
Invasion of the Zombies

As if "phishing" weren't bad enough, here come the "zombies," the latest cyber threat to business. "Zombies" will greatly increase the amount of spam delivered to e-mail addresses. Here's how it works and what can be done to stem its onslaught.


Zombies. The term evokes images of late-night B-movies, black magic rituals, and possession of one's faculties by some mysterious unseen person bent on carrying out questionable tasks by proxy.

But today, in our fully networked and hyper-connected digital environment, the B-movie voodoo priest has been replaced by the malicious hacker, cracker, spammer, and script-kiddie. Rather than controlling an individual person to nefarious ends, the modern zombie masters wield vast armies of personal computers, often numbering in the hundreds to tens of thousands, to accomplish a task in an untraceable manner or to exponentially multiply the impact of an Internet attack. Typically this is done without the computer's real owner being aware that there's anything out of the ordinary.

What is a "zombie"? Our modern zombies are nothing more than regular desktop and notebook computers under remote control, and are commonly used to automatically route vast quantities of spam or phishing attacks, perform denial-of-service attacks against target servers or networks, or spread new viruses or worms. Externally, this leads to increased spam, fraud and virus infections for everyone, as well as downtime for networks, servers and web sites. Internally, it leads to computer and network slowdowns, abuse complaints to service providers, and strangers wandering around in confidential data they shouldn't have access to.

Most zombie computers belong to home or home-office users on broadband cable modem or DSL networks, where they have a fast Internet connection and are always on. But computer systems used by small businesses, which often lack the sophisticated security infrastructures of large corporate networks, are at high risk of hostile takeover and misuse as well.

Signs of infection can include system or Internet slowdowns, frequent or excessive disk noise or activity, or general system instability.

How zombies are created:

In most zombie movies, the first critical step in stealing control is to get a powder, potion, or other ingestible into the victim. Creating a computer zombie isn't all that different - we're just dealing with bits of code instead of potions. The object of the code in question is to create a 'backdoor' to the system, which allows outsiders to install new software, issue commands, and relay attacks while hiding their digital footsteps.

One method of system compromise requires the willing (if unknowing) participation of the computer's authorized user - to actively open a joke attachment from an email, download an infected (or malicious) program from a random web site, run a file received over an instant messenger service or otherwise do something to manually execute backdoor code on the local machine. The user's tendency to do these things can be addressed to some degree by training, but people are curious creatures and incidents will still happen.

Another common method of zombifying a PC requires no user action at all, but instead relies on the security flaws and holes present in most computer software. Simply powering on and connecting an unprotected computer to the Internet is enough to make it a target of automated attacks that leverage open network ports, unpatched operating systems, and known application software vulnerabilities. New vulnerabilities are discovered every day, and patches are usually made available by the affected manufacturer. The problem is that most computer users do not regularly update their software, and millions of systems remain vulnerable to these attacks.

Fortunately there are a few simple, inexpensive things that can be done to minimize the possibility of becoming part of a zombie army.

Zombie proofing your network:

1. Batten down the hatches at the network perimeter.

A network firewall is a minimum safety requirement for any organization connecting to the Internet. Network firewalls sit between the Internet connection device (modem, cable modem, DSL box, etc.) and the internal network and protect the network by intercepting, inspecting, and rejecting bad inbound traffic. More advanced models also allow multiple computers to share a single Internet connection, mask internal network shares, permit secure remote access to telecommuters, and can also enforce internal use policies like blocking bad web sites from view.

2. Deploy active desktop defenses:

As a second layer of defense, it is essential that each desktop computer in a network have a current anti-virus program running at all times to detect and disable inbound threats received through email and instant messenger applications.

It's also advisable to install a personal firewall application on each PC that connects to the Internet, to monitor and block external network intrusion attempts and to monitor outbound communications of programs installed on the local system. Personal firewalls will often detect and block web threats, scripts, and surreptitious 'phone home' communications of adware, spyware, and Trojan horse applications which may have slipped by perimeter network defenses. Anti-spyware applications often have slightly different criteria for monitoring 'correct' application behavior, and can be a useful addition to the arsenal.

3. Turn on automatic updates, and schedule regular scans:

As the threats evolve and change daily, it's a good idea to turn on automatic updates for anti-virus, personal firewall, and anti-spyware applications, as well as the auto-update features of the operating systems and browsers. Doing so will keep all systems up and running with the most current defenses and help to close the most recent software vulnerabilities before they can be exploited.
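One concrete check that the perimeter and desktop defenses above make possible: a spam-relaying zombie stands out because a single PC fans out to many different mail servers on TCP port 25 in a short time, whereas a normal workstation talks to one mail server. The script below is an added example, not code from the article or from Tumbleweed; the firewall log format and the sample records are constructed for illustration.

```python
"""Flag internal hosts whose outbound traffic looks like zombie spam relaying.
Added example; the log format "<epoch> <src_ip> <dst_ip> <dst_port> <action>"
and the records below are constructed, not taken from any real firewall."""
from collections import defaultdict

# Constructed sample of perimeter-firewall egress records.
# 192.168.1.20 reaches six different mail servers in five seconds (suspect);
# 192.168.1.31 talks to one mail server twice (normal); .42 is HTTPS only.
SAMPLE_LOG = """\
1000 192.168.1.20 203.0.113.5 25 allow
1001 192.168.1.20 198.51.100.7 25 allow
1002 192.168.1.20 203.0.113.9 25 allow
1003 192.168.1.20 198.51.100.3 25 allow
1004 192.168.1.20 203.0.113.77 25 allow
1005 192.168.1.20 198.51.100.21 25 allow
1010 192.168.1.31 203.0.113.5 25 allow
1020 192.168.1.31 203.0.113.5 25 allow
1030 192.168.1.42 198.51.100.50 443 allow
"""

def parse(log_text):
    """Yield (timestamp, src, dst, port, action) tuples from the log text."""
    for line in log_text.splitlines():
        ts, src, dst, port, action = line.split()
        yield int(ts), src, dst, int(port), action

def smtp_relay_suspects(log_text, window=60, max_peers=5):
    """Return {src_ip: peak number of distinct TCP/25 peers} for every source
    that contacts more than `max_peers` distinct mail servers within any
    `window`-second span. Only outbound SMTP (port 25) records are considered."""
    by_src = defaultdict(list)
    for ts, src, dst, port, _ in parse(log_text):
        if port == 25:
            by_src[src].append((ts, dst))
    suspects = {}
    for src, events in by_src.items():
        events.sort()                      # sliding window needs time order
        lo, peak = 0, 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:
                lo += 1                    # drop events older than the window
            peers = {dst for _, dst in events[lo:hi + 1]}
            peak = max(peak, len(peers))
        if peak > max_peers:
            suspects[src] = peak
    return suspects

if __name__ == "__main__":
    print(smtp_relay_suspects(SAMPLE_LOG))  # {'192.168.1.20': 6}
```

In practice the same check can be pointed at real egress logs from the perimeter firewall; a blocked-by-policy rule for outbound port 25 from anything other than the mail server turns this detection into prevention.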

If a system has already been turned into a zombie, many Internet security software manufacturers have tools available for detecting and cleaning up zombie programs, and often provide them free of charge on their web sites.

After any cleanup, following these simple rules will greatly reduce the risk of becoming a zombie in the future, and will help to make a better Internet for everyone.


John Thielens is the CTO of Tumbleweed Communications.