Monday, November 08, 2004

Zombie networks

The New Scientist article linked from the title discusses the practice, which has grown over the last year or so, of using "zombie networks" for distributed attacks on web sites and other networked resources. Basically, this approach represents the growing professionalization of hacking. Hackers are applying the principles of software re-use and generic programming to build a basic infrastructure for distributed attacks. Instead of writing a special-purpose virus that has to infiltrate computers before all of its copies can launch a single mass attack, a more general virus is written. The general virus invades systems and installs a "bot", which then goes dormant except for periodically checking one or more chat rooms (in practice, usually IRC channels) for commands. When a command arrives, the zombies wake up and start their attack. I assume that the command could also be used to initiate a transfer of new code, thereby updating the bot or installing code specialized for a particular task, such as generating spam email. A side benefit of this approach is that it allows the hackers who create the zombie networks to effectively "rent them out" for each attack. These days, it seems that most phishing email originates from just a few zombie networks.

Right now, it appears that the only good way to deal with this involves looking for telltale network activity patterns: for example, many machines on a network quietly making regular connections to the same chat server, or a sudden flood of traffic from many of those machines toward a single target. However, considering my previous article, I imagine that there is ongoing work on detecting zombie network commands directly in the chat rooms themselves.
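As an added illustration of what "looking for telltale network activity patterns" can mean in practice (this is example code written for this page, not from the New Scientist article or any real detection product), the script below runs three simple checks over a connection log: per-host beaconing (near-constant intervals between connections to one server), a herd of hosts beaconing to the same server on a chat port, and a burst of many hosts hitting one target within a few seconds. The log format, the addresses, the 300-second check-in interval and the list of IRC ports are all assumptions constructed for the example.

```python
"""Spot zombie-network check-ins and the resulting mass attack in a
connection log. Log format (invented for this example, not from the page):
    <unix_ts> <src_ip> <dst_ip> <dst_port>
"""
from collections import defaultdict
from statistics import mean, pstdev

# Ports IRC servers commonly listen on (assumption for this example).
IRC_PORTS = set(range(6660, 6670)) | {7000}

# Constructed sample: 10.0.0.5/.6/.7 check in with 203.0.113.7:6667 about every
# 300 s (with jitter), then all hit 192.0.2.50:80 within seconds of the last
# check-in. 10.0.0.9 is an ordinary host browsing the web. Lines are unsorted.
SAMPLE_LOG = """\
1099900000 10.0.0.5 203.0.113.7 6667
1099900040 10.0.0.6 203.0.113.7 6667
1099900010 10.0.0.9 198.51.100.20 80
1099900301 10.0.0.5 203.0.113.7 6667
1099900341 10.0.0.6 203.0.113.7 6667
1099900150 10.0.0.9 198.51.100.20 80
1099900600 10.0.0.5 203.0.113.7 6667
1099900639 10.0.0.6 203.0.113.7 6667
1099900620 10.0.0.7 203.0.113.7 6667
1099900700 10.0.0.9 198.51.100.21 443
1099900900 10.0.0.5 203.0.113.7 6667
1099900920 10.0.0.7 203.0.113.7 6667
1099900940 10.0.0.6 203.0.113.7 6667
1099901199 10.0.0.5 203.0.113.7 6667
1099901220 10.0.0.7 203.0.113.7 6667
1099901250 10.0.0.9 198.51.100.20 80
1099901225 10.0.0.5 192.0.2.50 80
1099901226 10.0.0.6 192.0.2.50 80
1099901226 10.0.0.7 192.0.2.50 80
1099901227 10.0.0.5 192.0.2.50 80
"""


def parse_log(text):
    """Return (ts, src, dst, dport) tuples sorted by time; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            records.append((int(parts[0]), parts[1], parts[2], int(parts[3])))
        except ValueError:
            continue
    records.sort()
    return records


def find_beacons(records, min_hits=3, max_cv=0.1):
    """Flows whose connections are almost evenly spaced in time: a dormant bot
    polling its command channel. Returns {(src, dst, dport): mean_gap_seconds}."""
    times = defaultdict(list)
    for ts, src, dst, dport in records:
        times[(src, dst, dport)].append(ts)
    beacons = {}
    for key, ts_list in times.items():
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        if len(ts_list) < min_hits or len(gaps) < 2:
            continue
        avg = mean(gaps)
        # coefficient of variation: 0 is perfectly regular, near 1 is random
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons[key] = avg
    return beacons


def find_herds(beacons, min_hosts=2, irc_only=True):
    """Several internal hosts beaconing to the same server is the signature of a
    shared command channel. Returns {(dst, dport): [src, ...]}."""
    herds = defaultdict(set)
    for src, dst, dport in beacons:
        if irc_only and dport not in IRC_PORTS:
            continue
        herds[(dst, dport)].add(src)
    return {k: sorted(v) for k, v in herds.items() if len(v) >= min_hosts}


def find_bursts(records, window=10, min_sources=3):
    """Targets hit by at least min_sources distinct hosts inside `window` seconds:
    the zombies waking up together. Returns {(dst, dport): n_sources}."""
    by_target = defaultdict(list)
    for ts, src, dst, dport in records:  # records are already time-sorted
        by_target[(dst, dport)].append((ts, src))
    bursts = {}
    for key, hits in by_target.items():
        best = 0
        for i, (t0, _) in enumerate(hits):
            best = max(best, len({s for t, s in hits[i:] if t - t0 <= window}))
        if best >= min_sources:
            bursts[key] = best
    return bursts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    beacons = find_beacons(recs)
    for (src, dst, dport), gap in sorted(beacons.items()):
        print(f"beacon  {src} -> {dst}:{dport} every ~{gap:.0f}s")
    for (dst, dport), hosts in find_herds(beacons).items():
        print(f"herd    {len(hosts)} hosts share {dst}:{dport}: {', '.join(hosts)}")
    for (dst, dport), n in find_bursts(recs).items():
        print(f"burst   {n} hosts hit {dst}:{dport} within 10s")
```

On the sample data the three bots are reported as beacons to 203.0.113.7:6667 at roughly 300-second intervals, grouped into one herd, and 192.0.2.50:80 is reported as the target of a three-host burst; the browsing host is not flagged because its connection times are irregular. The herd check matters because beaconing alone is noisy: mail clients, time synchronization and software updaters all poll on a fixed schedule, so a single regular flow proves little, whereas several hosts sharing the same previously unseen chat server is much harder to explain innocently.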
