Internet security 2 : There’s a lot more going on than you’d think.

Posted by Pointman on March 11, 2011 · 10 Comments 

In a previous article here, I gave some information about what basic precautions you should take in order to enjoy the web safely. I’d like to drop down to a slightly lower level and tell you a few more simple things you can do to make surfing the web a lot safer. They won’t be technical at all and are well within the reach of the ordinary computer user.

All operating systems and programs need what are called patches applied to them. A patch is simply a correction made to software because there’s a fault. The fault may be a programming error that causes the software to malfunction in certain circumstances or it may just be closing down a security loophole that has been found. We’ll be looking at the latter.

Everything I’m going to say applies to all computers, irrespective of whether they’re Windows, Apple, Unix or any other types of machine. A factoid, otherwise known as an urban legend, seems to have grown up and entered the consciousness of the internet that it’s only Windows machines that get attacked or have vulnerabilities. This is simply not true. Yes, you hear a lot about security holes in Windows but all the other machines have them too. The worrying thing is you don’t hear enough about them on these other machines, which makes me think they’re not being guarded against and are going largely undetected.

All those smart phones are just another type of computer as well, with the same sort of security loopholes. On the current generation of these, this is a problem that’s not being either acknowledged or addressed by their manufacturers. This is the reason why, for the moment, I stick to using an old phone which can just make and receive calls and text messages.

An unpatched computer is, as you’d suspect, a machine that is missing the latest patches. They haven’t been applied. It’s always important to patch your computer’s programs but if it’s not connected to the internet it’s not particularly urgent. If it’s going to be attached to the internet, it’s crucial. I’m going to try to give you an idea why it’s crucial.

Any time you buy a brand new computer, it’ll be unpatched. Why’s this and how can it be? The answer is that there is a time gap between the manufacture of a computer, the installation of its software, the shipping to a warehouse, its distribution out to retailers and its eventual purchase at some point, perhaps months later, by a consumer. In that time interval, security loopholes will have been discovered and patches developed to plug them but that new machine you’ve just bought won’t have any of them. A security researcher, knowing this, plugged such a machine into the internet to see what would happen.

It was hijacked within 25 minutes.

Who did it, why did they do it and most importantly how did they do it and so fast as well? Before answering those questions, I have to tell you something; your computer has a unique address, like every other computer connected to the internet. It’s called your Internet Protocol address or IP address for short. There’s a lot more to it but conceptually, it’s just like your postal address. If someone wants to send you a letter, they need to know your full address and the reverse applies. If you want to send them a letter, then you need to know their full address. Looked at a certain way, the internet just sends screens containing information between computers but instead of using postal addresses, it uses IP addresses.

What happened to the machine was; its IP address was scanned, the scan detected that a certain security loophole had not been patched so a program was run which exploited the loophole to take over the machine. So there’re people out there scanning IP addresses all the time, looking for unpatched machines? No, what‘s out there are Not Very Nice Persons (NVNPs) who can write a hijack program which will do both the scanning and hijacking of unpatched machines automatically and for a specified range of IP addresses too.

Having written the hijack program, all they need to do is manually find and hijack one machine and install the program on it. From then on, it’s the manually hijacked machine that runs the hijack program that does the scanning and hijacking. They’ve automated the job you see. Some of the newly hijacked machines will have the hijack program installed on them too so pretty soon the NVNP has a large and geometrically growing collection of machines under their control. The number can very quickly grow into the tens or hundreds of thousands. Just to get the vocabulary right, the name for a hijacked machine is a zombie and for the NVNP’s collection of hijacked machines, a botnet. Calling a botnet a zomnet wouldn’t have been half as dramatic I suppose.

But why on Earth do they want your machine? Well, the good news is, it ain’t personal, it’s just business, as the say in all the best gangster movies. They’re not particularly interested in you or your machine, they just need it to post some emails for them. They’re spammers. When you go online, your zombie machine receives fresh advertising copy and a list of email addresses for the current mail shot. For the rest of your online session, it’s invisibly doing some emailing in the background while you’re surfing. The piece of software inside your machine receiving instructions and doing the emailing is called a spambot.

