Zombies Blend In With Regular Web Traffic 117
An anonymous reader writes "Hackers controlling farms of zombie computers are now trying to blend in with web traffic, News.com reports. Instead of traditional IRC controls, many zombie farms are moving to simple web-based control schemes, which makes them harder to track down." From the article: "The change in tactics makes it harder to identify zombies on a network, and it becomes tougher for security professionals to use the hackers' own tools to spy on them. In addition, the switch to Web-based control increases the threat of zombies to enterprises and other organizations, as that method can't be blocked as easily as the previous technique."
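The article's point is that a zombie polling a web page for orders looks like any other HTTP client, so port-based blocking stops working. What does not blend in is the schedule: a bot fetches its control resource at fixed intervals, while a person browsing the same site does not. The following is an added example (not code from the article or from this thread) of a crude beacon detector run over a few constructed proxy-log lines; the log format, host names and addresses are invented for the example.

```python
"""Flag hosts that poll the same web resource at suspiciously regular intervals.

Added example (not from the Slashdot thread or the News.com article): a crude
beacon detector over constructed proxy-log lines. Web-based zombie control
looks like ordinary HTTP, but a bot polling its control page tends to do so on
a fixed schedule, whereas a human browsing the same site does not.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed sample log: "<ISO timestamp> <client> GET <url> <status>"
SAMPLE_LOG = """\
2006-10-26T09:00:00 10.0.0.5 GET http://blog.example.net/comments/42 200
2006-10-26T09:05:00 10.0.0.5 GET http://blog.example.net/comments/42 200
2006-10-26T09:10:00 10.0.0.5 GET http://blog.example.net/comments/42 200
2006-10-26T09:15:00 10.0.0.5 GET http://blog.example.net/comments/42 200
2006-10-26T09:20:00 10.0.0.5 GET http://blog.example.net/comments/42 200
2006-10-26T09:25:00 10.0.0.5 GET http://blog.example.net/comments/42 200
2006-10-26T09:01:12 10.0.0.7 GET http://news.example.org/ 200
2006-10-26T09:01:40 10.0.0.7 GET http://news.example.org/story/1 200
2006-10-26T09:14:03 10.0.0.7 GET http://news.example.org/story/7 200
2006-10-26T09:31:55 10.0.0.7 GET http://news.example.org/ 200
2006-10-26T10:02:09 10.0.0.7 GET http://news.example.org/story/9 200
2006-10-26T11:45:30 10.0.0.7 GET http://news.example.org/ 200
"""


def parse_log(text):
    """Yield (timestamp, client, url) from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url, _status = line.split()
        yield datetime.fromisoformat(ts), client, url


def find_beacons(text, min_requests=5, max_cv=0.1):
    """Return {(client, host): mean_interval_seconds} for regular pollers.

    A (client, host) pair is reported when it has at least `min_requests`
    requests and the coefficient of variation (stdev / mean) of the gaps
    between consecutive requests is at most `max_cv`. Human browsing gives
    bursty, irregular gaps; a timer-driven bot gives nearly constant ones.
    """
    times = defaultdict(list)
    for ts, client, url in parse_log(text):
        times[(client, urlsplit(url).netloc)].append(ts)
    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons[key] = avg
    return beacons


if __name__ == "__main__":
    for (client, host), interval in find_beacons(SAMPLE_LOG).items():
        print(f"{client} polls {host} every {interval:.0f}s")
```

Grouping by host rather than full URL matters: a bot that rotates between several comment pages on the same blog still shows up as one regular poller. Real bots add jitter, so in practice the `max_cv` threshold is tuned against the site's normal traffic rather than set to one value.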
brains (Score:5, Funny)
But how do you differentiate the zombies from your standard brain-dead AOL users?
I guess either way, you should just aim for the head.
Easy to tell... (Score:5, Funny)
Zombies have hopes, dreams and ambitions.
Re: (Score:1, Funny)
Re:Easy to tell... (Score:4, Funny)
Re:brains (Score:4, Funny)
You never find them together. Why? Zombies like braaaaaains...
Re:brains (Score:5, Funny)
17556639 how to kill your wife
17556639 how to kill your wife
17556639 wife killer
17556639 how to kill a wife
17556639 poop
17556639 dead people
17556639 pictures of dead people
17556639 killed people
17556639 dead pictures
17556639 dead pictures
17556639 dead pictures
17556639 murder photo
Re:brains (Score:4, Funny)
Re:brains (Score:5, Funny)
Actually, I think that's just a regular AOL user. I think a more likely zombie is user #17293141:
17293141 brains
17293141 brains
17293141 brains
17293141 brains
17293141 brains
17293141 brains
17293141 brains
17293141 brains
17293141 brains
17293141 brains
17293141 brains
17293141 brains
Re: (Score:1)
Re: (Score:1)
Re:brains (Score:4, Funny)
What good will that do? In both cases the bullet will just fly through a big empty space.
So then...? (Score:5, Funny)
If you really want to blend in, send out your Zombie commands via Myspace profiles.
Re: (Score:2)
If you really want to blend in, send out your Zombie commands via Myspace profiles. :) That'll look like normal web-traffic.
That's crazy, network engineers at a company will block MySpace even if they happen to notice traffic there that isn't botnet control traffic. Use comments from a user here on Slashdot and the network and security guys will leave it open just in case it is one of their scripts they forgot about :)
You've got a point (Score:5, Interesting)
I can actually imagine the botnets and the blog spammers getting together on this. Someone blasts a bunch of nonsensical comments to various blogs, wikis, guestbooks, etc. They monitor them to see which ones get cleaned up. The ones that don't get cleaned up are designated as sources for commands. Then the spambots start posting encoded commands along with the blogspam, and the zombies start reading the blogs' comments to get instructions.
Talk about a disturbing synergy.
Re: (Score:3, Interesting)
I've used this particular group to track spam trends. For instance, look at the spam boomlet in this group at the end of 2003 after the Sobig worm (http://en.wikipedia.org/wiki/Sobig_worm) did its damage.
Impact to advertising (Score:5, Interesting)
Re:Impact to advertising (Score:4, Insightful)
Re: (Score:1)
Re: (Score:1)
Classaction lawsuits (Score:1)
Are you kidding?! (Score:3, Funny)
Re: (Score:2, Funny)
Re: (Score:3, Informative)
Zombie spambots are attacking my site as we speak (Score:5, Interesting)
Anybody else seeing this kind of stuff happening?
Re: (Score:3, Funny)
crazyguyonabike dot com
Gotta stay one step ahead of the spammers.
Re: (Score:1)
Re: (Score:3, Interesting)
Yes, if you
The "dot" could in extreme cases be used. But if it's replaced by a period (and placed such that it fits with normal syntax, following a word and follow
Re: (Score:2)
One trick I've seen used from time to time is to describe the domain - e.g. hotmail becomes "the mail that's hot", gmail might become "google's email thing", and so on. I've no idea how effective it is, but with so many different possibilities coding something to parse them all isn't something I'd want to have to do.
Re:Zombie spambots are attacking my site as we spe (Score:1)
I run both Google Analytics and my own php-based (pphlogger) counter on it. I was checking my pphlogger logs just now and noticed that yesterday evening it appears a certain IP address started scraping my blogger site. I whois'd the IP and it comes up with a server in Israel.
Before this I was averaging several hundred hits a day. In the hours since then, I've logged only 5 or 6 hits total -- and all list the
Re:Zombie spambots are attacking my site as we spe (Score:1)
The preview page is just an additional URL - if the spambot can follow that by accident, it can just as well follow the confirmation link. To prevent bots (legi
Re: (Score:2)
I think the spambots find "likely looking" forms that seem to be for posting on guestbooks or forums (or contacting someone off a page like that). They then use heuristics to try to fill it in by looking for fields like "name" and "email". They then su
Re: (Score:2)
The Zombie Survival Guide (Score:5, Funny)
Re: (Score:3, Informative)
HA HA!!!! (Score:3, Interesting)
Now you have to block port 80 as well... Good luck with that
The bad guys have orders of magnitude more money behind them than the good guys; it's obvious who will win.
NAT! (Score:4, Insightful)
Re: (Score:2)
I'm confused. Microsoft has more money than the hackers...Microsoft is the bad guy?
But aren't hackers bad?
So...who are the good people? Victims of botnet attacks?
They may have less money of their own, but they do have Microsoft and the federal government of many countries on their side.
So the good people might not be able to win, but they've got bad people of their own.
I don't think it matters, th
Re: (Score:1)
Proxies are their own kind of problem, but with one you can block all outbound access from a workstation without authentication... unless it's absolutely required by bad software. Even then you can restrict it.
Zombies blend in with Traffic? (Score:4, Funny)
For that matter, with the way we all look and act in the AM, no one would recognize a real zombie if it reared up and bit you on the brain.
Re: (Score:1)
I am not a robot (Score:1)
ZOMBIES: Protocol Co08Suy6r45: Attack 216.239.122.200
Re: (Score:1)
This would look like legitimate web traffic. It would also be hard to fight, as the zombies could be programmed with a list of several names in case one gets banned, should the scheme even be discovered. The zombie instructions would also time out after a certain predictable period of time, as stories fall off the homepage,
Obligatory karma loss (Score:4, Funny)
Re: (Score:1)
Spamhaus saves the day again? (Score:5, Interesting)
"The Spamhaus Exploits Block List (XBL) is a realtime database of IP addresses of illegal 3rd party exploits, including open proxies (HTTP, socks, AnalogX, wingate, etc), worms/viruses with built-in spam engines, and other types of trojan-horse exploits."
Spamhaus is in legal trouble (Score:3, Interesting)
Once GoDaddy gets the court order to switch off Spamhaus's domain, how will you use SBL/XBL?
Re: (Score:2)
Use their other domain? The one that they registered in their home country perhaps? (Hint: add
Re: (Score:2)
Re: (Score:2)
Re:Lockout chip business model (Score:2)
As a precaution for the future, we the technicians should also think about a robust, distributed architecture for RBL querying that would be in effect lawyerproof. Cryptography then can secure the integrity of the data, while the database itself that is queried will be hidden from direct reach of not only the self-nominated "authorities" but also of various denial-of-service attacks that took down some other RBLs. Think about it
Thank you for the correction (Score:1)
So is my argument valid after s/GoDaddy/Tucows/g ?
Re: (Score:1)
DNSBLs provide a great way to have community-based blocklists. Pick the ones that agree most with your own policy. I recommend spamhaus but also use spamcop and dsbl.org since they're a bit faster and better suited for preventing the most current attacks.
My plugin is for ruby on rails (just drop it in and go) but sh
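For anyone who wants to see what a DNSBL query actually is, here is an added example (not the Rails plugin above and not Spamhaus code) that does the lookup in Python. A DNSBL check is an ordinary A-record query: reverse the octets of the address, append the list's zone, and read the 127.0.0.x answer, with NXDOMAIN meaning "not listed". The zone and return-code table are those Spamhaus publishes for ZEN, which combines the SBL, XBL and PBL; the resolver is pluggable, and the constructed `FAKE_ANSWERS` table exists only so the function can be exercised offline.

```python
"""Look an IPv4 address up in a DNS-based blocklist (DNSBL).

Added example; not code from the thread's Rails plugin or from Spamhaus.
A DNSBL query is an ordinary A lookup: reverse the address's octets, append
the list's zone, and interpret the 127.0.0.x answer (NXDOMAIN means "not
listed"). The zone and return codes below are the ones Spamhaus publishes
for ZEN (SBL + XBL + PBL). The resolver is pluggable so the function can be
exercised offline with constructed answers.
"""
import ipaddress
import socket

ZEN_ZONE = "zen.spamhaus.org"

# Spamhaus ZEN return codes as publicly documented by Spamhaus.
ZEN_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL CSS",
    "127.0.0.4": "XBL",
    "127.0.0.5": "XBL",
    "127.0.0.6": "XBL",
    "127.0.0.7": "XBL",
    "127.0.0.10": "PBL",
    "127.0.0.11": "PBL",
}


def dnsbl_query_name(ip, zone=ZEN_ZONE):
    """Build the reversed-octet query name, e.g. 4.3.2.1.zen.spamhaus.org."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def live_resolver(name):
    """Resolve with the system resolver; None on NXDOMAIN or any failure."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def dnsbl_lookup(ip, resolver=live_resolver, zone=ZEN_ZONE, codes=ZEN_CODES):
    """Return the listing label for `ip`, or None if it is not listed.

    An answer outside the documented codes is reported as UNKNOWN rather
    than treated as clean, so a hijacked, wildcarded or misconfigured zone
    does not silently pass everything.
    """
    answer = resolver(dnsbl_query_name(ip, zone))
    if answer is None:
        return None
    if answer in codes:
        return codes[answer]
    return f"UNKNOWN ({answer})"


# Constructed answers for offline use (a pretend zone, not real list data).
# 127.0.0.2 is the conventional DNSBL self-test address; 192.0.2.0/24 is
# documentation space, so nothing here refers to a real host.
FAKE_ANSWERS = {
    "2.0.0.127.zen.spamhaus.org": "127.0.0.2",
    "10.2.0.192.zen.spamhaus.org": "127.0.0.4",
    "12.2.0.192.zen.spamhaus.org": "127.0.0.99",
}


def fake_resolver(name):
    """Stand-in resolver that answers only from the constructed table."""
    return FAKE_ANSWERS.get(name)


if __name__ == "__main__":
    for ip in ("127.0.0.2", "192.0.2.10", "192.0.2.11", "192.0.2.12"):
        print(ip, "->", dnsbl_lookup(ip, resolver=fake_resolver))
```

Two practical notes: query the list through a resolver you control rather than a large public one, since most DNSBL operators rate-limit or block shared resolvers, and treat a PBL hit differently from an XBL hit (the PBL marks address space that should not be sending mail directly at all, the XBL marks hosts observed to be compromised), which is why the function returns the label instead of a bare boolean.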
Zombie steganography. (Score:2)
crude but effective (Score:1)
The cash register is nice, but personally, I think using a park bench is just plain artful...
http://ww2.capcom.com/deadrising/
zombie control by steganography (Score:4, Interesting)
Re: (Score:2)
either 500k aol users figured out how to look at disgusting porn on freenet overnight, or they're all zombies.
The idea is for the zombies to blend in with the normal net users, not the nerdiest of the slashdotters.
Centralized botnet control (Score:5, Insightful)
Re: (Score:2)
You think so? Imagine a bot that loads /. and looks for a comment from anyone that has a specific checksum. Once found, the owner's journal is accessed and the instructions are loaded. For example. How do you close /. ?
Re: (Score:2)
I believe that is how they reverse-engineered a worm some time ago. If it did not find its command host it would look to the next generated hostname in its list. While the domain may not have been registered, it would have gone down the list checking one generated host after another until it found its home again. The problem is, once you understand the algorithm it isn't difficult to step ahead of the path.
I can't remember if it was a list or a
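Even without knowing the generation algorithm, a bot that walks a list of candidate command hosts leaves a trail: a burst of NXDOMAIN answers for names nobody else ever asks about. The following is an added example (not code from this thread) that scans constructed resolver-log lines and reports clients that hit many distinct non-existent names inside a short window; the log format, addresses and names are invented for the example.

```python
"""Spot hosts walking a list of generated command-host names.

Added example, not code from the thread. A bot that tries one generated
hostname after another until one resolves leaves a trail of NXDOMAIN answers
for names nobody else asks about. This scans constructed resolver-log lines
and reports clients that hit many distinct non-existent names inside a short
window, which is a usable alert even when the generator itself is unknown.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log: "<ISO timestamp> <client> <queried name> <rcode>"
SAMPLE_DNS_LOG = """\
2006-10-26T08:00:01 10.0.0.9 qhxvbp7k.example.com NXDOMAIN
2006-10-26T08:00:02 10.0.0.9 wq3zrtl0.example.com NXDOMAIN
2006-10-26T08:00:03 10.0.0.9 mn8sdcxe.example.com NXDOMAIN
2006-10-26T08:00:04 10.0.0.9 ppl2qzov.example.com NXDOMAIN
2006-10-26T08:00:05 10.0.0.9 ktr5yuwa.example.com NXDOMAIN
2006-10-26T08:00:06 10.0.0.9 zvb0hnqs.example.com NXDOMAIN
2006-10-26T08:00:07 10.0.0.9 ctrl-cache.example.com NOERROR
2006-10-26T08:00:03 10.0.0.4 www.example.org NOERROR
2006-10-26T08:00:05 10.0.0.4 wwww.example.org NXDOMAIN
2006-10-26T08:00:06 10.0.0.4 www.example.org NOERROR
2006-10-26T08:45:00 10.0.0.4 mail.exmaple.org NXDOMAIN
2006-10-26T09:10:00 10.0.0.4 intranet NXDOMAIN
"""


def parse_dns_log(text):
    """Yield (timestamp, client, qname, rcode) from the constructed format."""
    for line in text.splitlines():
        if line.strip():
            ts, client, qname, rcode = line.split()
            yield datetime.fromisoformat(ts), client, qname.lower(), rcode


def nxdomain_walkers(text, window_seconds=60, threshold=5):
    """Return {client: most distinct NXDOMAIN names seen in any one window}.

    Only clients reaching `threshold` are returned. Distinct names are
    counted, so a single typo retried many times (or an ordinary user
    mistyping a few names over a morning) does not raise an alert, while a
    bot probing a fresh list of candidates does.
    """
    events = defaultdict(list)
    for ts, client, qname, rcode in parse_dns_log(text):
        if rcode == "NXDOMAIN":
            events[client].append((ts, qname))
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for client, items in events.items():
        items.sort()  # by timestamp, then name
        best = 0
        for i, (start, _) in enumerate(items):
            # Distinct names from this event forward that fall in the window.
            names = {q for t, q in items[i:] if t - start <= window}
            best = max(best, len(names))
        if best >= threshold:
            flagged[client] = best
    return flagged


if __name__ == "__main__":
    for client, count in nxdomain_walkers(SAMPLE_DNS_LOG).items():
        print(f"{client}: {count} distinct NXDOMAIN names within 60s")
```

The last NOERROR line for 10.0.0.9 is the interesting follow-up for an analyst: the name that finally resolved right after the burst is the one worth looking at, and the same log gives it to you. For a large resolver, keep the per-client event lists bounded (drop events older than the window as you go) instead of holding the whole day in memory as this small version does.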
Re: (Score:2)
On every Monday the comment must contain the words "literally" and "exact", and the checksum from start to finish should be 0xF4. If that is true, then the checksums of the first four words of the second sentence indicate the IP to access for further instructions.
Even if you know all this, h
Re: (Score:2)
-1 Botnet command?
Re: (Score:2)
Re: (Score:1)
Google? (Score:5, Insightful)
Unless the web sites get indexed by Google, and zombies use specially chosen keywords to search for their latest encrypted instructions.
Re: (Score:2, Funny)
Re: (Score:2)
Unless the web sites get indexed by Google, and zombies use specially chosen keywords to search for their latest encrypted instructions.
Could be slow. Better for the botnet herders to buy Google AdWords adverts on obscure keywords using a stolen credit card, or make use of Google's free $50 coupons when they offer them.
Rich.
Re: (Score:2)
Re: (Score:1, Insightful)
We need significantly improved average-host security and strong/proactive ISP level detection/countermeasures to make a real
Re:Centralized botnet control (Score:4, Insightful)
User Content on Large/Important websites
All a hacker must do is create a bot to make logons on some social networking sites, flickr, photobucket, wikipedia, etc. and redirect the captchas to a legitimate pornography site to have real humans crack. Once the bots are on the sites, thousands of them can upload content with encrypted steganographic messages. In the case of pictures they will be undetectable, since encrypted messages show up as noise, just as is introduced by a camera.
Now you have a large, distributed control network that can be self-healing (give status updates to each other, have a web of control instead of a single link, dead peer detection, peer sharing, etc.).
How would one fight that?
Re: (Score:1)
Hey, I can dream, right?
Re: (Score:2)
Re: (Score:2, Insightful)
Re: (Score:1)
The only development base I know is Linux. Not so great for viri.
Re: (Score:1)
Re: (Score:1)
The enterprise response (Score:4, Interesting)
Zombies blend in? (Score:1)
Re: (Score:2)
Well, duh. (Score:2, Funny)
Attention my lovely zombie army #5yd7a8 (Score:5, Funny)
at 19:30 target2.sh
at 23:00 spam.sh
Move along humans, nothing to see here.
how comforting (Score:4, Insightful)
That's a good one. Remember, if I ever get life-threateningly sick, I can always shoot myself. (That will teach those viruses/bacteria/cancer cells!)
Duh? (Score:2)
Oh great :( (Score:1, Offtopic)
Aheh (Score:4, Funny)
I'm guessing not - with my big juicy tasty brain dripping with brainy goodness.
Come and get it!
Zombies blend in with traffic? (Score:2)
I'll just have my bots read slashdot (Score:1)
Re: (Score:1)
I, for one, welcome our meme-reading overlords!
Smarter? (Score:2)
IF THEY WERE REALLY SMART (Score:1)
content so as to retrieve cleverly hidden commands in the text of the web page, so that someone's blog would contain commands for Alpha one, and Alpha two, with dates.
This is the same tactic regularly used by our own secret agencies and the terrorists while
communicating with each other. They blend their text into the newspap
Re: (Score:1)
Re: (Score:2)
Simple solution, of course, to IRC filtering is to use SSL.