Zombies Blend In With Regular Web Traffic
An anonymous reader writes "Hackers controlling farms of zombie computers are now trying to blend in with web traffic, News.com reports. Instead of traditional IRC controls, many zombie farms are moving to simple web-based control schemes, which makes them harder to track down." From the article: "The change in tactics makes it harder to identify zombies on a network, and it becomes tougher for security professionals to use the hackers' own tools to spy on them. In addition, the switch to Web-based control increases the threat of zombies to enterprises and other organizations, as that method can't be blocked as easily as the previous technique."
But how do you differentiate the zombies from your standard brain-dead AOL users?
I guess either way, you should just aim for the head.
The theory of relativity doesn't work right in Arkansas.
"Hackers controlling farms of zombie computers are now trying to blend in with web traffic"
:) That'll look like normal web-traffic.
If you really want to blend in, send out your Zombie commands via Myspace profiles.
"Everything you know is wrong. (And stupid.)"
Moderation Totals: Wrong=2, Stupid=3, Total=5.
I guess I'm probably stating the obvious, but it seems like Google, Yahoo, and other online cost-per-click advertising portals are most vulnerable to the new type of zombie farms. I wonder if they would employ some of the vast resources (if they aren't already) in fighting this problem?
Crack - Free with every butt and set of boobs
I see zombies hanging out at the local Starbucks all the time trying to blend in. The only thing that blends is their coffee.
But how do you differentiate the zombies from your standard brain-dead AOL users?
Zombies have hopes, dreams and ambitions.
Funny this story should come up today. My community website has been getting attacked for the last couple of days by a botnet (I think) of zombie computers. I wrote the Spambot Trap article that was published here in 2002, and I've been using the trap successfully to block spambots ever since. Usually, the block list is a couple of dozen repeat offenders. But day before yesterday, it suddenly spiked up - there were dozens of spambots coming in from all kinds of different IP addresses. I'm pretty sure it's a botnet of zombies, because a) they all report exactly the same User-Agent, and b) they all come in directly to the guestbooks and forums (probably using a search engine) and c) all the IP addresses resolve to dialup, cable or DSL accounts (some businesses too). It's getting a bit much, because the block list has suddenly ballooned to over 160, constantly changing. The trap is coping ok, because the blocks will fall off after a while (the block time goes up as the power of 2 for each repeated offence). I have added some logfile snapshots to the article. (Look down the page to see how the number of blocks has suddenly increased in the last couple of days, and also notice how all the browsers are identical). I think this is some kind of virus that may still be spreading, because the number is only increasing.
Anybody else seeing this kind of stuff happening?
Google has the power to stop them, they know who they are, Google through Adsense even knows their home addresses, if only those poor 14 guys observing thousands of websites at the Adsense-war-room could be bothered to actually work during working hours.
"Dictator Flakes. They WILL be delicious."
Everyone blocked all ports except 80 because MS couldn't be bothered to fix system security.
;)
Now you have to block port 80 as well... Good luck with that
The bad guys have orders of magnitude more money behind them than the good guys, it's obvious who will win.
- Adam L. Beberg - The Cosm Project - http://www.mithral.com/
Ooops, missed the "web" part. Was picturing the undead in the car next to me in the morning commute.
For that matter, with the way we all look and act in the AM, no one would recognize a real zombie if it reared up and bit you on the brain.
"As God is my witness, I thought turkeys could fly." A. Carlson
HUMANS: Disregard article. Not equals true.
ZOMBIES: Protocol Co08Suy6r45: Attack 216.239.122.200
I for one welcome our new undead overlords?
It has turned out that real life zombies are trying the idea from their digital counterparts
When trying to enter crowded areas such as shopping malls to feast upon the flesh of the living, the RL zombies have been spotted muttering the word "starbucks" instead of their signature phrase "brains." This makes it difficult to spot them among the other hordes of people that instead of needing their tasty flesh kick, need their caffeine kick.
This behavior change baffled security experts, Bruce Campbell and Milla Jovovich. They were confused at first but have things figured out. They will be issuing a statement to the press that will be a new description on how one can spot a zombie. This will be a clear description of appearance and behavior patterns that no longer rely on hearing the signature phrase "brains."
C'mon pals, it's fun: http://malfy.org/
"The Spamhaus Exploits Block List (XBL) is a realtime database of IP addresses of illegal 3rd party exploits, including open proxies (HTTP, socks, AnalogX, wingate, etc), worms/viruses with built-in spam engines, and other types of trojan-horse exploits."
Declare a state of sentinEl porcupine. The colorless gReen dreams sleep furiously. Lillypond overflows with deadly bUnnies. Happy birthday WaltEr?
"...the threat of zombies to enterprises and other organizations, as that method can't be blocked as easily as the previous technique."
The cash register is nice, but personally, I think using a park bench is just plain artful...
http://ww2.capcom.com/deadrising/
If every home internet connection had a NAT router it would cut down incoming TCP80 traffic a fair amount (so long as uPNP doesn't f*ck it up anyway)
I have been a user for about 10 years. This ends Feb 2014. The site's been ruined. I'm off. Dice, FU
why not use encrypted steganography, probably even harder to deal with?
Got Code?
The problem with zombies has always been the centralization required to control them. For example, if the zombies are controlled via IRC and all pointed at EFnet, idling in #my31337botnet -- all it takes is an EFnet admin to close the channel. So the owners routed them to private IRC servers via their IP.. but now all it takes is the owner of the box or network hosting the server to shut it down. So the owners used dns so they could move the server if needed, but now all it takes is having the domain suspended or the dns removed. And now, if these bots are just polling a website for commands - it shouldn't be difficult to close the website. This problem resonates with just about any protocol used - be it IRC, AIM/ICQ, or a website. The problem is that there are more children creating ddos nets than there are good samaritans/PO'd network admins having them shut down. So join the botnets mailing list and donate an hour a week.
find \ zombie
...
feed brains appetizer
point zombie to \windows
stop feeding appetizer
Really what do you expect? When you post a direct link to your website like that machines can easily harvest it and add it to their zombie spambot lists... Really you should type it out like this so only a human can parse it...
:)
crazyguyonabike dot com
Gotta stay one step ahead of the spammers.
What concerns me is how many companies would respond to this. Unfortunately, the threat of IM viruses brought on a corporate IM client at a company I formerly worked for (and I enjoyed working for them immensely). While I admit it was good that you always knew how you could instant message someone within the company, they were planning on eventually blocking all other IM clients. This move surprised me, however, as I used other IM clients to communicate with my primary contacts who were employed by our client. This was essential to me since our group focused on working for clients all over the U.S. remotely. The same could happen with web browsing should this occur, unfortunately. If they are unable to deter these outbound connections easily (which would be the case if it were on port 80), they will likely try to filter as much as possible as a deterrent. We already know how limiting such proxying and filtering can be - it would be a real pain to have to deal with that on a regular basis.
You would think the smell would give them away.
I am not a number. I am a free man!
The zombies are the ones screaming "BRRAAAAAAAIIIIINNNS!"
... and then they built the supercollider.
Once GoDaddy gets the court order to switch off Spamhaus's domain, how will you use SBL/XBL?
FTA:
"In fighting botnets, investigators found it was relatively easy to identify zombies because of how they communicate with their masters. Most botnets today are controlled via Internet Relay Chat, or IRC, a still-active chat network that is a relic of the early days of the Net."
A relic? This is worse than hearing Pearl Jam on a classic rock radio station. Am I really that old?
Unless the web sites get indexed by Google, and zombies use specially chosen keywords to search for their latest encrypted instructions.
Or it could just be looking for a comment with a particular subject. Who knows?
p gncpgmdjhcgedgghcogkhagh
USeR l l l l
NiCK n1-e6f01a0d
USeRHOST n1-e6eb410c
JOiN #n1 nert4mp1
!Q gfcagihehehadkcpcpgngfgegjgbcohagjhihagpgogecogdg
FoRm oN mY wIng
aTtack http://www.lib.ru/
dRop sPam -tYpe:viagra tftp@*.com
In all honesty, don't you think that, somewhere along the line, some spammer has written a program that can make sense of e-mails written like that?
steve? is that you?
for a minute there, i lost myself...
I can actually imagine the botnets and the blog spammers getting together on this. Someone blasts a bunch of nonsensical comments to various blogs, wikis, guestbooks, etc. They monitor them to see which ones get cleaned up. The ones that don't get cleaned up are designated as sources for commands. Then the spambots start posting encoded commands along with the blogspam, and the zombies start reading the blogs' comments to get instructions.
Talk about a disturbing synergy.
at 19:00 target1.sh
at 19:30 target2.sh
at 23:00 spam.sh
Move along humans, nothing to see here.
GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
Aha! A botnet guy!
"Hello 911? I just tried to toast some bread, and the toaster grew an arm and stabbed me in the face!"
At the end of the article: "That said, the good guys control the infrastructure, so we ultimately have the last word. If we don't like what they're doing, we can shut them down."
That's a good one, remember if i ever get life-threateningly sick, that i can always shoot myself. (that will teach those virussus/bacteria/cancercells!)
Apparently with 60 comments posted I'm the first one to think "no shit...botnet ops getting smarter...covert channels getting more covert...who'da'thunk'it". Botnet interdiction based on ferreting out the control nexus will work in the long run about as well as drug interdiction.
I have noticed strange behavior on my blogger blog and have been trying to figure it out all day.
I run both Google analytics and my own php-based (pphlogger) counter on it. I was checking my pphlogger logs just now and noticed that yesterday evening it appears a certain IP address started scraping my blogger site. I who-is'd the IP and it comes up with a server in Israel.
Before this I was averaging several hundred hits a day. In the hours since then, I've logged only 5 or 6 hits total -- and all list the same IP address as a proxy. I've logged into my pphlogger site and all appears to be running ok.
I've tried to check my Google Analytics stats, but it hasn't updated since yesterday -- though it appears to have counted hits last night that my pphlogger counter had missed.
It struck me as fishy. Think the two are related? (Attempts to get a response from blogger on this have been futile.)
Innovation makes enemies of all those who prospered under the old regime... -- Machiavelli
I thought I'd been clever on the blog I run for an open source project of mine by stripping all links from comments. Now I'll have to try to strip bot commands too :(
>> In addition, the switch to Web-based control increases the threat of zombies to enterprises and other organizations
umm yeah lets forget about the regular home users.
Soooo was it really that smart to post a news story with a headline like that so close to Halloween?
I'm guessing not - with my big juicy tasty brain dripping with brainy goodness.
Come and get it!
Ah, web traffic. At first I pictured zombies wandering the streets of NYC and nobody noticing...
Duct tape is like the Force. It has a light side, a dark side, and it holds the universe together.
configure them to read memes - they fit right in
Starbucks, Harbuckle of Breath.
I read that first as "herpes, dreams, and ambitions." I must be tired.
Nope, just dyslexic.
If the zombie hordes are getting smarter and they still require stupid humans to provide the medium for their existence, how long will it be before the zombies are smarter than the people owning the computers they live on? - Or has this actually happened already?
"For every complex problem, there is a solution that is simple, neat, and wrong." -- H.L. Mencken (1880-1956) --
The preview page is just an additional URL - if the spambot can follow that by accident, it can just as well follow the confirmation link. To prevent bots (legitimate search engines too) from accidentally submitting forms, use the POST method instead of GET, and make sure that if the submission page is visited directly (without post parameters filled out) the submission is dropped.
It won't stop spambots that are deliberately out to submit spam (those can use POST just fine), but it will stop "accidental" submissions (including duplicate posts from people who reload the page.
If you didn't have this problem, it was probably because your form was better written, not because of the preview page.
One failsafe is to use "user at domain. com".
...
Yes, if you /know/ this is an email address, you can parse it. But what do you look for to find this on a page? The usual identifier for emails is an @ character. For a very devious spammer, "(at)", "AT", "[at]" and such will suffice. But "at" is an English word. It will occur anywhere on a page with English text.
The "dot" could in extreme cases be used. But if it's replaced by a period (and placed such that it fits with normal syntax, following a word and followed by a space), that too becomes unrecognizable. It's going to catch an enormous number of false positives.
The only remaining vulnerability is to search for "gmail", "yahoo" or "hotmail". I'm afraid I don't know a solution for that one, unless someone knows a way to mask domain names as well?
"Protect your email address: Write in leetspeak!"
I run http://www.mywebdesktop.net/ and have been advertising quite a lot with google. A month ago I received a letter to participate in a class action lawsuit against yahoo for fraud clicks (even though we have not been advertising a long time with them). However, we have been using adsense for quite some time, but no invitation to participate in a lawsuit there. A class action against Google next?
"instead of writing 'user at example dot com' you would write 'user at example dot com'" An over-eager text filter, I presume? :)
Isn't this being reported elsewhere?
The only remaining vulnerability is to search for "gmail", "yahoo" or "hotmail". I'm afraid I don't know a solution for that one, unless someone knows a way to mask domain names as well? ...
One trick I've seen used from time to time is to describe the domain - e.g. hotmail becomes "the mail that's hot", gmail might become "google's email thing", and so on. I've no idea how effective it is, but with so many different possibilities coding something to parse them all isn't something I'd want to have to do.
It's official. Most of you are morons.
And, of course, we can usually count on the large amounts of people who don't bother as enough of a protection. Nobody would want to write the ultimate email harvester when there are plenty of addresses without obfuscation.
Your bicycle doesn't need to be impossible to steal, just harder to steal than the one next to it.
If they were at all really interested in being the regular traffic, and maybe using more resources than they do, their bots would have HTTP request capability and view webpages for their content so as to retrieve cleverly hidden commands in the text of the web page, so that someone's blog would contain commands for Alpha one, and Alpha two, with dates.
This is the same tactic regularly used by our own secret agencies and the terrorists while communicating with each other. They blend their text into the newspapers, blogs, normal web pages etc...
The HTTP request would parse out most of the text, and would have to be coded in binary for the url to avoid detection or an actual http request in order to further avoid detection by the antivirus and adware killers!
Now that i have given out the secret let's sit back and watch how much more the internet will be interesting!!!
: )
So is my argument valid after s/GoDaddy/Tucows/g ?
Actually, I had always used POST on my contact form. Simply adding the preview step got rid of the spam. Also, you can use robots.txt to keep legitimate crawlers out of your posting pages (by and large - the contact form for the webmaster may be an exception).
I think the spambots find "likely looking" forms that seem to be for posting on guestbooks or forums (or contacting someone off a page like that). They then use heuristics to try to fill it in by looking for fields like "name" and "email". They then submit the form. But so far they don't appear to anticipate any preview page, or else they just assume that a site with something else after the initial POST is too complicated to work out automatically, I don't really know. All I do know is that I always used POST, and I was getting spam through the contact form. But then I added the preview step, and the spam stopped. I still saw bots hitting the page and making POSTs, but they only do it once. Go figure...
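The form-handling advice in this thread (reject GET, drop a direct visit that carries no form data, and put a preview step between the first POST and the final post) fits in one request handler. The code below is an added example rather than either commenter's site code; it is framework-independent and takes the HTTP method and a dict of parameters. The preview step is made robust with an assumed per-site secret: the preview page returns an HMAC over the submitted fields, and the confirmation POST must carry that token back, so a bot that posts once and never returns for the second step never gets anything published, and a client cannot skip straight to the confirm stage with made-up data.

```python
import hmac
import hashlib

# Assumed per-site secret; in a real deployment load it from configuration.
SECRET_KEY = b"constructed-demo-secret"

REQUIRED = ("name", "email", "message")


def preview_token(fields):
    """HMAC over the canonicalised form fields, binding the confirm step to the preview."""
    msg = "\x00".join(f"{k}={fields[k]}" for k in sorted(fields)).encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def handle_submission(method, params):
    """Returns (status_code, outcome).

    outcome is one of:
      "method not allowed"  - anything but POST (crawlers following a link)
      "dropped"             - POST without the form fields (direct visit)
      ("preview", token)    - first POST: show the preview page with a token
      "bad preview token"   - confirm POST whose token does not match the fields
      "posted"              - confirm POST with a valid token
    """
    if method != "POST":
        return 405, "method not allowed"
    params = params or {}
    if any(not params.get(k) for k in REQUIRED):
        return 400, "dropped"
    fields = {k: params[k] for k in REQUIRED}
    if params.get("stage") != "confirm":
        return 200, ("preview", preview_token(fields))
    if not hmac.compare_digest(params.get("token", ""), preview_token(fields)):
        return 400, "bad preview token"
    return 201, "posted"


if __name__ == "__main__":
    # Constructed walk-through of the two-step flow.
    data = {"name": "alice", "email": "alice@example.org", "message": "hello"}
    print(handle_submission("GET", data))
    print(handle_submission("POST", {}))
    status, (_, token) = handle_submission("POST", data)
    print(status, token)
    print(handle_submission("POST", {**data, "stage": "confirm", "token": token}))
    print(handle_submission("POST", {**data, "stage": "confirm", "token": "x"}))
```

Keep the confirm step a POST as well; a robots.txt Disallow on the posting paths, as the second comment suggests, keeps well-behaved crawlers away, while the token makes sure the preview cannot be bypassed by bots that ignore it.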
As a precaution for the future, we the technicians should also think about a robust, distributed architecture for RBL querying that would be in effect lawyerproof. Cryptography then can secure the integrity of the data, while the database itself that is queried will be hidden from direct reach of not only the self-nominated "authorities" but also of various denial-of-service attacks that took down some other RBLs. Think about it as a DoS preventing architecture and count lawsuits as one of the attack vectors. If a judge's decision can't be enforced, it's irrelevant; and I, for one, will opt for querying a service declared illegal if it means less spam for mailboxes I admin.
The same architecture will be handy for other kinds of DNS-like queries, supplying information potentially unfriendly to big corporations (eg. eco-friendliness of products or active boycotts of vendors), and potentially for making the DNS itself more robust.
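Several comments in this thread touch on DNS-based blocklists: the Spamhaus XBL description, the question of what happens to SBL/XBL queries if the zone's domain is switched off, and the call just above for a query architecture that survives attacks on the list. A concrete piece of that robustness belongs on the querying side, and the following added example (not Spamhaus code, and not any commenter's) shows it: a DNSBL query is the reversed IPv4 octets under the list's zone, and a listing is conveyed by an answer in 127.0.0.0/8. A client that treats any answer at all as "listed" will block the whole internet the day the zone's domain is parked or wildcarded, so the check below only trusts 127/8 answers and reports anything else separately. It runs offline against a constructed stub zone; a live resolver using the standard library is included but not used by default.

```python
import ipaddress
import socket

# Placeholder zone name; not a real DNSBL.
ZONE = "xbl.example.invalid"

# Constructed stub zone standing in for a live list.
STUB_ZONE = {
    "4.3.2.1." + ZONE: "127.0.0.4",     # 1.2.3.4 listed, return code 127.0.0.4
    "8.7.6.5." + ZONE: "192.0.2.50",    # 5.6.7.8 answered with a non-127/8 address,
                                        # the shape of a parked or wildcarded domain
}


def stub_resolve(name):
    """Offline resolver: returns the A record from the constructed zone or None."""
    return STUB_ZONE.get(name)


def live_resolve(name):
    """Real resolver for use outside the example; NXDOMAIN and errors map to None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def dnsbl_query_name(ip, zone=ZONE):
    """Build the DNSBL query name: octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def check(ip, zone=ZONE, resolve=stub_resolve):
    """Classify a source address against the list.

    Returns "listed" only for answers inside 127.0.0.0/8; "not_listed" for no
    answer; "suspicious_answer" for anything else so the caller can fail open
    and raise an alarm instead of rejecting all mail.
    """
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return "not_listed"
    if ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8"):
        return "listed"
    return "suspicious_answer"


def return_code(ip, zone=ZONE, resolve=stub_resolve):
    """Last octet of a 127/8 answer, which lists use to encode the listing reason; None otherwise."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None or check(ip, zone, resolve) != "listed":
        return None
    return int(answer.split(".")[-1])


if __name__ == "__main__":
    for ip in ("1.2.3.4", "5.6.7.8", "9.9.9.9"):
        print(ip, dnsbl_query_name(ip), check(ip), return_code(ip))
```

A mail server that plugs `check` into its policy should treat "suspicious_answer" as a reason to page an operator and stop consulting that zone, which is exactly the failure a domain takedown or takeover would otherwise turn into a self-inflicted outage.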