May 20th, 2009
12:04 PM ET

Attack of the zombie computers

David Gewirtz
AC360° Contributor
Editor-in-Chief, ZATZ Publishing

Zombies. I hate zombies. I particularly hate it when wave after wave of zombies come at you, eating brains and dripping flesh.

And yet they came - zombies...everyday computers, brains hijacked by outsiders and linked together to form an army on the attack - they came in droves.

The rate of cyberattacks against large corporations, government agencies, and even small businesses has shot through the roof over the past year.

I've thwarted cyberattacks before. But none were as ferocious as the one my company was hit with last week. Literally, millions of zombie computers attacked us, all at once.

Show me the money

In most cases, it's about money. Cybercriminals use viruses, malware, and spyware to sneak nasty computer code onto unsuspecting computers and then hijack the computers to do their bidding - creating vast armies of zombie computers.

All these computers are then targeted at their victim with one of a few main purposes: use them to send out junk mail or break into financial and credit card data, or gang them up all together at once, to shut down a computer network so the bad guys can extort payment to make it all stop.

Imagine you're in a tank. A big, powerful, armored tank... in a video game. One or two zombies attack, and you crush them. Even if ten or even a hundred zombies attack, you can crush them.

But what if your tank is swarmed by a million zombies at once? You're toast. Buttered brains on bread kind of toast.

That's what happened to us, except with zombie computers instead of actual zombies.

Never experienced one? You're lucky, and there's a chance you might never get hit. But increasingly, commercial and even governmental computer networks are being attacked in a growing trend of both cybercrime and cyberterrorism.

Cybersecurity experts can't use normal methods to block these coordinated attacks, because the attacks come from everywhere. We can't just look for computers firing at us from, say, China. Instead, millions of these zombified computers are lying in wait, right here in the good ol' U.S. of A. You could be using one right now to read this article.

It's done by remote control. What my company (and many others like us) experienced is called a Distributed Denial of Service attack. These attacks originate from vast networks of computers called botnets (robot networks).

The zombie computers that belong to a botnet can be anywhere in the world, including on your desk or in your mom's living room. On a remote digital command from a criminal called a "botnet herder," the zombie computers awake, connect to the Internet, and all working together at exactly the same time, begin their attack.

Anatomy of an attack

At first, I thought the attack might be an angry response to one or more of the articles I've written. That's happened before (along with death threats and suggestions I rearrange my body in physically impossible but charmingly creative ways).

But this attack was much bigger than something a cranky reader could spin up in a fit of righteous indignation.

My day job is running a small online publishing company called ZATZ Publishing. We publish online technical magazines, ranging from serious tech stuff for professional computer geeks to Connected Photographer, our magazine for helping you get the most out of your camera.

About two months ago, I noticed some strange behavior on our Web servers. In particular, I noticed that our email-to-a-friend page was getting accessed repeatedly, at a rate disproportionate to what regular traffic would generate.

The purpose of this page was to let our readers send a note to a friend telling them about a particularly interesting article. But some criminal operating a botnet out of Russia, Brazil, Turkey, Korea, and the Ukraine decided to try to use our servers to send out their junk mail.

So, I turned that feature off. Things were quiet until Tuesday. On Tuesday, Connected Photographer came under attack. The last time we were hit, only a few bad-guy computers tried to sneak past our defenses. They were relatively easy to track and to block.

This time was different. Way different.

Through the use of an industrial-strength cybersecurity system, I was able to determine that requests to the email-to-a-friend page were coming into the server at a rate of thousands of requests per second.

However, within about ten minutes, the cybersecurity system ceased to function. It had banned more than 10,000 individual computer addresses (about 1,000 per minute), exceeded its available memory, and pushed the server to its limit. It, too, was toast.

I tried a variety of techniques to block the attacks. No matter what I tried, the incredible quantity of individual computers simultaneously firing on our server overwhelmed our defenses.

I finally had to shut down part of our network and spent the weekend engineering some seriously insane new technology that sits between the big, bad Internet and our primary Web servers, intelligently diverting the flow of these attacks and keeping our computers out of the direct line of fire. As of now, it seems to be holding the zombie hordes at bay - knock on wood.

Organized cybercrime

Like I said, I've experienced botnet attacks before. But I've never, ever experienced an attack with this ferocity.

We were being hit by thousands of separate computers every minute. I tracked more than 10,000 individual computers in the ten minutes before the stage-one protection system melted into goo. Overall, somewhere above a million individual computers hit our servers each day on Tuesday, Wednesday, and Thursday.

Like most cyberattacks, this was clearly an attack with a commercial goal. The botnet herders were attempting to use our computers to send junk mail. There's actually an industry of organized cybercriminals who rent out the use of these botnets, and there's a very profitable black market for their capabilities.

Because of the absolute ferocity of this attack and the fact that it came from so many computers at once, it took me a couple of days to engineer a robust defense. My sites are merely informational. But were an attack like this to hit a server that was important to infrastructure (say something that runs the electrical grid or a hospital), the damage could be devastating.

There are also cyberattacks initiated by political groups and nation states. They, too, often take the form of thousands or millions of computers attacking at once, but these attacks are actually far more rare than those initiated simply out of greed.

I recently wrote an article in Counterterrorism Magazine about how cyberterrorism can damage infrastructure. This week, we witnessed the power of such an attack. With the number of botnets growing exponentially - and the size of each also growing exponentially - this sort of attack is going to happen more and more.

Like I said, I hate zombies.

Editor’s note: David Gewirtz is Editor-in-Chief, ZATZ Magazines, including OutlookPower Magazine. He is a leading Presidential scholar specializing in White House email. He is a member of FBI InfraGard, the Cyberterrorism Advisor for the International Association for Counterterrorism & Security Professionals, a columnist for The Journal of Counterterrorism and Homeland Security, and has been a guest commentator for the Nieman Watchdog of the Nieman Foundation for Journalism at Harvard University. He is a faculty member at the University of California, Berkeley extension, a recipient of the Sigma Xi Research Award in Engineering and was a candidate for the 2008 Pulitzer Prize in Letters.

Follow David on Twitter at http://www.twitter.com/DavidGewirtz.

soundoff (One Response)
  1. Dre

    Mike Vick should go see the dog now living with Kathleen, to see how great the dog is doing in a normal household. But he may need to bring some cheese, just in case the dog remembers who he is and tries to bite him.

    I still like Vick and think he should be given a second chance in the NFL.

    Dre

    May 20, 2009 at 12:33 pm