Paper On: ZOMBIE COMPUTERS

Abstract:
A zombie computer, or drone, is a computer that has been secretly compromised by hacking tools which allow a third party to control the computer and its resources remotely. Zombies have been used extensively to send email spam; as of 2005, an estimated 50 to 80% of all spam worldwide was sent by zombie computers. Zombies can also be used to conduct distributed denial-of-service attacks, a term which refers to the orchestrated flooding of target websites by armies of zombie computers. This paper gives an introduction to zombie computers and their history, describes the various mechanisms that are used to detect whether a PC is a zombie, presents prevention methods, and gives some live examples.

History: Zombies have been used extensively to send email spam; as of 2005, an estimated 50 to 80% of all spam worldwide was sent by zombie computers. This allows spammers to avoid detection and presumably reduces their bandwidth costs, since the owners of zombies pay for their own bandwidth. This spam also greatly furthers the spread of Trojan horses; as Trojans, they are not self-replicating. They rely on the movement of emails or spam to grow, whereas worms can spread by other means. Zombies can be used to conduct distributed denial-of-service attacks, a term which refers to the orchestrated flooding of target websites by armies of zombie computers. The large numbers of Internet users making simultaneous requests of a website's server are intended to crash it and prevent legitimate users from accessing the site.[3] A variant of this type of flooding is known as distributed degradation-of-service. Committed by "pulsing" zombies, distributed degradation-of-service is the moderated and periodical flooding of websites, done with the intent of slowing down rather than crashing a victim site. The effectiveness of this tactic springs from the fact that intense flooding can be quickly detected and remedied, but pulsing zombie attacks and the resulting slow-down in website access can go unnoticed for months and even years.

INTRODUCTION:
Definition: A zombie computer, or drone, is a computer that has been secretly compromised by hacking tools which allow a third party to control the computer and its resources remotely. When the zombie computer connects to the Internet, the remote hacker can clandestinely make contact with the computer to mine data from it or use it for any number of purposes. Communication between the hacker and the computer travels through back channels of the targeted system, keeping these processes hidden from the owner.

Is Your PC a Zombie?
Zombie PCs are computers that have been infected by malicious code that allows spammers to take some control and use them to send emails. It is believed that more than 80 percent of all spam worldwide comes from zombie PCs. What is worse, these computers can be owned by anyone (businesses, universities, government and average users) and the owners don't even know they have a problem.

Symptoms of a zombie PC: Symptoms include poor computer system performance, slower response times and longer start-up and shut-down times, a dramatic loss in Internet connection speed, loss of hard disk space, a web browser that frequently closes for no apparent reason, a browser home page that resets and cannot be changed, new desktop icons and applications, like toolbars, that suddenly appear, blocked access to various computer security-related web sites, and pop-up ads that appear even when the web browser is closed. Other signs include the computer seeming to access the hard drive constantly, an unresponsive mouse and keyboard, several bounce notifications in your email from people you never tried to email, Internet activity or a continuously flashing modem activity light even when you are not accessing the net, and a virus checker that is disabled and cannot be updated.

It can be very difficult to tell if a spammer has installed hidden software on your computer, but there are some warning signs. For example:

- you may receive emails accusing you of sending spam;
- you may find email messages in your outbox that you didn't send; or
- your computer is using more power than it has in the past to run the programs you use (typically, the computer becomes slower to respond).

If your computer has been taken over by a spammer, you could face serious problems. Your Internet Service Provider (ISP) would see the huge number of emails coming out from your account and may prevent you from sending any email at all until the virus is treated, and treatment could be a complicated, time-consuming process.

HOW DOES A ZOMBIE WORK?

Bots can infect a computer in many ways. One of the most common is that bots spread themselves through the Internet by searching for unprotected computers. Sometimes a bot is downloaded to the computer by a Trojan, installed by a website with malicious code, or emailed directly by a person whose computer is infected by a bot. In recent cases, bots have spread themselves through various instant messengers: an infected computer sends a URL to everyone on its buddy list, and when a recipient clicks on that link, they are infected too.

All computers connected to the Internet are potential targets, but those with broadband (DSL, cable modem) connections are especially attractive to spammers because they are always on. Spammers scan the Internet, searching for points of entry, and then install hidden software that allows remote access to your data and programs. That, in turn, allows the spammer to relay their spam and send the spam messages out from your computer.

The computer may also be compromised through vulnerabilities in Internet Explorer, when a person's Internet Explorer zone settings are unsecured, or when the user allows Internet Explorer to install a program by clicking "OK" when a dialogue box appears. Spammers can get into your computer in several ways, depending on what kind of Internet connection you have.

Remote access software can also be installed by a virus: a spammer sends an email with a virus in the attachment. If you open the infected attachment, the virus is released and installs the hidden software. The person who sent the virus can now access the data and programs on your computer, or take over many computers and use them to send spam.

What to do if your PC is a zombie?
If your computer is infected, take action immediately. If your computer has been hacked or infected by a virus, you should:

- Disconnect from the Internet right away. (Unplug the cable connecting you to the DSL router or cable modem, the box typically made by D-Link, Linksys, Netgear or Airlink. Usually, the cable is blue or yellow.)
- Next, scan your entire computer with fully updated antivirus software.
- Report any unauthorized accesses that the anti-virus software finds to your ISP.
- If you suspect that any of your passwords have been compromised, call that site's company immediately and change your password.
- Practice safe computing. Don't open attachments you're not expecting or aren't 100% sure of. Don't fall for phishing attacks, click on pop-ups you don't know are safe, or visit questionable web sites.

How can you prevent an attack of the zombies?

Zombies are just another form of virus or malware. All of the usual precautions that keep you from getting infected with anything apply to keeping zombies at bay:

- Keep Windows up-to-date. The majority of successful infections occur on unpatched machines.
- Get behind a firewall, ideally a router, or a software firewall.
- Run up-to-date anti-spyware and anti-virus software.

Types of Intrusion Detection Systems:

1. HIDS: A host-based intrusion detection system (HIDS) is an intrusion detection system that monitors and analyzes the internals of a computing system rather than the network packets on its external interfaces (as a network-based intrusion detection system (NIDS) would do). A host-based IDS monitors all or parts of the dynamic behavior and the state of a computer system. Much as a NIDS will dynamically inspect network packets, a HIDS might detect which program accesses what resources.

2. NIDS: A Network Intrusion Detection System (NIDS) is an intrusion detection system that tries to detect malicious activity such as denial of service attacks, port scans or even attempts to crack into computers by monitoring network traffic. A NIDS reads all the incoming packets and tries to find suspicious patterns known as signatures or rules. If, for example, a large number of TCP connection requests to a very large number of different ports are observed, one could assume that someone is conducting a port scan of some or all of the computers in the network. It also (mostly) tries to detect incoming shellcode in the same manner that an ordinary intrusion detection system does. A NIDS is not limited to inspecting incoming network traffic only. Often valuable information about an ongoing intrusion can be learned from outgoing or local traffic as well. Some attacks might even be staged from inside the monitored network or network segment, and are therefore not regarded as incoming traffic at all. Often, network intrusion detection systems work with other systems as well. They can, for example, update some firewalls' blacklists with the IP addresses of computers used by (suspected) crackers.

3. APIDS: An application protocol-based intrusion detection system (APIDS) is an intrusion detection system that focuses its monitoring and analysis on a specific application protocol or protocols in use by the computing system. An APIDS monitors the dynamic behavior and state of the protocol and typically consists of a system or agent that sits between a process, or group of servers, monitoring and analyzing the application protocol between two connected devices. A typical place for an APIDS would be between a web server and the database management system, monitoring the SQL protocol specific to the middleware/business logic as it interacts with the database.

4. PIDS: A protocol-based intrusion detection system (PIDS) is an intrusion detection system which is typically installed on a web server, and is used in the monitoring and analysis of the protocol in use by the computing system. A PIDS monitors the dynamic behavior and state of the protocol and typically consists of a system or agent that sits at the front end of a server, monitoring and analyzing the communication between a connected device and the system it is protecting. A typical use for a PIDS would be at the front end of a web server monitoring the HTTP (or HTTPS) stream. Because it understands the HTTP relative to the web server/system it is trying to protect, it can offer greater protection than less in-depth techniques such as filtering by IP address or port number alone; however, this greater protection comes at the cost of increased computing on the web server. Where HTTPS is in use, this system would need to reside in the "shim" or interface between where HTTPS is decrypted and immediately prior to it entering the Web presentation layer.
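As an added example (not code from the paper), the two NIDS-style rules described above applied to a constructed batch of connection records in Python: the port-scan rule (one source touching many distinct ports on one host) and a spam-zombie rule that flags a host whose outbound SMTP fans out to many peers under many different envelope senders, the "multiple FROM addresses" profile the conclusion reports. The IP addresses, sender names and thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample connection records (not taken from the paper). Each tuple
# is (src_ip, dst_ip, dst_port, mail_from); mail_from is the SMTP envelope
# sender observed on a port-25 connection, or None for non-mail traffic.
SAMPLE_FLOWS = (
    # one external source probing ten different ports on one host: a port scan
    [("203.0.113.9", "192.0.2.10", p, None)
     for p in (21, 22, 23, 25, 80, 110, 135, 139, 443, 445)]
    # ordinary repeated HTTPS traffic from a single client
    + [("198.51.100.7", "192.0.2.10", 443, None)] * 3
    # an internal host fanning out SMTP to seven peers with seven senders
    + [("192.0.2.55", "198.51.100.%d" % i, 25, "user%d@example.net" % i)
       for i in range(1, 8)]
    # a legitimate mail server: one envelope sender, one peer, many sessions
    + [("192.0.2.20", "198.51.100.50", 25, "postmaster@example.org")] * 4
)


def detect_port_scans(flows, min_ports=8):
    """Return {(src, dst): distinct_port_count} for every source that touched
    at least min_ports distinct ports on one destination (the NIDS rule)."""
    ports = defaultdict(set)
    for src, dst, dport, _ in flows:
        ports[(src, dst)].add(dport)
    return {k: len(v) for k, v in ports.items() if len(v) >= min_ports}


def detect_spam_zombies(flows, min_peers=5, min_senders=3):
    """Return {src: (peer_count, sender_count)} for hosts whose outbound SMTP
    reaches many peers under many different envelope senders, which is the
    'multiple FROM addresses' zombie profile the paper reports."""
    peers, senders = defaultdict(set), defaultdict(set)
    for src, dst, dport, mail_from in flows:
        if dport == 25 and mail_from is not None:
            peers[src].add(dst)
            senders[src].add(mail_from)
    return {src: (len(peers[src]), len(senders[src])) for src in peers
            if len(peers[src]) >= min_peers and len(senders[src]) >= min_senders}


if __name__ == "__main__":
    for (src, dst), n in detect_port_scans(SAMPLE_FLOWS).items():
        print(f"port scan: {src} -> {dst} ({n} distinct ports)")
    for src, (p, s) in detect_spam_zombies(SAMPLE_FLOWS).items():
        print(f"possible spam zombie: {src} ({p} SMTP peers, {s} senders)")
```

The legitimate mail server in the sample stays below both thresholds, which is the distinction such a rule has to make to avoid blacklisting a site's real outbound relay.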

Intrusion Prevention Systems (IPS):

Intrusion Prevention Systems (IPS), also known as Intrusion Detection and Prevention Systems (IDPS), are network security appliances that monitor network and/or system activities for malicious activity. The main functions of an intrusion prevention system are to identify malicious activity, log information about that activity, attempt to block or stop it, and report it. Intrusion prevention systems are considered extensions of intrusion detection systems because both monitor network traffic and/or system activities for malicious activity. The main difference is that, unlike intrusion detection systems, intrusion prevention systems are placed in-line and are able to actively prevent or block intrusions that are detected. More specifically, an IPS can take such actions as sending an alarm, dropping the malicious packets, resetting the connection and/or blocking the traffic from the offending IP address. An IPS can also correct CRC errors, defragment packet streams, prevent TCP sequencing issues, and clean up unwanted transport and network layer options.

Classifications:
- Network-based Intrusion Prevention (NIPS): monitors the entire network for suspicious traffic by analyzing protocol activity.
- Wireless Intrusion Prevention Systems (WIPS): monitors a wireless network for suspicious traffic by analyzing wireless networking protocols.
- Network Behavior Analysis (NBA): examines network traffic to identify threats that generate unusual traffic flows, such as distributed denial of service (DDoS) attacks, certain forms of malware, and policy violations.
- Host-based Intrusion Prevention (HIPS): an installed software package which monitors a single host for suspicious activity by analysing events occurring within that host.

Live examples:
Incidents of distributed denial- and degradation-of-service attacks in the past include the attack upon the SPEWS service in 2003, and the one against the BLUE FROG service in 2006. In 2000, several prominent Web sites (Yahoo, eBay, etc.) were clogged to a standstill by a distributed denial-of-service attack mounted by a Canadian teenager. An attack on grc.com is discussed at length, and the perpetrator, a 13-year-old probably from Kenosha, Wisconsin, was identified on the Gibson Research Web site. Steve Gibson disassembled a 'bot' which was a zombie used in the attack, and traced it to its distributor. In his account of his research, he describes the operation of a 'bot'-controlling IRC channel.

Beginning in July 2009, similar botnet capabilities have also emerged for the growing smartphone market. Examples include the July 2009 in-the-wild release of the Sexy Space text message worm, the world's first botnet-capable SMS worm, which targeted the Symbian operating system in Nokia smartphones. Later that month, Charlie Miller revealed a proof-of-concept text message worm for the iPhone at Black Hat. Also in July, United Arab Emirates consumers were targeted by the Etisalat BlackBerry spyware program. At the present time, the security community is divided as to the real-world potential of mobile botnets.

Conclusion:
From the analysis of the sending attempts of thousands of zombie computers it is possible to profile computer zombies into types. Seven computer zombie types were identified, and methods for applying these profiling techniques to filter out unwanted emails were investigated. Some techniques have more demonstrable effectiveness, while others may only be useful if used in conjunction with other techniques. Specifically, identifying computer zombies by multiple FROM addresses is very effective (94% success) and, coupled with blacklisting known bad web servers (used by 90% of hosts), could produce a combination of filters that are even more effective. With the many techniques currently available for blocking unwanted email, the techniques discussed in this paper can add to the arsenal that already exists to further reduce the amount of unwanted email reaching the end user. Ideally this will result in less unwanted email, leading to fewer computers becoming computer zombies, and therefore reducing the botnet operators' financial gain.

References:
http://computer.howstuffworks.com/
http://www.wordspy.com/words/
http://www.wikipedia.org/
