LAN of the Dead:
Putting computer zombies back in their grave, Ash style.
By Adrian Duane Crenshaw
I'm writing this article about computer zombies in honor of George A. Romero, everyone's favorite zombie film director. A zombie computer is a box that has been backdoored or compromised in such a way that the would-be cyber necromancer can send it instructions to do his unholy bidding. Much like Romero's zombies, one on one they aren't much of a problem, but when you get a few hundred of them clawing at you in a distributed denial of service attack they can become a serious issue.
Zombie networks (collections of zombie boxes, also known as bot-nets) have many common uses. One of the most common is distributed denial of service attacks against servers on the Internet. One computer may not be able to suck up much of a server's bandwidth or processor cycles, but a few hundred can make the server so bogged down that it can't service legitimate users. Zombies can also be used to obscure the attacker's location. By using a zombie the attacker can send spam or pull off network attacks without it being easily tracked back to an IP associated with the attacker. A bot-net can also be used to run a process that can benefit from distributed computing. Don't have your own password cracking cluster? Use other folks' computers for the task.
In this article I hope to give the reader details that will help them shoot the network zombies in the head, and keep them down for good.
Listening for Moans
Before a zombie hunter can kill some zombies he has to find them. In the movies the hero can listen for low sorrowful moans or slow shuffling feet to track them down, or just look for the carnage of half eaten people. On your network you can look for similar signs of the undead so you can blast them to oblivion.
Computers that are running way too slowly may have a bot on them. Despite what some newer movies portray, zombies should be slow. Of course this is a purely subjective criterion and is not always a reliable sign. Too many people think that their computer is infected with something just because it behaves a little flaky. Other causes of slowness could be spyware, too many apps set to start up automatically or a very fragmented hard drive. Regardless, if the computer is running very slowly for no obvious reason (like you installed Windows XP on a Pentium 200 with 128 megs of memory) then you should check it out for a possible revenant.
Look for bandwidth spikes that are way beyond normal. If your sniffers/packet shapers/border routers are seeing way more traffic than they should, you will want to track down which IPs are hogging most of the bandwidth and check them out. If the zombie is being used as part of a distributed denial of service attack or to host pirated movies, its network utilization will likely skyrocket.
Scan for odd open ports. Do regular port scans of your network with tools like Nmap to see if any hosts are running abnormal services. Many zombie software packages listen on standard ports that script kiddies are too lazy or too unknowledgeable to change. If you see those ports open take a look at those boxes for possible malware. Even if it's not a common zombie control port beware of services like FTP or IRC that are running on workstations. For a list of common Bot/Trojan ports see:
Since many modern bots use IRC as the command infrastructure look out for IRC traffic or servers on your network. A few examples of IRC bots would be Agobot, Phatbot, SDBot and GT bots. Most IRC bot-nets run their own IRC servers. Sometimes a host that was originally just a member of a bot-net may be promoted to being a server. This is especially true if the compromised box has a fast connection to the Internet. Most IRC servers operate on TCP port 6667, but an attacker could change the IRC server to listen on some other port. You may want to use Nmap with the "-sV" flag to see if it recognizes an IRC daemon on a non-standard port.
Most anti-virus programs for Windows will also detect other malware that's associated with zombified computers. If your AV package is throwing up warnings about detected malware that's an obvious sign, but if you notice that the AV package's real time protection features have been disabled you will also want to check the box out for potential problems. For those of you running *nix boxes look into using Chkrootkit to find trojaned binaries and backdoors on your box.
If your host based firewall (the one built into XP or ZoneAlarm, for example) warns you of odd applications trying to open up ports, those applications should be checked out.
Odd traffic leaving your network could be a sign of a compromise. I once found out a box of mine was rooted because I sniffed leet speak leaving it. Turns out that someone had installed Stacheldraht on that server. Also, if your sniffer or IDS detects unusual IRC traffic you will want to check into it and make sure the box sending or receiving the traffic is not part of a bot-net.
Look for strange things set to start up automatically on the box. Use a program like HiJackThis to look for suspicious programs set to start up automatically, then check to see if these items are common or not. Be careful with tools like HiJackThis, as disabling the wrong service/startup items could render your system inoperable. When in doubt, ask around on forums to see which items should be disabled.
Check for traffic that's resolving to dynamic DNS systems. If your sniffers see a lot of name resolution requests to Afraid.org, DynDNS.org or No-IP.com, the requester may be part of a bot-net (see the footnotes for a longer list of dynamic DNS providers). By no means is this necessarily the case; a user on your network may just be trying to access their home computer, but you may still want to look into it.
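The IRC and dynamic DNS checks above can be automated against whatever your sniffer logs. The following is an added example, not code from this article: it reads constructed sample log lines in an assumed "kind src dst" format (no real sniffer emits exactly this) and flags hosts that connect out to TCP 6667 or that look up several names under the dynamic DNS providers named above.

```python
"""Flag LAN hosts showing the zombie indicators described above.
Added example, not the article's code; input is constructed sample log lines
in an assumed "kind src dst" format (no real sniffer produces this exact form).
"""
import re
from collections import defaultdict

# Dynamic DNS zones the article names; extend from its footnote list.
DYNDNS_ZONES = ("afraid.org", "dyndns.org", "no-ip.com")
IRC_PORT = 6667          # default IRC port; a bot may use another (hence Nmap -sV)
DNS_BURST_THRESHOLD = 3  # assumed tuning value: distinct lookups before flagging

# Constructed sample lines (not real traffic): "conn SRC DST:PORT" / "dns SRC NAME".
SAMPLE_LOG = """\
conn 10.0.0.12 203.0.113.9:6667
conn 10.0.0.12 203.0.113.9:6667
dns  10.0.0.12 bothome.afraid.org
dns  10.0.0.12 bothome.no-ip.com
dns  10.0.0.12 updates.dyndns.org
conn 10.0.0.20 198.51.100.5:443
dns  10.0.0.20 www.example.com
dns  10.0.0.31 myhome.dyndns.org
"""
CONN_RE = re.compile(r"^conn\s+(\S+)\s+(\S+):(\d+)$")
DNS_RE = re.compile(r"^dns\s+(\S+)\s+(\S+)$")


def find_zombies(log_text):
    """Return {host: [reasons]} for every host matching at least one indicator."""
    irc_hits = defaultdict(int)
    ddns_hits = defaultdict(set)
    for line in log_text.splitlines():
        m = CONN_RE.match(line)
        if m and int(m.group(3)) == IRC_PORT:
            irc_hits[m.group(1)] += 1
            continue
        m = DNS_RE.match(line)
        if m:
            name = m.group(2).lower()
            # match the zone itself or any name beneath it
            if any(name == z or name.endswith("." + z) for z in DYNDNS_ZONES):
                ddns_hits[m.group(1)].add(name)
    suspects = defaultdict(list)
    for host, n in irc_hits.items():
        suspects[host].append(f"{n} outbound connection(s) to TCP {IRC_PORT} (IRC)")
    for host, names in ddns_hits.items():
        if len(names) >= DNS_BURST_THRESHOLD:  # one lookup is probably a home user
            suspects[host].append(f"dynamic DNS lookups: {sorted(names)}")
    return dict(suspects)
```

On the sample log only 10.0.0.12 is flagged, on both counts; 10.0.0.31's single dynamic DNS lookup stays below the threshold, which is the "user reaching their home computer" case the text warns about.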
A Bullet to the Brain
Once you have found a zombie, how do you make it rest in peace? If you wish to do any live forensics on the box while it's up, now is the time, but there are a few things you should keep in mind. If the attacker obtained complete admin privileges on the box they may have installed a keyboard catcher. Don't log in to the compromised box with a high level account or the credentials may be sent to the attacker, making things far worse.
For some older DDoS zombies, such as Trinoo, TFN, Stacheldraht, and Shaft, you can use Bindview's Zombie Zapper. Zombie Zapper allows you to send a signal to these DDoS zombies to stop flooding. Unfortunately, it only works if the attacker used all of the defaults when they set up the zombie, and not all zombies are designed like the four above. Zombie Zapper has not been updated in a while so it will be of little use in stopping more modern zombies, but I thought it was worth mentioning.
Once you are ready to clean up a zombie box there are two approaches you can take, the "Night of the Living Dead" approach and the "Return of the Living Dead" approach.
The "Night of the Living Dead" approach is much easier and less painstaking, the digital equivalent of shooting the zombie in the head. All that is necessary is to patch the security hole that let the attacker in, shut down the backdoor apps, uninstall or delete the files and remove them from startup. The problem with this simple approach is that you don't know everything the attacker did while they controlled your box. Depending on the level of the compromise, the attacker may have copied off sensitive password files (SAM and SYSTEM in Windows, passwd and shadow on many *nix systems), installed keystroke catchers, trojaned other system files or done a host of other things that make the zombie box a security risk.
Most of the time I take the "Return of the Living Dead" approach to killing a zombie computer: nuke and rebuild it from scratch. Since it's hard to be sure what system files the attacker may have changed or trojaned, the best course of action is usually to back up all data files on the system and reinstall the OS from known good media. Before you put it back online make sure you have installed all the newest patches; otherwise the box may very well be compromised again, and in short order. Since the attacker may have cracked the local admin password on the box, you will want to change that password on every box that shares the same local admin/root login credentials as the compromised machine.
That's another one for the fire
I hope you have enjoyed this article and that your zombie hunting goes well. If you have any suggestions for additional material that should be added to this article, please email me. Oh, and: "Goodbye, Aunt Alisha!"
Wikipedia Article on Computer Zombies
Honeynet Project Tracking Botnets Paper
For more detail on IRC zombies that this article
John Kristoff's NANOG32 Botnets presentation
John's presentation kicks much ass, even if you have to use RealMedia to watch it
Killing a Zombie
Common Trojan/Bot Ports:
Dynamic DNS Providers: