Thursday, July 07, 2005

The deal with malware today, pt 2

In my previous post, I had a small write-up about the first of two major malware problems today (aggressive malware). I just finished my last test today (yay!) so I figured I'd write about the second one. Which is, of course, zombie networks, aka botnets.

You might ask yourself, what is a botnet? Well, it's pretty simple. Imagine one person entering the URL to a site in his browser and hitting Enter every second, reloading the page every time. That puts some strain on the webserver that's hosting that site, but not much. Now imagine 30,000 people doing the exact same thing. A few hundred times per second. Now THAT puts strain on the server, eh? And when the amount of traffic those 30k people are generating is more than the connection speed that server has, no one else can reach it since the bandwidth is 'full'. And it'll probably crash from the traffic overload. Worse still, if the server runs some commercial website, it'll lose money when it's down. And don't be surprised when these damages rack up to several thousand dollars.
So basically, that is what happens during a DDoS - Distributed Denial of Service. A botnet ('robot network') owner has control over several hundred to several thousand computers all over the world ('zombies' or 'bots') and can make them attack a server (or, in fact, ANY computer that is online) all at once. He does this by tricking the computer user into running a small program which plants the bot on the system, which then waits for orders from its owner. On his command, it starts sending out network packets to the specified target as fast as it can until it's told to stop.
Did you pay attention here? The key step is tricking the computer user into running it. See what that means? It means if you don't accept files from strangers, you can help stop these attacks. You can help prevent online companies from losing thousands of dollars. And all you need is common sense. Which is free. Unless there's a bot on the loose that spreads by security holes on your system. In that case, you either need to close the hole, or install a firewall. Which is sometimes free.

So how much of this DDoS practice are we seeing nowadays? Well, things started out pretty easy with this news article, detailing a DDoS (Distributed Denial of Service) attack on Yahoo, eBay, CNN and Amazon in February 2000. You'll probably remember it. Though only Yahoo and eBay were actually off the air for some time (the other two were just much slower), this marks pretty much the first big zombie network attack. It was also pretty big in the news, making people aware of this type of attack. In vain.

About a year later, in May 2001, Steve Gibson's site was hit with a similar attack. Being the techie that he is, he wrote a detailed page about it and put it up. Unfortunately, by drawing this much attention to himself, he has become a testbed for a lot of small botnet owners who just want to 'check if their 'net has enough force to packet a big site'. Not funny. Not very surprisingly, he was attacked again in January 2002 using a slightly more sophisticated attack. These are just a few examples of attacks. Some nimrod tried attacking the website once, but that server had such massive bandwidth that he could barely make a dent in it. A few worm viruses have tried this as well, but only with negligible results.

The frustrating thing about being hit with a DDoS attack is that you can't stop the actual flow of data to your server that's crushing you. Imagine it's raining really, really hard. How much of a chance do you stand making all the clouds stop dropping raindrops? That's what I thought. What you can do, however, is build a roof over your head to prevent the raindrops from actually reaching you, and hope things'll blow over fast. If you read the first DDoS report linked above, you'll see this is exactly what Steve Gibson did: he had his upstream provider filter out all the suspicious packets. This didn't stop the attack, but it did stop the attack from bothering him. A good friend of mine had his anti-malware site attacked some time ago as well. He now has an ingenious system with several proxy servers set up to prevent this kind of thing from happening again. My own site has been hit with a DDoS attack once as well, and there wasn't much else I could do than copy all content to a website mirror and ride out the attack. The only thing that really helps is preventing the installation of these zombie bots in the first place.

Taking out zombie networks (botnets) is pretty hard. Short of breaking into the controller's house and forcing him at gunpoint to command all of his bots to perform the 'uninstall' command (almost all bots have this), you can't directly control the bots, since 1) most of the time access to the bots is restricted by a really long password, and 2) this password only validates if you're on the right IP subnet. In other words, only if the master controller himself logs onto his ISP account and issues the correct password to the bots does he actually get to tell them anything. Otherwise they'll just ignore him. Bots are funny like that. Anyway, since most of the time the central place the owner meets his bots is an IRC server (all the bots connect to this server and wait in some channel for commands), you CAN get this server shut down and all the bots will be harmless, albeit still alive. Unless the controller somehow gets the bots to connect to a new, different IRC server. Rinse, repeat.

So... how do you know if you've got one of those zombie programs on your computer? Well, frankly, they're a bit hard to spot. There are a few technical tests you can do, but I've found that these often lead to mistakes and panic, followed by a lot of screaming and shotgunning your monitor, etc. A better way to detect this stuff is just using your eyes. If the 'send' or 'upload' light on your (cable/DSL) modem is constantly on, even if you're doing squat, something on your system could be sending lots of data somewhere you don't want it to go. You can also check this with bandwidth monitors like DUMeter, Bandwidth Monitor and NetGrid, which monitor your Internet traffic and display it in a fancy graph.
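For the more technically inclined, here's the 'send light is always on' check written out as a little script, plus the IRC rendezvous from the botnet paragraph above. This is an added example, not something from the post or from any of the monitors mentioned; it assumes a host-level sensor that emits one record per outbound flow per second (second, destination, port, bytes, packets), the sample records are constructed, and the thresholds are made-up illustrative values.

```python
"""Flag botnet-like outbound traffic in per-second flow samples (added example)."""
from collections import defaultdict

# Constructed sample (not real traffic): two seconds of normal browsing, then a
# long-lived connection to an IRC port (the 'waiting in a channel' control
# channel) and a flood of small packets at one target from second 2 to 6.
SAMPLE_FLOWS = (
    [(0, "203.0.113.10", 80, 1800, 12), (1, "203.0.113.10", 80, 900, 7)]
    + [(s, "198.51.100.7", 6667, 60, 1) for s in range(2, 8)]       # IRC control channel
    + [(s, "192.0.2.55", 80, 360000, 6000) for s in range(2, 7)]    # small-packet flood
)

# Assumed thresholds; tune to what 'idle' looks like on your own connection.
IDLE_BYTES_PER_SEC = 25_000   # upload above this while you are doing nothing
SUSTAIN_SECONDS = 4           # ...for this many consecutive seconds
FLOOD_PKTS_PER_SEC = 5000     # packets/second toward a single destination
IRC_PORTS = {6667}            # classic IRC port used as the meeting place
IRC_MIN_SECONDS = 5           # how long a connection must persist to count

def sustained_upload(flows, min_bytes=IDLE_BYTES_PER_SEC, sustain=SUSTAIN_SECONDS):
    """First second of a run of `sustain` consecutive seconds above min_bytes, else None."""
    per_sec = defaultdict(int)
    for sec, _dst, _port, nbytes, _pkts in flows:
        per_sec[sec] += nbytes
    run_start = None
    for sec in range(min(per_sec), max(per_sec) + 1):
        if per_sec[sec] > min_bytes:
            run_start = sec if run_start is None else run_start
            if sec - run_start + 1 >= sustain:
                return run_start
        else:
            run_start = None
    return None

def flood_targets(flows, pps=FLOOD_PKTS_PER_SEC):
    """Destinations that received at least `pps` outbound packets in one second."""
    per_sec_dst = defaultdict(int)
    for sec, dst, _port, _bytes, pkts in flows:
        per_sec_dst[(sec, dst)] += pkts
    return {dst for (_sec, dst), n in per_sec_dst.items() if n >= pps}

def control_channels(flows, ports=IRC_PORTS, min_seconds=IRC_MIN_SECONDS):
    """Hosts on an IRC port that stayed connected for at least `min_seconds` distinct seconds."""
    seen = defaultdict(set)
    for sec, dst, port, _bytes, _pkts in flows:
        if port in ports:
            seen[dst].add(sec)
    return {dst for dst, secs in seen.items() if len(secs) >= min_seconds}

if __name__ == "__main__":
    print("sustained upload from second:", sustained_upload(SAMPLE_FLOWS))
    print("flood targets:", flood_targets(SAMPLE_FLOWS))
    print("possible control channels:", control_channels(SAMPLE_FLOWS))
```

A hit on the first check alone is only the modem light in numbers; it is the combination with a single flooded target and a long-lived IRC connection that looks like a bot rather than a big upload.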

Secondly, how do you prevent getting a zombie? Well, in some cases you need a shaman to cast some spells and nail a plucked dead chicken to your door, but in the case we're interested in, all you need is a brain. I think most of you already got one, too. Just use common sense. If you get an email that claims to be from 'Microsoft TechNet', urging you to install the attached security fix, don't. Microsoft doesn't send out fixes over email. To anyone. If you're on a website that claims it can see your entire hard disk and offers a patch to prevent this, don't. You can see your own hard disk too, by typing 'C:\' in the address bar. What that website does is the same thing. If some buddy sends you a file over MSN claiming 'zOMG this gam is AWSOME!!1one LoLZ', at LEAST scan it using whichever antivirus program you have. Better yet, let 14 antivirus programs scan it by uploading it to For free! For all other cases, use common sense. It's stupid not to run an antivirus scanner. It's stupid not to run a firewall if you still have Windows 98 or Windows ME (or even older). It's stupid not to install security fixes from Microsoft. Now go outside and be not stupid.