Why can’t they use their own machines? The answer is, they used to use their own machines until enough people complained about the amount of spam being emailed from them so emails from the spammer’s IP addresses were blocked. It’s a profitable business and the only way they could stay in business was to diversify, so to speak. Instead of emailing from their own IP address, which could easily be blocked, they email from the IP addresses of millions of zombies which can’t all be blocked. From a business viewpoint, this also cuts down on their hardware overheads. Over 90% of all email traffic on the internet is now spam, most of it originating from zombies in botnets.

The first generation of spambots used as much of the user’s internet connection speed, called the bandwidth, as they could. This led to the user not being able to use the internet so they didn’t. Not good news for the spammer. The spambots were therefore modified not to use all of the user’s bandwidth and leave some for the user. The spam business, like all businesses, is competitive. There are lots of botnets out there run by different spammers. When competitors hijacked the same unpatched machine, the user ended up with even less bandwidth or none at all so they stopped using the internet. Having several different types of spambots in the same zombie machine also interfered with each others proper operation as well as the machine’s.

This led to the spambot wars which rage to this day. When a hijack program found an unpatched machine with a competitor’s spambots already installed, it deleted all of them and installed its own spambot. The next escalation was to try to fix the security hole with their own patch to keep the competitors out of the unpatched machine. After that, hijack programs were modified to unpick the competitors patch, install their own spambot and put in place their very own patch.

Each botnet is controlled by a spammer from a central machine. If a competitor can find one of the zombies being controlled, they can track back to the central machine. If they watch and analyse the instructions being sent by it, they can find out the IP addresses of all the zombies controlled by it and either start feeding the zombies their own emails to send or attempt to steal the whole botnet. This led to authentication of messages to botnets from the controlling machine to prevent whole botnets being hijacked. And so it goes, on and on. Essentially, it’s the usual arms race.

Email addresses are very important to spammers so having compromised a machine, copying every email address in it is a priority. They’re used not only as targets for spam but in some situations, are used as the supposed senders of the spam. Your friends start sending spam to each other. It can all get very confusing very fast.

The overwhelming majority of machine hijacks are done by spammers but there is another type of person who does the same but for a different reason. They’re assembling a vast collection of zombie machines to commit at some future point what’s known as a Distributed Denial of Service or DDoS attack on a website to make it inoperable.

To get an idea of what a DDoS attack is, imagine a meeting room with a few people in it who are doing a telephone conference call to an external party and asking them questions. Given a bit of politeness, the external party can keep up with a steady stream of questions from the people in the meeting room. However, if the room is invaded by a flash mob of people, all of whom are shouting questions down the phone, the exterior party is soon overwhelmed and can’t answer any questions at all. If you think of the external party as a website, the meeting attendees as its legitimate users and the botnet being activated as the flash mob appearing, that’s pretty much what a DDoS attack is. At any one time, something like 2% of all internet traffic is DDoS flooding.

The third category of person who is interested in hijacking machines is a lot more shadowy and a lot more dangerous to you. They want your machine to act as a buffer and cut-out between their machine and the internet. Essentially, they’re probably up to no good and taking the precaution that if whatever they’re doing is traced back to a machine, it won’t be their one. It’ll be yours.

After this little trip around the murkier but interesting side of the internet, I hope you can see why it’s so important to keep your machine’s software up to date by applying all the latest security patches as soon as possible. That experiment the researcher did with the unpatched machine took place over five years ago. I suspect it’d be hijacked in well under 25 minutes nowadays. As for how to do the patching, on Windows, like other consumer operating systems, this consists of ticking a box in the Security Centre. By default it’s set to on. What happens is your machine checks for new patches automatically every time you go online and if there are any, they’re downloaded and applied to your machine.

The other thing it’s vital to do is to have anti-virus software and make sure it’s up-to-date. If there is a bot inside your machine, it’ll detect it and remove it.

The takeaways from this one are :

• Always make sure your machine has the latest security patches.
• Keep your anti-virus software up-to-date.

Look after your machine or you’ll lose it and you might not even know it’s gone.

©Pointman

Related article :

Internet Security 3: The Worst Sort Of Predator.

Internet Security 1 : Let’s be safe out there.

Click for a list of other articles.

Filed under Article · Tagged with Botnet, DDoS, Hacking, Internet Security Series, IP Address, Security, Spam, Spambot, Spammers, Zombie