05 May 2007
From New Scientist Print Edition.
YOU are surfing the net, and stop at a sports site you regularly
visit to read the latest headlines. You are always careful to avoid
sites that appear suspect, so you feel safe online. Unbeknownst to
you, though, and to the innocent owner of the website, a piece of
malicious code has been added to the page you are viewing. This
uploads software onto your computer via your browser, turning it into
a "zombie" PC under the remote control of a malicious user.
While installing firewalls and antivirus software on your computer
may keep it safe from conventional threats such as worms and viruses,
these security tools do not inspect data downloaded through browsers -
a loophole that attackers can exploit. "The firewall is dead," says
Google security specialist Niels Provos.
As a result of this loophole, PCs are increasingly becoming infected
with "bot" software, creating networks of zombie computers, or
botnets. Bots are "the Swiss army knives of the underground economy",
because they are so versatile, says Nick Ianelli, an internet
security analyst at Carnegie-Mellon University in Pittsburgh,
Pennsylvania. Bots first establish a link to a remote "botmaster"
before probing your computer for email addresses and personal data,
and even logging your keystrokes. Most zombies are used to churn out
huge amounts of spam email, while some target business websites with
so-called "denial of service" attacks.
Botnets are not new, but the methods they use to
infect computers are changing. Until recently, a bot program tended
to arrive as an attachment with spam email, or carried by a computer
worm. As users have grown wary of email attachments and installed
firewalls and anti-virus software, however, the bad guys have shifted
their attentions to websites in a bid to find more victims. "We still
see a tremendous amount of bot propagation via email, but the web has
overtaken it in the past year," says Pat Peterson of security firm
Ironport in San Bruno, California.
The sleazy side of the web has long been a place where people have
been easily duped into downloading malicious programs for themselves.
Lured to a site by spam and then promised pirated software or
pornography, for example, visitors click on a link only to download a
Now, though, even an ordinary website can be risky. At a meeting on
botnets held last month in Cambridge, Massachusetts, Provos warned
that many web users are becoming the victims of "drive-by" downloads
of bots from innocent websites corrupted to exploit browser
vulnerabilities. As firewalls allow free passage to code or programs
downloaded through the browser, the bot is able to install itself on
the PC. Anti-virus software kicks in at this point, but some bots
avoid detection by immediately disabling it. Once a computer has
become infected with the malicious software, the zombie periodically
connects to a web server controlled by the botmaster to receive
instructions and download more software.
To determine the scale of the problem, Provos's group at Google
analysed several billion web pages and selected 4.5 million
suspicious pages for more detailed study. To test for malicious
software, or malware, they loaded a program designed to simulate a
computer with a vulnerable version of Internet Explorer and monitored
what happened. They found around 450,000 web pages that launched
drive-by downloads of malicious programs. Another 700,000 pages
launched downloads of suspicious software. More than two-thirds of
the malicious programs identified were those that infected computers
with bot software or programs that collected data on banking
transactions and emailed it to a temporary email account.
Ordinary users would not know that their computer had been hit by a
drive-by download unless their browser started crashing or they
suddenly started being hit with pop-up advertisements, Provos says.
Nor would website owners spot that their pages had been corrupted, as
such malware is typically hidden, for example, by adding code to the
designed to hide from anyone trying to find it; Provos encountered
websites that checked the IP address of all visitors and only
installed malware on a user's first visit.
Botnets themselves are also evolving. Most existing bots are
vulnerable because they receive their instructions via an internet
relay chat (IRC) server, a simple communication system. This gives
security professionals a hope of disabling them by trapping one
zombie using a "honeypot" designed to mimic a vulnerable computer.
They can then identify the IRC address of the computer's botmaster
when it tries to communicate, says Julian Grizzard, a computer
scientist at Johns Hopkins University in Laurel, Maryland. Traffic to
the botmaster could then be blocked, effectively cutting off the
Now, however, malicious users are beginning to explore peer-to-peer
botnets, modelled on file-sharing networks such as Gnutella, as they
are harder to disable. The first P2P bots appeared in 2004, and they
are now beginning to increase in sophistication, says Grizzard.
Botmasters distribute new bots programmed to establish contact with
one of a group of operating zombies. Once contact is made, the P2P
network relays information to the botmaster, who can link to the
network through any zombie.
In this way, even if security professionals trap a bot, they would
have no way of identifying the botmaster. However, Grizzard is not
without hope that even these advanced botnets could ultimately be
stopped. "The major disadvantage of P2P is that it is typically very
chatty," he says. This increased traffic could be detected from
outside the host machine and give away the existence of the botnet,
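The two detection ideas in the passages above, trapping an IRC bot's repeated contact with a single botmaster address and noticing the unusual fan-out of a "chatty" peer-to-peer bot, can both be run over ordinary network flow records. The following Python is an added example, not code from the article or from any of the researchers quoted; the flow records, the IRC port list and the two thresholds are constructed assumptions for illustration.

```python
"""Flow-based spotting of the two bot control patterns described above:
a zombie that keeps beaconing to a single IRC server, and a peer-to-peer bot
whose "chatty" behaviour shows up as an unusually large fan-out of distinct
peers.  Added example; records, ports and thresholds are constructed."""
from collections import defaultdict
from typing import Dict, List, NamedTuple


class Flow(NamedTuple):
    src: str      # internal host
    dst: str      # external address contacted
    dport: int    # destination port
    nbytes: int   # bytes sent


# Assumption: ports your environment treats as IRC; tune to local policy.
IRC_PORTS = {6667, 6668, 6669, 7000}


def parse_flows(text: str) -> List[Flow]:
    """Parse constructed NetFlow-style records, one per line: src dst dport bytes."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, nbytes = line.split()
        flows.append(Flow(src, dst, int(dport), int(nbytes)))
    return flows


def detect_irc_beacons(flows: List[Flow], min_connections: int = 5) -> Dict[str, str]:
    """Hosts that repeatedly reconnect to one IRC-port server.

    That repeated contact is what a trapped honeypot zombie reveals: the address
    it keeps returning to is the candidate botmaster, which can then be blocked.
    Returns {internal_host: candidate_botmaster}."""
    counts: Dict[tuple, int] = defaultdict(int)
    for f in flows:
        if f.dport in IRC_PORTS:
            counts[(f.src, f.dst)] += 1
    return {src: dst for (src, dst), n in counts.items() if n >= min_connections}


def detect_p2p_chatter(flows: List[Flow], max_peers: int = 20) -> Dict[str, int]:
    """Hosts talking to more distinct peers than an ordinary desktop would.

    A P2P bot has no single server to trace, but its peer fan-out is visible
    from outside the host.  Returns {internal_host: distinct_peer_count}."""
    peers: Dict[str, set] = defaultdict(set)
    for f in flows:
        peers[f.src].add(f.dst)
    return {src: len(p) for src, p in peers.items() if len(p) > max_peers}


# Constructed sample records (documentation address ranges, not real traffic).
SAMPLE_FLOWS = "\n".join(
    ["# src dst dport bytes"]
    + ["10.0.0.5 203.0.113.9 6667 120"] * 6          # zombie beaconing to IRC C2
    + ["10.0.0.6 198.51.100.20 443 4000",            # ordinary web browsing
       "10.0.0.6 198.51.100.21 80 900"]
    + [f"10.0.0.7 192.0.2.{i} 4444 200" for i in range(1, 31)]  # P2P fan-out
)


def analyse(text: str = SAMPLE_FLOWS) -> Dict[str, dict]:
    """Run both detectors over a block of flow records."""
    flows = parse_flows(text)
    return {
        "irc_beacons": detect_irc_beacons(flows),
        "p2p_chatter": detect_p2p_chatter(flows),
    }


if __name__ == "__main__":
    for kind, hits in analyse().items():
        print(kind, hits)
```

The fan-out threshold is the weak point of the second detector: a file-sharing client or a busy web server would trip it too, so in practice the value comes from a baseline of the network's own hosts rather than the constant used here. The beacon detector is simply the network-side version of what the honeypot reveals, and its output is a candidate to block rather than proof.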
Until botnets can be stopped, though, users should try to lessen
their computer's chances of becoming infected as they surf the web by
keeping browsers updated with the latest software patches, says Cliff
Zou of the University of Central Florida in Orlando. This helps
browsers avoid vulnerabilities that can be exploited by malware.
Surfers should also take special care not to be duped by tricks such
as links embedded in spam emails or offers of free software, and pay
attention to warnings displayed alongside search engine links.
Ultimately what is needed is a new type of firewall that inspects the
content of programs downloaded through the browser, says Zou. This
should stop any nasties lurking in websites gaining a free pass to
infect your computer.
From issue 2602 of New Scientist magazine, 05 May 2007, pages 28-29
Beat zombies at their own game
Botnets exploit the fact that many computers working together are far
better than a single machine at launching denial of service attacks
and sending spam. Now the good guys are fighting back with a system
that uses multiple online computers to fight rather than spread
Dubbed "herd computing", the application behaves like a benevolent
botnet. Like the zombies of a malicious botnet, herd PCs contain a
program that reports back to a central computer. But unlike the zombie PCs in
a botnet, whose reports are met by a command to launch spam or spread
a virus, members of the herd send back details on the health of their
computers, alongside a list of all the software they are running.
This can be used to monitor the effect of downloaded software on the
performance of the computer. This information can then be presented
to any computer in the herd that attempts to download the same code,
warning them in advance.
"It is a way of understanding computing as an act that is not done in
isolation," says Jonathan Zittrain, a researcher at Harvard Law
School's Berkman Center for Internet and Society and the Oxford
Internet Institute, part of the University of Oxford. "That is the
way botnets gained their power and it would be crazy for us not to
harness that power," he says.
The main use for herd computing will be in combating spyware. This
software causes unwanted pop-up advertisements, hogs processing
cycles and memory, and spies on a web-user's actions. It often
arrives bundled with something useful such as a screensaver or chat
application, which makes it difficult for existing anti-virus
software to remove it. "Viruses are mean, evil programs, but spyware
is a little weird," says Nathan Good, a spyware researcher at the
University of California at Berkeley. "In some cases it's consensual."
Herd computing could deal with this grey area by flagging the likely
consequences of a piece of software before it is downloaded, and then
leaving it up to the user to decide whether to install it.
All members of the herd would send in regular updates of their vital
signs, including the number of pop-ups they experience, the speed of
their processor and the number of crashes and restarts, alongside
details of the software they are running. The central computer would
collate this information to determine the effect of different pieces
of software on computers.
Then, when one of the computers in the herd tried to download
software, a message would appear informing the user of what happened
to other PCs that downloaded the same program. With this information,
users can decide whether or not to download it. "It's a way of
allowing people to make better choices," says Good. Zittrain likens
the concept to "giving the internet a nervous system".
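The herd scheme described above, members sending in vital signs and a software list, a central computer collating the apparent effect of each program, and a warning shown to anyone about to download it, can be sketched as a small server. The following Python is an added example, not code from the researchers or the article; the member hosts, the program names and the figures are constructed, and the two warning thresholds are assumptions.

```python
"""A minimal "herd computing" server as the article describes it: herd members
submit vital signs plus their installed software, the central computer collates
the effect each program appears to have, and a member about to install that
program is shown what happened to the others.  Added example; the hosts,
program names and figures are constructed."""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Optional


@dataclass
class HealthReport:
    host: str
    software: List[str]        # programs the member is running
    popups_per_day: float      # vital signs from the article's list
    crashes_per_week: float


class HerdServer:
    """Central computer: keeps the latest report per member and collates them."""

    def __init__(self) -> None:
        self.reports: Dict[str, HealthReport] = {}

    def submit(self, report: HealthReport) -> None:
        self.reports[report.host] = report

    def software_effect(self, name: str) -> Optional[Dict[str, float]]:
        """Compare members running `name` against those that are not.

        Returns None until both groups exist, so a brand-new program gets no
        verdict rather than a misleading one."""
        with_sw = [r for r in self.reports.values() if name in r.software]
        without = [r for r in self.reports.values() if name not in r.software]
        if not with_sw or not without:
            return None
        return {
            "hosts_with": len(with_sw),
            "popups_delta": mean(r.popups_per_day for r in with_sw)
                            - mean(r.popups_per_day for r in without),
            "crashes_delta": mean(r.crashes_per_week for r in with_sw)
                             - mean(r.crashes_per_week for r in without),
        }

    def advise(self, name: str, popup_limit: float = 5.0,
               crash_limit: float = 1.0) -> Dict[str, object]:
        """Message shown before a download; the decision stays with the user."""
        effect = self.software_effect(name)
        if effect is None:
            return {"verdict": "unknown", "message": f"No herd data yet for {name}."}
        bad = (effect["popups_delta"] > popup_limit
               or effect["crashes_delta"] > crash_limit)
        message = (f"{effect['hosts_with']} herd members run {name}: on average "
                   f"{effect['popups_delta']:+.1f} pop-ups/day and "
                   f"{effect['crashes_delta']:+.1f} crashes/week versus the rest.")
        return {"verdict": "warn" if bad else "ok", "message": message, **effect}


def build_sample_herd() -> HerdServer:
    """Six constructed members; three run a bundled 'FreeScreensaver'."""
    herd = HerdServer()
    for host, sw, popups, crashes in [
        ("h1", ["FreeScreensaver"], 18, 3),
        ("h2", ["FreeScreensaver", "ChatApp"], 20, 4),
        ("h3", ["FreeScreensaver"], 22, 5),
        ("h4", [], 0, 0),
        ("h5", ["ChatApp"], 1, 1),
        ("h6", [], 2, 2),
    ]:
        herd.submit(HealthReport(host, sw, popups, crashes))
    return herd


if __name__ == "__main__":
    herd = build_sample_herd()
    for program in ("FreeScreensaver", "ChatApp", "NeverSeenBefore"):
        print(program, herd.advise(program))
```

The comparison is deliberately a crude difference of means: it separates the bundled screensaver from the harmless chat program in the sample, but it cannot tell whether the pop-ups come from that program or from something else its users happen to share, which is why the server only reports and never blocks.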