Net Of The Living Dead

Paul M. Hirsch paul@voltagenoir.org - 05/27/2004

Somewhere on the Internet there is a chat room with thousands of members online. They aren't chatting with each other, and they won't chat with you. Don't be offended. They aren't human. They are members of a zombie network, and they are waiting for their master to give them a target to attack.

For many years, script kiddies (unskilled hackers) have been using various tools to break into and "collect" huge numbers of unprotected computers. Once in, they install one or more backdoor programs that allow the attacker to remotely control the infiltrated machine, thus adding the machine to their collection of "owned" computers. ("Owned" just means "under the control of", but it sounds cooler, which is a major consideration when you are trying to impress other 15-year-olds or the press.) The focus of this article is "zombie" (or "bot") networks, so I will leave more advanced types of backdoor programs to other articles.

Zombie networks are made up of two or more infiltrated computers that are controlled remotely and take action as a group. Starting around 1999, with the release of the "Tribal Flood Network" and "Trinoo" DDOS programs, script kiddies started to gather huge zombie networks for use in huge Denial Of Service (DOS) attacks. In a DOS attack the goal is to break or temporarily disable the victim's computers or network. In a DDOS (Distributed Denial Of Service) attack multiple attackers work together to flood the victim with more network traffic than it can handle. The power of a DDOS attack is in numbers, so script kiddies work to create huge zombie networks. While these zombie networks are occasionally used to attack major web sites, like Yahoo, they are usually used to attack a rival script kiddie's network. (Remember, script kiddies are life-deficient.)

In recent years things have started to change. Spammers and real criminals have discovered the power and relative anonymity of zombie networks. For instance, instead of searching the Internet for misconfigured email servers to bounce spam off of, spammers can just use a zombie network to send millions of emails out with incredible speed. Since each zombie hides the true origin of the message it is hard to track the spam back from the zombie to the spammer. As long as the spammer continues to add new members to their zombie network the spam "blacklist" services, which track spammers by Internet address, will be unable to keep up.

Zombies? Where?

Zombie computers are everywhere on the Internet. Most seem to be home PCs connected to the Internet over permanent broadband (cable or DSL) links, but there are zombies in corporate networks, and zombies on dial-up connections too. In most cases there is no sign that a computer is part of a zombie network. The zombie programs that listen for and carry out commands look like just another program. Unless the zombie is instructed to attack or perform some other labor intensive activity, the zombie computer will run as usual.

There are no hard figures on how many computers are infected with one or more zombie client programs. From anecdotal evidence (which is always more reliable than statistical data), chances are you know at least one person with a computer that is part of a zombie network. Read on for a dry explanation of how computers are infected, how the attacker communicates with the zombie minions, an example of what a zombie network can do, and how you can prevent your computer from eating your brain. (Details on how computers are broken into, and how other backdoor and Trojan programs work, will be left to future articles.)


The Zombie's Byte

There are numerous methods used to infect computers with zombie clients, including:

  1. Tricking users into running a zombie client installer
  2. Tricking computers into running a zombie client installer
  3. Breaking into victim computers using security holes in the computer

To trick a user, the attacker renames the zombie client to something that might interest the victim, like "Hilarious-Beer-Commercial.mov.exe" or "P Diddy - Still a gangsta, even though I party with Martha Stewart - Uncut.mp3.bat". The file is then emailed, sent through an instant messaging service (AIM, ICQ, MSN, etc.), or shared using a file sharing client (Kazaa, Morpheus, LimeWire, etc). When the victim runs the zombie client, nothing visible usually happens, so the user tosses the file in the trash. Behind the scenes, the zombie client is installed and running. The computer has been zombified.

Tricking computers involves taking advantage of weaknesses in web browser or email client software to download and run a zombie client. Though initiated through a user's action (clicking a link, or opening an email message), the infection proceeds behind the scenes without any signal to the user that something is wrong. Zombified.

Breaking into computers directly requires the attacker to take advantage of a weakness in the operating system or a service on the victim system. Once the weakness has been exploited the victim machine is instructed to download and run the zombie client. Zombified!

These methods may sound familiar, since they are all used by email-borne worms, Internet worms, phishers, etc. In fact, a number of worms have actually been used to spread zombie programs.


Zombie Mind Control

Regardless of how a computer is infected with a zombie client, there must be a way for the controller of the zombie network to communicate with the zombies. The three most common communication methods follow.

[Figure 1: Direct Connection]

Direct Connection: Many early zombies used this method, in which the attacker's computer opens up a separate network connection to each zombie client. The attacker must keep track of the zombies they own, and then either manually, or with the assistance of a script, connect to each zombie before issuing a command. This is the least robust and scalable way to control zombies. It is blocked by most firewalls (as shown by the red line from the attacker to zombie 3), doesn't track which zombies are online, and makes it easy to trace back to the attacker from any zombie.

[Figure 2: Reverse Connection]

Reverse Connection: This method is widely used and quite robust. Each zombie client opens a network connection back to the attacker's machine. Since the zombie initiates the connection, the average firewall will not block it. Also, the attacker always knows how many zombies are available by looking at how many zombies are connected to the attacker's machine. One downside is that it is easy to trace back from a zombie to the attacker's machine.

[Figure 3: Chat Connection]

Chat Connection: This final method is the one this article opens with. Each zombie client connects to a chat room and waits to be given an order. In this case, the chat room is on an Internet Relay Chat (IRC) server, but the chat room can be anywhere on the Internet, and use any of a number of chat services. This method has all the advantages of reverse connections with the additional advantage of making it difficult to find the attacker's Internet address. The main weakness is that the attacker must trust the chat server. If the server's administrators block access to the server or remove the chat room, the zombies will have no way to communicate. In addition, if the chat room is not protected, the zombies can be seen, meddled with, or even stolen.
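All three communication methods leave a pattern in connection records that a network defender can look for: one remote address reaching in to many internal hosts (direct connection), or many internal hosts each holding a long-idle outbound session to the same remote endpoint (reverse connection, and chat connection when the endpoint is an IRC port). The following Python script is an added example, not code from the original article; the flow-record format it reads (internal host, remote IP, remote port, seconds the session stayed open, direction) and the thresholds are assumptions chosen for the example, and the sample records are constructed.

```python
"""Flag candidate zombie rendezvous points in connection records.

Added example, not code from the original article. The flow-record format
(internal host, remote IP, remote port, seconds the session stayed open,
direction) is a hypothetical one chosen for this example; real netflow or
firewall logs would need their own parser.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

FlowRecord = Tuple[str, str, int, int, str]

MIN_HOSTS = 3        # distinct internal hosts before one remote endpoint is interesting
LONG_SESSION = 3600  # seconds; an idle chat or reverse-connection session stays open for hours
IRC_PORTS = {6667}   # 6667 is the default IRC port; add any others your IRC servers use

# Constructed sample flows. direction "out": the internal host opened the
# connection; "in": the remote address opened it.
SAMPLE_FLOWS: List[FlowRecord] = [
    # Three internal hosts each holding an hours-long outbound IRC session to
    # the same server: the chat-connection pattern (Figure 3).
    ("10.0.0.11", "198.51.100.7", 6667, 7200, "out"),
    ("10.0.0.12", "198.51.100.7", 6667, 6900, "out"),
    ("10.0.0.13", "198.51.100.7", 6667, 7100, "out"),
    # One remote address opening short inbound connections to several internal
    # hosts on the same arbitrary port: the direct-connection pattern (Figure 1).
    ("10.0.0.21", "203.0.113.9", 7777, 3, "in"),
    ("10.0.0.22", "203.0.113.9", 7777, 4, "in"),
    ("10.0.0.23", "203.0.113.9", 7777, 2, "in"),
    # Ordinary browsing: many hosts, same web server, short sessions. Not flagged.
    ("10.0.0.11", "192.0.2.10", 443, 5, "out"),
    ("10.0.0.12", "192.0.2.10", 443, 3, "out"),
    ("10.0.0.13", "192.0.2.10", 443, 4, "out"),
    ("10.0.0.14", "192.0.2.10", 443, 6, "out"),
]


def find_rendezvous_points(flows: List[FlowRecord]) -> List[Dict[str, object]]:
    """Group flows by remote endpoint and report endpoints that several
    internal hosts share in a way that matches one of the three patterns."""
    outbound: Dict[Tuple[str, int], List[Tuple[str, int]]] = defaultdict(list)
    inbound: Dict[str, Set[str]] = defaultdict(set)
    for host, remote_ip, remote_port, seconds, direction in flows:
        if direction == "out":
            outbound[(remote_ip, remote_port)].append((host, seconds))
        else:
            inbound[remote_ip].add(host)

    findings: List[Dict[str, object]] = []

    # Reverse and chat connections: many internal hosts, one remote endpoint,
    # sessions that stay open long after any ordinary client would have hung up.
    for (remote_ip, remote_port), sessions in sorted(outbound.items()):
        hosts = {host for host, _ in sessions}
        if len(hosts) < MIN_HOSTS:
            continue
        if min(seconds for _, seconds in sessions) < LONG_SESSION:
            continue  # short sessions: normal client traffic, e.g. web browsing
        pattern = "chat connection (IRC port)" if remote_port in IRC_PORTS else "reverse connection"
        findings.append({"pattern": pattern,
                         "remote": f"{remote_ip}:{remote_port}",
                         "hosts": sorted(hosts)})

    # Direct connections: one remote address reaching in to many internal hosts.
    for remote_ip, hosts in sorted(inbound.items()):
        if len(hosts) >= MIN_HOSTS:
            findings.append({"pattern": "direct connection",
                             "remote": remote_ip,
                             "hosts": sorted(hosts)})
    return findings


if __name__ == "__main__":
    for finding in find_rendezvous_points(SAMPLE_FLOWS):
        print(f"{finding['pattern']}: {finding['remote']} <- {', '.join(finding['hosts'])}")
```

The session-length test is what separates the reverse and chat patterns from ordinary client traffic: a web server is also shared by many internal hosts, but those sessions last seconds, whereas a zombie waiting for orders keeps its connection up for hours. The two flagged endpoints in the sample are where a defender would start looking, not a verdict on their own.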


"They lie in wait like wolves, the smell of blood in their nostrils. Waiting, interminably waiting. And then..."

Now for an example of how an attacker might put a zombie network to use. Mr. Attacker is out to get his nemesis, Phreakmaster Greg. He wants to knock Greg's computer offline for a day using a DOS attack. Attacker knows that the Internet address (IP) for Greg's computer is 209.98.233.250.

[Figure 4: Command Sent]

Attacker starts by using an IRC chat client to log into the IRC chat room his zombies are listening to. He then issues the command to attack Greg's IP address, 209.98.233.250.

[Figure 5: Command Received]

The IRC server forwards the message from Attacker on to all the members of the chat room.

[Figure 6: Zombies Attack]

As commanded, each zombie starts attacking 209.98.233.250, in this case by sending thousands of connection requests to the target as fast as it can. The combined traffic from all the different zombies floods the victim's computer and network, rendering it useless. If done right, an attack like this can keep a site off the Internet indefinitely, forcing the owners of the site to take the drastic measure of changing to a new IP address or moving to a new network altogether. (As one would do if real zombies appeared at your doorstep and refused to leave without feasting on mortal flesh.)

The flood of traffic also impacts the Internet Service Provider (ISP) the victim uses to connect to the Internet. If severe enough, the traffic can even wreak havoc on the ISP's links to the Internet. (Much like the clogged streets and traffic that would ensue if one million zombies marched on your neighborhood.)
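From the victim's or the ISP's side, the flood described above shows up as a spike in connection requests toward one address, and the thing that makes it a zombie-network attack rather than a nuisance is that the requests come from many sources, so no single address can be blocked to stop it. The following Python script is an added example, not code from the original article, and sketches that detection: it counts connection requests per target in a sliding one-second window and, when the rate is high, reports how many distinct sources took part and how much of the traffic the busiest one accounts for. The event format (millisecond timestamp, source IP, destination IP) and the thresholds are assumptions for the example; the sample traffic is constructed, with the victim address taken from the article's scenario.

```python
"""Spot a connection-request flood against one target and tell a
distributed flood from a single-source one.

Added example, not code from the original article. The event format
(timestamp in milliseconds, source IP, destination IP), one event per
connection request, is hypothetical; a real deployment would derive it
from firewall or router logs.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

Event = Tuple[int, str, str]

RATE_THRESHOLD = 50   # connection requests per one-second window to one target
MIN_SOURCES = 10      # distinct sources before a flood counts as distributed
WINDOW_MS = 1000


def make_sample_events() -> List[Event]:
    """Constructed traffic: 30 zombies send 300 requests to the victim
    (209.98.233.250, the address in the article's scenario) in 3 seconds,
    one legitimate client makes a few requests, and an unrelated host
    talks to another server at a normal rate."""
    t0 = 1_000_000
    events: List[Event] = []
    for i in range(300):
        events.append((t0 + i * 10, f"198.51.100.{i % 30 + 1}", "209.98.233.250"))
    for i in range(5):
        events.append((t0 + i * 500, "192.0.2.77", "209.98.233.250"))
    for i in range(20):
        events.append((t0 + i * 100, "192.0.2.5", "203.0.113.40"))
    return sorted(events)


def detect_floods(events: List[Event]) -> Dict[str, Dict[str, object]]:
    """Return, per flooded target, the peak requests seen in any one-second
    window, how many distinct sources took part, and the flood kind."""
    by_target: Dict[str, List[Tuple[int, str]]] = defaultdict(list)
    for ts, src, dst in events:
        by_target[dst].append((ts, src))

    findings: Dict[str, Dict[str, object]] = {}
    for dst, requests in by_target.items():
        requests.sort()
        window: Deque[int] = deque()
        peak = 0
        for ts, _ in requests:
            window.append(ts)
            while ts - window[0] > WINDOW_MS:  # slide: drop requests older than one second
                window.popleft()
            peak = max(peak, len(window))
        if peak < RATE_THRESHOLD:
            continue
        per_source: Dict[str, int] = defaultdict(int)
        for _, src in requests:
            per_source[src] += 1
        kind = "distributed" if len(per_source) >= MIN_SOURCES else "single-source"
        findings[dst] = {
            "peak_per_second": peak,
            "sources": len(per_source),
            "kind": kind,
            # Share of requests from the busiest source: near 1.0 means one
            # address to block; near 1/sources means blocking any one address buys little.
            "top_source_share": round(max(per_source.values()) / len(requests), 3),
        }
    return findings


if __name__ == "__main__":
    for target, info in detect_floods(make_sample_events()).items():
        print(target, info)
```

In the constructed sample the victim sees a peak of 104 requests in one second from 31 sources, with the busiest source contributing about 3% of the load; the unrelated server, at a normal rate, is not reported. That low top-source share is the practical problem the article describes: filtering by source address does little against a zombie network, which is why mitigation ends up at the ISP or with a change of address.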


Holy Water

Besides sucking up your Internet bandwidth and annoying or harming others on the Internet, keep in mind that a zombie client can steal your passwords, destroy your data, or do all sorts of other nasty things. It is in your best interest to prevent your computers from being zombified. Luckily, the defenses used to protect against outside attack, and the precautions that are effective against email worms, are just as effective at preventing zombification.

  1. Use antivirus software
  2. Use anti-spyware software
  3. Keep your security patches up to date
  4. Do not open an email attachment unless it is from someone you trust, and you were expecting it
  5. Do not trust web links (URLs) in email messages

Once infected, most zombie clients can be detected by antivirus or anti-spyware software. If your computer seems to be running much more slowly all of a sudden, or if you notice that your Internet connection is very active even though you are not using it, you may be witnessing signs of infection. Try scanning your system using at least antivirus software, preferably in conjunction with anti-spyware software.

Defending against a zombie network is another matter, and the focus of much research. With enough zombies, something as simple as requesting a web page from a web site can add up to an overload. Hey, but that is for Google, Yahoo, MSN, and the other big guys to worry about....

More Information