LAN of the Dead:
Putting computer zombies back in their grave, Ash style.
By Adrian Duane Crenshaw
I'm writing this article about
computer zombies in honor of George A. Romero, everyone's favorite zombie film
director. A zombie computer is a box that has been backdoored or compromised in
such a way that the would-be cyber necromancer can send it instructions to do
his unholy bidding. Much like Romero's zombies, one on one they aren't much of a
problem, but when you get a few hundred of them clawing at you in a distributed
denial of service attack they can become a serious issue.
Zombie networks (a collection of
zombie boxes, also known as bot-nets) have many common uses. One of the most
common uses is distributed denial of service attacks against servers on the
Internet. One computer may not be able to suck up much of a server's bandwidth or
processor cycles, but a few hundred can make the server so bogged down that it
can't service legitimate users. Zombies can be used to obscure the attacker's
location. By using a zombie the attacker can send spam or pull off network
attacks without them being easily tracked back to an IP associated with the
attacker. A bot-net can also be used to run any job that benefits from
distributed computing. Don't have your own password cracking cluster? Use other
folks' computers for the task.
In this article I hope to give the
reader details that will help them shoot the network zombies in the head, and
keep them down for good.
Listening for Moans
Before a zombie hunter can kill some
zombies he has to find them. In the movies the hero can listen for low sorrowful
moans or slow shuffling feet to track them down, or just look for the carnage of
half eaten people. On your network you can look for similar signs of the undead
so you can blast them to oblivion.
Computers that are running way too
slowly may have a bot on them. Despite what some newer movies portray, zombies
should be slow. Of course this is a purely subjective criterion and is not always
a reliable sign. Too many people think that their computer is infected with
something just because it behaves a little flaky. Other causes of slowness
could be spyware, too many apps set to start up automatically or a very
fragmented hard drive. Regardless, if the computer is running very slowly for no
obvious reason (like you installed Windows XP on a Pentium 200 with 128 megs of
memory) then you should check it out for a possible revenant.
Look for bandwidth spikes that are
way beyond normal. If your sniffers/packet shapers/border routers are seeing way
more traffic than they should, track down which IPs are hogging
most of the bandwidth and check them out. If the zombie is being used as part of
a distributed denial of service attack or to host pirated movies its network
utilization will likely skyrocket, and it will usually stand out as one host
moving many times what its neighbors do.
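As an added example (not a tool from this article), here is one way to turn the "find the bandwidth hogs" step into a script. It assumes you have already exported per-flow records from a router or sniffer as CSV lines of the form timestamp,src,dst,bytes; the records below are constructed for the demo. It compares each source against the median of the network rather than the mean, because one box flooding at line rate drags the mean up and can hide behind its own traffic.

```python
"""Find hosts whose outbound volume is far above the rest of the network.

Added example for this article, not from the page. Input is assumed to be
per-flow records exported from a router or sniffer as
'timestamp,src,dst,bytes' CSV lines; the sample below is constructed.
"""
import csv
import io
from collections import Counter
from statistics import median

# Constructed sample: five workstations moving ~2 MB each, and one of them
# (192.168.1.11) also pushing ten 50 MB flows to an outside address.
SAMPLE_FLOWS = "timestamp,src,dst,bytes\n" + "\n".join(
    ["1120212000,192.168.1.%d,10.0.0.1,%d" % (i, 2_000_000 + i) for i in range(10, 15)]
    + ["1120212%03d,192.168.1.11,203.0.113.5,50000000" % n for n in range(10)]
)


def bytes_per_source(csv_text):
    """Sum bytes sent by each source IP across all flows."""
    totals = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        totals[row["src"]] += int(row["bytes"])
    return totals


def bandwidth_hogs(csv_text, factor=10):
    """Return [(src, bytes)] for sources sending more than FACTOR x the median.

    Median rather than mean: a single zombie flooding at line rate pulls the
    mean up with it and can hide behind its own traffic. The factor is an
    assumed tuning knob; pick it from your own baseline.
    """
    totals = bytes_per_source(csv_text)
    if len(totals) < 2:
        return []
    typical = median(totals.values())
    hogs = [(src, b) for src, b in totals.items() if b > factor * typical]
    return sorted(hogs, key=lambda t: -t[1])


if __name__ == "__main__":
    for src, total in bandwidth_hogs(SAMPLE_FLOWS):
        print("%s sent %d bytes, check it out" % (src, total))
```

Feed it a real export (for example a NetFlow collector's CSV dump) instead of SAMPLE_FLOWS and sanity-check the factor against a quiet day first, or your file server will show up every time.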
Scan for odd open ports. Do regular
port scans of your network with tools like Nmap to see if any hosts are running
abnormal services. Many zombie software packages listen on default ports that
script kiddies are too lazy or too unknowledgeable to change. If you see those
ports open, take a look at those boxes for possible malware. Even if it's not a
common zombie control port, beware of services like FTP or IRC that are running
on workstations. For a list of common bot/trojan ports see:
http://www.simovits.com/nyheter9902.html
and
http://www.glocksoft.com/trojan_port.htm
Since many modern bots use IRC as the
command infrastructure look out for IRC traffic or servers on your network. A
few examples of IRC bots would be Agobot, Phatbot, SDBot and GT bots. Most IRC
bot-nets run their own IRC servers. Sometimes a host that was originally just a
member of a bot-net may be promoted to being a server. This is especially true
if the compromised box has a fast connection to the Internet. Most IRC servers
operate on TCP port 6667, but an attacker could change the IRC server to listen
on some other port. You may want to use Nmap with the "-sV" flag to see if it
recognizes an IRC daemon on a non-standard port.
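To make the port scan and IRC checks above repeatable, here is an added example (my own code for this article, not a tool from the page) that reads Nmap's greppable output and flags the three things just described: known backdoor ports, an IRC daemon that -sV identified on a non-standard port, and FTP/IRC services on boxes that are not on your list of real servers. The short port watch list and the "anything not a known server is a workstation" rule are assumptions for the demo; the scan output is constructed to stand in for a real "nmap -sV -p- -oG scan.gnmap 192.168.1.0/24".

```python
"""Flag hosts in Nmap greppable (-oG) output that show zombie-like services.

Added example for this article, not a tool from the page. Run something like
  nmap -sV -p- -oG scan.gnmap 192.168.1.0/24
and pass the file's text to find_suspects(); SAMPLE_GNMAP below is constructed.
"""

# Assumed, illustrative watch list of classic bot/trojan default ports. In
# practice load the full lists linked in the article (port -> usual occupant).
WATCH_PORTS = {
    12345: "NetBus",
    27374: "SubSeven",
    31337: "Back Orifice",
}
# Services that are normal on a server but out of place on a workstation.
WORKSTATION_RED_FLAGS = {"irc", "ftp"}
IRC_STANDARD_PORTS = range(6665, 6670)

# Constructed sample -oG output (stand-in for a real scan file).
SAMPLE_GNMAP = """# Nmap 4.20 scan initiated (constructed sample)
Host: 192.168.1.1 (irc.example.local)\tStatus: Up
Host: 192.168.1.1 (irc.example.local)\tPorts: 6667/open/tcp//irc//Unreal ircd/\tIgnored State: closed (65534)
Host: 192.168.1.10 (ws10.example.local)\tStatus: Up
Host: 192.168.1.10 (ws10.example.local)\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (65533)
Host: 192.168.1.11 (ws11.example.local)\tStatus: Up
Host: 192.168.1.11 (ws11.example.local)\tPorts: 139/open/tcp//netbios-ssn///, 8080/open/tcp//irc//Unreal ircd/\tIgnored State: closed (65533)
Host: 192.168.1.12 (ws12.example.local)\tStatus: Up
Host: 192.168.1.12 (ws12.example.local)\tPorts: 21/open/tcp//ftp//Serv-U ftpd/, 27374/open/tcp//subseven?///\tIgnored State: closed (65533)
# Nmap done (constructed sample)
"""


def parse_gnmap(text):
    """Yield (ip, hostname, port, proto, service, version) for every open port.

    A -oG port entry looks like  6667/open/tcp//irc//Unreal ircd/  with the
    fields port/state/proto/owner/service/rpc/version; Nmap writes any '/'
    inside the version string as '|', so splitting on '/' is safe.
    """
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue
        segments = line.split("\t")
        head = segments[0][len("Host: "):]            # "1.2.3.4 (name)"
        ip, _, name = head.partition(" (")
        name = name.rstrip(")")
        ports_seg = next((s for s in segments if s.startswith("Ports: ")), None)
        if ports_seg is None:
            continue                                  # Status-only line
        for entry in ports_seg[len("Ports: "):].split(","):
            fields = entry.strip().split("/")
            if len(fields) < 7:
                continue
            port, state, proto, _owner, service, _rpc, version = fields[:7]
            if state == "open":
                # Nmap appends '?' when it is only guessing the service.
                yield ip, name, int(port), proto, service.rstrip("?"), version


def find_suspects(text, known_servers=frozenset()):
    """Return (ip, port, reason) triples worth a closer look.

    known_servers: IPs that are supposed to run server daemons; every other
    host is treated as a workstation (an assumption made for this example).
    """
    findings = []
    for ip, name, port, proto, service, version in parse_gnmap(text):
        if port in WATCH_PORTS:
            findings.append((ip, port, "classic backdoor port (%s)" % WATCH_PORTS[port]))
        if service == "irc" and port not in IRC_STANDARD_PORTS:
            findings.append((ip, port, "IRC daemon on non-standard port: %s" % version))
        if service in WORKSTATION_RED_FLAGS and ip not in known_servers:
            findings.append((ip, port, "%s service on a workstation (%s)" % (service, name)))
    return findings


if __name__ == "__main__":
    for ip, port, reason in find_suspects(SAMPLE_GNMAP, known_servers={"192.168.1.1"}):
        print("%s:%d  %s" % (ip, port, reason))
```

On the constructed scan the legitimate IRC server on port 6667 stays quiet, while ws11 is flagged twice for the Unreal ircd that -sV found on 8080 and ws12 is flagged for both its FTP daemon and the open SubSeven default port. Version detection is what makes the non-standard port check work; without -sV all you get is a port number.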
Most anti-virus programs for Windows
will also detect other malware that's associated with zombified computers. If
your AV package is throwing up warnings about detected malware that's an obvious
sign, but if you notice that the AV package's real time protection features have
been disabled you will also want to check the box out for potential problems.
For those of you running *nix boxes look into using Chkrootkit to find trojaned
binaries and backdoors on your box.
If your host-based firewall (the one
built into XP or ZoneAlarm, for example) warns you of odd applications trying to
open up ports, those applications should be checked out.
Odd traffic leaving your network
could be a sign of a compromise. I once found out a box of mine was rooted
because I sniffed leet speak leaving it. Turns out that someone had installed
Stacheldraht on that server. Also, if your sniffer or IDS detects unusual IRC
traffic you will want to check into it and make sure the box sending or
receiving the traffic is not part of a bot-net.
Look for strange things set to
startup automatically on the box. Use a program like HiJackThis to look for
suspicious programs set to startup automatically, then check to see if these
items are common or not. Be careful with tools like HiJackThis, as disabling the
wrong service/startup items could render your system inoperable. When in doubt
ask around on forums to see which items should be disabled.
Check for traffic that's resolving to
dynamic DNS systems. If your sniffers see a lot of name resolution requests to
Afraid.org, DynDNS.org or No-IP.com the requester may be part of a bot-net (See
the footnotes for a longer list of dynamic DNS providers). By no means is this
necessarily the case; a user on your network may just be trying to access their
home computer, but you may still want to look into it.
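The dynamic DNS check lends itself to a script, so here is an added example (written for this article, not a tool from the page) that reads a BIND-style query log and reports which internal hosts keep resolving names under dynamic DNS zones. The log format ("client IP#port: query: NAME IN TYPE"), the zone watch list built from the providers named above, and the repeat threshold are all assumptions; the log lines are constructed. The threshold is what separates a user reaching their home box once from a bot that re-resolves its controller every few minutes.

```python
"""Spot hosts that keep resolving names under dynamic DNS providers.

Added example for this article; not a tool from the page. Input is assumed to
be a BIND-style query log ('client IP#port: query: NAME IN TYPE'); the sample
below is constructed.
"""
import re
from collections import Counter, defaultdict

# Assumed watch list: the providers named in the article plus a few of the
# free zones they serve. Extend it from the provider directory the article links.
DYNDNS_ZONES = (
    "dyndns.org", "no-ip.com", "no-ip.org", "hopto.org",
    "afraid.org", "mooo.com",
)

QUERY_RE = re.compile(
    r"client (?P<client>\d{1,3}(?:\.\d{1,3}){3})#\d+: "
    r"query: (?P<name>\S+) IN (?P<qtype>A|AAAA|CNAME)"
)

# Constructed log: ws11 resolves the same no-ip name every five minutes (a
# beacon), one user looks up a home box once, everything else is normal.
SAMPLE_LOG = "\n".join(
    ["01-Jul-2005 10:%02d:00.000 client 192.168.1.11#1034: "
     "query: ctl.evil-example.no-ip.org IN A +" % m for m in range(0, 30, 5)]
    + ["01-Jul-2005 10:12:10.000 client 192.168.1.20#1041: query: myhome.dyndns.org IN A +",
       "01-Jul-2005 10:13:00.000 client 192.168.1.10#1042: query: www.example.com IN A +",
       "01-Jul-2005 10:14:00.000 client 192.168.1.11#1035: query: update.example.net IN A +"]
)


def is_dyndns_name(name):
    """True if NAME is at or below one of the watched zones (case-insensitive)."""
    name = name.lower().rstrip(".")
    return any(name == z or name.endswith("." + z) for z in DYNDNS_ZONES)


def dyndns_lookups(log_text):
    """Map client IP -> Counter of the dynamic-DNS names it asked for."""
    per_client = defaultdict(Counter)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and is_dyndns_name(m.group("name")):
            per_client[m.group("client")][m.group("name").lower()] += 1
    return per_client


def flag_clients(log_text, threshold=5):
    """Return (client, total_lookups, [names]) for clients at/over THRESHOLD.

    A user occasionally reaching a home box makes a lookup or two; a bot
    re-resolving its controller every few minutes piles up repeats. The
    threshold is an assumed knob, tune it to your log window.
    """
    out = []
    for client, names in dyndns_lookups(log_text).items():
        total = sum(names.values())
        if total >= threshold:
            out.append((client, total, sorted(names)))
    return sorted(out, key=lambda t: -t[1])


if __name__ == "__main__":
    for client, total, names in flag_clients(SAMPLE_LOG):
        print("%s: %d dynamic DNS lookups for %s" % (client, total, ", ".join(names)))
```

Running it over the sample flags only 192.168.1.11; the single myhome.dyndns.org lookup from 192.168.1.20 is recorded but stays below the threshold. If your resolver does not log queries, the same logic works on sniffed DNS traffic once you extract the client address and query name.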
A Bullet to the Brain
Once you have found a zombie, how do
you make it rest in peace? If you wish to do any live forensics on the box while
it's up now is the time, but there are a few things you should keep in mind. If
the attacker obtained complete admin privileges on the box they may have
installed a keyboard catcher. Don't login to the compromised box with a high
level account or the credentials may be sent to the attacker, making things far
worse.
For some older DDoS zombies, such as
Trinoo, TFN, Stacheldraht, and Shaft, you can use Bindview's Zombie Zapper.
Zombie Zapper allows you to send a signal to these DDoS zombies to stop
flooding. Unfortunately, it only works if the attacker used all of the defaults
when they set up the zombie, and not all zombies are designed like the four
above. Zombie Zapper has not been updated in a while so it will be of little use
in stopping more modern zombies, but I thought it was worth mentioning.
Once you are ready to clean up a
zombie box there are two approaches you can take, the "Night of the Living Dead"
approach and the "Return of the Living Dead" approach.
The "Night of the Living Dead"
approach is much easier and less painstaking, the digital equivalent of shooting
the zombie in the head. All that is necessary is to patch the security hole that
let the attacker in, shutdown the backdoor apps, uninstall or delete the files
and remove them from startup. The problem with this simple approach is that you
don't know what all the attacker did while they controlled your box. Depending
on the level of the compromise, the attacker may have copied off sensitive
password files (SAM and SYSTEM in Windows, passwd and shadow on many *nix
systems), installed key stroke catchers, trojaned other system files or done a
host of other things that makes the zombie box a security risk.
Most of the time I take the "Return
of the Living Dead" approach to killing a zombie computer: nuke and rebuild it
from scratch. Since it's hard to be sure what system files the attacker may have
changed or trojaned, the best course of action is usually to back up the data
files on the system (data only, not executables or anything else that could
carry the infection back onto the rebuilt box) and reinstall the OS from known
good media. Before you put it back online make sure you have installed all the
newest patches; otherwise the box may very well be compromised again, and in
short order. Since the attacker may have cracked the local admin password on
the box you will want to change that password on every box that shares the same
local admin/root login credentials as the compromised machine, along with any
other account that was ever used to log in to it while it was owned.
That's another one for the fire
I hope you have enjoyed this article
and that your zombie hunting goes well. If you have any suggestions for
additional material that should be added to this article please email me. Oh,
and: "Good bye aunt Alisha!"
Wikipedia Article on Computer Zombies
http://en.wikipedia.org/wiki/Zombie_computer
Honeynet Project Tracking Botnets Paper
For more detail on IRC zombies than this article gives
http://www.honeynet.org/papers/bots/
John Kristoff's NANOG32 Botnets presentation
John's presentation kicks much ass, even if you have to use RealMedia to watch
it
http://www.nanog.org/mtg-0410/kristoff.html
Killing a Zombie
http://tweezersedge.com/archives/2005/02/000534.html
Zombie Zapper
http://www.bindview.com/Services/RAZOR/Utilities/Windows/ZombieZapper_form.cfm
Common Trojan/Bot Ports:
http://www.simovits.com/nyheter9902.html
http://www.glocksoft.com/trojan_port.htm
Chkrootkit Website:
http://www.chkrootkit.org/
Dynamic DNS Providers:
http://dmoz.org/Computers/Software/Internet/Servers/Address_Management/Dynamic_DNS_Services/