Slashdot Mirror


Zombies Blend In With Regular Web Traffic

An anonymous reader writes "Hackers controlling farms of zombie computers are now trying to blend in with web traffic, News.com reports. Instead of traditional IRC controls, many zombie farms are moving to simple web-based control schemes, which makes them harder to track down." From the article: "The change in tactics makes it harder to identify zombies on a network, and it becomes tougher for security professionals to use the hackers' own tools to spy on them. In addition, the switch to Web-based control increases the threat of zombies to enterprises and other organizations, as that method can't be blocked as easily as the previous technique."
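
The summary's point is that command polling over HTTP hides among ordinary web requests. One defender-side signal that still stands out in proxy logs is regularity: a host fetching the same URL at a near-constant interval, which human browsing rarely produces. The following is an added example, not code from the News.com article or from any commenter; it assumes a simplified, constructed proxy log format (`<unix_ts> <client_ip> <method> <url> <status> <bytes>`) and constructed sample lines, and it scores each (client, host, path) series by the jitter of its inter-request intervals.

```python
"""Beacon (periodic polling) detection over constructed web-proxy log lines.

Hypothetical example: each (client, host, path) series is scored by how
regular its request intervals are. A zombie polling a web page for
commands tends to produce near-constant intervals with little jitter;
human browsing does not. The log format is a simplified, constructed one:
"<unix_ts> <client_ip> <method> <url> <status> <bytes>".
"""
from collections import defaultdict
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed sample log: 10.0.0.5 polls the same path every 300 s,
# 10.0.0.9 browses a news site at irregular times.
SAMPLE_LOG = """\
1142000000 10.0.0.5 GET http://example.invalid/cmd.php?id=7 200 312
1142000300 10.0.0.5 GET http://example.invalid/cmd.php?id=7 200 312
1142000600 10.0.0.5 GET http://example.invalid/cmd.php?id=7 200 312
1142000900 10.0.0.5 GET http://example.invalid/cmd.php?id=7 200 312
1142001200 10.0.0.5 GET http://example.invalid/cmd.php?id=7 200 312
1142001500 10.0.0.5 GET http://example.invalid/cmd.php?id=7 200 312
1142000017 10.0.0.9 GET http://news.example/ 200 48210
1142000141 10.0.0.9 GET http://news.example/story/1 200 17333
1142000822 10.0.0.9 GET http://news.example/story/3 200 19011
1142003604 10.0.0.9 GET http://news.example/ 200 48390
1142004001 10.0.0.9 GET http://news.example/story/8 200 16501
1142009990 10.0.0.9 GET http://news.example/ 200 48201
"""


def parse_line(line):
    """Split one constructed log line into its fields (query string dropped from path)."""
    ts, client, method, url, status, size = line.split()
    u = urlsplit(url)
    return {"ts": int(ts), "client": client, "method": method,
            "host": u.hostname, "path": u.path,
            "status": int(status), "bytes": int(size)}


def group_requests(lines):
    """Collect request timestamps per (client, host, path) series."""
    series = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        r = parse_line(line)
        series[(r["client"], r["host"], r["path"])].append(r["ts"])
    return series


def beacon_score(timestamps, min_requests=5):
    """Return (mean_period, jitter_ratio) or None if the series is too short.

    jitter_ratio = stddev(intervals) / mean(intervals); values near 0 mean
    the client is requesting on a fixed schedule.
    """
    if len(timestamps) < min_requests:
        return None
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    if m <= 0:
        return None
    return (m, pstdev(gaps) / m)


def find_beacons(lines, max_jitter=0.1, min_requests=5):
    """List series whose interval jitter is at or below max_jitter, most regular first."""
    hits = []
    for (client, host, path), ts in group_requests(lines).items():
        score = beacon_score(ts, min_requests)
        if score and score[1] <= max_jitter:
            hits.append({"client": client, "host": host, "path": path,
                         "period_s": round(score[0], 1),
                         "jitter": round(score[1], 3), "count": len(ts)})
    return sorted(hits, key=lambda h: h["jitter"])


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG.splitlines()):
        print(hit)
```

On the sample data only the 10.0.0.5 series is reported (period 300 s, jitter 0). Legitimate software also polls on fixed schedules (feed readers, update checks), so a low-jitter hit is a triage lead to be checked against an allowlist and the response sizes, not a verdict by itself.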

8 of 117 comments

  1. NAT! by CdBee · · Score: 3, Insightful

    If every home internet connection had a NAT router it would cut down incoming TCP80 traffic a fair amount (so long as uPNP doesn't f*ck it up anyway)

    --
    I have been a user for about 10 years. This ends Feb 2014. The site's been ruined. I'm off. Dice, FU
  2. Centralized botnet control by nevesis · · Score: 5, Insightful

    The problem with zombies has always been the centralization required to control them. For example, if the zombies are controlled via IRC and all pointed at EFnet, idling in #my31337botnet -- all it takes is an EFnet admin to close the channel. So the owners routed them to private IRC servers via their IP.. but now all it takes is the owner of the box or network hosting the server to shut it down. So the owners used DNS so they could move the server if needed, but now all it takes is having the domain suspended or the DNS removed. And now, if these bots are just polling a website for commands - it shouldn't be difficult to close the website. This problem resonates with just about any protocol used - be it IRC, AIM/ICQ, or a website. The problem is that there are more children creating DDoS nets than there are good samaritans/PO'd network admins having them shut down. So join the botnets mailing list and donate an hour a week.

    1. Re:Centralized botnet control by Anonymous Coward · · Score: 1, Insightful

      Except that we're already seeing fully decentralised p2p encrypted botnets, and at a simpler level partitioned botnets which serve their own DNS so the C&C server can be moved to a new botted host quickly and easily. Not that they shouldn't be fought, but the best botnets are very well put together and very difficult to shut down (especially if one is constrained to legal methods.)

      We need significantly improved average-host security and strong/proactive ISP level detection/countermeasures to make a real dent in the botnet epidemic, neither of which will happen anytime soon. Until then it's just going to get worse.

    2. Re:Centralized botnet control by doublebackslash · · Score: 3, Insightful

      The problem with blocking is this:
      User Content on Large/Important websites

      All a hacker must do is create a bot to make logons on some social networking sites, flickr, photobucket, wikipedia, etc and re-direct the captchas to a legitimate pornography site to have real humans crack. Once the bots are on the sites thousands of them can upload content with encrypted steganographic messages. In the case of pictures they will be undetectable, since encrypted messages show up as noise, just as is introduced by a camera.
      Now you have a large, distributed control network that can be self-healing (give status updates to each other, have a web of control instead of a single link, dead peer detection, peer sharing, etc)

      How would one fight that?

      --
      md5sum /boot/vmlinuz
      d41d8cd98f00b204e9800998ecf8427e /boot/vmlinuz
    3. Re:Centralized botnet control by nevesis · · Score: 2, Insightful

      You're absolutely right. Luckily, this level of sophistication has not yet been seen in botnets. Luckily, most botnets are operated by 14-year-old IRC warriors. So, please, don't start coding black hat. :P

  3. Google? by tepples · · Score: 5, Insightful

    And now, if these bots are just polling a website for commands - it shouldn't be difficult to close the website.

    Unless the web sites get indexed by Google, and zombies use specially chosen keywords to search for their latest encrypted instructions.

  4. Re:Impact to advertising by Anonymous Coward · · Score: 4, Insightful

    Oh yes. Fraudulent clicks have been a botnet money-making channel for quite some time now. Google et al do have methods of trying to detect it, but I would imagine it pretty much boils down to identifying suspicious sudden spikes, because the botnet guys are intelligent and motivated and there's no real technical countermeasure that's not intrusive (e.g. captcha) and therefore unusable as it would put legitimate users off. It's a serious problem for them.

  5. how comforting by Jasper__unique_dammi · · Score: 4, Insightful

    At the end of the article: "That said, the good guys control the infrastructure, so we ultimately have the last word. If we don't like what they're doing, we can shut them down."

    That's a good one. Remember, if I ever get life-threateningly sick, I can always shoot myself. (That will teach those viruses/bacteria/cancer cells!)