How much do you trust your computer?
While you think it's doing nothing -- or even while you're using it -- your desktop machine could be sending spam to millions of e-mail addresses or participating in an electronic attack on a corporate website. It could even be silently betraying you, transmitting your passwords and personal data to a fraud artist.
These are some of the dirty tricks played by the remote-controlled "bots" -- short for robots -- that are planted by some computer viruses. They can turn the machines they infect into electronic "zombies" used for unsavoury purposes, while keeping the people controlling them safe from detection.
Bots aren't new, but the threat they pose has been skyrocketing. Reports of personal computers infected with bots grew by 600 per cent between April and September last year, according to Michael Murphy, general manager of Symantec Canada Corp.
"We've had bots for over a decade," adds Ed Skoudis, co-founder of security consulting firm Intelguardians LLC in Washington, D.C., "but it wasn't until this year that we've seen a new version released pretty much every day."
Why the upsurge in bots? One word: Money.
"The profit motive got added to the bots and the worms and so forth," Mr. Skoudis says.
In the past, most people who created bots and other computer malware did so to show off their programming abilities. Then, those with more malicious intent started writing bots that crack passwords, or that log everything typed on the infected machine (including passwords, financial and personal information) and secretly send it back to their creators. But recently, Mr. Skoudis says, bot writers began realizing they could make money by harnessing the network resources and computing power of the infected PC itself.
"This seems to be the latest craze" in the virus-writing and hacking community, says Jack Sebbag, Canadian general manager and vice-president of security software vendor McAfee Inc.
Security firm Trend Micro Inc.'s 2004 report notes that the latest crop of bots "generally utilize IRC channels to give a remote attacker access to the compromised system, enabling the attacker to steal application CD keys, terminate processes, launch denial-of-service attacks, establish remote connections, upload/download files, scan open ports, and perform a slew of other backdoor routines that direly compromises system security."
There are two main ways people profit from harnessing zombie PCs. The first is to send illicit e-mail, which may be spam or part of a phishing scam. Phishing is the use of e-mails that appear to be from a legitimate organization to fool recipients into going to fake websites. Once there, people are duped into entering personal information, such as passwords or credit card numbers, which criminals can then use to defraud the victims.
Using bots to send such e-mail through other people's computers helps protect perpetrators from detection. Dave Dittrich, senior security engineer and an information assurance researcher at the University of Washington, explains that fraud artists usually relay messages through two or more zombie PCs before the messages reach their destinations, making it very hard to trace a message back to its source. Using a zombie PC only a few times before moving on to a new one, he adds, makes detection even tougher.
The second means of profit is to use bots in distributed denial-of-service attacks. Networks of zombie PCs bombard a website with a huge number of requests for data, blocking legitimate requests and in some cases crashing the site's servers. This kind of attack is increasingly common in extortion schemes, Mr. Skoudis says, particularly against on-line gambling sites.
Trend Micro says it documented 2,830 new bot programs in 2004 and a marked expansion in the number of zombie networks operating on the Internet. Its security report said this is "symptomatic of the increasing number of hackers that are being drawn to the idea of controlling remote systems."
Bots are a favourite tool of cyber-criminals because both the software on the PC and the unauthorized network activity are hard to spot, particularly for home users and small businesses without a skilled IT department.
"For the most part, you wouldn't notice it unless you were looking at inbound and outbound traffic," Mr. Murphy of Symantec says.
And once they're in place, bots can be tricky to remove. Many are cleverly designed to hide themselves from virus scanners and software tools, such as the Windows Task Manager, which lists the processes running on a PC. Some are built so that their creators can upgrade them remotely over the Internet, giving them new capabilities.
Protecting a PC from bots is mostly a matter of standard precautions -- use antivirus software and network firewalls, and install operating system updates promptly, experts say. Organizations should also employ intrusion detection software and monitor their computers and networks for unusual behaviour, Mr. Dittrich says.
Bot attacks "will continue to get worse," Mr. Sebbag of McAfee warns, particularly now that they're being used for profit, but he is optimistic that the defences provided by computer security companies can keep pace.