11/22/10
Hackers thwarted by security-conscious CIOs have added a new weapon to their arsenal: zombies. In an enterprise IT version of the classic horror film "Night of the Living Dead," seemingly innocuous PCs within corporations are being remotely manipulated by hackers for a variety of malicious means, including relaying spam, perpetrating phishing scams, and launching distributed denial of service attacks aimed to overwhelm and cripple corporate Web sites.
Individual zombie PCs are being marshaled into armies of hundreds to tens of thousands to carry out orders that are difficult to trace, security experts say. Hackers create zombies by depositing code onto an unsuspecting PC. This code creates a back door through which they can install software, send commands, and read files. Zombies have traditionally been a problem among home users, but now they're becoming a concern for businesses, because home users who have access to corporate networks can inadvertently introduce zombie software to the enterprise, where it can spread throughout the company and beyond. In addition, zombies can degrade performance, negatively impact productivity, and hinder legitimate email traffic.
Code that turns a PC into a zombie makes its way onto computers in different ways. Often, a Trojan -- a malicious program designed to look like a legitimate file -- is the entry vehicle for zombie software. Users click on an attachment or a link in email, and the software is downloaded. Worms -- self-replicating viruses -- also deposit zombie software. And hackers utilize security holes in operating system software or Internet browsers to pass the software through. Although spyware is installed on corporate PCs in the same manner, it is different from zombie code. Rather than controlling the PC, spyware scans the PC for confidential or sensitive personal information that criminals can use for identity theft or other malicious purposes. Both pose serious threats to network security.
Zombies often have a short life span -- they are only useful until the computer is repaired. To offset that short life expectancy, zombies constantly self-propagate by infecting new computers.
How to spot a zombie
Zombies help to propagate spam -- a network administration headache. Zombie PCs turn desktop PCs into miniature mail servers, says Don Blumenthal, Internet Lab Coordinator with the U.S. Federal Trade Commission. "If a spam server is going to send out 1,000 pieces of spam, it's easy for a network administrator to spot that and filter the messages based on their origins," he says. The spam zombie technique, however, helps them hide their tracks. "Instead of 1,000 messages from a given source, those messages come from 100 different machines, so it makes it a lot more difficult for anti-spam systems to spot the messages based on volume," Blumenthal says.
Telltale signs of zombie infection include:
- Computer performance degradation: Zombies hog a computer's processing power. If a user complains of slow computer operation, a zombie may be responsible. Check CPU usage and other performance statistics to see if there is a marked change in the computer's use of resources.
- Increased email server usage: Take notice of computers sending more email than usual. If a computer usually sends 50 messages a day and it's now sending 500, is it being used to send out a newsletter, or is it an unwilling recruit into a zombie network?
- Network performance degradation: If a zombie is relaying hundreds or thousands of covert phishing messages or spam, users may notice a sluggish network connection. Use monitoring tools to ascertain if there is a large upswing in email and network traffic.
- Blocked email: Computers identified as spammers may be logged in anti-spam databases. In their efforts to curtail spam, ISPs and customers may block incoming mail from those sources. Check the IP address of computers suspected of zombie infection and look them up in anti-spam databases, such as the Spamhaus Project Web site (spamhaus.org).
How to combat spam zombies
To combat the proliferation of zombie networks, the FTC launched "Operation Spam Zombies" in May. The FTC sent letters to 3,000 ISPs to educate them on the nature of zombies and offer ways to combat them. While the advice is for ISPs, it's valid for network administrators as well. "If we had tried to figure out every company out there that runs its own enterprise mail system, it would be impossible, but the techniques are fundamentally the same for enterprise mail systems," Blumenthal says.
Ways to combat zombies include:
- Block port 25, a common Internet port for sending email, when possible. Explore using authenticated SMTP on port 587 for clients that must operate outgoing mail servers.
- Apply rate-limiting controls for email relays. Determine the number of messages a given user typically sends, and block email beyond that amount.
- Identify computers sending unusual amounts of email and quarantine them until the source of the problem is found.
- Use antispam content filters at the server level. Content filters can scan incoming messages and outgoing messages and block the sending or receiving of spam or messages with suspicious attachments.
- Use antivirus software. Although antivirus software probably won't identify one-off attacks aimed at a specific company, it does block the sending and receiving of Trojans and worms, which often are used to propagate zombie networks.
- Educate users. CIOs must ensure all users of a corporate network understand the threat of spam and zombies. Instruct them not to open email messages from senders they don't know, not to click on links in email, and not to download applications.
- Keep up-to-date with security patches and updates, because hackers rush to exploit the newest weaknesses in operating systems and browsers. Install the latest updates.
Security threats to corporate networks continue to evolve, presenting new challenges for CIOs. "The spammers are getting more sophisticated," Blumenthal says. "None of the techniques are foolproof, but everything in conjunction can have an effect."
Jodi Mardesich writes about business and is a former staff writer for Fortune.
Copyright (c) 2010 Studio One Networks. All rights reserved.