Security threats Toolkit

Zombie networks implicated in ID theft

Tags:
Compromise,
Zombie,
Phishing,
Spyware

Published: 15 Mar 2005 09:15 GMT

Botnets — otherwise known as zombie networks — collections of compromised computers controlled by a single person or group, have become more pervasive and increasingly focused on identity theft and installing spyware, according to a Honeynet Project report.

The report, released on Monday, summarises the findings of researchers who have tapped into more than 100 different botnets since last summer. Some of the networks were made up of more than 50,000 computers, said the Honeynet Project, a security group that sets up heavily monitored systems, or honeypots, and allows them to be attacked.

While many of the networks had been used to hit other botnets with denial-of-service attacks, others had been used to gather sensitive identity information and install adware and spyware, a practice that is increasing, said Thorsten Holz, a computer science research student at RWTH Aachen University of Technology in Germany and one of the primary authors of the paper.

"Our research shows that some attackers are highly skilled and organised, potentially belonging to some well-organised crime structures," Holz, a member of the Honeynet Project, wrote in the paper. "Even in unskilled hands, it should be obvious that botnets are a loaded and powerful weapon."

Over the past year, security experts have become increasingly wary of botnets. Once used mainly by online vandals to attack each other, the large networks of compromised computers are now a tool for groups of criminals bent on making money through identity fraud, adware installation or sending massive amounts of spam. A person whose computer is infected with bot software runs the risk of having sensitive information such as account passwords and credit card numbers sent to the controller of the network.

A botnet onslaught is believed to have caused an outage at Internet service provider Akamai Technologies last summer.

At least a million computers worldwide are unwitting hosts to bot software, Honeynet researchers calculate — but that's a conservative estimate, Holz wrote in the report. A typical bot could be connected to 10,000 other computers, use IRC for command and control, and have a plug-in architecture that allows new features to be quickly added, he noted.

The report also describes how the researchers monitored the bots and intercepted communications. The Honeynet Project plans to release the software programs it developed to the community at large.

Some interesting applications of the malicious networks have been noticed by researchers, Holz said in an interview. In one case, bot software detected whether the game "Diablo II" was installed on the host PC. If the game was present, the program would steal items from the player's characters and drop them at preplanned places in the online game world. The bot net's controller would then collect the items and sell them on auction site eBay, Holz said.

"It was pretty clever and hard to detect," he said.

Future botnets are likely to move to peer-to-peer communications, which are harder to intercept and shut down, Holz said. Moreover, there is a trend toward smaller numbers of bots in each network — a measure that makes the collection of compromised computers that much harder to detect, he said. While a network of 3,000 to 8,000 computers is harder to detect than one of 20,000, it can be as damaging, he added.

"Even those small botnets can cause much harm, especially if the compromised machines have good Internet connectivity or are located within interesting places," Holz said.