Rediff.com

Bugs that will ruin your PC

November 05, 2007 11:44 IST

The greatest threat to global cyber security today, according to Internet Security Systems researcher Josh Corman, may be your mother's computer.

Or more precisely, the collected computers of all the world's mothers. Along with millions of other out-of-date and unsecured PCs strung together by the Internet--what Corman calls "the leper colony"--those machines represent a combined mass of computing power responsible for most of the Net's spam e-mails, much of its click fraud, and the vicious "denial of service" attacks that can knock sites offline and even destroy online businesses altogether.

Since the beginning of the decade, cybercriminals have increasingly used malicious software to hijack unwitting PCs, turning about 20 per cent of the world's computers into "zombies" that can be controlled and collected by the thousands into subservient criminal armies, according to research by security firm Trend Micro.

Now, that zombie software is becoming more infectious and sophisticated: One strain in particular, the so-called "Storm worm," has enslaved between 15 and 50 million PCs, by security researchers' estimates. To make matters worse, Storm's zombies don't moan or drool blood, like their human-shaped counterparts. These digital undead, security researchers say, work in practically undetectable silence.

"The Storm worm is patient, resilient, adaptive and invisible," says Corman. "It's persisted unfettered for 10 months now, and a lot of us in the security industry think that it's the biggest threat we've ever seen."

So far, Storm's zombie army hasn't been used for much other than sending spam e-mails that grow its ranks. Storm's messages originally offered news about disastrous storms in Europe last January. Now they constantly evolve to tempt users into opening infected e-mail attachments by referring to recent news and using other "social engineering" tactics.

The Storm worm's final purpose still isn't clear: Some security experts worry that its massive botnet could be turned on government Web sites to flood them with denial of service attacks. Others say Storm's collection of zombies is now being split into pieces, which are sold to the highest bidder--a sort of commando bot-force, available for hire.

Most people probably wouldn't want their computer to lead a double life as an agent in a seething, cybercriminal organization. Then again, most people don't notice whether their machines are busy even when no one is at the keyboard.

Brian Grayek, vice president of security company CA, says that users can sometimes detect a slowdown in performance, hear their PC's hard drive whirring or see their Internet router's lights flashing when they're not using the computer, all signs that zombie software is at work. But David Perry, a spokesperson for Trend Micro, says that's no longer enough. "Everyone wants to be clever and think they can spot a zombie," Perry says. "But really there are no behavioral or visual clues."

Zombie hunting, Perry argues, should be left to the professionals: commercial anti-virus scanning programs. But even software scans may not be enough to detect the Storm worm, according to Internet Security Systems' Corman. He says that Storm mutates as often as every 30 minutes, updating far faster than the scanners trying to track it. Worse, the worm can "lobotomize" anti-virus software, Corman says, so that it appears to be running but has no effect.

Storm's zombie network is endlessly innovative. Unlike past viruses that have hijacked armies of PCs, Storm doesn't place the command and control of the network in a single computer. Whereas other zombie networks can be "beheaded" and disabled, according to Corman, every enslaved member of Storm's army has equal autonomous power.
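As an added illustration of the "beheading" point above (example code written for this article, not anything from the researchers quoted): a toy graph model comparing a botnet that reports to one command server with one whose bots all hold equal peer links, measuring how much of each population stays connected after the best-connected nodes are taken down. The sizes, peer counts and random seed are constructed assumptions, not figures from the article.

```python
import random
from collections import deque

def star_botnet(n):
    # Classic design: node 0 is the single command server, every bot talks only to it.
    adj = {i: set() for i in range(n)}
    for i in range(1, n):
        adj[0].add(i)
        adj[i].add(0)
    return adj

def mesh_botnet(n, peers, seed=7):
    # Storm-style design: every bot keeps a list of `peers` other bots; links are symmetric
    # and no node is special (constructed random topology, fixed seed for repeatability).
    rng = random.Random(seed)
    adj = {i: set() for i in range(n)}
    for i in range(n):
        for j in rng.sample([k for k in range(n) if k != i], peers):
            adj[i].add(j)
            adj[j].add(i)
    return adj

def behead(adj, count):
    # Takedown model: defenders remove the `count` best-connected nodes (a central server,
    # or the busiest peers), along with every link to them.
    victims = set(sorted(adj, key=lambda v: len(adj[v]), reverse=True)[:count])
    return {v: adj[v] - victims for v in adj if v not in victims}

def largest_component_fraction(adj, total):
    # Fraction of the original population that can still reach each other (breadth-first search).
    seen, best = set(), 0
    for start in adj:
        if start in seen:
            continue
        queue, size = deque([start]), 0
        seen.add(start)
        while queue:
            v = queue.popleft()
            size += 1
            for w in adj[v]:
                if w not in seen:
                    seen.add(w)
                    queue.append(w)
        best = max(best, size)
    return best / total

if __name__ == "__main__":
    n = 1000
    print("star after removing the server:", largest_component_fraction(behead(star_botnet(n), 1), n))
    print("mesh after removing 50 busiest peers:", largest_component_fraction(behead(mesh_botnet(n, 5), 50), n))
```

Removing the one server leaves the star's bots fully isolated, while the mesh keeps most of its bots mutually reachable after losing its fifty busiest peers, which is why a P2P control layer cannot be disabled by a single takedown.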

Even scarier, Storm's creators are actively attacking researchers who try to uncover the worm's secrets. Security analysts at firms like Secureworks and Spamhaus have both been struck with denial of service attacks after publishing research on Storm, according to Corman.

But Bruce Schneier, chief technology officer of BT Counterpane, says that the simple element that keeps Storm more elusive than past viruses is its patience. "Symptoms don't appear immediately, and an infected computer can sit dormant for a long time," he wrote in his blog earlier this month. "If it were a disease, it would be more like syphilis, whose symptoms may be mild or disappear altogether, but which will eventually come back years later and eat your brain."

The only remaining defense against the expansion of Storm's zombie hordes may thus be prevention: If users stopped opening e-mail attachments from strangers--a basic security practice--Storm would lose its main avenue of infection.

But Schneier warns that education isn't any more likely to solve the problem, because users have no direct incentive: A subtle zombie sends spam at other users without victimizing its host. "The basic problem is that your company's security depends on my mother," he says.

That means, Schneier reluctantly admits, that the zombie epidemic will continue. "Short of finding the guys who wrote this and arresting them, there's no real solution," he says. "Annoying, isn't it?"

Andy Greenberg, Forbes.com