Information Warfare: Abandoned Zombies Frantically Call Home


November 23, 2008: The war against Internet crime has turned against the bad guys, as ISPs (Internet Service Providers) that provide access for Internet criminals have been identified and cut off from the Internet. This had an interesting side-effect recently, as nearly half a million hijacked computers frantically sought to "call home."

It all began with the recent take-down of the ISP McColo Corporation, which caused worldwide spam traffic to decline by over 50 percent in one day. In past years, two other similar ISPs, the Russian Business Network and Intercage, had a similar, but not as dramatic, impact on spam traffic, and on Internet-based criminal activity in general, when they were shut down.

The basic tactic here was to compile a report of the known criminal activity being conducted via a particular ISP, and then present it to police authorities (like the FBI in the U.S.). What made this work was the discovery that child pornography sites were hosted on places like McColo. While ISPs cannot be held legally responsible for most customer activity, copyright infringement and child pornography are two things the ISP can be prosecuted for if they know it's on their servers and do nothing about it. While the ISPs doing the hosting, like McColo, will play games with the authorities (moving the criminal sites to another server, or shutting them down and then letting them start again under a different name), you can take the same evidence to the ISPs that "peer" with (connect to) the offending ISP, and get them to disconnect from it. Since the Internet is a network of networks, if an ISP cannot connect to the "web" of thousands of ISPs (especially the major ones), it is not connected to the Internet. That's how McColo, the Russian Business Network and Intercage got shut down. And that's how new ISPs specializing in supporting criminals will get shut down.

Internet crime, particularly spam (unsolicited email), has become a big money maker. Because of the very low cost of sending it, you need only one response for every several million spam messages to make lots of money. But the same ISPs that host the spammers also host operations that try to sneak into business, government and personal computers to steal stuff (bank account information, trade secrets, classified military information). As much as the bad guys try to find places to hide, they tend to congregate at unscrupulous ISPs that will charge a bit extra and look the other way. Now these rogue ISPs are under attack, and this will slow down the Internet bandits and increase their cost of doing business.

When McColo went dark, Internet criminals lost touch with their botnets (networks of PCs infected with a hidden program that allowed the botnet controller to direct the zombie (infected) PCs to send spam or unleash programs that tried to infect other PCs or break into business or government networks and steal information). Internet security companies monitor many of these botnets, and one of the largest collections of botnets, called the Srizbi network, suddenly went haywire. Over 450,000 zombie PCs were frantically trying to connect to the disconnected McColo servers that the Srizbi criminals used to control their botnets.

Internet security firms use traffic analysis (examining patterns of activity on the Internet) to spot such things, and the pre-programmed instructions of all those Srizbi zombies were similar enough to reveal which machines the zombies were. This is being monitored to try to identify all the zombies and help get them disinfected. The security firms also hope to get a better idea of exactly who the Srizbi gang is and where they are, and possibly get them arrested and taken out of business.
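The kind of traffic analysis described above, as an added illustration that is not from the article or from any security firm's tooling: a pass over constructed flow records that flags internal hosts repeatedly sending unanswered connection attempts, at a steady cadence, into an address block that has gone dark. The prefix 203.0.113.0/24 (a documentation range) is a placeholder for the taken-down provider's space, and the flow lines are constructed sample data.

```python
# Added example: spot "orphaned zombie" behaviour in flow logs.
# Assumptions: a placeholder dead prefix (203.0.113.0/24) and constructed
# flow records in the form "epoch_seconds src dst dport tcp_flags".
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows. Flags "S" alone = a SYN that got no reply;
# "SA" = a completed handshake to a live host (not suspicious here).
FLOWS = """\
1227400000 10.0.0.5 203.0.113.20 443 S
1227400060 10.0.0.5 203.0.113.20 443 S
1227400120 10.0.0.5 203.0.113.20 443 S
1227400180 10.0.0.5 203.0.113.20 443 S
1227400005 10.0.0.9 203.0.113.21 80 S
1227400065 10.0.0.9 203.0.113.21 80 S
1227400125 10.0.0.9 203.0.113.21 80 S
1227400010 10.0.0.7 198.51.100.10 443 SA
1227400300 10.0.0.7 203.0.113.20 443 S
"""

# Placeholder for the disconnected provider's address block.
DEAD_PREFIX = ipaddress.ip_network("203.0.113.0/24")

def parse_flows(text):
    """Parse 'ts src dst dport flags' lines into tuples."""
    recs = []
    for line in text.splitlines():
        ts, src, dst, dport, flags = line.split()
        recs.append((int(ts), src, ipaddress.ip_address(dst), int(dport), flags))
    return recs

def find_orphaned_zombies(records, dead_prefix=DEAD_PREFIX, min_attempts=3):
    """Return {src: (attempt_count, mean_interval_seconds)} for hosts that keep
    sending unanswered SYNs into the dead prefix at a regular interval."""
    attempts = defaultdict(list)
    for ts, src, dst, _, flags in records:
        if dst in dead_prefix and flags == "S":
            attempts[src].append(ts)
    hits = {}
    for src, times in attempts.items():
        if len(times) < min_attempts:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        # A tight retry cadence is the "pre-programmed" signature; a human
        # retrying a dead site does not reconnect every N seconds on the dot.
        if pstdev(gaps) <= 0.1 * mean(gaps):
            hits[src] = (len(times), mean(gaps))
    return hits
```

Hosts returned by `find_orphaned_zombies` are candidates for cleanup, not proof of infection on their own; a single stray attempt (10.0.0.7 above) stays below the threshold by design.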

All this has implications for Cyber War operators, who use lots of zombies to set up wartime attacks, and who engage in espionage and low-level attacks right now.
