Zombies Blend In With Regular Web Traffic 117

An anonymous reader writes "Hackers controlling farms of zombie computers are now trying to blend in with web traffic, reports. Instead of traditional IRC controls, many zombie farms are moving to simple web-based control schemes, which makes them harder to track down." From the article: "The change in tactics makes it harder to identify zombies on a network, and it becomes tougher for security professionals to use the hackers' own tools to spy on them. In addition, the switch to Web-based control increases the threat of zombies to enterprises and other organizations, as that method can't be blocked as easily as the previous technique."

  • brains (Score:5, Funny)

    by User 956 ( 568564 ) on Thursday October 19, 2006 @04:50PM (#16508045) Homepage
    Zombies Blend In With Regular Web Traffic

    But how do you differentiate the zombies from your standard brain-dead AOL users?

    I guess either way, you should just aim for the head.
  • So then...? (Score:5, Funny)

    by Jace of Fuse! ( 72042 ) on Thursday October 19, 2006 @04:50PM (#16508049) Homepage
    "Hackers controlling farms of zombie computers are now trying to blend in with web traffic"

    If you really want to blend in, send out your Zombie commands via Myspace profiles. :) That'll look like normal web-traffic.
    • If you really want to blend in, send out your Zombie commands via Myspace profiles. :) That'll look like normal web-traffic.

      That's crazy, network engineers at a company will block MySpace even if they happen to notice traffic there that isn't botnet control traffic. Use comments from a user here on Slashdot and the network and security guys will leave it open just in case it is one of their scripts they forgot about :)

    • You've got a point (Score:5, Interesting)

      by Kelson ( 129150 ) * on Thursday October 19, 2006 @07:17PM (#16510023) Homepage Journal
      If you really want to blend in, send out your Zombie commands via Myspace profiles. :) That'll look like normal web-traffic.

      I can actually imagine the botnets and the blog spammers getting together on this. Someone blasts a bunch of nonsensical comments to various blogs, wikis, guestbooks, etc. They monitor them to see which ones get cleaned up. The ones that don't get cleaned up are designated as sources for commands. Then the spambots start posting encoded commands along with the blogspam, and the zombies start reading the blogs' comments to get instructions.

      Talk about a disturbing synergy.

  • by Salvance ( 1014001 ) on Thursday October 19, 2006 @04:54PM (#16508105) Homepage Journal
    I guess I'm probably stating the obvious, but it seems like Google, Yahoo, and other online cost-per-click advertising portals are most vulnerable to the new type of zombie farms. I wonder if they would employ some of the vast resources (if they aren't already) in fighting this problem?
    • by Anonymous Coward on Thursday October 19, 2006 @06:18PM (#16509303)
      Oh yes. Fraudulent clicks have been a botnet money-making channel for quite some time now. Google et al do have methods of trying to detect it, but I would imagine it pretty much boils down to identifying suspicious sudden spikes, because the botnet guys are intelligent and motivated and there's no real technical countermeasure that's not intrusive (e.g. captcha) and therefore unusable as it would put legitimate users off. It's a serious problem for them.
      • by yuna49 ( 905461 )
        Wouldn't this be a good strategy to boost the Google page-rank score as well? Have the zombies run a little web server with pages of paid-for links, and links to all the others. Suddenly it looks like millions of webmasters have decided your customer's page is really important. Even better, this method doesn't leave those traffic spikes in the logs.
    • That's a good question. I've read various things, some of which have said that as much as 40% of Google's AdWords traffic is bogus. Google is already starting to juggle the lawsuits coming in. I think that when a company as big as a Google or a Yahoo is having problems, we'll finally start to see some kind of law enforcement doing something. And if we don't... well shit, I guess that the Web will be ruined the same way that email has been.
    • I run [] and have been advertising quite a lot with Google. A month ago I received a letter to participate in a class action lawsuit against Yahoo for fraudulent clicks (even though we have not been advertising with them for a long time). However, we have been using AdSense for quite some time, but no invitation to participate in a lawsuit there. A class action against Google next?
  • by __aaclcg7560 ( 824291 ) on Thursday October 19, 2006 @04:54PM (#16508111)
    I see zombies hanging out at the local Starbucks all the time trying to blend in. The only thing that blends is their coffee.
    • Re: (Score:2, Funny)

      by IflyRC ( 956454 )
      Are you sure you aren't confusing zombies with the wanna-be vampire goth crowd?
    • Re: (Score:3, Informative)

      by jacksonj04 ( 800021 )
      Starbucks serves coffee now? The advances to brown liquid technology that modern times allows...
  • by ngunton ( 460215 ) on Thursday October 19, 2006 @05:00PM (#16508207) Homepage
    Funny this story should come up today. My community website [] has been getting attacked for the last couple of days by a botnet (I think) of zombie computers. I wrote the Spambot Trap [] article that was published here [] in 2002, and I've been using the trap successfully to block spambots ever since. Usually, the block list is a couple of dozen repeat offenders. But day before yesterday, it suddenly spiked up - there were dozens of spambots coming in from all kinds of different IP addresses. I'm pretty sure it's a botnet of zombies, because a) they all report exactly the same User-Agent, and b) they all come in directly to the guestbooks and forums (probably using a search engine) and c) all the IP addresses resolve to dialup, cable or DSL accounts (some businesses too). It's getting a bit much, because the block list has suddenly ballooned to over 160, constantly changing. The trap is coping ok, because the blocks will fall off after a while (the block time goes up as the power of 2 for each repeated offence). I have added some logfile snapshots [] to the article. (Look down the page to see how the number of blocks has suddenly increased in the last couple of days, and also notice how all the browsers are identical). I think this is some kind of virus that may still be spreading, because the number is only increasing.

    Anybody else seeing this kind of stuff happening?
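The trap described in the post above, as an added example (this is not the Spambot Trap code from crazyguyonabike.com, and the log format, trap path, block base time and sample log lines are all constructed here): a honeypot URL that only a crawler ignoring robots.txt would follow, a block list whose duration doubles on every repeat offence, and the two botnet signals the post mentions, a byte-identical User-Agent across many unrelated source IPs.

```python
"""Spambot trap with doubling block times and identical-User-Agent detection.

Added example in the spirit of the approach described in the thread; not the
article's own code. Apache "combined" log format, trap path, block base time
and the sample log are all assumptions made for the demo.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

TRAP_PATH = "/trap/"              # hypothetical URL linked only from places robots.txt excludes
BASE_BLOCK = timedelta(hours=1)   # first offence 1h, then 2h, 4h, 8h ...

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log: four hosts on different IPs with an identical UA hit
# the guestbook/forum and the trap; one ordinary visitor with another UA does not.
BOT_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
SAMPLE_LOG = "\n".join([
    f'10.0.0.5 - - [18/Oct/2006:09:00:00 +0000] "GET /guestbook.html HTTP/1.1" 200 512 "-" "{BOT_UA}"',
    f'10.0.0.5 - - [18/Oct/2006:09:00:02 +0000] "GET /trap/ HTTP/1.1" 200 12 "-" "{BOT_UA}"',
    f'10.0.0.6 - - [18/Oct/2006:09:01:00 +0000] "GET /trap/ HTTP/1.1" 200 12 "-" "{BOT_UA}"',
    f'10.0.0.7 - - [18/Oct/2006:09:02:00 +0000] "GET /forum/post.cgi HTTP/1.1" 200 512 "-" "{BOT_UA}"',
    f'10.0.0.8 - - [18/Oct/2006:09:03:00 +0000] "GET /trap/ HTTP/1.1" 200 12 "-" "{BOT_UA}"',
    f'10.0.0.5 - - [18/Oct/2006:12:00:00 +0000] "GET /trap/ HTTP/1.1" 200 12 "-" "{BOT_UA}"',
    f'10.0.0.9 - - [18/Oct/2006:09:04:00 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (X11; Linux) Firefox/1.5"',
])


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


class SpambotTrap:
    """Block list where the n-th offence by an IP blocks it for base * 2**(n-1)."""

    def __init__(self, base_block=BASE_BLOCK):
        self.base_block = base_block
        self.offences = defaultdict(int)
        self.block_until = {}

    def record_offence(self, ip, now):
        self.offences[ip] += 1
        duration = self.base_block * 2 ** (self.offences[ip] - 1)
        self.block_until[ip] = now + duration
        return duration

    def is_blocked(self, ip, now):
        until = self.block_until.get(ip)
        return until is not None and now < until

    def ingest(self, records):
        # Process in time order so repeat offences are counted in sequence.
        for rec in sorted(records, key=lambda r: r["ts"]):
            if rec["path"] == TRAP_PATH:
                self.record_offence(rec["ip"], rec["ts"])


def identical_ua_clusters(records, min_ips=3):
    """User-Agents shared by at least min_ips distinct source IPs: a botnet tell."""
    ips_by_ua = defaultdict(set)
    for rec in records:
        ips_by_ua[rec["ua"]].add(rec["ip"])
    return {ua: ips for ua, ips in ips_by_ua.items() if len(ips) >= min_ips}


def summarize(log_text=SAMPLE_LOG):
    """Run the trap over a log and report offences, block expiry and suspect UAs."""
    records = parse_log(log_text)
    trap = SpambotTrap()
    trap.ingest(records)
    end = max(r["ts"] for r in records)
    return {
        "offences": dict(trap.offences),
        "block_until": {ip: t.isoformat() for ip, t in trap.block_until.items()},
        "blocked_at_end": {ip: trap.is_blocked(ip, end) for ip in trap.offences},
        "suspect_ua": sorted(identical_ua_clusters(records)),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(key, value)
```

In the sample, 10.0.0.5 trips the trap at 09:00 (blocked one hour) and again at 12:00 (now blocked two hours, until 14:00), while the four bots share one User-Agent string across four source IPs. The UA check is only a heuristic: a real botnet can randomise the header, and two real visitors behind the same corporate build will share one, so treat a cluster as something to look at rather than something to block outright.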
    • Re: (Score:3, Funny)

      Really, what do you expect? When you post a direct link to your website like that, machines can easily harvest it and add it to their zombie spambot lists... Really, you should type it out like this so only a human can parse it...

      crazyguyonabike dot com

      Gotta stay one step ahead of the spammers. :)
      • by ewl1217 ( 922107 )
        In all honesty, don't you think that, somewhere along the line, some spammer has written a program that can make sense of e-mails written like that?
        • Re: (Score:3, Interesting)

          by Arancaytar ( 966377 )
          One failsafe is to use "user at domain. com".

          Yes, if you /know/ this is an email address, you can parse it. But what do you look for to find this on a page? The usual identifier for emails is an @ character. For a very devious spammer, "(at)", "AT", "[at]" and such will suffice. But "at" is an English word. It will occur anywhere on a page with English text.

          The "dot" could in extreme cases be used. But if it's replaced by a period (and placed such that it fits with normal syntax, following a word and follow
          • by Tim C ( 15259 )
            The only remaining vulnerability is to search for "gmail", "yahoo" or "hotmail". I'm afraid I don't know a solution for that one, unless someone knows a way to mask domain names as well? ...

            One trick I've seen used from time to time is to describe the domain - e.g. hotmail becomes "the mail that's hot", gmail might become "google's email thing", and so on. I've no idea how effective it is, but with so many different possibilties coding something to parse them all isn't something I'd want to have to do.
    • I have noticed strange behavior on my blogger blog and have been trying to figure it out all day.

      I run both Google Analytics and my own PHP-based (pphlogger) counter on it. I was checking my pphlogger logs just now and noticed that yesterday evening it appears a certain IP address started scraping my Blogger site. I whois'd the IP and it comes up with a server in Israel.

      Before this I was averaging several hundred hits a day. In the hours since then, I've logged only 5 or 6 hits total -- and all list the
    • Somewhat off-topic, but the following isn't quite accurate in my experience (quoted from your Spambot article):

      So if the guestbook posting form has no preview or confirmation page, then the spambot would leave a message simply by following this link! My guestbooks and message boards have a preview page, which is probably why I hadn't had any of this.

      The preview page is just an additional URL - if the spambot can follow that by accident, it can just as well follow the confirmation link. To prevent bots (legi

      • by ngunton ( 460215 )
        Actually, I had always used POST on my contact form. Simply adding the preview step got rid of the spam. Also, you can use robots.txt to keep legitimate crawlers out of your posting pages (by and large - the contact form for the webmaster may be an exception).

        I think the spambots find "likely looking" forms that seem to be for posting on guestbooks or forums (or contacting someone off a page like that). They then use heuristics to try to fill it in by looking for fields like "name" and "email". They then su
  • by Raynor ( 925006 ) on Thursday October 19, 2006 @05:05PM (#16508271) Journal
    You don't need to reload a melee weapon!

    Nowhere is safe; only safer.

    One zombie can make the world zombie.

    Anyone who isn't prepared is a burden to you; only help those who can help themselves.

    Always be prepared for zombies.
  • HA HA!!!! (Score:3, Interesting)

    by Duncan3 ( 10537 ) on Thursday October 19, 2006 @05:05PM (#16508287) Homepage
    Everyone blocked all ports except 80 because MS couldn't be bothered to fix system security.

    Now you have to block port 80 as well... Good luck with that ;)

    The bad guys have orders of magnitude more money behind them than the good guys; it's obvious who will win.
    • NAT! (Score:4, Insightful)

      by CdBee ( 742846 ) on Thursday October 19, 2006 @05:23PM (#16508575)
      If every home internet connection had a NAT router it would cut down incoming TCP/80 traffic a fair amount (so long as UPnP doesn't f*ck it up anyway).
    • The bad guys have orders of magnitude more money behind them than the good guys; it's obvious who will win.

      I'm confused. Microsoft has more money than the hackers...Microsoft is the bad guy?
      But aren't hackers bad?

      So...who are the good people? Victims of botnet attacks?
      They may have less money of their own, but they do have Microsoft and the federal government of many countries on their side.

      So the good people might not be able to win, but they've got bad people of their own. :)

      I don't think it matters, th
    • by caller9 ( 764851 )
      It's easy to block port 80, use a proxy. Use group policy to spread proxy settings before the block goes up.

      Proxies are their own kind of problem, but with one you can block all outbound access from a workstation without authentication... unless it's absolutely required by bad software. Even then you can restrict it.
  • by R2.0 ( 532027 ) on Thursday October 19, 2006 @05:06PM (#16508297)
    Ooops, missed the "web" part. Was picturing the undead in the car next to me in the morning commute.

    For that matter, with the way we all look and act in the AM, no one would recognize a real zombie if it reared up and bit you on the brain.
  • HUMANS: Disregard article. Not equals true.

    ZOMBIES: Protocol Co08Suy6r45: Attack
    • This would not at all be a bad way of controlling a zombie collection. Search the articles on the Slashdot homepage at -1 for comments by a certain username. Execute encrypted command.

      This would look like legitimate web traffic. It would also be hard to fight, as the zombies could be programmed with a list of several names in case one gets banned, should the scheme even be discovered. The zombie instructions would also time out after a certain predictable period of time, as stories fall off the homepage,
  • by dreamchaser ( 49529 ) on Thursday October 19, 2006 @05:07PM (#16508329) Homepage Journal
    I for one welcome our new undead overlords?
  • by TooMuchToDo ( 882796 ) on Thursday October 19, 2006 @05:17PM (#16508475)
    We use the Spamhaus SBL/XBL to filter incoming mail, why not use the XBL list [] to filter traffic at the web server/content switch/firewall level?

    "The Spamhaus Exploits Block List (XBL) is a realtime database of IP addresses of illegal 3rd party exploits, including open proxies (HTTP, socks, AnalogX, wingate, etc), worms/viruses with built-in spam engines, and other types of trojan-horse exploits."

    • Once GoDaddy gets the court order to switch off Spamhaus's domain, how will you use SBL/XBL?

      • by tlhIngan ( 30335 )
        Once GoDaddy gets the court order to switch off Spamhaus's domain, how will you use SBL/XBL?

        Use their other domain? The one that they registered in their home country perhaps? (Hint: add .uk to the .org...)
      • by RMH101 ( 636144 )
        um, use their uk address? use their IP address instead?
      • Easy. Spamhaus gets the .uk domain, outside of ICANN reach, and problem solved.

        As a precaution for the future, we the technicians should also think about a robust, distributed architecture for RBL querying that would be in effect lawyerproof. Cryptography then can secure the integrity of the data, while the database itself that is queried will be hidden from direct reach of not only the self-nominated "authorities" but also of various denial-of-service attacks that took down some other RBLs. Think about it

    • by joost ( 87285 )
      That's exactly what my Rails plugin [] does: it uses DNSBLs to check client connections. Works absolutely fantastic, too. Since I've started using the filter the spam has dropped to zero. Yes, zero.

      DNSBLs provide a great way to have community-based blocklists. Pick the ones that agree most with your own policy. I recommend spamhaus but also use spamcop and since they're a bit faster and better suited for preventing the most current attacks.

      My plugin is for ruby on rails (just drop it in and go) but sh
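Both the XBL suggestion above and the Rails DNSBL plugin come down to the same lookup, shown here as an added example (this is neither Spamhaus's code nor the plugin's). The zone names and answer-code ranges are Spamhaus's published ones; the resolver is injectable so the demo runs offline against a constructed table instead of querying the live zones.

```python
"""DNSBL (Spamhaus XBL / ZEN) check for web-client IPs, with an injectable resolver.

Added example, not Spamhaus's software and not the Rails plugin from the thread.
Zone names and 127.0.0.x answer codes follow Spamhaus's documentation; the
fake resolver table in demo() is constructed so the code runs offline.
"""
import ipaddress
import socket

XBL_ZONE = "xbl.spamhaus.org"   # exploited hosts: open proxies, worm/trojan-infected machines
ZEN_ZONE = "zen.spamhaus.org"   # SBL + XBL + PBL answered by a single query

# Never look up RFC 1918, loopback or link-local space: it cannot be listed, and
# querying it for every NAT'd internal client only burns queries against the limit.
SKIP_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def dnsbl_name(ip, zone):
    """Reverse the octets and append the zone: 192.0.2.1 -> 1.2.0.192.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def classify(answer):
    """Map a Spamhaus A-record answer to the sub-list that produced it."""
    if answer.startswith("127.255.255."):
        return "error"          # query refused: open resolver, volume limit or malformed query
    if not answer.startswith("127.0.0."):
        return "unexpected"     # e.g. a resolver that rewrites NXDOMAIN; treat as unlisted
    last = int(answer.rsplit(".", 1)[1])
    if last in (2, 3):
        return "SBL"
    if 4 <= last <= 7:
        return "XBL"
    if last in (10, 11):
        return "PBL"
    return "unknown"


def check_ip(ip, zones=(ZEN_ZONE,), resolve=socket.gethostbyname):
    """Query each zone for one client IP. NXDOMAIN (gaierror) means not listed."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4 or any(addr in net for net in SKIP_NETS):
        return {"ip": ip, "skipped": True, "lists": []}   # IPv6 nibble format not handled here
    lists = []
    for zone in zones:
        try:
            answer = resolve(dnsbl_name(ip, zone))
        except socket.gaierror:
            continue
        lists.append(classify(answer))
    return {"ip": ip, "skipped": False, "lists": lists}


def should_block(result):
    """Refuse exploited hosts (XBL) and known spam sources (SBL) only.

    PBL just says the address is end-user space that should not send direct
    mail, which describes most legitimate home web visitors, so it is not a
    reason to refuse HTTP."""
    return any(l in ("XBL", "SBL") for l in result["lists"])


def make_fake_resolver(table):
    """Stand-in for socket.gethostbyname backed by a dict (constructed test data)."""
    def resolve(name):
        if name in table:
            return table[name]
        raise socket.gaierror(name)
    return resolve


def demo():
    fake = make_fake_resolver({
        "1.2.0.192.zen.spamhaus.org": "127.0.0.4",     # constructed: XBL hit
        "5.113.0.203.zen.spamhaus.org": "127.0.0.10",  # constructed: PBL only
    })
    out = {}
    for ip in ("192.0.2.1", "203.0.113.5", "198.51.100.9", "10.0.0.5"):
        r = check_ip(ip, resolve=fake)
        out[ip] = {"lists": r["lists"], "skipped": r["skipped"], "block": should_block(r)}
    return out


if __name__ == "__main__":
    for ip, verdict in demo().items():
        print(ip, verdict)
```

Two operational caveats before wiring this into a web server or content switch: each uncached lookup is a DNS round trip on the request path, so cache verdicts per client IP for at least the zone's TTL, and the free Spamhaus zones are rate-limited and refuse open resolvers (the 127.255.255.x answers), so a busy site needs a local caching resolver in front of them. The conventional DNSBL test entry 127.0.0.2 is handy for checking the plumbing against the live zone once.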
  • Declare a state of sentinEl porcupine. The colorless gReen dreams sleep furiously. Lillypond overflows with deadly bUnnies. Happy birthday WaltEr?
  • "...the threat of zombies to enterprises and other organizations, as that method can't be blocked as easily as the previous technique."

    The cash register is nice, but personally, I think using a park bench is just plain artful... []
  • by codepunk ( 167897 ) on Thursday October 19, 2006 @05:24PM (#16508591)
    why not use encrypted steganography, probably even harder to deal with?
    • Maybe because 500k AOL users suddenly transferring large amounts of encrypted traffic would look mighty suspicious?

      either 500k aol users figured out how to look at disgusting porn on freenet overnight, or they're all zombies.

      The idea is for the zombies to blend in with the normal net users, not the nerdiest of the slashdotters.
  • by nevesis ( 970522 ) on Thursday October 19, 2006 @05:26PM (#16508641)
    The problem with zombies has always been the centralization required to control them. For example, if the zombies are controlled via IRC and all pointed at EFnet, idling in #my31337botnet -- all it takes is an EFnet admin to close the channel. So the owners routed them to private IRC servers via their IP... but now all it takes is the owner of the box or network hosting the server to shut it down. So the owners used DNS so they could move the server if needed, but now all it takes is having the domain suspended or the DNS removed. And now, if these bots are just polling a website for commands, it shouldn't be difficult to close the website. This problem resonates with just about any protocol used, be it IRC, AIM/ICQ, or a website. The problem is that there are more children creating DDoS nets than there are good samaritans/PO'd network admins having them shut down. So join the botnets mailing list [] and donate an hour a week.
    • by tftp ( 111690 )
      it shouldn't be difficult to close the website.

      You think so? Imagine a bot that loads /. and looks for a comment from anyone that has a specific checksum. Once found, the owner's journal is accessed and the instructions are loaded. For example. How do you close /. ?

      • by Cylix ( 55374 )
        Once you have the algorithm you can obviously do anything you want.

        I believe that is how they reverse engineered a worm some time ago. If it did not find its command host it would look to the next generated hostname in its list. While the domain may not have been registered, it would have gone down the list, checking one generated host after another until it found its home again. The problem is, once you understand the algorithm it isn't difficult to step ahead of the path.

        I can't remember if it was a list or a
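The "step ahead of the path" point above, as an added example. Everything here is hypothetical: the domain generator is a constructed stand-in for the kind of date-seeded hostname list described in the comment (not any real worm's algorithm), and the DNS query log is made up. The defender-side functions show why recovering the algorithm matters: once seed and date rule are known, the domains for coming days can be computed and registered, sinkholed or blocklisted before the bots ever ask for them.

```python
"""Stepping ahead of a domain-generation algorithm (DGA).

Added example; the DGA below is a hypothetical stand-in, not a real worm's code,
and the DNS query log in demo() is constructed.
"""
import hashlib
import string
from datetime import date, timedelta


def generate_domains(seed, day_iso, count=10, tld="com"):
    """Bot side: deterministic candidate C&C hostnames for one calendar day.

    Both bot and botmaster can compute this list; the botmaster registers one
    entry, the bots walk the list until a name resolves."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}|{day_iso}|{i}".encode()).digest()
        label = "".join(string.ascii_lowercase[b % 26] for b in digest[:12])
        domains.append(f"{label}.{tld}")
    return domains


def lookahead_blocklist(seed, start_iso, days, count=10):
    """Defender side: every domain the bots will try from start_iso for `days` days,
    mapped to the day it becomes live. Feed this to a sinkhole or resolver policy."""
    start = date.fromisoformat(start_iso)
    out = {}
    for d in range(days):
        day = (start + timedelta(days=d)).isoformat()
        for dom in generate_domains(seed, day, count):
            out[dom] = day
    return out


def parse_query_log(text):
    """Constructed log format: '<timestamp> <client> <qtype> <qname>' per line."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            rows.append({"ts": parts[0], "client": parts[1], "qtype": parts[2],
                         "qname": parts[3].rstrip(".").lower()})
    return rows


def match_queries(rows, blocklist):
    """(client, qname, live_day) for every lookup of a precomputed domain."""
    return [(r["client"], r["qname"], blocklist[r["qname"]])
            for r in rows if r["qname"] in blocklist]


def demo(seed="hypothetical-seed", start_iso="2006-10-19"):
    blocklist = lookahead_blocklist(seed, start_iso, days=3)
    tomorrow = generate_domains(seed, "2006-10-20")
    # Constructed resolver log: one host walking the generated list, two innocent lookups.
    log = "\n".join([
        f"2006-10-20T03:14:07 10.0.0.7 A {tomorrow[0]}.",
        "2006-10-20T03:14:09 10.0.0.7 A www.slashdot.org.",
        f"2006-10-20T03:15:01 10.0.0.7 A {tomorrow[1]}",
        "2006-10-20T03:15:04 10.0.0.9 A mail.example.com",
    ])
    hits = match_queries(parse_query_log(log), blocklist)
    return {"blocklist_size": len(blocklist), "hits": hits}


if __name__ == "__main__":
    print(demo())
```

The second signal a resolver log gives you, independent of knowing the algorithm, is the walk itself: a host that asks for several never-registered names in quick succession and gets NXDOMAIN for each is doing exactly what the comment describes, and that pattern is worth alerting on even before the generator is reversed.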
        • by tftp ( 111690 )
          Sure, you may know what data may serve as a container for the bot's orders. But how will you order /. and any number of other blogs to block comments that match a complex and daily changing algorithm? For example:

          On every Monday the comment must contain the words "literally" and "exact", and the checksum from start to finish should be 0xF4. If that is true, then the checksums of the first four words of the second sentence indicate the IP to access for further instructions.

          Even if you know all this, h

          • "But how will you order /. and any number of other blogs to block comments that match a complex and daily changing algorithm?"

            -1 Botnet command?
      • by nevesis ( 970522 )
        You don't. Slashdot bans said user, or any comment with that checksum.
    • Google? (Score:5, Insightful)

      by tepples ( 727027 ) <tepples@gm a i l . c om> on Thursday October 19, 2006 @06:10PM (#16509191) Homepage Journal
      And now, if these bots are just polling a website for commands - it shouldn't be difficult to close the website.

      Unless the web sites get indexed by Google, and zombies use specially chosen keywords to search for their latest encrypted instructions.

      • Re: (Score:2, Funny)

        by alx5000 ( 896642 )
        Or they could use MS Live Search, using specially chosen keywords to search for last month's encrypted instructions...
      • Unless the web sites get indexed by Google, and zombies use specially chosen keywords to search for their latest encrypted instructions.

        Could be slow. Better for the botnet herders to buy Google AdWords adverts [] on obscure keywords using a stolen credit card, or make use of Google's free $50 coupons when they offer them.


      • by mgblst ( 80109 )
        Ah, so somebody finally found a way to use the Googlewhack?
    • Re: (Score:1, Insightful)

      by Anonymous Coward
      Except that we're already seeing fully decentralised p2p encrypted botnets, and at a simpler level partitioned botnets which serve their own DNS so the C&C server can be moved to a new botted host quickly and easily. Not that they shouldn't be fought, but the best botnets are very well put together and very difficult to shut down (especially if one is constrained to legal methods.)

      We need significantly improved average-host security and strong/proactive ISP level detection/countermeasures to make a real
    • by doublebackslash ( 702979 ) <> on Thursday October 19, 2006 @06:58PM (#16509809)
      The problem with blocking is this:
      User Content on Large/Important websites

      All a hacker must do is create a bot to make logons on some social networking sites, Flickr, Photobucket, Wikipedia, etc. and redirect the captchas to a legitimate pornography site to have real humans crack them. Once the bots are on the sites, thousands of them can upload content with encrypted steganographic messages. In the case of pictures they will be undetectable, since encrypted messages show up as noise, just as is introduced by a camera.
      Now you have a large, distributed control network that can be self-healing (give status updates to each other, have a web of control instead of a single link, dead peer detection, peer sharing, etc.)

      How would one fight that?
      • Demand that law enforcement do their job and start putting these kids in jail. Sure, I know that current law enforcement is absolutely clueless, but that's not our problem. All the feds would have to do is stop the goddamned "war" for a day, and they'd have enough budget to hire and train some smart people who can track these people down, and put them in jail.

        Hey, I can dream, right?
        • I don't know, if the hacker has a few profiles on MySpace, a couple of Flickr galleries, etc. and a 'core network' of bots that visit those pages (so the feds can't simply find an insanely popular page to blame as the root) he could hide VERY effectively. Law enforcement or not, there are more ways for these guys to go underground than we have ways of stopping them.
      • Re: (Score:2, Insightful)

        by nevesis ( 970522 )
        You're absolutely right. Luckily, this level of sophistication has not yet been seen in botnets. Luckily, most botnets are operated by 14 year old irc warriors. So, please, don't start coding black hat. :P
    • The botmaster can also just use (multiple) backup server(s). Then you'll have to get the software of the bot and somehow find all the servers to close down. Another way: each bot has addresses for a couple of other bots, so you only have to find one. (Of course, then your botnet could be stolen by just finding one, though.) Also note other replies. (OK, I don't know much about this, correct me if I am wrong...)
      • by Talchas ( 954795 )
        (Of course, then your botnet could be stolen by just finding one, though.)
        And of course they can prevent that by using cryptographically signed messages.
  • by blindd0t ( 855876 ) on Thursday October 19, 2006 @05:34PM (#16508729)
    What concerns me is how many companies would respond to this. Unfortunately, the threat of IM viruses brought on a corporate IM client at a company I formerly worked for (and I enjoyed working for them immensely). While I admit it was good that you always knew how you could instant message someone within the company, they were planning on eventually blocking all other IM clients. This move surprised me, however, as I used other IM clients to communicate with my primary contacts who were employed by our client. This was essential to me since our group focused on working for clients all over the U.S. remotely. The same could happen with web browsing should this occur, unfortunately. If they are unable to deter these outbound connections easily (which would be the case if it were on port 80), they will likely try to filter as much as possible as a deterrent. We already know how limiting such proxying and filtering can be; it would be a real pain to have to deal with that on a regular basis.
  • You would think the smell would give them away.
  • Well, duh. (Score:2, Funny)

    by dangitman ( 862676 )
    The zombies are the ones screaming "BRRAAAAAAAIIIIINNNS!"
  • by metamatic ( 202216 ) on Thursday October 19, 2006 @07:23PM (#16510107) Homepage Journal
    at 19:00
    at 19:30
    at 23:00

    Move along humans, nothing to see here.
  • how comforting (Score:4, Insightful)

    by Jasper__unique_dammi ( 901401 ) on Thursday October 19, 2006 @07:37PM (#16510293)
    At the end of the article: "That said, the good guys control the infrastructure, so we ultimately have the last word. If we don't like what they're doing, we can shut them down."

    That's a good one. Remember, if I ever get life-threateningly sick, I can always shoot myself. (That will teach those viruses/bacteria/cancer cells!)
  • by kjs3 ( 601225 )
    Apparently with 60 comments posted I'm the first one to think "no shit... botnet ops getting smarter... covert channels getting more covert... who'da'thunk'it". Botnet interdiction based on ferreting out the control nexus will work in the long run about as well as drug interdiction.
  • Oh great :( (Score:1, Offtopic)

    by nickos ( 91443 )
    I thought I'd been clever on the blog I run for an open source project of mine by stripping all links from comments. Now I'll have to try to strip bot commands too :(
  • Aheh (Score:4, Funny)

    by mgabrys_sf ( 951552 ) on Thursday October 19, 2006 @08:22PM (#16510811) Journal
    Soooo was it really that smart to post a news story with a headline like that so close to Halloween?

    I'm guessing not - with my big juicy tasty brain dripping with brainy goodness.

    Come and get it!
  • Ah, web traffic. At first I pictured zombies wandering the streets of NYC and nobody noticing...

  • configure them to read memes - they fit right in
    • I'll just have my bots read slashdot [and] configure them to read memes - they fit right in

      I, for one, welcome our meme-reading overlords!
  • If the zombie hordes are getting smarter and they still require stupid humans to provide the medium for their existence, how long will it be before the zombies are smarter than the people owning the computers they live on? - Or has this actually happened already?
  • If they were at all really interested in being the regular traffic, and maybe using more resources than they do, their bots would have HTTP request capability and view webpages for their
    content so as to retrieve cleverly hidden commands in the text of the web page, so that someone's blog would contain commands for Alpha one, and Alpha two, with dates.

    This is the same tactic regularly used by our own secret agencies and the terrorists while
    communicating with each other. They blend their text into the newspap
