Web browsers are new frontline in internet war

  • 05 May 2007
  • NewScientist.com news service
  • Jeff Hecht

YOU are surfing the net, and stop at a sports site you regularly visit to read the latest headlines. You are always careful to avoid sites that appear suspect, so you feel safe online. Unbeknownst to you, though, and to the innocent owner of the website, a piece of malicious code has been added to the page you are viewing. This uploads software onto your computer via your browser, turning it into a "zombie" PC under the remote control of a malicious user.

While installing firewalls and antivirus software on your computer may keep it safe from conventional threats such as worms and viruses, these security tools do not inspect data downloaded through browsers - a loophole that attackers can exploit. "The firewall is dead," says Google security specialist Niels Provos.

As a result of this loophole, PCs are increasingly becoming infected with "bot" software, creating networks of zombie computers, or botnets. Bots are "the Swiss army knives of the underground economy", because they are so versatile, says Nick Ianelli, an internet security analyst at Carnegie-Mellon University in Pittsburgh, Pennsylvania. Bots first establish a link to a remote "botmaster" before probing your computer for email addresses and personal data, and even logging your keystrokes. Most zombies are used to churn out huge amounts of spam email, while some target business websites with so-called "denial of service" attacks.

Botnets are not new, but the methods they use to infect computers are changing. Until recently, a bot program tended to arrive as an attachment with spam email, or carried by a computer worm. As users have grown wary of email attachments and installed firewalls and anti-virus software, however, the bad guys have shifted their attentions to websites in a bid to find more victims. "We still see a tremendous amount of bot propagation via email, but the web has overtaken it in the past year," says Pat Peterson of security firm Ironport in San Bruno, California.

The sleazy side of the web has long been a place where people have been easily duped into downloading malicious programs for themselves. Lured to a site by spam and then promised pirated software or pornography, for example, visitors click on a link only to download a bot.

Now, though, even an ordinary website can be risky. At a meeting on botnets held last month in Cambridge, Massachusetts, Provos warned that many web users are becoming the victims of "drive-by" downloads of bots from innocent websites corrupted to exploit browser vulnerabilities. As firewalls allow free passage to code or programs downloaded through the browser, the bot is able to install itself on the PC. Anti-virus software kicks in at this point, but some bots avoid detection by immediately disabling it. Once a computer has become infected with the malicious software, the zombie periodically connects to a web server controlled by the botmaster to receive instructions and download more software.

To determine the scale of the problem, Provos's group at Google analysed several billion web pages and selected 4.5 million suspicious pages for more detailed study. To test for malicious software, or malware, they loaded a program designed to simulate a computer with a vulnerable version of Internet Explorer and monitored what happened. They found around 450,000 web pages that launched drive-by downloads of malicious programs. Another 700,000 pages launched downloads of suspicious software. More than two-thirds of the malicious programs identified were those that infected computers with bot software or programs that collected data on banking transactions and emailed it to a temporary email account.

Ordinary users would not know that their computer had been hit by a drive-by download unless their browser started crashing or they suddenly started being hit with pop-up advertisements, Provos says. Nor would website owners spot that their pages had been corrupted, as such malware is typically hidden, for example, by adding code to the JavaScript program used to create the site. The malware can also be designed to hide from anyone trying to find it; Provos encountered websites that checked the IP address of all visitors and only installed malware on a user's first visit.

Botnets themselves are also evolving. Most existing bots are vulnerable because they receive their instructions via an internet relay chat (IRC) server, a simple communication system. This gives security professionals a hope of disabling them by trapping one zombie using a "honeypot" designed to mimic a vulnerable computer. They can then identify the IRC address of the computer's botmaster when it tries to communicate, says Julian Grizzard, a computer scientist at Johns Hopkins University in Laurel, Maryland. Traffic to the botmaster could then be blocked, effectively cutting off the botnet's head.

Now, however, malicious users are beginning to explore peer-to-peer botnets, modelled on file-sharing networks such as Gnutella, as they are harder to disable. The first P2P bots appeared in 2004, and they are now beginning to increase in sophistication, says Grizzard. Botmasters distribute new bots programmed to establish contact with one of a group of operating zombies. Once contact is made, the P2P network relays information to the botmaster, who can link to the network through any zombie.

In this way, even if security professionals trap a bot, they would have no way of identifying the botmaster. However, Grizzard is not without hope that even these advanced botnets could ultimately be stopped. "The major disadvantage of P2P is that it is typically very chatty," he says. This increased traffic could be detected from outside the host machine and give away the existence of the botnet, he says.
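The two detection ideas above, the honeypot-trapped bot revealing its IRC rendezvous point and the "chatty" P2P bot standing out by the sheer number of peers it talks to, both reduce to simple questions over network flow records. The following is an added illustration, not code from the article or from the researchers it quotes: it runs over a handful of constructed flow records (the hosts, addresses and ports are invented, and the windowing threshold is an assumed tuning value) and reports which internal hosts contacted IRC endpoints and which hosts fanned out to an unusually large set of distinct peers within a short window.

```python
from collections import defaultdict
from dataclasses import dataclass

# Standard IRC service ports; a real deployment would also match on protocol
# content, since a botmaster can run IRC on any port.
IRC_PORTS = {6667, 6697}


@dataclass(frozen=True)
class Flow:
    """One outbound connection record: internal source, destination, port, minute bucket."""
    src: str
    dst: str
    dport: int
    minute: int


# Constructed sample flows (not captured traffic). Three internal hosts:
#   10.0.0.5  fans out to twelve distinct peers on one port in ten minutes (P2P-like "chatter")
#   10.0.0.7  repeatedly connects to a single IRC server (IRC-style command channel)
#   10.0.0.9  ordinary web browsing to two servers
SAMPLE_FLOWS = (
    [Flow("10.0.0.5", f"192.0.2.{i}", 4001, i % 10) for i in range(1, 13)]
    + [Flow("10.0.0.7", "198.51.100.20", 6667, m) for m in (0, 5, 10, 15)]
    + [Flow("10.0.0.9", "203.0.113.10", 443, 2), Flow("10.0.0.9", "203.0.113.11", 80, 3)]
)


def irc_rendezvous(flows):
    """Map each internal host to the set of IRC endpoints it contacted.

    This is the address a honeypot operator would look for once a trapped bot
    "phones home": it identifies the command channel that can then be blocked.
    """
    contacts = defaultdict(set)
    for f in flows:
        if f.dport in IRC_PORTS:
            contacts[f.src].add(f.dst)
    return dict(contacts)


def chatty_hosts(flows, peer_threshold=8, window_minutes=10):
    """Flag hosts that talk to more distinct peers per window than the threshold.

    peer_threshold and window_minutes are assumed tuning values; a real
    baseline would be derived from the site's own normal fan-out.
    Returns {host: peak distinct-peer count}.
    """
    peers_per_window = defaultdict(lambda: defaultdict(set))
    for f in flows:
        peers_per_window[f.src][f.minute // window_minutes].add(f.dst)
    flagged = {}
    for host, windows in peers_per_window.items():
        peak = max(len(peers) for peers in windows.values())
        if peak > peer_threshold:
            flagged[host] = peak
    return flagged


if __name__ == "__main__":
    print("IRC rendezvous points:", irc_rendezvous(SAMPLE_FLOWS))
    print("Chatty hosts:", chatty_hosts(SAMPLE_FLOWS))
```

The fan-out check is deliberately crude: legitimate P2P file sharing or a busy mail server will trip it too, so in practice the count is one signal to correlate with others rather than a verdict on its own.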

Until botnets can be stopped, though, users should try to lessen their computer's chances of becoming infected as they surf the web by keeping browsers updated with the latest software patches, says Cliff Zou of the University of Central Florida in Orlando. This helps browsers avoid vulnerabilities that can be exploited by malware. Surfers should also take special care not to be duped by tricks such as links embedded in spam emails or offers of free software, and pay attention to warnings displayed alongside search engine links.

Ultimately what is needed is a new type of firewall that inspects the content of programs downloaded through the browser, says Zou. This should stop any nasties lurking in websites gaining a free pass to infect your computer.

From issue 2602 of New Scientist magazine, 05 May 2007, pages 28-29
Beat zombies at their own game

Botnets exploit the fact that many computers working together are far better than a single machine at launching denial of service attacks and sending spam. Now the good guys are fighting back with a system that uses multiple online computers to fight rather than spread malicious software.

Dubbed "herd computing", the application behaves like a benevolent botnet. Like its malicious counterpart, herd PCs contain a program that reports back to a central computer. But unlike the zombie PCs in a botnet, whose reports are met by a command to launch spam or spread a virus, members of the herd send back details on the health of their computers, alongside a list of all the software they are running.

This can be used to monitor the effect of downloaded software on the performance of the computer. This information can then be presented to any computer in the herd that attempts to download the same code, warning them in advance.

"It is a way of understanding computing as an act that is not done in isolation," says Jonathan Zittrain, a researcher at Harvard Law School's Berkman Center for Internet and Society and the Oxford Internet Institute, part of the University of Oxford, who is leading the herd computing project. "That is the way botnets gained their power and it would be crazy for us not to harness that power," he says.

The main use for herd computing will be in combating spyware. This software causes unwanted pop-up advertisements, hogs processing cycles and memory, and spies on a web-user's actions. It often arrives bundled with something useful such as a screensaver or chat application, which makes it difficult for existing anti-virus software to remove it. "Viruses are mean, evil programs, but spyware is a little weird," says Nathan Good, a spyware researcher at the University of California at Berkeley. "In some cases it's consensual."

Herd computing could deal with this grey area by flagging the likely consequences of a piece of software before it is downloaded, and then leaving it up to the user to decide whether to install it.

All members of the herd would send in regular updates of their vital signs, including the number of pop-ups they experience, the speed of their processor and the number of crashes and restarts, alongside details of the software they are running. The central computer would collate this information to determine the effect of different pieces of software on computers.

Then, when one of the computers in the herd tried to download software, a message would appear informing the user of what happened to other PCs that downloaded the same program. With this information, users can decide whether or not to download it. "It's a way of allowing people to make better choices," says Good. Zittrain likens the concept to "giving the internet a nervous system".
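The collation step the herd scheme depends on, vital signs from many machines pooled and compared by installed software, can be sketched in a few lines. What follows is an added example and is not the project's own software: it takes a constructed set of host reports (invented host names, program names and counts), compares the pop-up and crash rates of hosts that run a given program against hosts that do not, and turns the comparison into the kind of advisory a user would see before installing. The warning ratio is an assumed threshold, and the "unknown" outcome covers the case the scheme cannot decide, where no host without the program exists to serve as a baseline.

```python
from statistics import mean


# Constructed herd reports (not real telemetry): each host lists the software it
# runs plus two vital signs from the article, pop-up count and crash/restart count.
SAMPLE_REPORTS = [
    {"host": "hostA", "software": ["browser", "screensaver_x"], "popups": 30, "crashes": 5},
    {"host": "hostB", "software": ["browser", "screensaver_x"], "popups": 25, "crashes": 4},
    {"host": "hostC", "software": ["browser", "chat"], "popups": 2, "crashes": 0},
    {"host": "hostD", "software": ["browser"], "popups": 1, "crashes": 1},
    {"host": "hostE", "software": ["browser", "chat"], "popups": 3, "crashes": 1},
]

VITAL_SIGNS = ("popups", "crashes")


def software_impact(reports):
    """For every program seen in the herd, compare vital signs of hosts with and without it.

    Returns {program: {"with": n, "without": m, "<sign>_with": mean, "<sign>_without": mean}}.
    A mean is None when the corresponding group is empty.
    """
    programs = {p for r in reports for p in r["software"]}
    impact = {}
    for program in programs:
        have = [r for r in reports if program in r["software"]]
        lack = [r for r in reports if program not in r["software"]]
        entry = {"with": len(have), "without": len(lack)}
        for sign in VITAL_SIGNS:
            entry[f"{sign}_with"] = mean(r[sign] for r in have) if have else None
            entry[f"{sign}_without"] = mean(r[sign] for r in lack) if lack else None
        impact[program] = entry
    return impact


def advise(reports, program, warn_ratio=3.0):
    """Advisory shown before a herd member installs `program`.

    "warn"    - hosts running it show a vital sign at least warn_ratio times worse
                than hosts without it (warn_ratio is an assumed threshold)
    "ok"      - no such degradation observed
    "unknown" - program never seen, or no baseline hosts without it
    """
    entry = software_impact(reports).get(program)
    if entry is None or entry["without"] == 0:
        return "unknown"
    for sign in VITAL_SIGNS:
        baseline = entry[f"{sign}_without"]
        observed = entry[f"{sign}_with"]
        # Guard against a zero baseline: any nonzero observation then counts as worse.
        if (baseline == 0 and observed > 0) or (baseline > 0 and observed / baseline >= warn_ratio):
            return "warn"
    return "ok"


if __name__ == "__main__":
    for name in ("screensaver_x", "chat", "browser", "never_seen"):
        print(f"{name}: {advise(SAMPLE_REPORTS, name)}")
```

The comparison is a plain difference in means, which is enough to show the mechanism; a deployed herd would need many more reports per program, a way to separate a program's effect from whatever else those hosts share, and some defence against a spyware author enrolling hosts that report falsely good numbers.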

Celeste Biever
