Kaspersky: Target zombie servers too

Russian antivirus tsar, Eugene Kaspersky, says Australian ISPs should not only cut off malware-infected personal computers but also infected web servers run by businesses.
Written by Liam Tung, Contributing Writer on

Russian antivirus tsar Eugene Kaspersky says Australian ISPs should not only cut off malware-infected personal computers but also infected web servers run by businesses.

Eugene Kaspersky

Eugene Kaspersky
(Credit: Kaspersky Lab)

"In many countries ISPs cut off computers that are infected," Kaspersky told ZDNet.com.au. "In Russia I know that they do it. It's better to isolate them."

Australia's plan to introduce such a scheme under a new e-security code of conduct has been held up as privacy issues raised by the Privacy Commissioner are nutted out. While an existing scheme run by the Australian Communications and Media Authority (ACMA) exists, it is only voluntary. The proposed scheme would also be voluntary; however, a process for disconnecting machines would be written into the code.

Kaspersky said the scheme should include infected web servers, since these have also become a tool for botnet operators to expand zombie fleets. "If a device behaves in the wrong way, whether it's a PC or a web server, it should be cut off. Yes, of course," he said.

The antivirus company's chief malware analyst, Vitaly Kamluk, pointed out that web servers have already been used to automate the process of harvesting PCs. The Gumblar trojan, which caught the attention of security companies last May after being first noticed in March, relied on 70,000 compromised web servers to harvest PCs.

"[The web servers] were split into groups. Some redirected users to infected web pages. Also, those infected hosts were legitimate hosts that were infected. Others were just used to check whether a server had been cleaned, and then reinfected them," Kamluk told ZDNet.com.au. "It was the first time we've seen anything go from five servers to 70,000 servers within a few months.

"This is automation of the old way of doing things. Before, the bad guys did this manually and previously used standard Windows tools to go through each account and check whether log-ins and passwords are valid. Now they're trying to automate this process, independent of humans."

Kamluk said the technique had been copied by the creators of a trojan with the prefix "GNU GPL". The trojan has no relation to the actual open source project it appears to be named after.

Kamluk described the scheme under consideration by Australia as a "walled garden" approach, whereby it's possible to isolate an infected machine. "It can be very effective for big infections such as Conficker where you're dealing with millions of machines," he said.

The Conficker botnet had grown to such an extent in the early stages of 2009 that it became the target of a coordinated effort by at least 50 organisations last year to halt its growth. The working group's participants included Microsoft, the Internet Corporation for Assigned Names and Numbers and Kaspersky, amongst others.

Conficker's network of infected machines still exists, said Kamluk; however, it currently lacks a command centre. Its command centre at the height of its activity had been dynamically generated, selected from a list of 150 or so URLs that were tested for connectivity. If a particular URL was successful, it was registered and used as the command centre, and later dropped if it became unsuitable.

Not all malware-infected computers need to be cut off, according to Kamluk. "Only those which pose a risk to other machines on the internet should be disconnected, or where there is a channel which connects the infected host to the command centre, which allows it to send spam or a DDoS," he said. "If it is a malware which is active in the network sense, then it should be disconnected. If it is just ad-ware which shows pop-ups or a blocker, or scareware, perhaps it's not that high a risk to [warrant] disconnecting the machine."

But while Australia ponders the privacy implications of such a scheme, Kaspersky himself, as he has previously argued, said countries should go a step further and adopt passport-like schemes for access to the internet. Partial implementation of such a scheme have been implemented in the Netherlands, said Kaspersky, where ISPs are required to store basic information about the connection to support police enquiries.

Other examples include in some Eastern European countries, where banks have required customers use digital cards in order to access online banking services. "Some banks have started to distribute digital cards to get access to your bank account," he said. "You have to get the reader, insert the card into the reader, and then insert a code and then you get secure access to the bank."

He said where this has been implemented banking malware is not a problem.

Liam Tung attended Kaspersky's media conference as a guest of the company.

Editorial standards