Slashdot Mirror


Zombies Blend In With Regular Web Traffic

An anonymous reader writes "Hackers controlling farms of zombie computers are now trying to blend in with web traffic, News.com reports. Instead of traditional IRC controls, many zombie farms are moving to simple web-based control schemes, which makes them harder to track down." From the article: "The change in tactics makes it harder to identify zombies on a network, and it becomes tougher for security professionals to use the hackers' own tools to spy on them. In addition, the switch to Web-based control increases the threat of zombies to enterprises and other organizations, as that method can't be blocked as easily as the previous technique."


  1. brains by User+956 · · Score: 5, Funny

    Zombies Blend In With Regular Web Traffic

    But how do you differentiate the zombies from your standard brain-dead AOL users?

    I guess either way, you should just aim for the head.

    --
    The theory of relativity doesn't work right in Arkansas.
    1. Re:brains by LiquidCoooled · · Score: 5, Funny

      Actually, I think AOL is the preferred internet provider for actual zombies:

      17556639 how to kill your wife
      17556639 how to kill your wife
      17556639 wife killer
      17556639 how to kill a wife
      17556639 poop
      17556639 dead people
      17556639 pictures of dead people
      17556639 killed people
      17556639 dead pictures
      17556639 dead pictures
      17556639 dead pictures
      17556639 murder photo

      --
      liqbase :: faster than paper
    2. Re:brains by dr.badass · · Score: 5, Funny

      17556639 poop

      Actually, I think that's just a regular AOL user. I think a more likely zombie is user #17293141:

      17293141 brains
      17293141 brains
      17293141 brains
      17293141 brains
      17293141 brains
      17293141 brains
      17293141 brains
      17293141 brains
      17293141 brains
      17293141 brains
      17293141 brains
      17293141 brains

      --
      Don't become a regular here -- you will become retarded.
  2. So then...? by Jace+of+Fuse! · · Score: 5, Funny

    "Hackers controlling farms of zombie computers are now trying to blend in with web traffic"

    If you really want to blend in, send out your Zombie commands via Myspace profiles. :) That'll look like normal web-traffic.

    --

    "Everything you know is wrong. (And stupid.)"

    Moderation Totals: Wrong=2, Stupid=3, Total=5.
  3. Easy to tell... by mohjlir · · Score: 5, Funny

    But how do you differentiate the zombies from your standard brain-dead AOL users?

    Zombies have hopes, dreams and ambitions.

  4. Zombie spambots are attacking my site as we speak by ngunton · · Score: 5, Interesting

    Funny this story should come up today. My community website has been getting attacked for the last couple of days by a botnet (I think) of zombie computers. I wrote the Spambot Trap article that was published here in 2002, and I've been using the trap successfully to block spambots ever since. Usually, the block list is a couple of dozen repeat offenders. But day before yesterday, it suddenly spiked up - there were dozens of spambots coming in from all kinds of different IP addresses. I'm pretty sure it's a botnet of zombies, because a) they all report exactly the same User-Agent, and b) they all come in directly to the guestbooks and forums (probably using a search engine) and c) all the IP addresses resolve to dialup, cable or DSL accounts (some businesses too). It's getting a bit much, because the block list has suddenly ballooned to over 160, constantly changing. The trap is coping ok, because the blocks will fall off after a while (the block time goes up as the power of 2 for each repeated offence). I have added some logfile snapshots to the article. (Look down the page to see how the number of blocks has suddenly increased in the last couple of days, and also notice how all the browsers are identical). I think this is some kind of virus that may still be spreading, because the number is only increasing.

    Anybody else seeing this kind of stuff happening?
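
Added example (not part of the comment above or of the Spambot Trap article it mentions): a Python sketch of the two ideas that comment describes, flagging a User-Agent shared by many distinct IPs that go straight to form pages with no referrer, and a block time that doubles with each repeated offence. The log tuple layout, paths, threshold and base block time are assumptions, and the sample entries are constructed.

```python
from collections import defaultdict

# Constructed sample entries: (client_ip, path, referrer, user_agent). Not real traffic.
SAMPLE_LOG = [
    ("198.51.100.7",  "/guestbook/post", "-", "Mozilla/4.0 (compatible; ExampleBot)"),
    ("203.0.113.21",  "/forum/reply",    "-", "Mozilla/4.0 (compatible; ExampleBot)"),
    ("192.0.2.44",    "/guestbook/post", "-", "Mozilla/4.0 (compatible; ExampleBot)"),
    ("198.51.100.90", "/forum/reply",    "-", "Mozilla/4.0 (compatible; ExampleBot)"),
    ("192.0.2.10",    "/guestbook/post", "https://example.org/guestbook/", "Mozilla/5.0 (X11; Linux)"),
    ("192.0.2.11",    "/index.html",     "-", "Mozilla/5.0 (Windows NT)"),
]

FORM_PREFIXES = ("/guestbook/", "/forum/")  # assumed locations of the forms
MIN_DISTINCT_IPS = 3                         # assumed threshold for "many IPs"
BASE_BLOCK_SECONDS = 60                      # assumed base block time


def suspicious_agents(entries, min_ips=MIN_DISTINCT_IPS):
    """Return {user_agent: sorted IPs} for agents that many distinct IPs
    present while hitting form pages directly (empty referrer)."""
    ips_by_agent = defaultdict(set)
    for ip, path, referrer, agent in entries:
        if path.startswith(FORM_PREFIXES) and referrer in ("", "-"):
            ips_by_agent[agent].add(ip)
    return {a: sorted(ips) for a, ips in ips_by_agent.items() if len(ips) >= min_ips}


def block_seconds(offence_count, base=BASE_BLOCK_SECONDS):
    """Block time doubles per repeated offence: base * 2**(n - 1)."""
    if offence_count < 1:
        return 0
    return base * 2 ** (offence_count - 1)


def apply_blocks(entries, offences):
    """Increment per-IP offence counts in `offences` and return
    {ip: block duration in seconds} for this batch of log entries."""
    blocks = {}
    for ips in suspicious_agents(entries).values():
        for ip in ips:
            offences[ip] = offences.get(ip, 0) + 1
            blocks[ip] = block_seconds(offences[ip])
    return blocks
```

Because blocks expire and only grow for repeat offenders, a one-off false positive costs a short block, while an address that keeps returning is shut out for progressively longer.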

  5. The Zombie Survival Guide by Raynor · · Score: 5, Funny
    You don't need to reload a melee weapon!

    Nowhere is safe; only safer.

    One zombie can make the world zombie.

    Anyone who isn't prepared is a burden to you; only help those who can help themselves.

    Always be prepared for zombies.
    --
    "Dictator Flakes. They WILL be delicious."
  6. Centralized botnet control by nevesis · · Score: 5, Insightful

    The problem with zombies has always been the centralization required to control them. For example, if the zombies are controlled via IRC and all pointed at EFnet, idling in #my31337botnet -- all it takes is an EFnet admin to close the channel. So the owners routed them to private IRC servers via their IP.. but now all it takes is the owner of the box or network hosting the server to shut it down. So the owners used DNS so they could move the server if needed, but now all it takes is having the domain suspended or the DNS removed. And now, if these bots are just polling a website for commands - it shouldn't be difficult to close the website. This problem resonates with just about any protocol used - be it IRC, AIM/ICQ, or a website. The problem is that there are more children creating DDoS nets than there are good samaritans/PO'd network admins having them shut down. So join the botnets mailing list and donate an hour a week.

  7. Google? by tepples · · Score: 5, Insightful
    And now, if these bots are just polling a website for commands - it shouldn't be difficult to close the website.

    Unless the web sites get indexed by Google, and zombies use specially chosen keywords to search for their latest encrypted instructions.