Zero Day of the Dead

Once upon a time script kiddies were happy simply to infect computers with a virus and unleash an unexpected cascade of tumbling letters. But filthy lucre has corrupted the intellectual curiosity that drove those exploits; now there’s big money in delivering insidious programs that hide, waiting silently for instructions from distant masters.

In this underground world, infected computers are called zombies. Programs that wait for commands are bots (short for robots), and a collection of bots is a botnet.

IT analyst firm Gartner says: “Although botnets are not new (they were previously referred to as zombie networks), their use as a vehicle for DDoS (Distributed Denial of Service) attacks has been the biggest concern. However, organizations are now realizing their impact in other forms of attack, for example in spam relays and as hosts for phishing web sites.”

Gartner estimates that bots generate more than 70% of spam, and that through 2007, half of internet-active firms that do not implement prevention technologies will suffer service or financial losses due to botnet attacks.

Waspish attractions
According to Thorsten Holz, co-founder of the German Honeynet Project, there are thousands of botnets and millions of zombie computers. “It is hard to give exact numbers since we see only a limited amount of them,” he says. “We observed a couple of hundred botnets and estimate that several million zombie computers are out there.”

The Honeynet Project is a non-profit organization dedicated to improving the security of the internet by providing cutting-edge research for free. The project uses deliberately vulnerable machines to study the movement and influence of malware on the internet. Like wasps to a picnic, malware is attracted to unprotected computers. “The mean time to compromise for un-patched Windows 2000 systems in my network is less than 10 minutes,” says Holz.

Botnets can contain tens of thousands of compromised machines. Even a botnet with only 1000 bots can cause a great deal of damage because of its combined bandwidth. A thousand home PCs with an average upstream of 128kbit/s can provide more than 100Mbit/s. If they are set to work in a DDoS attack, flooding enterprise networks with bogus requests, this is enough bandwidth to create major difficulties.

Legitimate origins
Bots have been used for many years to monitor and control Internet Relay Chat (IRC) automatically. IRC is an informal communication medium where subscribers send and receive text messages via a central IRC server. Messages sent are distributed to subscribers and categorized into channels (subjects or chat rooms, based on themes). Users subscribe to different channels depending on authentication or invitation.

So far so good, but users need help or even chastisement (for using profanity, for example) and bots help fill the need. A bot automatically responds to events while appearing to be a normal user on the channel. The bot may protect the channel from abuse, allow privileged users access to special features, log events, provide information, or host games. A quiz program is a typical example. Source code for bots is freely available (for example, or

While there are many legitimate uses, bots and botnets add an extra dimension to malware security. Richard Ford, research professor of computer sciences at the Florida Institute of Technology, says botnets are “a great illustration of the maxim ‘your insecurity makes my system insecure’.”

You can be damaged by botnets without being infected, he says, and yet defensive strategies currently concentrate on endpoints—preventing individual infections—not on the botnet itself, and not on the fact that we contribute to each other’s security.

Ford likes an insect metaphor: you can squash one ant but it makes no difference. It is only when you destroy the queen that you know you are safe. “If we don’t kill the centre of the ‘colony’ we’re simply engaged in a war of attrition with an enemy who always has the upper hand,” he says.

Yet he cannot say for certain how a botnet might be destroyed: “Killing the colony might require attacking machines you don’t own; this opens a whole bunch of difficult legal questions.”

But if you can’t shut them down, making sure your neighbour’s machines are not used to launch an attack is also difficult. Their security arrangements may be, legitimately, less bullet-proof than your own. The internet will always be a hotchpotch of machines with different vulnerabilities, and there is no way of forcing a ‘duty of care’ on the whole world, says Jon Fell, partner at IT law firm Pinsent Masons.

But according to Fell, the US doctrine of ‘attractive nuisance’ may apply to IT users that fail to keep their systems secure and thus unwittingly participate in acts that damage others.

“The example usually given,” says Fell, “is that of a child who sees a swimming pool in a garden, enters the pool and subsequently drowns. A homeowner could be liable for the death if he had failed to take sufficient precautions to prevent such an event, for example, by installing fencing around the pool.

“There is certainly a risk that a party who fails to take sufficient steps to keep hackers from entering their systems could be found negligent if the hackers disrupt others via those systems,” he says.

But the risk is small, he says. “To date there have not been any cases decided on this point. Even a business whose lax security allows a hacker to launch attacks via its systems may escape liability.”

And recent analysis of the doctrine suggests that by itself it will not be enough to launch a successful case for damages. “The person who suffers loss is in the wrong category,” says Fell. “They haven’t been attracted to the computer in the first place.”

That leaves legal recourse difficult to pursue, undermining reasons to invest in protection. Nonetheless, modifying a system without a user’s express permission remains punishable by up to five years under section three of the UK’s Computer Misuse Act (CMA) 1990.

Detective Inspector Chris Simpson is with the Economic and Specialist Crime Directorate of the Metropolitan Police Computer Crime Unit (CCU). Speaking at the (ISC)2 Secure London event, he said: “If an individual is concerned in any one of the following: authoring the malicious code behind the botnet; managing the botnet itself or being responsible for funding or initiating its creation, that person could potentially be convicted as part of a conspiracy to commit offences under the Computer Misuse Act.”

Which appears to leave the owner of an infected system in the clear.

Simpson stressed the importance of traditional approaches to information security. “People should consider how to prevent or manage infections and DDoS attacks, and also how to raise awareness of IT security within the business environment. Many of the cases investigated by the CCU were infinitely preventable, if only policy was in place and supported by procedure and appropriate management systems,” he said.

Ford thinks the botnet phenomenon will worsen. With commercial reasons to create zombies growing stronger (see sidebar), the value of exploits that install bots is rising. “If a botnet owner wishes to expand his network, and that network makes money, it stands to reason that a zero-day attack has value to him. The goal of a botnet is to spread under the radar, so using an unknown exploit and keeping that exploit out of sight makes sense.”

Simpson is optimistic the CCU can combat the growing zombie armies, even with the cross-border complications inherent in investigations.

“There is extremely good co-operation between international law enforcement and industry. Results in the UK, US, Canada, Holland and Eastern Europe are evidence of this.” (See sidebar.)

But it is the immensity of scale that makes a zero-day exploit so valuable. As Simpson points out: “In the physical world the number of crimes an individual can commit is limited by their physical capacity. In contrast, across the internet, a criminal without any significant assets can target over a billion potential victims.”

This rich field of potential victims and the value of infection makes it inevitable botmasters will try to grow their legions of zombies. A zero-day attack is perfect for their diabolical plans: use your head; make them lose theirs.

Documented uses of botnets from the Honeynet Project

Distributed Denial-of-Service Attacks
Botnets flood a company’s servers with thousands of data requests until the servers are unable to respond. Higher-level protocols can be used for specific attacks, such as running search queries on bulletin boards or recursive HTTP floods.

Spamming
Attackers are able to send bulk unsolicited commercial email (spam). Some bots also harvest email addresses to send phishing emails.

Sniffing Traffic
Sniffers are used mostly to seek sensitive information like usernames and passwords. If a machine is compromised by multiple bots, sniffers can gather the security keys of the other botnets for a hostile takeover.

Keylogging
Most bots contain keyloggers and filtering mechanisms (e.g. “I am interested only in key sequences near the keyword”) to steal passwords and other secret data that may be protected by virtual private network or encrypted connections.

Spreading new malware
All bots implement mechanisms to download and execute files via HTTP or FTP. Botnets can launch mail viruses. The Witty worm is suspected to have been started from a botnet.

Click fraud
Using Google’s AdSense, companies can display targeted advertisements on their websites and earn money for each visitor that clicks on the advert. Botnets can automatically and repeatedly click on these advertisements, fraudulently increasing the click count.

Attacking IRC Chat Networks
IRC networks are flooded by service requests or thousands of channel-joins from the botnet. The victim IRC network is brought down, as in a DDoS attack.

Manipulating online polls and games
Online polls/games are rather easy to manipulate with botnets. Since every bot has a distinct IP address, every vote has the same validity as a vote cast by a real person. Online games are manipulated in a similar way.

Identity theft
Phishing emails are generated and sent by bots via their spamming mechanism. The bots host multiple fake websites that pretend to be eBay, PayPal or a bank, and harvest the sensitive data. Keylogging and traffic sniffing can also be used for identity theft.


What vendors say you should do

“Companies should install software to identify bots on their networks and close those communication channels. Bots can use any protocol they want to communicate. Stopping IRC will never be enough.” Jose Nazario, Arbor Networks’ senior security advisor.

“Anti-spam applications will greatly reduce this problem but real-time blacklists become less useful. Companies should be backing initiatives that counteract spam like Sender Policy Framework (SPF).” Simon Heron, Network Box Defence Systems.

“Web browsers are probably the most frequently abused port of entry. It’s harder to take down Firefox than IE by spyware, so consider switching.” Mark Stevens, chief strategy officer at WatchGuard

“A holistic approach to security is essential. It’s no longer sufficient to rely on traditional anti-virus techniques.” David Emm, senior technology consultant, Kaspersky Labs

“Companies should definitely be looking to shore up their IM channels. Many of the hacker groups we monitor are moving away from web page drive-bys in favour of spreading their payloads via IM.” Chris Boyd, security research manager, FaceTime Communications.
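Nazario’s advice above, identify the bots on your own network rather than just block IRC, can be turned into a simple heuristic. The following is an added example written for this article, not code from any of the vendors quoted or from the Honeynet Project; it runs over a constructed log of IRC commands (format and addresses are made up) and flags a channel that several internal hosts join within a short window, on whatever port the traffic uses, plus hosts that join but never speak.

```python
import re
from collections import defaultdict

# Constructed sample of IRC commands seen by a network monitor, one per line:
# "<epoch> <src_host> <server>:<port> <COMMAND> [args]". Not real traffic.
SAMPLE_LOG = """\
1001 10.0.0.11 203.0.113.5:6667 JOIN #upd4te
1003 10.0.0.12 203.0.113.5:6667 JOIN #upd4te
1005 10.0.0.13 203.0.113.5:6667 JOIN #upd4te
1010 10.0.0.15 203.0.113.5:8080 JOIN #upd4te
1020 10.0.0.50 198.51.100.9:6667 JOIN #linux
1050 10.0.0.50 198.51.100.9:6667 PRIVMSG #linux :anyone tried kernel 2.6.15?
1055 10.0.0.51 198.51.100.9:6667 JOIN #linux
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+):(\d+) ([A-Z]+)(?: (.*))?$")

def parse(log):
    """Yield (time, src, server, port, command, args) per well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            t, src, server, port, cmd, args = m.groups()
            yield int(t), src, server, int(port), cmd, args or ""

def mass_joins(log, min_hosts=4, window=60):
    """Channels joined by >= min_hosts distinct hosts within `window` s, any port."""
    joins = defaultdict(list)  # (server, channel) -> [(time, host)]
    for t, src, server, _port, cmd, args in parse(log):
        if cmd == "JOIN" and args:
            joins[(server, args.split()[0])].append((t, src))
    flagged = {}
    for key, events in joins.items():
        events.sort()
        for i, (t0, _host) in enumerate(events):  # slide a window over join times
            hosts = {h for t, h in events[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                flagged[key] = sorted(hosts)
                break
    return flagged

def silent_members(log):
    """Hosts that JOIN but never PRIVMSG: bots listen for commands, not chat."""
    joined, spoke = set(), set()
    for _t, src, _server, _port, cmd, _args in parse(log):
        if cmd == "JOIN":
            joined.add(src)
        elif cmd == "PRIVMSG":
            spoke.add(src)
    return sorted(joined - spoke)
```

Both checks ignore the port, so a bot controller listening on 8080 is caught alongside one on 6667; the thresholds are constructed starting points to tune against a site’s normal IRC use.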


Court in the act

December 2004, UK and Canada
A British court convicts a 16-year-old Briton of releasing the Randex Trojan, used to relay spam. Canadian police charge another 16-year-old with writing and distributing the worm. Randex quickly infected more than 9,000 computers.

August 2004, US
Operation Cyberslam results in indictment of Jay R Echouafni and Joshua Schichte on charges of conspiracy and causing damage to protected computers. They allegedly used a botnet to send bulk mail and set up DDoS attacks against spam blacklist servers.

January 2005, US
Jeanson James Ancheta pleads guilty to installing and controlling tens of thousands of zombie computers used for spam, DDoS and adware. Ancheta allegedly makes over US$60,000.

October 2005, The Netherlands
Dutch police arrest three people for building a 100,000-PC botnet. Compromised machines were infected with the W32.Toxbot Trojan. Investigations cover DDoS attacks and PayPal and eBay fraud.

February 2006, US
Christopher Maxwell and two juvenile accomplices allegedly made US$100,000 from pop-up adverts on compromised computers. Their botnet is also suspected of DDoS attacks on Seattle’s Northwest Hospital in January 2005.

