boston.com Business your connection to The Boston Globe

Don't let a zombie in the backdoor

Defenses still weak against computer attacks

Executives at SCO Group knew their high-profile legal campaign against the popular Linux operating system wouldn't win them any popularity contests. But they weren't expecting to be blasted off the Internet. That's just what happened, though -- twice. For a few hours in May, and for an entire weekend in August, SCO's Internet server computers were overwhelmed by a storm of illicit data packets, generated by a computer vandal.

Microsoft Corp. isn't especially popular, either, which is why its main website was taken down for several hours in August by a similar attack. And in recent weeks, three Internet sites devoted to blocking spam e-mail have announced they're shutting down, unable to fend off relentless assaults from hostile forces somewhere on the Net. All these "denial of service" attacks have one feature in common: "zombies" -- otherwise normal computers which have been transformed by remote control into merciless network-killers. Attackers armed with computer viruses have planted denial of service programs on countless computers. These programs provide the attackers with a "back door" into the system, letting them use it in a massive digital assault on other Internet machines.

Zombies are an old story to Internet security experts. But the rise of high-speed DSL and cable modem Internet service for the home has added a new dimension to the problem. A corporation or government agency can hire technicians to defend against zombie infections. But few home computer users even know that they must be on guard, while those who recognize the danger usually don't know how to defend their computers.

Chris Wysopal, a research scientist at the Cambridge Internet security firm At Stake Inc., said a large and growing number of zombies reside in living rooms. "This is really a problem of the unmanaged home users' machines," Wysopal said. "We know that at any given time there are millions of backdoored zombies," said Ted Julian, founder and chief strategist of Arbor Networks Inc., a Lexington firm that builds defenses against zombie attacks. Indeed, Julian said, so many machines are infected that vandals no longer have to create zombies. Using software easily available in the computer underground, they can identify and enlist ready-made zombies.

In principle, denial of service attacks are as simple as a ball-peen hammer to the skull. A computer fires a stream of meaningless data packets at the target -- so many packets that the target computer's resources are consumed in the effort to keep up. But it generally takes more than one computer to crank out that many packets. And it's fairly easy for a network manager to identify the source of the attack and lock it out.

So vandals devised a powerful variant, the distributed denial of service attack. They begin by planting software on hundreds or thousands of machines across the Internet. These programs generally do no harm to the infected machines. Instead, they wait to be activated. Once the vandal chooses a target, he can send an Internet command to some or all of his zombie machines. These computers begin the assault, but this time, the packets come pouring in from hundreds of computers, each with a different address. Halting such an attack is far more difficult and costly.

The most famous such attack happened three years ago, when a 15-year-old Canadian who called himself Mafiaboy managed to shut down several popular websites, including at Yahoo, Amazon, eBay, and CNN. He relied on a well-known flaw in software found on thousands of computers, which allowed him to install a piece of code called the Tribal Flood Network. This program, widely available, can be remotely commanded to flood a target machine with useless data. Once Mafiaboy had planted the program on dozens of insecure computers, the rest was easy.

Vandals can also use computer worms to spread the zombies. The Code Red worm of 2001 attempted to shut down the White House website, and the recent Blaster worm was designed to attack a Microsoft Corp. website. These two attacks failed, partly because the targets moved quickly to defend themselves. But zombies like the ones that have struck this year can be remotely ordered to attack, making them far more dangerous.

There are defenses. Companies like Arbor and Mazu Networks Inc. in Cambridge make products that detect the incoming packet storm and filter it out. These services cost thousands of dollars and are designed for large enterprises and Internet providers. But Arbor's Julian said many potential zombie targets remain unprotected.
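The distinction the article draws, between a single-source flood a network manager can simply lock out and a distributed flood whose packets arrive from hundreds of addresses, can be made concrete in a small triage routine. The code below is an added illustration, not something from the Globe or from Arbor or Mazu; the flow-record format, the two sample windows and the thresholds are all constructed for the example.

```python
from collections import Counter

# Constructed flow records (not from the article): "epoch_seconds src_ip dst_ip packets".
# Each line summarises one source sending to the target during a 10-second window.
def build_window(sources_and_packets):
    """Render constructed flow lines for a 10-second window."""
    return "\n".join(f"1062000000 {src} 203.0.113.10 {n}" for src, n in sources_and_packets)

# Scenario 1: a classic single-source flood, one loud address plus light background traffic.
SINGLE_SOURCE = build_window([("198.51.100.7", 50000)] +
                             [(f"192.0.2.{i}", 20) for i in range(1, 41)])
# Scenario 2: a distributed flood, 400 zombies each sending only a modest stream.
DISTRIBUTED = build_window([(f"10.{i // 256}.{i % 256}.5", 150) for i in range(400)])

def parse_flows(text):
    """Parse the constructed flow lines into (timestamp, src, dst, packets) tuples."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, pkts = line.split()
        flows.append((int(ts), src, dst, int(pkts)))
    return flows

def classify_window(flows, window_secs=10, flood_pps=1000, heavy_source_pps=500):
    """Decide whether the window is a flood and whether locking out a few sources would end it.

    Returns (verdict, heavy_sources). 'single-source flood' means the heavy sources account
    for nearly all the traffic, so blocking them at the edge is enough; 'distributed flood'
    means no address stands out and filtering has to happen on the aggregate, upstream.
    """
    per_source = Counter()
    for _, src, _, pkts in flows:
        per_source[src] += pkts
    total = sum(per_source.values())
    if total / window_secs < flood_pps:
        return "normal", []
    heavy = sorted(src for src, n in per_source.items() if n / window_secs >= heavy_source_pps)
    if heavy and sum(per_source[s] for s in heavy) >= 0.9 * total:
        return "single-source flood", heavy
    return "distributed flood", heavy

if __name__ == "__main__":
    for name, sample in (("single-source", SINGLE_SOURCE), ("distributed", DISTRIBUTED)):
        print(name, classify_window(parse_flows(sample)))
```

The thresholds are illustrative; a real deployment would tune them to the link's normal packet rate and per-client behaviour.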

On the other side of the equation, Internet users must prevent the installation of zombies on their machines. A good antivirus program is a start; such software can fend off worms containing zombie code. But antivirus isn't enough. Worms like Blaster attacked computers with unrepaired defects in the Windows operating system. Installing the latest repair patches is another vital defensive tactic. Finally, there's the need for a good firewall program. These can do more than prevent the installation of some zombies. A properly run firewall can ensure that even an infected machine won't be able to launch attacks on other computers.

But all these efforts require time, effort, and knowledge. Even many corporations, government agencies, and universities don't secure their computers against infections. Locking down millions of home computers would be an even more daunting task.

Yet experts warn that if the job isn't done, zombie attacks will continue and get worse. It's been three years since Mafiaboy brought some of the biggest websites to their knees. Jerry Brady, chief technology officer of the Waltham computer security firm Guardent Inc., said a repeat performance could happen at any time.

"Is this a risk to business and government? Absolutely," Brady wrote in e-mail to the Globe. "Will bad things happen in the coming months as a result? Without a doubt."

Hiawatha Bray can be reached at bray@globe.com.
