The Zombies Are Among Us!
by roy
They could be anywhere – your home, your office, your ISP. They stand awaiting your orders. They are the zombies of the Internet!
Zombies are computers – servers, workstations or laptops – that have been compromised by hackers and have had Trojan horse software deposited on their hard drives, which are awaiting the time when the alarm will tell them, for example, to begin pinging a server at a specific IP address.
The zombie software was perhaps encapsulated in a game or graphic download, or maybe a free software package. Next, an unsuspecting user like yourself downloaded it onto his or her PC.
On the other hand, an ingenious hacker can deposit the software on thousands of home computers via cable modem and at the decided time, each of these home computers will begin pinging a specific server at, say, Microsoft or Amazon. Meanwhile, the user continues to work at his home PC, unaware that any such activity is going on. The zombie software file is only about 16K so it certainly doesn’t take up a lot of disk space.
A good rule of thumb is: Think twice before downloading files ending in “.exe”.
Many home users or small businesses assume that since they’re “small time”, hackers wouldn’t bother with them. But if the hacker’s goal is to set up a system of zombies, your cable-connected PC can be a prime target. If the hacker can compromise your ISP’s server, he can drop off zombie programs onto every PC connected to the server, without ever knowing who they are.
High speed (cable or DSL) users should seriously consider installing firewall software, like Zone Alarm.
The Internet Relay Chat (IRC) connection
Many of these programs are distributed through IRC chat networks. For example, this past summer the program SubSeven, a backdoor, was often downloaded as a porno movie clip, a .avi file which, when played, installed the backdoor zombie software. The backdoor was able to take over the monitor, keyboard and mouse controls, just like legitimate remote control software does.
The IRC chat boards can also serve as file servers from which users can exchange files, graphics and applications. However, programs or “bots” can be written that act like and may appear to be an actual user. Bots can even be set up to appear as a file server that offers files to visitors, runs games, etc.
The scary thing about this process is how automated it is. The hacker can send the 16KB bot file to hundreds or thousands of email servers without ever even knowing where they ended up. And it really doesn’t matter, because wherever it is, the bot client will “phone home” to the program on that IRC server.
One of the zombies that does the work for the DDoS attacks is a small program named “rundIl.exe”. Clever! This looks just like the Windows program “rundll.exe”, except that the first small “l” is actually a capital “I”.
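A defender-side check for the look-alike trick just described, added here as an illustration and not code from the article: it folds confusable characters (capital I, digit 1, digit 0) before comparing a file or process name against an allowlist of Windows binaries. The allowlist and sample names are constructed.

```python
"""Flag file names that impersonate Windows system binaries with look-alike characters.

Added example; the allowlist and sample names below are constructed for illustration.
"""

# Binaries a look-alike name might try to pass for (constructed allowlist; extend as needed).
LEGITIMATE = {"rundll.exe", "rundll32.exe", "svchost.exe", "explorer.exe"}

# Glyphs that read like another letter in common fonts, mapped to the letter they mimic.
# Capital I, digit 1 and the pipe pass for lowercase l; digit 0 passes for letter o.
CONFUSABLE = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o"})


def canonical(name: str) -> str:
    """Fold confusables first, then lower-case: a capital 'I' must not become 'i' before folding."""
    return name.translate(CONFUSABLE).lower()


def classify(name: str) -> tuple:
    """Return ('legitimate', name), ('lookalike', impersonated name) or ('unknown', None)."""
    lowered = name.lower()
    if lowered in LEGITIMATE:
        return ("legitimate", lowered)
    canon = canonical(name)
    for legit in LEGITIMATE:
        # Compare both sides in canonical form so a genuine name never matches itself as a fake.
        if canonical(legit) == canon:
            return ("lookalike", legit)
    return ("unknown", None)


def scan(names) -> list:
    """Return (name, impersonated name) for every look-alike in a list of process or file names."""
    return [(n, classify(n)[1]) for n in names if classify(n)[0] == "lookalike"]


if __name__ == "__main__":
    # Constructed sample of names as they might appear in a process list.
    for name, target in scan(["rundll.exe", "rundIl.exe", "svch0st.exe", "notepad.exe"]):
        print(f"{name} looks like {target}")
```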
In a nutshell, the bot (or zombie client software) is deposited onto your PC. When the PC is rebooted, it becomes a zombie. The bot, upon being activated, contacts the program on the IRC server to receive its orders. The orders are something like: “Ping IP address xxx.xxx.xxx.xxx”, which happens to be a server in Oslo, Norway. Since several hundred other zombies are receiving (and obeying) the same order, that server in Oslo is going to grind to a halt very quickly.
Zombies and back doors
Back door software, like BackOrifice 2000, takes over the monitor, keyboard and mouse controls of your computer. There are legitimate remote control applications on the market, but these illegal ones are installed without your knowledge by means of zombie clients.
For example, the Sub7Server Trojan horse program is a back door program that is frequently delivered to PCs via a zombie client. (You can learn more about Sub7Server by doing a Google search, but I wouldn’t recommend downloading anything, unless you have a secure PC, separate from your regular network.)
Raw Sockets
Finally, there is the issue of the “raw sockets” in Microsoft’s XP Operating System:
Until September 2002, the Microsoft XP operating system was susceptible to hacking due to the unprotected “raw sockets” feature of XP. The raw sockets were set up to ensure integration with UNIX systems, but were also shown to provide easy entry and exit ports for packets participating in a Distributed Denial of Service attack.
So what’s a “raw socket”?
In simplest terms, it is like a port or pathway through the TCP/IP protocol stack. When TCP/IP was first developed for the Internet, the developers created these sockets at the Application layer, so that data could bypass the usual TCP and UDP protocols as it crosses the Internet. The sockets were created for testing purposes only, when UNIX was the only operating system on the ‘Net, and developers were the only people using them.
Among other things, the raw sockets allow IP spoofing, which means that the attacked parties don’t know from where the attack is coming. The only way the systems admin can stop the attack is by identifying the computers that are sending the data requests, but he can’t do this if the IP address is spoofed.
On September 29, 2002, Microsoft issued Service Pack 1 for the XP operating system, which corrects the raw sockets problem. The bottom line? If you’re running XP, you should download that Service Pack 1 (if you don’t have it already).
For a detailed discussion of zombie programs in action, visit Steven Gibson’s site at: www.grc.com
The site has a wealth of information and advice on the subject. For example, to check for IRC Bots or zombies on your Windows machine, Gibson recommends running these two commands in the DOS interface:
netstat -an | find ":6667"
netstat -an | find ":113 "
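The same check as a small parser, added here as an example rather than code from the article or from GRC: it reads Windows `netstat -an` output and reports any socket on port 6667 (IRC) or 113 (ident, queried by IRC servers). Parsing the port number exactly avoids the false match a plain text search gets from a port such as 1130. The sample output is constructed; `live_netstat` is a helper assumed for running it against the real command.

```python
"""Parse `netstat -an` output and flag sockets on ports associated with IRC bot traffic.

Added example (not from the article or GRC). Ports are parsed numerically, so a local
port such as 1130 is not mistaken for 113 the way a plain text search could.
"""
import subprocess

# Ports the article's check looks for: 6667 (IRC) and 113 (ident, queried by IRC servers).
SUSPECT_PORTS = {6667, 113}

# Constructed sample in the layout of Windows `netstat -an` output.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1030      203.0.113.9:6667       ESTABLISHED
  TCP    0.0.0.0:113            0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1130      198.51.100.4:80        ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""


def _port(addr: str):
    """Return the numeric port of 'host:port', or None for '*:*' style entries."""
    _, _, port = addr.rpartition(":")
    return int(port) if port.isdigit() else None


def find_suspect_sockets(netstat_output: str) -> list:
    """Return (proto, local, foreign, state) for every line touching a suspect port."""
    findings = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank, or unrecognised line
        proto, local, foreign = parts[:3]
        state = parts[3] if len(parts) > 3 else ""
        if _port(local) in SUSPECT_PORTS or _port(foreign) in SUSPECT_PORTS:
            findings.append((proto, local, foreign, state))
    return findings


def live_netstat() -> str:
    """Run the real command on this machine (Windows column layout assumed)."""
    return subprocess.run(["netstat", "-an"], capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    for finding in find_suspect_sockets(SAMPLE_NETSTAT):
        print("suspect:", *finding)
```

A hit on 6667 or 113 is a lead, not proof: legitimate IRC clients and ident daemons use the same ports, so confirm which process owns the socket before acting.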