Monday, August 8, 2011

Zombie Recruitment: How Attackers Find, Exploit, and Employ You


A crucial element of a DDoS attack is the ability to employ hundreds, thousands, or even millions of infected hosts to do the attacker’s bidding.  The reasons are obvious – the end target(s) of the attack will find it more difficult to fend off the malicious traffic, and the attack is less likely to be traced back to the actual perpetrator.  These “zombie” hosts are rarely related to the source host of the attack, and are rather infected by other compromised hosts – but can end up causing more damage than the machine that originated the attack in the first place. So you may be wondering – where do zombies come from?

Most of the compromised machines used to aid in DDoS attacks, believe it or not, are just randomly found from a pool of IP addresses.  The attacker scans through a list of these addresses, performing a number of tests on each host in search of a specific vulnerability – an exploitable service or application, outdated protocols, open ports, insecure web software, and so on. Once the attacker finds a host with the desired loophole, that host is infected and then often used to scan and infect others in a similar manner, or otherwise begins contributing to the DDoS attack itself. These infections tend to spread very quickly as the workload is split and multiplied across several compromised hosts during a short span of time, generating little traffic across any single network and therefore often being more difficult to detect.
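The scanning behaviour described above has a recognisable footprint on the defender's side: one source touching many distinct destination hosts in a short window, regardless of whether the connections were accepted or dropped. The script below is an added example, not code from the original post; it assumes a simple constructed firewall log format (`<ISO timestamp> <src> -> <dst>:<port> <ACTION>`) and the sample lines are made up for illustration.

```python
"""Flag horizontal scans in firewall logs by counting distinct destination hosts
per source inside a sliding time window.

Added example; log format and sample lines are assumptions, not real traffic.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (documentation-range addresses, not real hosts).
SAMPLE_LOG = """\
2011-08-08T10:00:01 203.0.113.7 -> 198.51.100.10:21 DROP
2011-08-08T10:00:02 203.0.113.7 -> 198.51.100.11:21 DROP
2011-08-08T10:00:02 203.0.113.7 -> 198.51.100.12:21 DROP
2011-08-08T10:00:03 203.0.113.7 -> 198.51.100.13:21 ACCEPT
2011-08-08T10:00:03 203.0.113.7 -> 198.51.100.14:21 DROP
2011-08-08T10:00:04 203.0.113.7 -> 198.51.100.15:21 DROP
2011-08-08T10:00:05 198.51.100.50 -> 198.51.100.10:80 ACCEPT
2011-08-08T10:00:06 198.51.100.50 -> 198.51.100.10:443 ACCEPT
2011-08-08T10:05:00 192.0.2.9 -> 198.51.100.10:22 ACCEPT
"""

# Assumed log layout: "<ISO timestamp> <src> -> <dst>:<port> <ACTION>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) (?P<action>\w+)$"
)


def parse_line(line):
    """Parse one log line into (timestamp, src, dst, port, action); None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"],
            int(m["port"]), m["action"])


def detect_scanners(lines, window=timedelta(seconds=60), min_hosts=5):
    """Return {src_ip: peak_distinct_hosts} for every source that contacted at
    least `min_hosts` distinct destination hosts within any span of `window`.

    Dropped and accepted connections both count: a scan is defined by its
    breadth across hosts, not by whether any single probe succeeded.
    """
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, src, dst, _port, _action = parsed
            events[src].append((ts, dst))

    flagged = {}
    for src, evs in events.items():
        evs.sort()  # chronological, so each window is a contiguous slice
        peak = 0
        for i, (start, _) in enumerate(evs):
            hosts = {dst for ts, dst in evs[i:] if ts - start <= window}
            peak = max(peak, len(hosts))
        if peak >= min_hosts:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for src, n in detect_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"possible horizontal scan from {src}: {n} distinct hosts within window")
```

On the constructed sample, only `203.0.113.7` is flagged (six distinct hosts on port 21 inside four seconds); the two legitimate sources each touch a single host and stay below the threshold. Tune `window` and `min_hosts` to the size of the network: on a large subnet a low-and-slow scan spread over hours needs a wider window to show up.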
Viruses, trojans, and worms have also continually played their parts in DDoS attacks over the years.  One example is the Gumblar virus, discovered and documented in 2009.  Gumblar would masquerade as security software and often spread itself as PDF files, using a known security vulnerability found in certain versions of Adobe Acrobat Reader to access the user’s computer when the PDF was opened.  The virus would then steal FTP credentials from installed FTP clients like FileZilla and Dreamweaver, or seek the credentials in sniffed network traffic by enabling “promiscuous mode” on the user’s network card – a tactic that Gumblar was among the first to use.  Those credentials would then be sent back to the attacker and used by automated software to systematically connect to hosts via FTP, using the compromised credentials, and inject harmful code into website files. When visitors connected to the hacked websites, their computers would become infected and in turn be used to harvest more FTP credentials to inject more websites, thus repeating the cycle.  Many of the hacked websites and compromised FTP credentials were later used to launch DDoS attacks against other machines and networks.
Other attackers may use publicly-available online services or defacement databases to find targets.  Services such as zone-h.org archive reported digital attacks (mostly attacks reported by the hackers themselves, for bragging rights), which other hackers can then use to find servers that may house websites with vulnerabilities that can be used to trigger larger attacks. The unfortunate part of all this is that many websites that are targeted in these attacks simply clean up the residue, but don’t fix the problem that the hacker targeted in the first place.  All this does is make the target vulnerable over and over again until the security hole is addressed.
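The Gumblar cycle above (code injected into site files over FTP) and the "clean up the residue but stay vulnerable" problem both argue for the same control: a hash baseline of the web root, checked regularly, with the changed or new files inspected for the tell-tale shape of the injected code (hidden iframes, obfuscated `eval`). A site that re-appears as changed a day after clean-up has a live hole, not a one-off incident. The script below is an added example, not code from the original post or from any product; the injection patterns, file extensions, and the temporary sample site it constructs are all assumptions for illustration.

```python
"""Baseline web files by SHA-256, report changed/added/removed files, and run
content heuristics for injected code on anything that moved.

Added example; patterns, extensions and the sample site are assumptions.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Heuristics for the injection style the post describes. Assumed patterns;
# real deployments tune these to what their own incident history shows.
INJECTION_PATTERNS = [
    re.compile(r'<iframe[^>]*(visibility\s*:\s*hidden|display\s*:\s*none)', re.I),
    re.compile(r'eval\s*\(\s*(unescape|atob|String\.fromCharCode)', re.I),
    re.compile(r'document\.write\s*\(\s*unescape\s*\(', re.I),
]
WEB_EXTENSIONS = {".html", ".htm", ".php", ".js"}


def file_hash(path):
    """SHA-256 of a file, read in chunks so large files don't load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> sha256 for every web file under root."""
    root = Path(root)
    return {str(p.relative_to(root)): file_hash(p)
            for p in root.rglob("*")
            if p.is_file() and p.suffix.lower() in WEB_EXTENSIONS}


def compare_to_baseline(root, baseline):
    """Diff the current tree against a stored baseline."""
    current = build_baseline(root)
    return {
        "changed": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def find_injections(path):
    """Return the patterns that match inside one file (empty list if clean)."""
    text = Path(path).read_text(errors="replace")
    return [pat.pattern for pat in INJECTION_PATTERNS if pat.search(text)]


def demo():
    """Build a constructed site in a temp dir, baseline it, simulate an
    injection of the kind the post describes, and return the report."""
    with tempfile.TemporaryDirectory() as root:
        root_path = Path(root)
        index = root_path / "index.html"
        index.write_text("<html><body><h1>Hello</h1></body></html>\n")
        (root_path / "logo.png").write_bytes(b"\x89PNG not a real image")  # ignored: not a web text file
        baseline = build_baseline(root)

        # Simulated tampering (constructed, harmless): a hidden iframe appended to
        # an existing page and a new obfuscated script dropped beside it.
        index.write_text(index.read_text()
                         + '<iframe src="http://example.invalid/x" style="visibility:hidden"></iframe>\n')
        (root_path / "shim.js").write_text("eval(unescape('%61%6c%65%72%74'))")

        report = compare_to_baseline(root, baseline)
        report["injections"] = {p: find_injections(root_path / p)
                                for p in report["changed"] + report["added"]}
        return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In practice the baseline is written once after a known-clean deploy and kept off the web host (an attacker holding the FTP credentials can rewrite anything on it), and the comparison runs from a separate machine on a schedule. The heuristics are deliberately secondary: the hash diff is what catches the change, the patterns only help triage which changes to look at first.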
You may notice by now that most computers that are used to aid in the DDoS task force were targeted and infected due to some sort of security problem on the host or network.  Therefore, it’s reasonable to assume that system administrators who keep up with security advisories and software updates are less likely to have their servers compromised and in turn used for other attacks.