The Walking Cyber Dead

Zombies: In the movie “Night of the Living Dead,” (the precursor to “The Walking Dead”) zombies are walking around the city attacking humans.   If the humans are infected, they become zombies, too, and join in the chaos.  

Cyber Zombies: Strangely enough the cyber world has exactly the same thing, except it is not fiction, it is real. It usually starts out with users getting this great free software program or clicked on a link that advertised an unbelievable deal.  This means it sometimes comes in as a Trojan Horse.  A Trojan Horse is an actual application that works as advertised, but it also has additional malware functionality that goes with it.   The malware may also be distributed by using an email with a malicious hyperlink.     The hackers have various methods to infect your machine.

Infected: Once infected, the fun begins.  First, the software searches your computer for any useful information like credit card, bank account or other critical information.  Critical information might be relatives names, birthdays, home towns and other similar data that might help them answer your security questions.  The information is sent to the hacker’s Command and Control (C2) server. 

Working for Them: The really bad part about being a zombie is that the C2 is not finished with you once it has your information.  You are now part of the zombie botnet.   It’s a network of computing devices that infect other computers – perhaps everyone in your email address book.  Or they might control your computer to perform a denial of service attack on a large corporation making their network unusable.   

Beacons: You may ask how the C2 server can control your laptop once you are infected.  The malware running on your computer is sending a “beacon” back to the C2 server.  The activecountermeasures.com website defines beaconing as “the practice of sending short and regular communications from an infected host to an attacker-controlled host to communicate that the infected host malware is alive, functioning, and ready for instructions.”  In other words when your device is a zombie, your system communicates with the C2 server to see if there is any nefarious work for your device to perform. 

IAT Zombies: Remember that the Trickbot network we discussed a couple weeks back had over a million devices on their network. There are many other botnets with hundreds of thousands of devices.  It’s very common.  Almost all devices show no indication that they’ve been compromised even though they are controlled by hackers.   It’s funny to think that some of the devices are part of the “Internet of Things” appliances. Imagine that your refrigerator or your coffee maker could be a zombie in one of these botnets.

Find Your Zombie Response Team: Unfortunately most managed security service providers are not looking for beacons even though they are prevalent.  Anti-virus won’t stop it and firewalls won’t block them.  In order to detect them, you need to be looking for them.   Beacons have very specific characteristics.  They phone home periodically at regular intervals with similar message size.  Beacons can be detected and there are some manage service providers (like CyberEye) that know how to hunt them down and take them out.

Unlike the zombies in the “Night of the Living Dead,” there is a cure for this sickness in the cyber world. We do have the cyber equivalent of the Zombie Apocalypse Response Team.