Hackers are trying harder to make their networks of hijacked computers go unnoticed.
Cybercrooks are moving to new Web-based techniques to control the machines they have commandeered, popularly referred to as "zombies". Before, they used to send orders via Internet chat services, but with that method, they ran the risk of inadvertently revealing the location of the zombies and themselves.
"All the good guys are being challenged here. (Hackers are) saying: 'You're spotting my traffic. I am going to try and hide it a little better,'" said Rob Fleischman, the chief technology officer at Simplicita, a Denver-based security start-up that helps Internet service providers deal with infected computers on their networks.
The change in tactics makes it harder to identify zombies on a network, and it becomes tougher for security professionals to use the hackers' own tools to spy on them. In addition, the switch to Web-based control increases the threat of zombies to enterprises and other organizations, as that method can't be blocked as easily as the previous technique.
"If you're a bad guy, this is pretty good news. If you're a good guy, I wouldn't say it is bad news, but it is a challenge," said Jose Nazario, a senior software engineer at Arbor Networks, which sells network analysis products. Nazario has done extensive research into zombies, the results of which he presented at last week's Virus Bulletin conference.
Life of a zombie
Hijacked computers have become one of the most serious security problems on the Internet. Malicious remote-control code turns a computer into a zombie via security holes in software, a worm, or a Trojan horse. It then runs silently in the background, letting an attacker send commands to the system, unbeknownst to its owner.
Zombies are the most prevalent threat to Windows PCs, according to a Microsoft report released earlier this year. A security tool downloaded alongside Microsoft's patches removed at least one version of malicious remote-control software from about 3.5 million PCs between January 2005 and March 2006, it said.
Criminals make money by networking their zombies into a "botnet". They put these networks to work mounting denial-of-service attacks against online businesses in extortion schemes; hosting faked Web sites used in phishing scams; and relaying spam. Attackers also often load adware and spyware onto compromised systems, earning a kickback from the makers of these programs or reselling the private data of their victims.
In fighting botnets, investigators found it was relatively easy to identify zombies because of how they communicate with their masters. Most botnets today are controlled via Internet Relay Chat, or IRC, a still-active chat network that is a relic of the early days of the Net.
IRC lets hackers control their bots in real time. As soon as a computer is infected, it connects to a specific chat server and channel, and awaits its commands. But the benefit for the good guys is that they can lurk in the chat rooms, spy on the hackers, and sometimes even identify them. Furthermore, IRC uses its own network protocol.
"IRC is not as common as other protocols," Fleischman said. "It does not blend in. It has a certain signature. You can use technologies to spot it."
Internet service providers already block traffic to the IRC servers used by zombies, and many organizations use network shields, such as firewalls and intrusion detection systems, to block IRC traffic altogether. This prevents a compromised PC on a specific network from contacting its command-and-control center.
These countermeasures have not gone unnoticed in hacker circles. In a classic game of cat and mouse, miscreants are moving command-and-control channels for their botnets away from IRC and onto the Web. There, the zombies will blend in with regular Web traffic, which can't simply be blocked.
"These bots look like people browsing the Web," Fleischman said. "The brilliance here--and I hate to compliment the botmasters--is that they know that there is a giant haystack of Web traffic, and if they hide their command-and-control there, it is harder to spot."
Instead of connecting to an IRC server, newly compromised PCs connect to one or more Web sites to check in with the hackers and get their commands. These Web sites are typically hosted on hacked servers or computers that have been online for a long time. Attackers upload the instructions for download by their bots.
Play video
There are currently no comments for this post.