
Archive for April 6, 2006

Honey’D Honeynet

April 6, 2006 abr3

A computer that has been implanted with a daemon that puts it under the control of a malicious hacker without the knowledge of the computer owner. Zombies are used by malicious hackers to launch DoS attacks.

The hacker sends commands to the zombie through an open port. On command, the zombie computer sends an enormous amount of packets of useless information to a targeted Web site in order to clog the site’s routers and keep legitimate users from gaining access to the site.

The traffic sent to the Web site is confusing and therefore the computer receiving the data spends time and resources trying to understand the influx of data that has been transmitted by the zombies. Compared to programs such as viruses or worms that can eradicate or steal information, zombies are relatively benign as they temporarily cripple Web sites by flooding them with information and do not compromise the site’s data.

Here is my abstract (an ingenious solution to the problem).

So if this is how a zombie works, then in order to lure the intruder (one who has the potential to compromise a system and turn it into a zombie), a system can expose some unauthorized services.

Here another system should emulate the services of a router and send packets in return indicating that the system has been compromised, but this information should be sent only after many (un)successful attempts by the intruder.

Though the system that has been compromised does not hold any sensitive information, it should give way to a few other (virtual) systems. The techniques for compromising them are pretty much the same, but the compromise of a real or a virtual system should never let the intruder feel that it is a deception; it should appear to be happening in reality.

So now the few systems that are compromised (under the control of the intruder) can be used as zombies to launch a DDoS attack. The system which was acting as a router (emulating the service) should then call up a few other virtual honeypots to fight off the zombies, much like legions of virtual honeypots battling legions of virtually compromised honeypots.

These virtual honeypots will receive the data and spend time and resources trying to understand the influx of data transmitted by the zombies. But none of this will affect the production systems in any way; they (the production systems) will keep running without any impact.

Also, time and again there will be logs at the entry level (real network), at the virtual router, at the compromised virtual honeypots, and at the other set of honeypots involved in receiving the data, which will also maintain logs; but this is allowed only when a large number of data packets are thrown from many IP addresses. By this approach one can learn the techniques, motives, use of rootkits, commands and other vital information of the intruder.
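The trigger described above (keep the expensive per-packet logging only when many packets arrive from many IP addresses) can be sketched as a sliding-window check over a honeyd-style packet log. This is an added example, not code from the post or from Honeyd; the log format, the thresholds and the sample lines are constructed for the illustration and are not real captures.

```python
"""Flood trigger over a honeyd-style packet log.

A flood is declared for a destination only when, inside a short window,
both the packet count and the number of distinct source addresses are
high. A burst from a single address (a scanner) does not qualify, which
matches the post's "many packets from many IP addresses" condition.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log (assumed, simplified honeyd-like layout):
# timestamp proto(num) flag src sport dst dport
SAMPLE_LOG = """\
2006-04-06-10:00:00.000 tcp(6) S 192.0.2.10 40001 10.0.0.5 80
2006-04-06-10:00:02.000 tcp(6) S 192.0.2.10 40002 10.0.0.5 80
2006-04-06-10:00:04.000 tcp(6) S 192.0.2.10 40003 10.0.0.5 80
2006-04-06-10:00:10.000 tcp(6) S 198.51.100.1 1025 10.0.0.5 80
2006-04-06-10:00:10.050 tcp(6) S 198.51.100.2 1025 10.0.0.5 80
2006-04-06-10:00:10.100 tcp(6) S 198.51.100.3 1025 10.0.0.5 80
2006-04-06-10:00:10.150 tcp(6) S 198.51.100.4 1025 10.0.0.5 80
2006-04-06-10:00:10.200 tcp(6) S 198.51.100.5 1025 10.0.0.5 80
2006-04-06-10:00:10.250 tcp(6) S 198.51.100.6 1025 10.0.0.5 80
2006-04-06-10:00:10.300 tcp(6) S 198.51.100.1 1026 10.0.0.5 80
2006-04-06-10:00:10.350 tcp(6) S 198.51.100.2 1026 10.0.0.5 80
2006-04-06-10:00:20.000 tcp(6) S 203.0.113.9 5000 10.0.0.6 22
2006-04-06-10:00:20.100 tcp(6) S 203.0.113.9 5001 10.0.0.6 22
2006-04-06-10:00:20.200 tcp(6) S 203.0.113.9 5002 10.0.0.6 22
2006-04-06-10:00:20.300 tcp(6) S 203.0.113.9 5003 10.0.0.6 22
2006-04-06-10:00:20.400 tcp(6) S 203.0.113.9 5004 10.0.0.6 22
2006-04-06-10:00:20.500 tcp(6) S 203.0.113.9 5005 10.0.0.6 22
"""


@dataclass
class Packet:
    ts: float      # seconds since the epoch
    proto: str
    src: str
    dst: str
    dport: int


@dataclass
class FloodAlert:
    dst: str
    at: str        # timestamp field of the packet that crossed the threshold
    packets: int   # packets in the window at that moment
    sources: int   # distinct source addresses in the window


def parse_line(line: str) -> Packet:
    """Split one log line into a Packet (fields as in the constructed layout)."""
    f = line.split()
    ts = datetime.strptime(f[0], "%Y-%m-%d-%H:%M:%S.%f").timestamp()
    return Packet(ts, f[1].split("(")[0], f[3], f[5], int(f[6]))


def detect_floods(lines, window=1.0, min_packets=5, min_sources=4):
    """Return one FloodAlert per destination each time a flood starts."""
    windows = defaultdict(deque)   # dst -> deque of (ts, src) inside the window
    active = set()                 # destinations currently flagged as flooded
    alerts = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        pkt = parse_line(line)
        q = windows[pkt.dst]
        q.append((pkt.ts, pkt.src))
        while q and q[0][0] < pkt.ts - window:   # drop packets older than the window
            q.popleft()
        distinct = {src for _, src in q}
        flooding = len(q) >= min_packets and len(distinct) >= min_sources
        if flooding and pkt.dst not in active:
            active.add(pkt.dst)
            alerts.append(FloodAlert(pkt.dst, line.split()[0], len(q), len(distinct)))
        elif not flooding:
            active.discard(pkt.dst)   # flood subsided; a new burst may alert again
    return alerts


if __name__ == "__main__":
    for alert in detect_floods(SAMPLE_LOG.splitlines()):
        print(alert)
```

With the constructed log, only 10.0.0.5 raises an alert, at the fifth packet of the multi-source burst; the six probes against 10.0.0.6 come from one address and stay below the distinct-source threshold, so they would be logged at the normal level rather than triggering the flood handling.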

legions of compromised “zombie” computers, called “botnets,” to bombard honeypot networks

April 6, 2006 abr3

Cybercrooks ramp up against antivirus firms–and each other

Cybercriminals are increasingly fighting each other, as well as antivirus vendors, in pursuit of illegal gain, Kaspersky Lab has warned.

The antivirus provider said Tuesday that as profits from cybercrime grew in 2005, criminals increasingly tried to prevent antivirus providers from developing protection against the latest threats. "Honeypots," or lightly protected systems set up to collect samples of malicious software for antivirus companies, were a prime target, Kaspersky said.

Criminals can use legions of compromised "zombie" computers, called "botnets," to bombard honeypot networks with data to hinder or stop them working, according to Kaspersky's "Malware Evolution: 2005, Part 2" report, published Monday.

"If the bad guys are aware of a network that looks suspicious because it's too unprotected–to lure bad code–they can take steps like launching (distributed denial-of-service) attacks against that honeypot network. They can then launch other attacks simultaneously (against other targets)," said David Emm, senior technology consultant for Kaspersky.

Worms can also be programmed to avoid domains known to be monitored by antivirus companies.

"Criminals will employ whatever evasive techniques they can," Emm said.

In 2005, cybercriminals increasingly used techniques such as creating their own packing mechanisms to compress malicious code, so that they could try to avoid detection by antivirus software. Creators of malicious software also now routinely include code that will try to either disable antivirus updating mechanisms on infected machines or remove antivirus software completely, Emm said.

Cybercriminals are also increasingly targeting one another to maximize financial gain, according to Kaspersky's research. "It's like any kind of economic venture. Those that get smarter survive. Organized criminal structures are run as businesses, and they take over smaller guys," Emm said.

Kaspersky also said that cybercriminals often launch distributed denial-of-service attacks against rivals to stop them from operating, and they attempt to hijack each other's botnets. They also program their software to attempt to disable any other malicious software that has already been installed on an infected PC.

"Criminals have realized that it is much simpler to obtain already infected resources than to maintain their own botnets or to spend money on buying parts of botnets which are already in use," Yury Mashevsky, a virus analyst at Kaspersky, said in the report.

Kaspersky also reported that it had detected a five-fold increase over 2005 in the amount of malicious software designed to steal financial information.

Excerpt 

Courtesy Tom Espiner
Special to CNET News.com

"The only way of preventing or averting the DDOS (Distributed Denial of Service Attack) is by using a Generation II Honeypot (Research Honeypot). And moreover at a network level there should be some Intrusion Detection tool which matches the signature, and that can be done using the HoneyComb. Apart from this the ability of the Gen II Honeypot is by applying some very strict constraints at the network level, say by means of connection rate limiting, and also scrubbing can be done in order to protect the network. Also Core IP filtering (IPchains and Firewall) and Packet filtering will ensure that once an Intruder has come into the network there is no way out rather than giving up. But all these things can be done but we can never think as a Hacker so it is always worth experimenting (forensic analysis) and research purpose (understanding the motives, use of rootkits, commands and techniques).

It would be Greek and Latin for newbies (it was the same when I started with it). But it was real fun for it (Honeypot) taught me so many things. All the credit and Honours goes to the man who invented this technology, Mr. Lance Spitzner.
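The connection rate limiting mentioned in the comment above can be illustrated with a per-source token bucket, the kind of limit a honeynet gateway applies before traffic reaches the honeypots. This is an added example, not code from the post or from any honeynet tool; the rate and burst values, the source addresses and the attempt timings are constructed for the illustration.

```python
"""Per-source connection rate limiting with a token bucket.

Each source address gets a bucket that refills at `rate` connections per
second up to `burst`. A new connection is accepted only if a whole token
is available. A slow legitimate client is never throttled, while a zombie
opening connections far faster than the refill rate is cut back to the
configured rate once its burst allowance is spent.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class TokenBucket:
    rate: float                     # tokens refilled per second
    burst: float                    # maximum tokens the bucket can hold
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.tokens = self.burst    # start full so a fresh source gets its burst

    def allow(self, now: float) -> bool:
        """Refill for the elapsed time, then spend one token if available."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def rate_limit(attempts, rate=4.0, burst=5.0):
    """Apply one bucket per source; return accepted/dropped counts per source."""
    buckets = {}
    stats = defaultdict(lambda: {"accepted": 0, "dropped": 0})
    for t, src in sorted(attempts):
        bucket = buckets.setdefault(src, TokenBucket(rate, burst))
        stats[src]["accepted" if bucket.allow(t) else "dropped"] += 1
    return dict(stats)


def build_attempts():
    """Constructed workload (not captured traffic): a legitimate client
    connecting once a second, and a zombie opening 64 connections in 2 s."""
    legit = [(float(t), "192.0.2.10") for t in range(10)]
    # Timings are multiples of 1/32 s so the arithmetic is exact in binary.
    zombie = [(3.0 + i / 32, "198.51.100.7") for i in range(64)]
    return legit + zombie


if __name__ == "__main__":
    for src, counts in rate_limit(build_attempts()).items():
        print(src, counts)
```

With a limit of 4 connections per second and a burst of 5, the legitimate client at 1 connection per second is never dropped, whereas the zombie gets its first five attempts through and then only one in every eight, so the virtual honeypots behind the gateway see a trickle instead of the flood.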