
Zombies

From NetSec

A zombie computer, often simply called a zombie, is an Internet-connected computer that has been compromised by a hacker, worm, trojan, or some other form of malware. A zombie is typically only one of many infected computers in a zombie "horde," also known as a botnet. These infected computers execute commands issued remotely from a botnet command & control (C&C) server to perform malicious tasks. Most of the time, the users of zombie computers are unaware that their systems are compromised and may be taking part in illegal activity, hence the metaphor of a brain-dead zombie.

Exploitation

Computers are compromised by bot herders through various methods, such as drive-by browser exploits or tricking the user into running a malicious program. However, as with anything in the hacker world, there is no general rule for how a machine becomes infected. Botnets are typically controlled via IRC, though they have also been controlled via instant messaging and web applications. The most common place to encounter these infected programs is the "warez" scene.

Types of Attacks

There are many ways a malicious hacker can profit from a botnet. Botnets are commonly used to send spam e-mail, commit pay-per-click fraud, and launch distributed denial-of-service (DDoS) attacks. Other uses include:

  • Advertising adware by replacing the regular advertisements on websites with malicious ones
  • Advertising scareware and, in effect, holding the zombie computer to ransom
  • Harvesting information such as passwords, user names, and banking details via spyware and sending it back to the bot herder
  • Fast flux: using the zombies as proxy servers to host malicious websites and advertise malware/spyware
  • Brute-forcing other machines over services such as FTP, SMTP, and SSH
  • Cracking passwords and hashes
  • Infecting other hosts
  • Committing voting fraud on website polls or filling a poker table at an online casino

Staying Safe

Because a botnet spans an enormous number of IP addresses, it can be difficult to defend against, especially while under a denial-of-service attack. A few network-based intrusion detection systems use passive OS fingerprinting to judge whether an attack is coming from a botnet.

The anti-botnet software from the major security companies uses heuristics to identify bot behaviour and then attempts to null-route the relevant DNS entries so the bot cannot contact the command & control server.
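The two defensive ideas in this section, recognizing a fast-flux domain (the technique listed under Types of Attacks, in which a name rotates through many zombie addresses with very short TTLs) and null-routing its DNS resolution so a bot never reaches its controller, can be sketched as a small resolver policy. The following Python is an added example written for this article; it is not code from the NetSec wiki or from any vendor product, and the log format, domains, addresses and thresholds are all constructed assumptions.

```python
"""Defender-side DNS sinkhole with a fast-flux heuristic.

Added example for the NetSec "Zombies" article; not code from the wiki or
from any vendor product. The log format, the domains, the addresses and the
thresholds below are constructed assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed policy values: where flagged names are null-routed, and how many
# distinct addresses with how short a TTL count as "flux" on this network.
SINKHOLE_ADDR = "0.0.0.0"
FLUX_MIN_DISTINCT_IPS = 5
FLUX_MAX_TTL = 300

# Constructed passive-DNS log: "timestamp client qname rdata ttl".
# update-svc.example rotates through six addresses with TTLs of 1-3 minutes;
# cdn.example.net also rotates, but with long TTLs, and www.example.com is static.
SAMPLE_DNS_LOG = """
# ts client qname rdata ttl
1700000000 10.0.0.7  update-svc.example. 192.0.2.21     60
1700000060 10.0.0.7  update-svc.example. 198.51.100.14  60
1700000120 10.0.0.9  update-svc.example. 203.0.113.77   120
1700000180 10.0.0.7  update-svc.example. 192.0.2.88     60
1700000240 10.0.0.12 update-svc.example. 198.51.100.201 180
1700000300 10.0.0.9  update-svc.example. 203.0.113.5    60
1700000010 10.0.0.7  www.example.com.    192.0.2.10     3600
1700000400 10.0.0.9  www.example.com.    192.0.2.10     3600
1700000020 10.0.0.7  cdn.example.net.    203.0.113.40   3600
1700000080 10.0.0.9  cdn.example.net.    203.0.113.41   3600
1700000140 10.0.0.7  cdn.example.net.    203.0.113.42   3600
1700000200 10.0.0.12 cdn.example.net.    203.0.113.43   3600
1700000260 10.0.0.7  cdn.example.net.    203.0.113.44   3600
"""


@dataclass
class DomainStats:
    """Everything observed being resolved for one query name."""
    ips: set = field(default_factory=set)
    ttls: list = field(default_factory=list)
    last_rdata: str = ""


def parse_dns_log_line(line):
    """Split one constructed log line into (ts, client, qname, rdata, ttl)."""
    ts, client, qname, rdata, ttl = line.split()
    return int(ts), client, qname.lower().rstrip("."), rdata, int(ttl)


def collect_stats(lines):
    """Aggregate answers per domain; blank lines and '#' comments are skipped."""
    stats = defaultdict(DomainStats)
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        _, _, qname, rdata, ttl = parse_dns_log_line(line)
        entry = stats[qname]
        entry.ips.add(rdata)
        entry.ttls.append(ttl)
        entry.last_rdata = rdata
    return stats


def is_fast_flux(entry):
    """Heuristic: many distinct A records, every one of them with a short TTL."""
    return len(entry.ips) >= FLUX_MIN_DISTINCT_IPS and max(entry.ttls) <= FLUX_MAX_TTL


def flag_fast_flux_domains(lines):
    """Return the sorted list of query names the heuristic flags."""
    return sorted(name for name, entry in collect_stats(lines).items() if is_fast_flux(entry))


class SinkholeResolver:
    """Stand-in for a resolver that null-routes flagged names and records who asked."""

    def __init__(self, upstream, blocked):
        self.upstream = dict(upstream)   # qname -> address a real upstream would return
        self.blocked = set(blocked)
        self.hits = []                   # (client, qname) pairs: hosts to investigate

    def resolve(self, client, qname):
        name = qname.lower().rstrip(".")
        if name in self.blocked:
            self.hits.append((client, name))
            return SINKHOLE_ADDR
        return self.upstream.get(name)


def build_sinkhole_from_log(lines):
    """Learn the blocklist from the log and use the last-seen answers as the 'upstream'."""
    stats = collect_stats(lines)
    upstream = {name: entry.last_rdata for name, entry in stats.items()}
    return SinkholeResolver(upstream, flag_fast_flux_domains(lines))


if __name__ == "__main__":
    resolver = build_sinkhole_from_log(SAMPLE_DNS_LOG.splitlines())
    print("flagged:", sorted(resolver.blocked))
    for client, name in [("10.0.0.7", "update-svc.example."), ("10.0.0.7", "www.example.com.")]:
        print(client, name, "->", resolver.resolve(client, name))
    print("sinkhole hits (hosts to investigate):", resolver.hits)
```

Two points a practitioner would keep in mind: legitimate CDNs and load-balanced services also rotate through many addresses, often with low TTLs, so on a real network this heuristic needs an allow list or further signals (for example, how many distinct autonomous systems the answers fall into) before it is allowed to block anything; and every sinkhole hit is first of all an alert, since the querying host is the one that is probably infected.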

Evolution

Hackers, like everything else online, are always growing and evolving. Today's botnets are no longer run from a central command & control server; they are designed to run over a peer-to-peer (P2P) network. This turns each individual zombie into a command & control server, so there is no single point of failure. The most recent botnets have also been found to recognize when they are being analyzed and to launch a denial-of-service attack against those studying the zombie horde.