The Web’s Latest Threat: Smarter ‘Zombies’

As if zombie PCs — computers taken over by hackers and used to distribute spam and malware — weren’t already bad enough, they are now harder to prevent than ever before.

That’s because they’re getting smarter and harder to track down, according to security software vendor Commtouch. New zombies now routinely request new IP addresses from their ISPs, so anti-spam software that works by blocking spam based the originating IP addresses can no longer effectively halt them, the company said in its most recent quarterly Internet Threats Trend Report.

While some ISPs deny their request to change IP address, others accede, giving them new IP addresses in real time, Amir Lev, chief technology officer at Commtouch (NASDAQ: CTCH), told The result is that zombies can change addresses much faster than most security services and software can respond, which means their users are not protected, Lev said.

Commtouch’s findings signal the latest setbacks in the war on spam and botnets — networks of zombie PCs. Spam and botnet activity fell sharply late last year after major spam host McColo was shut down in November.

Weeks later, however, the spammers and botnet controllers surged back. Their botnets include Srizbi and Rustock, which battle for the top spot as the largest spam sender.

The resurgence in botnets has seen spam levels go up, as well. While they averaged 72 percent of all e-mail traffic throughout the fourth quarter of 2008, they now total 85 percent of all e-mails. That 85 percent constitutes 150 billion spam messages daily, Lev said.

Security experts have warned that spammers are getting more sophisticated, and the new, IP-changing zombies are only one example of this.

Another new tactic adopted by spammers involves more complicated attacks that help them more easily slip past defenses. They include combination attacks, like the one
that breached online bill paying service CheckFree
— and these are proving almost impossible to stop. The CheckFree attackers used a combination of phishing , pharming — redirecting traffic to a bogus Web site — and a “drive-by” malware injection that added botnet software to visitors’ PCs.

“We’re still seeing blended attacks and they have only one purpose — distributing more botnets,” Commtouch’s Lev said. “They mainly direct people to landing pages, where they’re infected.”

Another new tactic adopted by spammers increases the difficulty of detecting and stopping the malicious links they trick victims into clicking. Increasingly, spammers’ malicious links send Internet users to a traffic management system, which redirects each visitor to a different location every time — distributing the traffic load, making it more difficult to track the spammers and hiding the malicious activity from the system administrator.

As a result of these kinds of tactics, it’s impossible to accurately determine exactly how many zombies exist on the Web, Lev said.

On average, more than 300,000 new zombies report for duty every day, he said. This includes zombies that have changed their IP addresses and those that have been dormant for a while and then come back to life.

The attacks are getting bigger, too. “We’ve seen individual attacks send out two to three billion messages in one day from one botnet,” Lev said.

Some efforts to pin down the source of the problem have been successful, however. While the botnet threat is international, Commtouch said it identified Brazil as having the most zombie PCs. Three of the top 10 zombie hotspots listed in the report were based out of Brazil. As a result, Brazil is responsible for 14.6 percent of all spam generated, Commtouch said.

News Around the Web