Dawn of the undead
In the quiet places of the world, a zombie army is gathering.
Are you harbouring zombies? There's a fair chance you could be, if Paul Judge, the CTO of e-mail security firm CipherTrust, is right - he says that his company's statistics, gathered from its customers and a network of honeytrap PCs, show that a quarter of a million new zombie PCs come online every day.
That's a staggering number, but if you take a look at the log of a firewall connected to almost any ISP's network, it gets a whole lot more believable - all day long, that firewall will be hit by port scans and pings, some harmless, but most representing an infected PC elsewhere on the network trying to propagate its infection.
It's no surprise then to hear that an unprotected PC on the public Internet is likely to pick up its first virus or Trojan infection within seconds. "We deployed a new honeytrap PC in Europe a few months ago," says Judge. "It had 300 distinct variants of malware installed on it overnight - without it even doing anything on the Internet."
That means there's most likely a whole army - a veritable fifth column - of zombie PCs out there, waiting for someone to give them the nod, whether it be for spam, phishing or harvesting new zombies. It's the ultimate grid computer, but it's in the hands of the bad guys.
"Very few supercomputers on Earth have that sort of power," says Judge. "What sort of problems could you apply that threat to? We deal in DoS attacks from thousands of PCs - but millions? Most risk models today assume a finite capability for the adversary, but this completely changes that."
Corpnets at risk too
What's more worrying is that it's not unusual for PCs on private networks to get infected too, and once one PC in an organisation has it, it starts recruiting its colleagues too.
The risk isn't just spam or DoS attacks - zombie packages can have a range of features in them, including remote control, and the first targeted malware attacks have now been reported, such as one which aimed to steal data from the UK parliament. For a company or university, say, the thought that someone outside might have their hands inside your organisation via a Trojan-infected PC should be rather worrying.
To make it worse, malware is getting harder to detect as spammers and hackers get wise to counter-measures. For example, Judge says it's not unusual for a zombie to send a blip of spam, then go quiet for a few months, or to trickle spam out at quite a low rate so as not to trip any traffic alarms at its host's NOC.
"The change in the message pattern can be quite subtle," he says. "The issue is that the volumes aren't that high, for example if a network of 100,000 zombies has 10 million spams to send, that's only 100 each."
"There are two things to do," he adds. "First, control your outbound network access as well - many organisations have Port 25 wide open, so block or monitor that.
"The other piece is, is there something someone should do to provide information back to companies? We've focused on our own customers in the past, but now we're creating other windows into our data, such as trustedsource.org."
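One way to act on the outbound Port 25 advice above, as an added example that is not from the article or from CipherTrust: rather than alarming on volume (which the slow trickle described earlier is designed to stay under), it counts how many distinct external mail servers each internal host talks to on port 25, which a legitimate desktop should never do at all. The log format, the 10.0.0.0/8 internal range and the relay address are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed firewall log lines (hypothetical format: time src:port -> dst:port action).
# 10.0.0.5 is the approved outbound mail relay; 10.0.0.23 shows the zombie pattern of a
# few SMTP connections an hour to many different external hosts; 10.0.0.31 only talks
# to the relay, as a normal desktop should.
SAMPLE_LOG = """\
09:00:01 10.0.0.5:41022 -> 203.0.113.10:25 ALLOW
09:00:03 10.0.0.31:51200 -> 10.0.0.5:25 ALLOW
09:12:44 10.0.0.23:49152 -> 198.51.100.7:25 ALLOW
09:40:10 10.0.0.23:49153 -> 198.51.100.9:25 ALLOW
10:05:31 10.0.0.23:49154 -> 192.0.2.77:25 ALLOW
10:51:02 10.0.0.23:49155 -> 192.0.2.80:25 ALLOW
11:03:09 10.0.0.5:41023 -> 203.0.113.11:25 ALLOW
11:14:55 10.0.0.23:49156 -> 198.51.100.12:25 ALLOW
"""

LINE_RE = re.compile(r"^\S+ (\S+):\d+ -> (\S+):(\d+) \w+$")


def is_internal(ip):
    # Assumed internal address space for this example.
    return ip.startswith("10.")


def find_suspect_mailers(log_text, approved_relays, min_distinct_dests=3):
    """Return {src_ip: sorted external SMTP destinations} for internal hosts that are
    not approved relays and reached at least min_distinct_dests distinct external
    hosts on port 25. Distinct destinations, not message count, is the signal: a
    trickling zombie still has to deliver to many different recipient domains."""
    dests = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines in another format rather than failing
        src, dst, port = m.groups()
        if port != "25" or not is_internal(src) or is_internal(dst):
            continue  # only outbound SMTP from inside to outside is of interest
        if src in approved_relays:
            continue  # the mail gateway is supposed to do this
        dests[src].add(dst)
    return {src: sorted(d) for src, d in dests.items() if len(d) >= min_distinct_dests}


if __name__ == "__main__":
    for host, targets in find_suspect_mailers(SAMPLE_LOG, {"10.0.0.5"}).items():
        print(f"{host}: direct SMTP to {len(targets)} external hosts: {', '.join(targets)}")
```

Hosts the script flags are candidates for the block-or-monitor rule Judge recommends, with the relay left as the only permitted Port 25 talker.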
He claimed that this database, which lists the zombie PCs that CipherTrust has detected, is less subjective than some of the blacklists already in existence because it doesn't allow disgruntled or malicious e-mail recipients to try entering false spam reports.
Authentication or reputation?
This brings up the topic of reputation, which Judge argues is key - and more complex than simply authenticating the sender.
He says that with authentication schemes such as SenderID and DomainKeys now deployed, 25 percent of e-mail is already showing up authenticated. But as the recent proposal by AOL and Yahoo to fast-track commercial e-mail for a fee of one cent per message demonstrates, not all authenticated e-mail is wanted e-mail.
"What authentication does is tell you that the person is who they say they are," Judge notes. "What's great is it makes people tell the truth about who they are, the question is what action do you take after checking - it could still be spam.
"Legitimate companies are catching up now, but there was a time when there was more spam passing SenderID than non-spam, because the spammers were early adopters - they make their money from their e-mail getting through."
"The change now is that the platform for spam went from the spammers' own machines to others, with a heavy focus on zombies for a range of attacks."
Nobody knows how many zombies are out there, but a quarter of a million new ones every day is 90 million a year. That sounds a lot, but Judge says that with about 3000 million usable IP addresses, the attackers have a fair bit of time before they run out of addresses to use.