Zombie Generation: The spreading infection

Standard online safety precautions aren't saving society from increasingly sophisticated networks of infected computers, known as zombies, under the control of criminal hackers, a fact which is forcing internet bodies to take stronger action.
Written by Stilgherrian, Contributor



Zombie computers are becoming a plague
(A bloody keyboard image by Rainer Ebert, CC2.0 )

"If you had to identify the biggest single issue confronting the security and safety and the confidence of the internet these days, particularly in the commercial space, you could only point to zombie botnets as the major concern," Peter Coroneos, chief executive of the Internet Industry Association (IIA), told ZDNet.com.au.

"It's real, and people are worried and should be worried about this," he said.

The Storm botnet, first detected in 2007, peaked at somewhere between 160,000 and 1 million computers. In March 2008 it was believed to be responsible for more than 20 per cent of spam email globally. Botnets such as Srizbi and Kraken have comprised almost half a million computers. Srizbi was estimated to be able to send 60 billion spam emails a day.

But nothing matches Conficker.

First detected in November 2008, Conficker is by far the largest botnet ever seen. During 2009, the Conficker worm was infecting 18 million new computers per month, some 30 per cent of total global infections. At any one time, the botnet comprised between 7 and 10 million machines.

Conficker uses an unusually large number of advanced malware techniques combined with social engineering tricks to infect its hosts. So even though Microsoft issued a patch in October 2008 to fix the key vulnerability Conficker exploits, the worm continues to spread.

"The alarming thing about the whole zombie botnet phenomenon, and more generally just the modus operandi of the malware perpetrators, is that they're becoming so sophisticated in what they're doing," Coroneos said.

"They are themselves investing tens of millions of dollars in research and development in ways to defeat the traditional tools and antivirus and anti-spam and anti-spyware software."

"That's very scary," he said, because the usual online safety messages about behaviour change won't work in the face of these attacks.

Traditional methods failing

Users are told to keep antivirus software up-to-date. But that won't protect them when, as Verizon Business forensics chief Mark Goudie told ZDNet.com.au, 70 per cent of the malware they discover on compromised corporate systems can't be detected by antivirus software.

They're told to visit only "trustworthy" websites. But that won't protect them when, as AusCERT general manager Graham Ingram told Crikey last August, "One of the top 20 traffic sites in this country was infected with malware over about a six-week period." Or when, as happened in 2007, the Sydney Opera House website was serving out malware.

They're told to check for the padlock icon in the web browser, to confirm that SSL encryption is connecting them securely to the right website. But that won't protect them when one particularly clever piece of malware can inject extra HTML code into specific internet banking web pages, adding extra data entry fields to the bank's online forms. That additional data is transmitted straight back to the criminals, yet the browser's padlock icon still shows everything to be safe: the padlock only vouches for the encrypted connection, not for what is running on the user's own computer.

They're told not to run unknown software. But that won't protect them when, as in the case of Conficker, the worm wears a clever disguise.

"In the Windows options menu that appears when inserting a USB device, [Conficker] has disguised the option to run the program (activating the malware) as the option to open the folder to see the files," wrote antivirus vendor PandaLabs. Users simply want to see the contents of a memory stick, but they're actually running the worm and infecting their computers.

A problem that could get worse

Today's youth are even less in the know about online security, and the new laptops being distributed to high school students as part of the Federal Government's Digital Education Revolution might create their own problems.

According to "Greyhat Yin" (not his real name), who recently completed Year 12 at a Sydney private school but who is also employed by his former school as a network administrator, current online safety messages in schools are "very broad".

"It's sort of, just, you know, try not to click on things, but then again people are still going to click on things or download things," he told ZDNet.com.au, comparing the practical value of the information to the Cold War-era Duck and Cover training film.

"There are people out there who are careful and that do the right thing, but yeah, there's people who just click on anything, they see something cute they install it."

"Yin" warns that school networks need defence in depth, not just a wall around the perimeter. A laptop infected at home could well infect a school network, especially if the network is only designed to protect against external threats.

"If a machine is infected from outside on an unsecured network, say in a café or in their own home, if it's a worm or a virus, definitely once inside the school's network, yes, it can spread and possibly cause some problems."

Even if computers are locked down, curious teenagers will look for ways around the restrictions.

Nathan Lee, a 15-year-old from Allawah in Sydney's southern suburbs, found an easy way to upgrade his permissions on the government-supplied Lenovo netbook, install new software and access the school's file server.

"All I needed to do was right-click on a program and run as administrator," Lee told ZDNet.com.au.

"I could like play games and all that, though it was pretty much worthless on the netbook, and I could possibly run programs that could exploit issues with Windows 7 and so on and gain access to the network and so on and utterly destroy their security," he said. "However I have no such program."

Few students would have Lee's technical knowledge, but knowledge is shared. "Students probably would know how to gain access to someone who could get around it ... There's internet at home, forums, Facebook, Twitter and so on," Lee said.

So what to do about it?

Given these concerns, ISPs are now being asked to formalise existing voluntary arrangements for identifying and removing users' zombie computers from their networks.

Three years ago, the Australian Communications and Media Authority (ACMA) instituted the Australian Internet Security Initiative (AISI). As part of this initiative ACMA offered to provide some of the largest ISPs with technical intelligence identifying the IP addresses of suspected zombies on their networks, and asked whether they'd notify their customers to get the problem fixed.
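The matching step behind that arrangement is worth seeing in code: the ISP receives sightings of suspected zombie IP addresses with timestamps, maps each sighting to whichever customer held that address at that moment (dynamic addresses change hands, so the timestamp matters), and rolls the results up into one notice per customer. The following is an added illustration, not ACMA's or any ISP's code; the report format, the lease table and the indicator names are constructed for the example, since the page does not describe the real AISI feed.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address


@dataclass(frozen=True)
class Lease:
    """A constructed DHCP-style record: which account held an IP, and when."""
    account: str
    ip: str
    start: datetime
    end: datetime


# Constructed sample lease table. Note that 203.0.113.10 changes hands at noon.
SAMPLE_LEASES = [
    Lease("acct-1001", "203.0.113.10",
          datetime.fromisoformat("2010-02-01T00:00:00+00:00"),
          datetime.fromisoformat("2010-02-01T12:00:00+00:00")),
    Lease("acct-1002", "203.0.113.10",
          datetime.fromisoformat("2010-02-01T12:00:00+00:00"),
          datetime.fromisoformat("2010-02-02T00:00:00+00:00")),
    Lease("acct-1003", "203.0.113.25",
          datetime.fromisoformat("2010-01-31T00:00:00+00:00"),
          datetime.fromisoformat("2010-02-03T00:00:00+00:00")),
]

# Constructed sample report: "ISO-8601 timestamp,ip,indicator" per line.
# The indicator names are hypothetical labels, not a real feed's vocabulary.
SAMPLE_REPORT = """
# timestamp,ip,indicator
2010-02-01T03:15:00+00:00,203.0.113.10,sinkhole-contact
2010-02-01T14:40:00+00:00,203.0.113.10,spam-relay
2010-02-01T14:41:00+00:00,203.0.113.10,sinkhole-contact
2010-02-01T09:00:00+00:00,203.0.113.77,spam-relay
"""


def parse_report(text):
    """Parse the constructed report format into (timestamp, ip, indicator) tuples.

    Blank lines and '#' comments are skipped; a malformed IP raises ValueError
    rather than silently producing a sighting that can never match a lease.
    """
    sightings = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ts, ip, indicator = [field.strip() for field in line.split(",", 2)]
        ip_address(ip)  # validation only; raises on garbage input
        sightings.append((datetime.fromisoformat(ts), ip, indicator))
    return sightings


def account_for(leases, ip, when):
    """Return the account that held `ip` at time `when`, or None if unknown."""
    for lease in leases:
        if lease.ip == ip and lease.start <= when < lease.end:
            return lease.account
    return None


def build_notifications(report_text, leases):
    """Roll sightings up into one notice per customer account.

    Returns (notices, unmatched): notices maps account -> set of indicators,
    unmatched lists sightings whose IP had no lease at that time (these need
    a human to look at them rather than an automatic customer notice).
    """
    notices = {}
    unmatched = []
    for when, ip, indicator in parse_report(report_text):
        account = account_for(leases, ip, when)
        if account is None:
            unmatched.append((when, ip, indicator))
            continue
        notices.setdefault(account, set()).add(indicator)
    return notices, unmatched


if __name__ == "__main__":
    notices, unmatched = build_notifications(SAMPLE_REPORT, SAMPLE_LEASES)
    for account, indicators in sorted(notices.items()):
        print(f"notify {account}: {', '.join(sorted(indicators))}")
    for when, ip, indicator in unmatched:
        print(f"unmatched: {ip} at {when.isoformat()} ({indicator})")
```

The timestamp check is the part that matters in practice: with the constructed data, two sightings of the same address on the same day land on two different customers, and the second customer is notified once even though the address was reported twice. Sightings that match no lease are kept aside rather than dropped, since a missing lease record is itself something the ISP should investigate.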

"The response was initially a little bit cautious, but I've got to say it didn't take long before a couple of ISPs threw their hat in the ring on this," Coroneos said.

Three years later some 68 ISPs, representing more than 90 per cent of the Australian internet market, are signed up to the scheme and have been acting on ACMA's intelligence.

"The ISPs have quite surprisingly jumped on this ... because there is a high degree of self-interest from an ISP standpoint," said Coroneos.

"It is in no one's interest to have zombie computers sitting on networks consuming large amounts of bandwidth, firing off potentially tens or even hundreds of thousands of spam emails as part of the botnet program."

ISPs that are identified as spam sources, or that are seen as being "soft on spam", can end up being blacklisted by anti-spam filter providers. It can take weeks to be removed from a blacklist, during which time the ISP's customers can't send email to other parts of the internet.

"The indications were that customers are generally grateful to be advised that their computer has been compromised. No one likes to think that they've got a ticking time bomb, as it were, sitting in their office or their lounge room," Coroneos said.

Early in 2009, the government approached the IIA to turn this informal scheme into formal coverage of all Australian internet users. Following an ISP roundtable in May, the IIA released a draft e-security code for public comment. The code aims, amongst other things, to create a culture of e-security within ISPs and to develop consistent procedures and messaging for notifying customers of suspected zombie computers.

Coroneos stresses that disconnecting a customer from the internet would be a last resort.

"We will not mandate specific steps in all cases. We're leaving the ultimate decision up to ISPs, and in fact the code itself will remain a voluntary code," he said. "The idea of termination, it's not termination at all. It's really just a temporary quarantining of the machine until such time as the problem can be resolved and then we can get them back online."


Peter Coroneos, chief executive, IIA
(Credit: IIA)

The IIA will develop a central resource to which customers can be directed for information on disinfecting their computers. Some ISPs may also offer additional support, and at least one company has started offering a home-visit zombie remediation service.

Privacy issues

But could an ISP monitoring a customer's internet traffic be a breach of privacy or even construed as an illegal telecommunications intercept?

"It is a grey area, I'll be frank. I think it's something we're seeking to get a bit of resolution with," said Coroneos.

"We're actually looking to the iiNet case, ironically, as possibly a source of guidance here. The judge is presumably going to adjudicate on that question as part of the broader question of what the appropriate role of ISPs is."

iiNet has been taken to court by a representative of film studios and television shows for allowing its users to download and upload copyrighted works using the ISP's network. The film studios want the ISP to threaten infringing customers with disconnection from the internet. Whether ISPs should be held responsible for user activity is being decided in the case.

Justice Dennis Cowdroy will be handing down his findings in the so-called "iiTrial" this Thursday 4 February, and the IIA hopes to finalise its e-security code by the end of March.
