Up to a million PCs in the zombie army

Posted on 18 Mar 2005 at 09:38

Up to one million PCs are part of an army of zombie computers attached to the internet, according to a survey carried out by a group of security experts. Attackers can control as many as 50,000 at a time.

The survey was carried out as part of the Honeypot Project. In the test, unprotected machines are connected to the internet, usually on a broadband line, in order to attract the attention of hackers who scan the machines for vulnerabilities. As anyone who has a firewall fitted on their home machine will know, such probes constantly take place up to several times a minute. The researchers found that when connected to the internet, a machine could find itself attacked and compromised within minutes.

In its paper Know your Enemy: Tracking Botnets the researchers warn `attackers are highly skilled and organized, potentially belonging to well organized crime structures. Leveraging the power of several thousand bots, it is viable to take down almost any website or network instantly.`

The steep rise in the number of zombie botnets is attributed to the massive growth in broadband connections amongst home users. These machines often have no firewall or anti-virus protection installed and are left connected to the internet 24 hours a day making them a prime target for attackers.

The machines are then usually used either to conduct a range of criminal activities such as blackmail linked to distributed denial of service (DDoS) attacks. The group reports that between November 2004 until the end of January 2005 it monitored 226 DDos attacks against 99 unique targets. The botnets can also be used to broadcast spam or emails for phishing attack. Other growing applications are to manipulate clicks on Google AdSense so that websites gain extra money by the zombies clicking on the ads displayed.

Typically a machine is recruited to the zombie army via the use of an IRC server. Normally used for chat services, IRC has an extension Csend which is used like the more familiar DCC to transfer files between chatters. Once a machine has been compromised via an unguarded port or other means it will attempt to connect to the IRC server, establish a connection and download the Trojan necessary to complete the attack. During the period of the survey the researchers say they counted 226,585 unique IP addresses joining at least one of the rogue IRC channels.

Author: Steve Malone