Zombies Blend In With Regular Web Traffic

An anonymous reader writes "Hackers controlling farms of zombie computers are now trying to blend in with web traffic, News.com reports. Instead of traditional IRC controls, many zombie farms are moving to simple web-based control schemes, which makes them harder to track down." From the article: "The change in tactics makes it harder to identify zombies on a network, and it becomes tougher for security professionals to use the hackers' own tools to spy on them. In addition, the switch to Web-based control increases the threat of zombies to enterprises and other organizations, as that method can't be blocked as easily as the previous technique."
  • by Salvance ( 1014001 ) on Thursday October 19, 2006 @04:54PM (#16508105) Homepage Journal
    I guess I'm probably stating the obvious, but it seems like Google, Yahoo, and other online cost-per-click advertising portals are most vulnerable to the new type of zombie farms. I wonder if they would employ some of the vast resources (if they aren't already) in fighting this problem?
  • by ngunton ( 460215 ) on Thursday October 19, 2006 @05:00PM (#16508207) Homepage
    Funny this story should come up today. My community website [crazyguyonabike.com] has been getting attacked for the last couple of days by a botnet (I think) of zombie computers. I wrote the Spambot Trap [neilgunton.com] article that was published here [slashdot.org] in 2002, and I've been using the trap successfully to block spambots ever since. Usually, the block list is a couple of dozen repeat offenders. But day before yesterday, it suddenly spiked up - there were dozens of spambots coming in from all kinds of different IP addresses. I'm pretty sure it's a botnet of zombies, because a) they all report exactly the same User-Agent, and b) they all come in directly to the guestbooks and forums (probably using a search engine) and c) all the IP addresses resolve to dialup, cable or DSL accounts (some businesses too). It's getting a bit much, because the block list has suddenly ballooned to over 160, constantly changing. The trap is coping ok, because the blocks will fall off after a while (the block time goes up as the power of 2 for each repeated offence). I have added some logfile snapshots [neilgunton.com] to the article. (Look down the page to see how the number of blocks has suddenly increased in the last couple of days, and also notice how all the browsers are identical). I think this is some kind of virus that may still be spreading, because the number is only increasing.

    Anybody else seeing this kind of stuff happening?
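The pattern ngunton describes (many different dialup/cable/DSL addresses, one identical User-Agent, all posting straight to the guestbook and forum scripts, with a block time that doubles on each repeated offence) can be checked mechanically from the access log. The following is an added example written for this thread, not code from the Spambot Trap article or from crazyguyonabike.com; the log lines are constructed in Apache combined format, the trap paths and the three-IP threshold are assumptions, and the block-list class only models the doubling behaviour the post mentions.

```python
"""
Flag a botnet-like burst in a web server log and apply an exponential
block list: many distinct IPs sharing one User-Agent, posting directly
to guestbook/forum paths with no Referer.  Added example with
constructed log lines; paths and thresholds are assumptions.
"""
import re
from collections import defaultdict

# Constructed Apache combined-format log lines (documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.10 - - [19/Oct/2006:16:01:02 -0400] "POST /guestbook/post.cgi HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.7 - - [19/Oct/2006:16:01:05 -0400] "POST /forum/reply.cgi HTTP/1.1" 200 498 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.44 - - [19/Oct/2006:16:01:09 -0400] "POST /guestbook/post.cgi HTTP/1.1" 200 511 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.77 - - [19/Oct/2006:16:01:11 -0400] "POST /forum/reply.cgi HTTP/1.1" 200 503 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.200 - - [19/Oct/2006:16:01:14 -0400] "GET /doc/tour.html HTTP/1.1" 200 8231 "http://example.com/" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7"
192.0.2.9 - - [19/Oct/2006:16:01:20 -0400] "GET /doc/index.html HTTP/1.1" 200 4100 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7"
203.0.113.10 - - [19/Oct/2006:16:03:40 -0400] "POST /guestbook/post.cgi HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

TRAP_PATHS = ("/guestbook/", "/forum/")   # assumed: paths bots post to directly
MIN_DISTINCT_IPS = 3                       # assumed threshold, sized for the sample


def parse_log(text):
    """Yield one dict per well-formed combined-format line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def suspicious_user_agents(entries, min_ips=MIN_DISTINCT_IPS):
    """Return {ua: set(ips)} for User-Agents seen from >= min_ips distinct
    addresses that POST straight to trap paths without a Referer."""
    by_ua = defaultdict(set)
    for e in entries:
        if (e["method"] == "POST" and e["path"].startswith(TRAP_PATHS)
                and e["referer"] == "-"):
            by_ua[e["ua"]].add(e["ip"])
    return {ua: ips for ua, ips in by_ua.items() if len(ips) >= min_ips}


class BlockList:
    """Block time doubles with each repeated offence (base * 2**(n-1)),
    so persistent bots stay blocked longer while one-off hits expire soon."""

    def __init__(self, base_seconds=600):
        self.base = base_seconds
        self.offences = defaultdict(int)
        self.blocked_until = {}

    def offend(self, ip, now):
        self.offences[ip] += 1
        duration = self.base * 2 ** (self.offences[ip] - 1)
        self.blocked_until[ip] = now + duration
        return duration

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.blocked_until[ip]   # block falls off; offence count is kept
            return False
        return True


def analyse(text, now=0):
    """Parse the log, flag shared-UA bursts, and register each flagged hit."""
    entries = list(parse_log(text))
    flagged = suspicious_user_agents(entries)
    bl = BlockList()
    for e in entries:
        if e["ua"] in flagged and e["ip"] in flagged[e["ua"]]:
            bl.offend(e["ip"], now)
    return flagged, bl


if __name__ == "__main__":
    flagged, bl = analyse(SAMPLE_LOG)
    for ua, ips in flagged.items():
        print(f"{len(ips)} IPs share UA {ua!r}")
    for ip, until in sorted(bl.blocked_until.items()):
        print(f"block {ip} until t+{until}s ({bl.offences[ip]} offences)")
```

Running it on the sample flags the single MSIE 6.0 string shared by four addresses and leaves the two Firefox readers alone; the repeat poster 203.0.113.10 ends up with a 1200-second block on its second offence. In production the Referer check is the weakest part of the heuristic, since a bot can send any Referer it likes, so the distinct-IP count per User-Agent is the signal to keep.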
  • HA HA!!!! (Score:3, Interesting)

    by Duncan3 ( 10537 ) on Thursday October 19, 2006 @05:05PM (#16508287) Homepage
    Everyone blocked all ports except 80 because MS couldn't be bothered to fix system security.

    Now you have to block port 80 as well... Good luck with that ;)

    The bad guys have orders of magnitude more money behind them than the good guys, it's obvious who will win.
  • by TooMuchToDo ( 882796 ) on Thursday October 19, 2006 @05:17PM (#16508475)
    We use the Spamhaus SBL/XBL to filter incoming mail, why not use the XBL list [http://www.spamhaus.org/xbl/index.lasso] to filter traffic at the web server/content switch/firewall level?

    "The Spamhaus Exploits Block List (XBL) is a realtime database of IP addresses of illegal 3rd party exploits, including open proxies (HTTP, socks, AnalogX, wingate, etc), worms/viruses with built-in spam engines, and other types of trojan-horse exploits."
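Using a DNS-based block list at the web server or application layer works the same way it does for mail: reverse the client's IPv4 octets, append the list's zone, and treat an A record in 127.0.0.0/8 as "listed" and NXDOMAIN as "not listed". The following is an added example, not Spamhaus code and not from the article; the zone name xbl.spamhaus.org is assumed from the post, the resolver is injectable so the check runs offline here against a constructed listing, and the listed/not-listed policy is a hypothetical hook.

```python
"""
DNSBL lookup for a web client's IP before accepting a post.  Added
example; FAKE_ZONE/FAKE_RECORDS are constructed so it runs offline,
and the real zone name is an assumption taken from the thread.
"""
import ipaddress
import socket

REAL_ZONE = "xbl.spamhaus.org"   # assumed from the post; not queried here


def dnsbl_query_name(ip, zone):
    """192.0.2.44 in zone z -> 44.2.0.192.z (raises ValueError on bad input)."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(addr.exploded.split("."))) + "." + zone


def system_resolver(name):
    """Resolve with the OS resolver; None stands for NXDOMAIN or failure."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_listed(ip, zone, resolve=system_resolver):
    """True only when the answer is an address in 127.0.0.0/8.  Any other
    answer (e.g. a wildcard from a parked or expired zone) is not a hit."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return False
    return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")


# Constructed listing for offline use: only 192.0.2.44 is "listed".
FAKE_ZONE = "dnsbl.example.invalid"
FAKE_RECORDS = {"44.2.0.192." + FAKE_ZONE: "127.0.0.4"}


def fake_resolver(name):
    return FAKE_RECORDS.get(name)


def should_accept_post(ip, zone=FAKE_ZONE, resolve=fake_resolver):
    """Hypothetical policy hook: refuse listed or malformed addresses."""
    try:
        return not is_listed(ip, zone, resolve)
    except ValueError:
        return False


if __name__ == "__main__":
    for ip in ("192.0.2.44", "192.0.2.45", "not-an-ip"):
        print(ip, "accept" if should_accept_post(ip) else "refuse")
```

The 127.0.0.0/8 test matters: if the list's domain ever stops answering as a DNSBL (the GoDaddy court-order worry raised further down this thread), a wildcard or parked answer would otherwise block every visitor. Whatever the answer, cache the result per IP for a few minutes so a busy guestbook does not turn into a DNS flood against the list operator.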

  • by codepunk ( 167897 ) on Thursday October 19, 2006 @05:24PM (#16508591)
    why not use encrypted steganography, probably even harder to deal with?
  • by blindd0t ( 855876 ) on Thursday October 19, 2006 @05:34PM (#16508729)
    What concerns me is how many companies would respond to this. Unfortunately, the threat for IM viruses brought on a corporate IM client at a company I formerly worked for (and I enjoyed working for them immensely). While I admit it was good that you always knew how you could instant message someone within the company, they were planning on eventually blocking all other IM clients. This move surprised me, however, as I used other IM clients to communicate with my primary contacts who were employed by our client. This was essential to me since our group focused on working for clients all over the U.S. remotely. The same could happen with web browsing should this occur, unfortunately. If they are unable to deter these outbound connections easily (which would be the case if it were on port 80), they will likely try to filter as much as possible as a deterrent. We already know how limiting such proxying and filtering can be - it would be a real pain to have to deal with that on a regular basis.
  • by tepples ( 727027 ) <tepples.gmail@com> on Thursday October 19, 2006 @06:06PM (#16509133) Homepage Journal

    Once GoDaddy gets the court order to switch off Spamhaus's domain, how will you use SBL/XBL?

  • You've got a point (Score:5, Interesting)

    by Kelson ( 129150 ) * on Thursday October 19, 2006 @07:17PM (#16510023) Homepage Journal
    If you really want to blend in, send out your Zombie commands via Myspace profiles. :) That'll look like normal web-traffic.

    I can actually imagine the botnets and the blog spammers getting together on this. Someone blasts a bunch of nonsensical comments to various blogs, wikis, guestbooks, etc. They monitor them to see which ones get cleaned up. The ones that don't get cleaned up are designated as sources for commands. Then the spambots start posting encoded commands along with the blogspam, and the zombies start reading the blogs' comments to get instructions.

    Talk about a disturbing synergy.

  • One failsafe is to use "user at domain. com".

    Yes, if you /know/ this is an email address, you can parse it. But what do you look for to find this on a page? The usual identifier for emails is an @ character. For a very devious spammer, "(at)", "AT", "[at]" and such will suffice. But "at" is an English word. It will occur anywhere on a page with English text.

    The "dot" could in extreme cases be used. But if it's replaced by a period (and placed such that it fits with normal syntax, following a word and followed by a space), that too becomes unrecognizable. It's going to catch an enormous number of false positives.

    The only remaining vulnerability is to search for "gmail", "yahoo" or "hotmail". I'm afraid I don't know a solution for that one, unless someone knows a way to mask domain names as well? ...

    "Protect your email address: Write in leetspeak!"
  • by yuna49 ( 905461 ) on Friday October 20, 2006 @10:04AM (#16515633)
    I'd target a zombie newsgroup like this one http://games.groups.yahoo.com/group/shuffleboard/ [yahoo.com]. These groups have no active members and collect nothing but spam. Wouldn't be hard to hide a few commands in amongst the Viagra offers.

    I've used this particular group to track spam trends. For instance, look at the spam boomlet in this group at the end of 2003 after the Sobig http://en.wikipedia.org/wiki/Sobig_worm [wikipedia.org] worm did its damage.
