Zombies aren’t just for horror flicks. There are hundreds of thousands of zombies on the Internet today, coupled into “botnets” that are harnessed by their malevolent overlords to wreak havoc.
The havoc typically involves Distributed Denial of Service (DDoS) type attacks but can also be used to scan other computers and steal personal information.
Killing the zombies, raising them from the ranks of the undead and smashing the botnets is not an easy task, but it is being done, thanks to the work of diligent security researchers.
Lexington, Mass.-based Arbor Networks is among those driving the proverbial silver bullet into the heart of the botnets. The company recently helped smash a botnet operating against sites based in the Netherlands.
Jose Nazario, software and security engineer at Arbor Networks, said that in late February, Arbor received a report of a particular botnet among a set of botnets reports for the previous night. Arbor Networks had been actively monitoring botnet activity for several months at that point.
“We do this to identify the attack sources, to work with others to shut them down, and to attempt to improve the general state of Internet security,” Nazario told internetnews.com.
Arbor Networks began tracking the botnet by gaining entry to the IRC network it was using and logging activity.
At the time when Arbor had found it, the authors were busy telling the machines that had connected to download another piece of software and then to leave the IRC bot network. The machines, it turned out, were being “herded” to a new network.
“We suspect that the botnet operators knew that their original network had been discovered and were busy setting up a new one,” Nazario said. “Such ‘herding’ tactics are not uncommon in the botnet world; operators will migrate the bots around to new servers, new channels, all in an effort to maintain their network and to avoid detection.”
The new botnet was “decoded” on March 1, 2006, and was linked to a number of DDoS attacks against broadband sites hosted in the Netherlands. Arbor Networks contacted the Dutch Computer Emergency Response Team (CERT) on March 2 with the intelligence it gathered and disabled the botnet.
Nazario noted that disabling the botnet was relatively easy.
Arbor Networks had substantial logs of the activities and used them to articulate a case to Dutch CERT officials who in turn, shared it with a security-conscious ISP in the Netherlands. The ISP immediately shut down the network and worked with the users who were infected to clean up their systems that had joined the botnet.
“In short, with such cooperative and knowledgeable people working with us, we found it was very easy to shut down this particular botnet,” Nazario said.
FaceTime Security Labs is also hunting botnets and recently discovered a pair with nearly 150,000 attached hosts in its army of the undead.
“We had a tip-off from an individual known as RinCe,” Chris Boyd, security research manager at FaceTime, told internetnews.com. “With his assistance, we were able to map the activities of these groups in great detail. From there, it was a case of analyzing all the files, making the right connections, finding compromised servers and gathering more data.”
One of the botnets that FaceTime identified is allegedly being used to scan systems for personal financial information. Instant messaging (IM) is one of the attack vectors that the FaceTime-identified botnet is taking advantage of. The botnet recruited new zombies by way of an infected file transferred via IM.