Proactive IT Security
 

Zombies and targeted attacks – a challenge to overcome?

12 May 2006

One of the most prevalent and fastest increasing threats against IT security is the rise of zombie computers and botnets. Not only do they spread extremely fast, they are also able to do immense damage that can easily lead to large costs.

Today there is big money in delivering insidious programs that hide and wait silently for instructions from distant masters. Computers that are infected by such hidden programs are often called zombies. Programs that wait for commands are called bots (short for robots), and a collection of such bots is a botnet.

The propagation of zombies and botnets has accelerated tremendously over the past year and months. At the same time, the bot creators’ targets and attack methods have changed. While earlier botnets were used mainly to perform Distributed Denial of Service (DDoS) attacks, today’s botnets are smaller and more targeted. They are used to perform a variety of attacks and scams, such as spamming, sniffing, keylogging and many more.

Gartner estimates that bots generate more than 70 % of all spam, and that through 2007, half of the Internet-active firms that do not implement prevention technologies will suffer service or financial losses due to botnet attacks. According to recent research there are thousands of botnets and millions of zombie computers around the world. Botnets can contain tens of thousands of compromised machines. A botnet with only 1000 bots can cause a great deal of damage due to its combined power.

One of the reasons botnets are so dangerous is that users can be harmed by an attack even if they are not infected themselves.

Here are some documented uses of botnets:

  • Distributed Denial of Service attacks:
    Botnets flood a company’s servers with thousands of requests until the servers are unable to respond. Higher-level protocols can be used for specific attacks, such as running search queries in bulletin boards or recursive HTTP floods.

  • Spamming:
    Attackers are able to send bulk unsolicited commercial email (spam). Some bots also harvest email addresses as targets for sending phishing emails.

  • Sniffing Traffic:
    Sniffers are used mostly to seek sensitive information like usernames and passwords. If a machine is compromised by bots from several botnets, a sniffer can capture the credentials the other bots use to reach their command channels, allowing a hostile takeover of those botnets.

  • Keylogging:
    Most bots contain keyloggers and filtering mechanisms (e.g. "I am interested only in key sequences close to the keyword paypal.com") to steal passwords and other secret information that may otherwise be protected by a virtual private network or encrypted connections.

  • Spreading new malware:
    Most bots implement mechanisms to download and execute files via HTTP or FTP.

  • Click fraud:
    Using Google’s AdSense, companies can display targeted advertisements on their websites and earn money for each visitor that clicks on the advert. Botnets can automatically and repeatedly click on such advertisements, fraudulently increasing the click count.

  • Attacking IRC networks:
    IRC networks are flooded by service requests or thousands of channel-joins from the botnet. The victim’s IRC network is brought down (see also DDoS attacks above).

  • Identity theft:
    Phishing emails are generated and sent by bots via their spamming mechanism. The bots may host fake websites that pretend to be eBay, PayPal, or a bank, and sensitive data may be harvested. Keylogging and traffic sniffing can also be used for identity theft (see above).