Zombie Attackers

While researching information for writing Spyware, Part 1 and Part 2, I explored the Gibson Research Corporation Web site. Steve Gibson, an assembly language programmer and noted advocate for consumer privacy on the Internet, is also interested in security systems connected to the Internet. Recently, script kiddies attacked his Web site (script kiddies are young crackers who maliciously knock off Web sites).

Unlike most victims of an Internet assault, Gibson dissected and analyzed the attack. On his Web site, Gibson describes what he did to find out how the script kiddies used a Distributed Denial of Service (DDoS) attack on his systems, and he shares what he can do to protect his Web site in the future. It turned out that some young people created automated robots (bots) that spread through email. Once installed and operational on a target (zombie) computer, these bots connect to an Internet Relay Chat (IRC) room and receive commands from a central operator (the attacker). With hundreds of these infected zombie computers at the operator’s command, the attacker invoked simultaneous large-packet pings and broken Internet Control Message Protocol (ICMP) messages, which overloaded Gibson’s dual-T1 connection to the Internet. Under this heavy load, legitimate traffic couldn't get through, so Gibson's Web site appeared to drop off the Internet.

You can read the details of the attack on Gibson’s Web site, but in short, Gibson’s findings were ominous. He stumbled on the fact that his routers, and the ISP’s routers, could have protected him from the malicious packets flooding his bandwidth, which told him one key thing—all the zombie computers sending the packets were Windows-based computers. To understand why knowing this is important, read on.

The many varieties of UNIX were some of the first systems that developers designed to communicate using TCP/IP over networks, and they used complete socket implementation—all code using TCP/IP (known as the stack) conformed to Request for Comments (RFC) standards and was correct by the book. Unfortunately, old standards sometimes have security loopholes, and in the complete UNIX sock implementation, it’s possible to make a packet appear to be coming from an IP address completely unrelated to the computer sending the packet. Although there are a few useful applications for spoofing IP addresses, by and large, attackers use and abuse this technique. With the complete UNIX TCP/IP socket code, a malicious user can also generate inherently false packets, such as malformed pin signals, which bombard and overload routers and servers.

Microsoft failed to include a complete socket specification in Windows NT and Windows 9x OSs, so all machines running these OS versions are limited in their ability to generate deliberately malformed Internet packets to conceal the user's true IP address. Microsoft has actually benefited the Internet with this oversight. Although NT and Win9x don’t comply with standards, their incomplete stack implementation makes these versions safe for the Internet community.

However, if Microsoft provides a complete stack in Windows XP, Gibson proclaims that it will be the end of the Internet as we know it. On the surface, this assertion appears to be true, but the problem’s root causes lie deeper. Gibson mistakenly says that you can’t spoof IP addresses in NT or Win9x, but astute users know that it’s possible to work around this situation by developing custom raw packet drivers, which most attackers can do.

As always, we end users have to take responsibility for our computer security. Security expert Bob Walder of The NSS Group has put together a list of suggestions that I’d like to draw from here, because the suggestions are important to both small office/home office (SOHO) users and big companies.

1. Don’t open email attachments unless you’re expecting them and the attachment is from a reliable source. Computer security experts have warned us about this over and over, yet users continue to cause their own security problems by opening email attachments.
2. Open suspect attachments on a quarantined PC only—one not connected to your regular production network.
3. Run antivirus software, and keep it up-to-date, something that’s so easy to do with all the inexpensive, automatic update software that's available.
4. Be sure that there’s a functional, properly configured firewall at the connection point from your network to the Internet. Walder points out that most firewalls do a good job of denying incoming packets, but let almost anything go out. Scrutinizing and denying outbound and inbound requests guard against zombie attacks. Enable only what you need, and deny all the rest. Use Network Address Translation (NAT), and disable VBScript in your browser (I’ve covered both topics in previous columns).
5. If you’re using a dial-up account, or if properly completing step 4 is not possible, contact your ISP to see what they’ll do about implementing a customer-specific firewall. Most ISPs will be reluctant to do so, but it’s worth a try. Most ISPs' firewalls are for their own protection than for their users’ protection—user firewalls are more effective because they’re customized to each individual customer network. Because ISPs most likely won’t honor this request, it’s up to users to take care of this problem.
6. If you’ve got the funds, use an intrusion detection system (IDS). Firewalls attempt to prevent intrusion, but once attackers permeate this line of defense, they’re in the clear unless you’re using an IDS.
7. There are several programs designed to assess file integrity that let you see at a glance where new programs lie and when they were added. (Walder mentions TripWire, and I’ll cover some of these programs and their techniques in future articles.) These reports of abnormal activities are good indicators that malicious users have introduced Trojan horses into your system.
8. Mobile users should use ZoneAlarm, as should anyone who doesn’t have any other form of Internet protection. However, ZoneAlarm, as good as it is, should be only second or third in your security line-up. It’s not a substitute for a full-blown firewall, IDS, and file integrity assessment program.

Walder recommends checking out The NSS Group Web site and your local library resources for more information. Although taking these steps might seem like corporate-size measures, it’s time for all of us to increase our efforts to curtail zombie attacker threats. Otherwise, Internet integrity and security is at the mercy of 13-year-old script kiddies everywhere.