Web of Crime: Zombie PC Armies Designed to Suck Your Wallet Dry

How They're Controlled

One common characteristic of botnets is that they can be controlled from a central location. Reflecting their historical roots, most bots connect to an IRC chat channel to receive their commands.

But some sinister varieties now use other means of control, including peer-to-peer networks like EDonkey or Gnutella, to send control messages. "Those are the scary ones," Lyon says, because they're much harder to trace and shut down.

Creating a botnet is like "casting a net out wide," Huger says. A would-be controller essentially releases the bot (or a precursor Trojan horse that installs the bot) onto the Internet to see how many computers it infects.

Targeted Malware

On the other hand, some criminals prefer to choose a particular target and use a tailored approach, without botnets. In one attack that spanned March and April 2005, cybercrooks tricked individual companies' and organizations' domain name servers--which guide all Internet traffic--into sending all of their Internet traffic to a server controlled by the attackers.

Ken Dunham, director of malicious code at IDefense, a Virginia-based Internet security company, estimates that 3000 DNS servers at a range of companies, including at least two with more than 8000 employees each, got hit.

Anyone inside one of the affected companies or organizations who tried to go to any Web page ended up instead at the attacker's site, where stealth scripts surreptitiously installed about 80MB worth of adware and spyware onto any computer using an older version of Microsoft's Internet Explorer browser.

Because so much malware was installed, its presence was immediately obvious to the hapless users, slowing their systems to a crawl and peppering their screens with pop-up ads. As a result, IT response was fast, and the companies quickly cleaned their employees' PCs. But some analysts have theorized that the attackers designed the huge payload simply to create a diversion while a separate piece of malware not yet caught by antivirus and antispyware programs installed itself.

According to this theory, the remaining piece of stealth software may have been programmed to steal information in a corporate espionage scheme, a growing threat to businesses across the globe.

Subscribe to the Security Watch Newsletter

Comments