Is your home zombie-free?

by Pekka on May 8th, 2009 in News about Lavasoft, Security Tips.

Various reports state that huge numbers of PCs throughout the world have been “zombified” during the last year. Still, the true number of hijacked computers is likely much higher than what's stated, making botnets a massive global security problem.

Infected zombie computers in botnets have had their “willpower capacity” significantly reduced and can be controlled remotely by a “bot-herder”, often over IRC (Internet Relay Chat). The zombies can be made to perform different tasks, such as sending spam, carrying out various types of denial-of-service attacks, or helping to disseminate other malware. The services of a botnet may be used by its originator or leased out to other cyber criminals.

PCs may be “zombified” by different types of malware (such as backdoors or trojans), but the most common route is self-propagating worms. Many botnets bear the name of the worm that is used for their dissemination. Some of these malicious objects are installed by unsuspecting users who do not realise that their newly installed software applications or games came piggybacked with malignant cargo.

Malicious objects such as worms can infect systems by exploiting existing security vulnerabilities in operating systems, browsers or services on users' computers. The security risks increase with the amount of services and applications that are provided on a system. Therefore, systems should be trimmed down and hardened in order to be more secure.
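The “trim down and harden” advice above is easier to act on with a concrete inventory of what a machine is actually exposing. The following script is an added example (not part of the original post) that parses `netstat -ano`-style output and reports every listening socket that is not on an allowlist of services the machine is expected to run. The sample output and the allowlist are constructed for illustration; on a real host you would feed it the actual netstat output and maintain the allowlist yourself.

```python
"""Audit listening sockets against an allowlist of services you actually need.

Added example, not from the original post. The input format mimics `netstat -ano`
on Windows; the sample lines below are constructed, not captured from a real host.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of what `netstat -ano` might print on a small workstation.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1040
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1312
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING       2244
  TCP    127.0.0.1:1025         127.0.0.1:3389         ESTABLISHED     1312
  TCP    192.168.1.10:49201     203.0.113.5:80         ESTABLISHED     3120
  UDP    0.0.0.0:137            *:*                                    4
  UDP    0.0.0.0:1900           *:*                                    1580
"""

# Services this workstation is expected to expose (assumed policy for the example).
# Anything else that is listening is a candidate for disabling or firewalling.
ALLOWED_LISTENERS = {("TCP", 135), ("TCP", 445), ("UDP", 137)}


@dataclass(frozen=True)
class Listener:
    proto: str
    address: str
    port: int
    pid: int


# proto, local addr, local port, foreign addr, optional state (UDP has none), PID
_LINE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:(\w+)\s+)?(\d+)\s*$"
)


def parse_listeners(netstat_text: str) -> list[Listener]:
    """Return the sockets that are waiting for inbound traffic."""
    listeners = []
    for line in netstat_text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # header, blank and malformed lines are skipped
        proto, addr, port, _foreign, state, pid = m.groups()
        # Only TCP sockets in LISTENING accept new connections; every bound UDP
        # socket receives datagrams, so all UDP rows count as listeners.
        if proto == "TCP" and state != "LISTENING":
            continue
        listeners.append(Listener(proto, addr, int(port), int(pid)))
    return listeners


def unexpected_listeners(netstat_text: str, allowed=ALLOWED_LISTENERS) -> list[Listener]:
    """Listeners not covered by the allowlist: review, disable or firewall them."""
    return [l for l in parse_listeners(netstat_text) if (l.proto, l.port) not in allowed]


if __name__ == "__main__":
    for l in unexpected_listeners(SAMPLE_NETSTAT):
        print(f"{l.proto} port {l.port} bound on {l.address} by PID {l.pid} is not on the allowlist")
```

In the constructed sample the audit flags Remote Desktop (3389), an IRC-port listener (6667) and UPnP discovery (1900): each of these is either a service to switch off on a home PC or, at minimum, one whose owning PID deserves a look, which is the point of starting from an allowlist rather than from a list of known-bad ports.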

Hardening IT the U.S. Air Force Way

Wired reports that when the U.S. Air Force made an order of operating systems for their staff, they wanted to make sure that the operating systems were safe “out of the box”. Microsoft answered the request by providing the U.S. Air Force with a “special edition” of Windows XP with several enhancements such as:

  • Over 600 settings of the operating system are “locked down tight”.
  • Critical security patches may be installed within approximately 72 hours instead of the “normal” 57 days.
  • Unique administrative passwords, with increased length and complexity requirements, in order to prevent “average users” from obtaining administrative privileges.

John Gilligan, former CIO of the U.S. Air Force, states that, “Many of the changes were complex and technical…”; “emergency patches that needed to be installed post-haste took 57 days to install, leaving systems vulnerable to intruders during that time”; “once the flaw was known, then those who wanted to attack our systems could be developing attacks in that time”. These statements certainly represent true “AHA moments”! The U.S. Air Force does not want non-admins tampering with system settings. Gilligan states further, “Turns out when you configure things properly and don’t touch them, they actually work pretty well”. Another “AHA moment”!?

This brings to mind security questions in terms of the general public: How are everyday computer users supposed to handle changes that are considered “complex and technical” by an Air Force representative? Why are such secure systems not released to the general public? Threat Level did not receive an answer when they contacted Microsoft about these matters.

Vulnerable Network Appliances

Many PCs are not online 24/7, but most DSL/ADSL modems and routers are. The Psybot worm/malware is capable of infecting modems and routers that run MIPS (Microprocessor without Interlocked Pipeline Stages) CPUs under Linux. Many of these devices expose a password-protected administrative interface on the network. The password of such admin interfaces may be very weak, at least at factory settings, and therefore relatively easy to brute force. The Psybot malware encompasses the tools for such a task: a network scanner and a brute forcer. And there is usually plenty of time to conduct such attacks, as they can be performed at any time around the clock!
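Because the device is up around the clock, the one place a password-guessing campaign against the admin interface leaves a trace is the router's own log. The script below is an added example (not from the original post or from any router vendor) that reads syslog-style login records, keeps a per-source sliding window of failures, and raises an alert when a source exceeds a threshold within the window, plus a second, more serious alert if that same source then logs in successfully. The log lines, the message format, the thresholds and the year used for the timestamps are all constructed assumptions; real firmware log formats vary, so the regular expression is the part to adapt.

```python
"""Flag brute-force attempts against a router's admin interface from its syslog.

Added example, not from the original post. The log lines are constructed to
resemble a home router's syslog; the message format, thresholds and assumed
year are illustration choices, not any vendor's real format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log: one burst from an outside address that ends in a
# successful login, one legitimate LAN user who mistyped once, and a slow
# trickle that stays under the threshold.
SAMPLE_LOG = """\
May  8 02:13:01 router login[211]: Login failed for user admin from 203.0.113.7 on http
May  8 02:13:02 router login[211]: Login failed for user admin from 203.0.113.7 on http
May  8 02:13:02 router login[211]: Login failed for user root from 203.0.113.7 on http
May  8 02:13:03 router login[211]: Login failed for user admin from 203.0.113.7 on http
May  8 02:13:04 router login[211]: Login failed for user admin from 203.0.113.7 on http
May  8 02:13:05 router login[211]: Login successful for user admin from 203.0.113.7 on http
May  8 07:45:10 router login[211]: Login failed for user admin from 192.168.1.20 on http
May  8 07:45:40 router login[211]: Login successful for user admin from 192.168.1.20 on http
May  8 22:10:00 router login[211]: Login failed for user admin from 198.51.100.9 on telnet
May  8 22:12:00 router login[211]: Login failed for user admin from 198.51.100.9 on telnet
"""

_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ login\[\d+\]: "
    r"Login (?P<result>failed|successful) for user (?P<user>\S+) "
    r"from (?P<ip>\S+) on (?P<svc>\w+)$"
)

THRESHOLD = 5      # failures from one source ...
WINDOW_SECONDS = 60  # ... within this many seconds triggers an alert
ASSUMED_YEAR = 2009  # syslog timestamps carry no year; assumption for parsing


def parse_event(line: str, year: int = ASSUMED_YEAR):
    """Return a dict for a login record, or None for any other line."""
    m = _LINE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(f"{year} {ev['ts']}", "%Y %b %d %H:%M:%S")
    return ev


def detect_bruteforce(log_text: str, threshold: int = THRESHOLD,
                      window_seconds: int = WINDOW_SECONDS):
    """Return (source_ip, alert_kind, service) tuples in the order they fire."""
    recent_failures = defaultdict(deque)  # ip -> timestamps inside the window
    bursting = set()                      # sources already flagged
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        if ev["result"] == "failed":
            window = recent_failures[ip]
            window.append(ts)
            # Drop failures that fell out of the sliding window.
            while (ts - window[0]).total_seconds() > window_seconds:
                window.popleft()
            if len(window) >= threshold and ip not in bursting:
                bursting.add(ip)
                alerts.append((ip, "burst", ev["svc"]))
        elif ip in bursting:
            # A success right after a burst means the guess worked: treat the
            # admin credentials as compromised and change them.
            alerts.append((ip, "success-after-burst", ev["svc"]))
    return alerts


if __name__ == "__main__":
    for ip, kind, svc in detect_bruteforce(SAMPLE_LOG):
        print(f"{ip}: {kind} against the {svc} admin interface")
```

The low-and-slow source at the end of the sample deliberately stays under the threshold, which is the known weakness of a fixed window; lengthening the window or counting distinct usernames per source catches more, at the cost of more noise from a household member who forgot the password.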

Steps to Reduce Your Risk

There are steps you can take to reduce the risk of your system being compromised. These include:

  • Make sure that your system is patched with the latest, or at least the most critical, security patches. Users may, for example, use the Microsoft Baseline Security Analyzer in order to determine whether the security state of their Windows operating system is in accordance with Microsoft's security recommendations.
  • If possible, acquire the necessary knowledge and harden your system by locking down unnecessary applications and services.
  • Secure DSL/ADSL modems and routers by using a hard-to-brute-force password for the admin interface. Also, update/patch the modem/router firmware if necessary in order to close any reported security holes.
  • Do not install unnecessary software that may compromise system security and user privacy.
  • Be aware of common social engineering techniques used by criminals to try to lure gullible users into installing malware (for example “fake codecs”) on the fly.

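Two of the points above, the Air Force's longer and more complex administrative passwords and the hard-to-brute-force router password, come down to a policy you can actually check. The script below is an added example (not from the original post) that tests a candidate admin password against such a policy: not a factory default, long enough, drawn from several character classes, not containing the vendor name, and with a keyspace large enough that exhaustive guessing is impractical. The default-credential list, the vendor name, the minimum lengths and the assumed guess rate are all constructed assumptions for illustration.

```python
"""Check an admin/router password against a simple hardening policy.

Added example, not from the original post. KNOWN_DEFAULTS, the vendor name,
the thresholds and the guess rate are assumptions chosen for illustration.
"""
import math
import string

# Constructed: a few factory-default style passwords of the kind shipped on
# home routers. A real list would come from your own device documentation.
KNOWN_DEFAULTS = {"", "admin", "password", "1234", "root", "user"}
MIN_LENGTH = 12        # assumed policy minimum
MIN_CLASSES = 3        # of: lowercase, uppercase, digit, symbol
MIN_KEYSPACE_BITS = 60  # assumed floor for "hard to brute force"


def character_classes(pw: str) -> int:
    """Number of distinct character classes the password draws from."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])


def charset_size(pw: str) -> int:
    """Size of the alphabet an attacker would have to assume for this password."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 ASCII symbols
    return size


def keyspace_bits(pw: str) -> float:
    """log2 of the number of passwords of this length over this alphabet."""
    n = charset_size(pw)
    return len(pw) * math.log2(n) if n else 0.0


def years_to_exhaust(pw: str, guesses_per_second: float = 10.0) -> float:
    """Worst-case time to try the whole keyspace at an assumed online guess rate."""
    return 2 ** keyspace_bits(pw) / guesses_per_second / (365 * 24 * 3600)


def check_admin_password(pw: str, vendor: str = "examplevendor") -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if pw.lower() in KNOWN_DEFAULTS:
        problems.append("factory default or trivially guessable")
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(pw) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    if vendor and vendor.lower() in pw.lower():
        problems.append("contains the vendor name")
    if keyspace_bits(pw) < MIN_KEYSPACE_BITS:
        problems.append(f"keyspace under {MIN_KEYSPACE_BITS} bits")
    return problems


if __name__ == "__main__":
    for candidate in ["admin", "examplevendor123", "Zb7!qLm2#Rv9kT"]:
        verdict = check_admin_password(candidate) or ["passes policy"]
        print(f"{candidate!r}: {keyspace_bits(candidate):.1f} bits; " + "; ".join(verdict))
```

The keyspace figure is an upper bound on attacker effort, not a measure of how guessable the password is: a factory default has a large keyspace on paper and is still the first thing tried, which is why the default-list check comes before any arithmetic.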
Remember, the botnet threat may also become a reality for mobile handheld systems, such as smartphones, very soon. Read more about that here.

Regards,

Pekka Andelin

Lavasoft Malware Labs