Thursday, July 10, 2008

Zombie Computers

Imagine that the Internet is a city. It would undoubtedly be the most remarkable and diverse city on the planet, but it would also be incredibly seedy and dangerous. You could find the world's most comprehensive libraries there alongside X-rated theaters.
Inside this city, you would also discover that not everyone is who they seem to be -- even yourself. You might find out that you've been misbehaving, although you don't remember it. Like the unwitting agent in "The Manchurian Candidate," you discover you've been doing someone else's bidding, and you have no idea how to stop it.

A zombie computer is very much like the agent in "The Manchurian Candidate." A hacker secretly infiltrates an unsuspecting victim's computer and uses it to conduct illegal activities. The user generally remains unaware that his computer has been taken over -- he can still use it, though it might slow down considerably. As his computer begins to either send out massive amounts of spam or attack Web pages, he becomes the focal point for any investigations involving his computer's suspicious activities.


The user might find that his Internet Service Provider (ISP) has cancelled his service, or even that he's under investigation for criminal activity. Meanwhile, the hacker shrugs off the loss of one of his zombies because he has more. Sometimes, he has a lot more -- one investigation allegedly discovered that a hacker's single computer controlled a network of more than 1.5 million computers [source: TechWeb].


In this article we'll look at how hackers can commandeer your computer, why they do it and the best way to protect yourself from malicious attacks.

A Zombie by Any Other Name
Some people think the term "zombie computer" is misleading. A zombie, after all, seems to have no consciousness and pursues victims on instinct alone. A zombie computer can still behave normally, and every action it takes is a result of a hacker's instructions (though these instructions might be automated). For this reason, these people prefer the term "bot." Bot comes from the word "robot," which in this sense is a device that carries out specific instructions. A collection of networked bots is called a "botnet," and a group of zombie computers is called an "army."


Hacking a Computer
Hackers transform computers into zombies by using small programs that exploit weaknesses in a computer's operating system (OS). You might think that these hackers are cutting-edge Internet criminal masterminds, but in truth, many have little to no programming experience or knowledge. (Sometimes people call these hackers "script kiddies" because they are young and show no proficiency in writing scripts or code.) Investigators who monitor botnets say that the programs these hackers use are primitive and poorly programmed. Despite the ham-handed approach, these programs do what the hackers intended them to do -- convert computers into zombies.


In order to infect a computer, the hacker must first get the installation program to the victim. Hackers can do this through e-mail, peer-to-peer networks or even on a regular Web site. Most of the time, hackers disguise the malicious program with a name and file extension so that the victim thinks he's getting something entirely different. As users become savvier about Internet attacks, hackers find new ways to deliver their programs. Have you ever seen a pop-up ad that included a "No Thanks" button? Hopefully you didn't click on it -- those buttons are often just decoys. Instead of dismissing the annoying pop-up ad, they activate a download of malicious software.


Malware
Programs designed to harm or compromise a computer are called malware (as in malicious software). Malware includes a wide array of nasty batches of code that can wreak havoc to your computer, your network and even the Internet itself. Some common forms of malware that might turn your computer into a zombie include:
· Computer viruses - programs that disable the victim's computer, either by corrupting necessary files or hogging the computer's resources
· Worms - programs that spread from one machine to another, rapidly infecting hundreds of computers in a short time
· Trojan horse - a program that claims to do one thing, but actually either damages the computer or opens a back door to your system
· Rootkits - a collection of programs that permits administrator-level control of a computer; not necessarily malware on its own, hackers use rootkits to control computers and evade detection
· Backdoors - methods of circumventing the normal operating-system procedures, allowing a hacker to access information on another computer
· Key loggers - programs that record keystrokes made by a user, allowing hackers to discover passwords and login codes.


Zombie computer code is usually part of a virus, worm or Trojan horse. Zombie computers often incorporate other kinds of malware as part of their processes.

Once the victim receives the program, he has to activate it. In most cases, the user thinks the program is something else. It might appear to be a picture file, an MPEG or some other recognizable file format. When the user chooses to run the program, nothing seems to happen. For some people, this raises alarm bells and they immediately follow up with a flurry of virus and spyware scanner activity. Unfortunately, some users simply think they received a bad file and leave it at that.
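The disguise described above, a file named like a picture or video that is really a program, can be caught by comparing what the file name claims with the file's first bytes. The following Python is an added example for this repost, not code from the HowStuffWorks article; its signature table, the sample file names and the sample byte strings are all constructed for illustration, and a real scanner would use a full signature database such as libmagic.

```python
import os

# Constructed, deliberately small signature table for this example. A real
# scanner would use libmagic or an equivalent database.
EXPECTED_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".mpg": (b"\x00\x00\x01\xba", b"\x00\x00\x01\xb3"),
    ".mpeg": (b"\x00\x00\x01\xba", b"\x00\x00\x01\xb3"),
    ".pdf": (b"%PDF-",),
}

# Executable containers that should never sit behind a media or document extension.
EXECUTABLE_MAGIC = {
    b"MZ": "Windows executable (PE)",
    b"\x7fELF": "ELF executable",
}

# Extensions Windows runs directly when the file is double-clicked.
RUNNABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}


def inspect_attachment(filename, head):
    """Compare a file name with the first bytes of its content.

    Returns a list of human-readable findings; an empty list means the
    name and the content agree."""
    findings = []
    lower = filename.lower()
    parts = lower.split(".")

    # "photo.jpg.exe": the part the user notices says picture, the real
    # (last) extension is runnable.
    if len(parts) >= 3:
        real_ext, shown_ext = "." + parts[-1], "." + parts[-2]
        if real_ext in RUNNABLE_EXTENSIONS and shown_ext in EXPECTED_MAGIC:
            findings.append(f"double extension: shown as {shown_ext}, actually {real_ext}")

    ext = os.path.splitext(lower)[1]
    if ext in EXPECTED_MAGIC:
        # Content says "executable" while the name says picture, video or document.
        for magic, description in EXECUTABLE_MAGIC.items():
            if head.startswith(magic):
                findings.append(f"{description} disguised as {ext}")
                break
        else:
            # Not an executable, but still not what the extension promises.
            if not any(head.startswith(m) for m in EXPECTED_MAGIC[ext]):
                findings.append(f"content does not match {ext} signature")

    return findings


# Constructed sample inputs: only the first bytes of each "file" matter here.
SAMPLES = [
    ("vacation.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("vacation.jpg.exe", b"MZ\x90\x00\x03\x00"),
    ("movie.mpg", b"MZ\x90\x00\x03\x00"),
    ("report.pdf", b"hello world"),
]

if __name__ == "__main__":
    for name, head in SAMPLES:
        print(name, "->", inspect_attachment(name, head) or "ok")
```

The double-extension check matters because Windows hides known extensions by default, so "vacation.jpg.exe" is shown to the user as "vacation.jpg"; the magic-byte check catches the case where the name is honest-looking but the content is a program.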


Meanwhile, the activated program attaches itself to an element of the user's operating system so that every time the user turns on his computer, the program becomes active. Hackers don't always use the same segment of an operating system's initializing sequence, which makes detection tricky for the average user.


The program either contains specific instructions to carry out a task at a particular time, or it allows the hacker to directly control the user's Internet activity. Many of these programs work over an Internet Relay Chat (IRC), and in fact there are botnet communities on IRC networks where fellow hackers can help one another out -- or attempt to steal another hacker's botnet.
Once a user's computer is compromised, the hacker pretty much has free rein to do whatever he likes. Most hackers try to stay below the radar of users' awareness. If a hacker alerts a user to his presence, the hacker risks losing a bot. For some hackers, this isn't much of a problem since some networks number in the hundreds of thousands of zombies.

Spam Distribution
Spam continues to be a huge problem. It's a frustrating experience to open your e-mail and sort through dozens of examples of junk mail. Where does all that spam come from? According to FBI estimates, a large percentage of it comes from networked zombie computers.


Hackers sometimes turn unsuspecting victims' computers into zombie computers to spread e-mail across the world. E-mail recipients usually can't trace the e-mail back to the hacker.


If spam came from one centralized source, it would be relatively easy to track it down and either demand the corresponding ISP shut down that computer's access to the Internet or charge the user for sending out illegal spam. To get around these pitfalls, hackers rely on zombie computers. The zombie computer becomes a proxy, meaning the hacker is one step removed from the origin of spam e-mails. A hacker with a large botnet can send millions of spam messages every day.


Hackers might set up a spam botnet to deliver a computer virus or Trojan program to as many computers as possible. They also can use spam to send phishing messages, which are attempts to trick users into sharing personal information (we'll talk more about phishing later).


When sending out ads in spam mail, the hacker either sets up the botnet specifically for a client or he rents it out on an hourly basis. Clients who wish to advertise their products (and who don't care how intrusive or illegal their advertisements might be) pay the hackers to send out e-mail to thousands of people.


The majority of e-mail recipients usually can't figure out where the spam is coming from. They might block one source only to receive the same spam from a different zombie in the botnet. If the e-mail includes a message that says something like "Click here to be removed from this e-mail list," they might fall prey to exposing their computer to even more spam. Users savvy enough to track the e-mail back may not notice that the sender's computer is part of a larger network of compromised machines. For someone who knows what he's doing, it's sometimes possible to figure out whether a sender is a single user sending out spam or whether a hacker is controlling the computer remotely. It is, however, time consuming.


A zombie-computer owner might realize a hacker is controlling his machine remotely if spam recipients write to complain about the junk mail or if his own e-mail outbox is full of messages he didn't write. Otherwise, the owner is likely to remain blissfully unaware that he's part of a ring of spammers. Some users don't seem to care if their machines are being used to spread spam mail, as if it were someone else's problem, and many more don't take the necessary precautions to avoid becoming part of a botnet.
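The owner may never look in his outbox, but the behaviour described in this section is visible on the network: a normal home PC hands all of its mail to one relay, while a spam zombie talks SMTP (port 25) directly to many different recipient mail servers. The Python below is an added example for this repost, not code from the HowStuffWorks article, showing how an ISP or a home-router operator could spot that pattern; the log format, the addresses and the thresholds are constructed assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed firewall connection-log lines (not real traffic). 192.168.1.10
# behaves like a normal desktop that hands all mail to one relay;
# 192.168.1.23 speaks SMTP directly to many different mail servers, which is
# what a spam zombie does; 192.168.1.42 is just browsing.
SAMPLE_LOG = """\
2008-07-10T14:00:01 src=192.168.1.10 dst=198.51.100.25 dport=25 proto=tcp
2008-07-10T14:00:05 src=192.168.1.23 dst=203.0.113.5 dport=25 proto=tcp
2008-07-10T14:00:06 src=192.168.1.23 dst=203.0.113.17 dport=25 proto=tcp
2008-07-10T14:00:06 src=192.168.1.42 dst=203.0.113.80 dport=80 proto=tcp
2008-07-10T14:00:08 src=192.168.1.23 dst=203.0.113.29 dport=25 proto=tcp
2008-07-10T14:00:09 src=192.168.1.10 dst=198.51.100.25 dport=25 proto=tcp
2008-07-10T14:00:11 src=192.168.1.23 dst=203.0.113.41 dport=25 proto=tcp
2008-07-10T14:00:12 src=192.168.1.42 dst=203.0.113.81 dport=80 proto=tcp
2008-07-10T14:00:14 src=192.168.1.23 dst=203.0.113.53 dport=25 proto=tcp
2008-07-10T14:00:15 src=192.168.1.23 dst=203.0.113.65 dport=25 proto=tcp
this line is garbage and must be skipped
2008-07-10T14:00:19 src=192.168.1.10 dst=198.51.100.25 dport=25 proto=tcp
2008-07-10T14:00:20 src=192.168.1.23 dst=203.0.113.77 dport=25 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_log(text):
    """Turn log text into (timestamp, src, dst, dport) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])))
    return events


def find_spam_zombies(events, window_seconds=60, min_distinct_servers=5, allowed_relays=()):
    """Map each suspicious source to the largest number of distinct port-25
    destinations it contacted inside any span of window_seconds. Connections
    to allowed_relays (for example the ISP's own mail relay) are ignored."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in events:
        if dport == 25 and dst not in allowed_relays:
            by_src[src].append((ts, dst))

    suspects = {}
    for src, conns in by_src.items():
        conns.sort()
        start = 0
        best = 0
        # Sliding window over the time-ordered connections of this source.
        for end in range(len(conns)):
            while (conns[end][0] - conns[start][0]).total_seconds() > window_seconds:
                start += 1
            best = max(best, len({dst for _, dst in conns[start:end + 1]}))
        if best >= min_distinct_servers:
            suspects[src] = best
    return suspects


if __name__ == "__main__":
    for src, count in find_spam_zombies(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: contacted {count} different mail servers inside one window")
```

The thresholds are the tunable part: a mail server legitimately contacts many peers, so in practice the rule is applied to customer address ranges that are not expected to run their own mail servers, and the relay the ISP provides is whitelisted through `allowed_relays`.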

Distributed Denial of Service Attacks
Sometimes a hacker uses a network of zombie computers to sabotage a specific Web site or server. The idea is pretty simple -- a hacker tells all the computers on his botnet to contact a specific server or Web site repeatedly. The sudden increase in traffic can cause the site to load very slowly for legitimate users. Sometimes the traffic is enough to shut the site down completely. We call this kind of an attack a Distributed Denial of Service (DDoS) attack.
Some particularly tricky botnets use uncorrupted computers as part of the attack. Here's how it works: the hacker sends the command to initiate the attack to his zombie army. Each computer within the army sends an electronic connection request to an innocent computer called a reflector. When the reflector receives the request, it looks like it originates not from the zombies, but from the ultimate victim of the attack. The reflectors send information to the victim system, and eventually the system's performance suffers or it shuts down completely as it is inundated with multiple unsolicited responses from several computers at once.


From the perspective of the victim, it looks like the reflectors attacked the system. From the perspective of the reflectors, it seems like the victimized system requested the packets. The zombie computers remain hidden, and even more out of sight is the hacker himself.


The list of DDoS attack victims includes some pretty major names. Microsoft suffered an attack from a DDoS called MyDoom. Hackers have targeted other major Internet players like Amazon, CNN, Yahoo and eBay. The DDoS names range from mildly amusing to disturbing:
· Ping of Death - bots create huge electronic packets and send them on to victims
· Mailbomb - bots send a massive amount of e-mail, crashing e-mail servers
· Smurf Attack - bots send Internet Control Message Protocol (ICMP) messages to reflectors (see the reflector attack described above)
· Teardrop - bots send pieces of an illegitimate packet; the victim system tries to recombine the pieces into a packet and crashes as a result.


Once an army begins a DDoS attack against a victim system, there are few things the system administrator can do to prevent catastrophe. He could choose to limit the amount of traffic allowed on his server, but this restricts legitimate Internet connections and zombies alike. If the administrator can determine the origin of the attacks, he can filter the traffic. Unfortunately, since many zombie computers disguise (or spoof) their addresses, this isn't always easy to do.

Script Kiddies
On May 4th, 2001, a 13-year-old hacker used a denial of service attack to bring down GRC.com, the Web site for Gibson Research Corporation. Ironically, GRC.com focuses on Internet security. In 2006, police in Hanoi, Vietnam arrested a high school sophomore for orchestrating a DDoS attack on a Web site for the Nhan Hoa Software Company. He said the reason he did it was because he didn't like the Web site.

Click Fraud
Some hackers aren't interested in using zombie computers to send spam or cripple a particular target. Many take control of computers as a method of phishing, which is where a hacker tries to uncover secret information, particularly identification information. Hackers might steal your credit card information or search through your files for other sources of profit. The hacker might use a key logging program to track everything you type, then use it to discover your passwords and other confidential information.


Sometimes hackers will use zombie computers in ways that don't directly harm the victim of the initial attack or even the ultimate target, though the end goal is still pretty sneaky and unethical.
You've probably seen or even participated in several Internet-based polls. Perhaps you've even seen one where the results seemed unusual or counter-intuitive, particularly when it comes to a contest. While it's entirely possible the poll wasn't ever attacked, hackers have been known to use zombie computers to commit click fraud. Click fraud refers to the practice of setting up a botnet to repeatedly click on a particular link. Sometimes, hackers will commit click fraud by targeting advertisers on their own Web sites. Since Web advertisers usually pay sites a certain amount of money for the number of clicks an ad gets, the hacker could stand to earn quite a few dollars from fraudulent site visits.


Zombie computers and the hackers responsible for them are pretty scary. You could end up being the victim of identity theft or unknowingly participate in an attack on an important Web site. It's important to learn how to protect yourself from hackers as well as what you should do if you find out your computer has been compromised.

Hacker Prevention
You don't want your computer to become a zombie, so what do you do to prevent it? The most important thing to remember is that prevention is an ongoing process -- you can't just set everything up and expect to be protected forever. Also, it's important to remember that unless you employ common sense and prudent Internet habits, you're courting disaster.


Spam Statistics
Here are some sobering spam statistics from the 2007 Symantec Internet Security Threat Report:
· Between July 1 and Dec. 31, 2006, 59 percent of all monitored e-mail traffic was spam.
· Spam written in English makes up 65 percent of all spam.
· The United States is the origin of 44 percent of all the world's spam.
· Ten percent of all e-mail zombies are in the United States, making the U.S. the zombie computer capital of the world.
· One out of every 147 blocked spam e-mails contained some kind of malicious code.

Antivirus software is an absolute necessity. Whether you purchase a commercial package like McAfee VirusScan or download a free program like AVG Anti-Virus Free Edition, you need to activate it and make sure your version remains current. Some experts say that to be truly effective, an antivirus package would need to update on an hourly basis. That's not practical, but it does help stress the importance of making sure your software is as up to date as possible. For more information, read our article on How Computer Viruses Work.


Install spyware scanners to search for malicious spyware. Spyware includes programs that monitor your Internet habits. Some go even further, logging your keystrokes and recording everything you do on your computer. Get a good anti-spyware program like Ad-Aware from Lavasoft. Like the antivirus software, make sure the program stays up to date. To learn more, read our article on How Spyware Works.


Install a firewall to protect your home network. Firewalls can be part of a software package or even incorporated into some hardware like routers or modems. To learn more about firewalls, be sure to read our article on How Firewalls Work.


You should also make sure that your passwords are difficult or impossible to guess, and you shouldn't use the same password for multiple applications. This makes remembering all those passwords a pain, but it gives you an added layer of protection.


If your computer has already been infected and turned into a zombie computer, there are only a few options open to you. If you have access to tech support who can work on your computer for you, that would be the best option. If not, you can try to run a virus removal program to kill the connection between your computer and the hacker. Unfortunately, sometimes the only option you have is to erase everything on your computer, reload its operating system and start from scratch. You should make backup disks of your hard drive on a regular basis just in case. Remember to scan those files with an antivirus program to make sure none of them are corrupted.


Your computer is a great resource. Sadly, hackers think the same thing -- they want to make your computer their own resource. If you practice careful Internet habits and follow the tips we've described on this page, the chances of your computer remaining secure are very good.


Taken from
http://www.computer.howstuffworks.com/zombie-computer.htm
