive. You only get rid of some," says Navratilova.

Add comment  Email to a Friend

Discussion is closed - view comments archieve
2004-12-16 05:25:58 - how about a hand for people who use others... law obiding citizen
2004-11-23 17:24:38 - silly rabbit, tricks are for kids you... researchguy
2004-11-04 14:06:36 - i like the people who do it. were not so bad random person
Total 3 comments
Copyright © 2001-2013 Computer Crime Research Center
CCRC logo