WASHINGTON, D.C., Oct. 27, 2005 – Like medical researchers studying a strain of a contagious virus, Microsoft Internet Safety Enforcement investigators carefully experimented this summer with a tiny piece of malicious code used by computer criminals to hijack personal computers. The investigators began by placing a single copy of the code onto a healthy computer and then connected the computer to the Internet.
Almost immediately, the researchers noticed the first rumblings of life. The infected computer sent an alert with its Internet location and hijack status to a distant server. Then, connection requests from hundreds of Internet Protocol (IP) addresses poured into the machine, commanding the infected computer to distribute millions of illegal spam e-mails.
These requests meant one thing: the investigators had successfully created a “zombie” computer.
Today, Microsoft, the U.S. Federal Trade Commission (FTC) and Consumer Action, a public watchdog and education group, launched a campaign aimed at helping consumers prevent their computers from getting turned into zombies.
Timed to coincide with National Cyber Security Awareness Month and Halloween on Oct. 31, the “Don’t Get Tricked on Halloween” campaign alerts computer users to the threat of zombie computers and how to protect their personal computers (PCs) from being infected with malicious code. In addition, Microsoft is announcing a legal enforcement action that for the first time specifically targets illegal e-mail operations that connect to zombie computers to send spam.
“The only way to slow the spread of zombies and other online threats is by going after them as resolutely and in as many ways as possible,” says Tim Cranton, director of Microsoft’s Internet Safety Enforcement programs.
Turning Computers into Zombies
While the zombies of Hollywood B-movie fame are easily identifiable by their gruesome appearance and menacing groans, zombie computers are silent stalkers. People who use the Internet but don’t properly protect their PCs from computer criminals may never know that their machines have been compromised – even after their infected machines begin causing problems for other people and, potentially, themselves.
As government agencies and e-mail providers such as Microsoft have cracked down on ways of exploiting consumer and business PCs, many computer criminals have turned their attention to creating zombies. They do so by tricking people into loading malicious code by hiding it in e-mail attachments or in music, video or other files that people download online – or even within data transferred when clicking on an infected Web site.
How Zombie PCs Operate: A Graphical Explanation. Click image to download (Microsoft PowerPoint file, 1.1 MB)
Illegal spam sent by zombie computers has increased dramatically in recent months and as of this summer now accounts for more than half of all spam, according to studies conducted by industry groups. In addition, computer criminals can use zombie computers to launch phishing attacks that try to steal personal information, such as Social Security and credit-card numbers.
As more people sign up for high-speed Internet connections at home, computer criminals have set their sights on a growing population of potential zombies that never sleep. “High-speed connections are an extremely convenient and powerful way to access the Internet, but people need to realize that their connections don’t turn off when they walk away from their computers,” says Aaron Kornblum, Microsoft’s Internet-safety enforcement attorney.
In less than three weeks, the Microsoft lab’s zombie computer received more than 5 million requests to send 18 million spam e-mails. These requests contained advertisements for more than 13,000 unique domains, Cranton says. On a regular computer, these spam mails would have ended up in e-mail inboxes or, if nabbed by a spam filter, in junk e-mail folders. But Microsoft’s researchers quarantined the zombie machine, preventing it from sending any spam onto the public Internet, he says.
“We were startled by the quantity of data directed at this single machine,” says Kornblum, who helped lead the zombie investigation. “Even a lone spam zombie can spew huge volumes of illegal e-mail across the Internet.”
Taking Spammers to Court
Microsoft maintains more than 130,000 MSN Hotmail “trap” accounts to investigate patterns within spam. These accounts catch e-mail sent by spammers to potential e-mail addresses. But, as all spam investigators quickly learn, investigating spam after it’s delivered is like tracing an unwanted letter with an illegible (or fake) return address. Most spammers protect their identities by sending mail through zombies or using other masquerading tricks, making it fruitless to trace spammers based on the name listed in the “From” line in the e-mail’s header.
But Microsoft’s zombie investigation gave the company new insight into how it, as a technology developer and e-mail provider, can fight spam and zombies, as well as how to fight the creators of zombies in court.
“By inserting ourselves in the spammers’ path and looking upstream, we have been able to see things we have never been able to see before,” Cranton says.
Specifically, Microsoft was able to uncover the IP addresses of the computers that were sending spamming requests to the quarantined zombie, along with the addresses of the Web sites advertised in the spam.
To prove these spamming requests were not isolated examples, Microsoft compared the Web sites advertised in the quarantined zombie’s spam to those listed in spam in the MSN Hotmail trap accounts.
Cranton says the researchers found numerous identical matches, and were able to determine that approximately 13 distinct spamming operations either helped create or exploit the zombie code placed on the quarantined computer.
These spammers, who are currently unidentified, are named as “John Doe” defendants in the civil lawsuit Microsoft filed in state court in King County, Wash., on Aug. 17. Filing a “John Doe” lawsuit allows Microsoft to use legal discovery tools – such as third-party subpoenas – to help learn the defendants’ true identities.
Capturing the Attention of Busy Consumers
Because the potential threat is so great, the anti-zombie campaign stresses prevention as the best defense against spam and zombie attacks. All three partners in the “Don’t Get Tricked on Halloween” campaign are urging consumers (See “Stop Zombie PC Attacks in their Tracks,” this page) to ensure their computers have the latest software for detecting and preventing computer viruses and spyware. The partners also are stressing the importance of installing a software firewall, programs on a computer or network of computers that examine e-mails and other incoming information to determine if they pose a threat before they are delivered within the computer.
The anti-zombie campaign promotes educational Web sites run by Microsoft and the FTC. The federal consumer-protection agency recently launched OnGuardOnline.gov, a Web site that provides tips, articles and videos to help protect computer users and their information from online threats. The new site builds on “Operation Spam Zombies,” a campaign the FTC launched in May, along with 35 government partners from more than 20 countries, to encourage Internet service providers (ISPs) to take zombie-prevention measures.
Microsoft and other organizations who mount consumer education campaigns know they need much more than technical know-how to change the way millions of people use the Internet.
“It’s easy for new and increasingly sophisticated online threats to overwhelm people.” Cranton says. “We hope this Halloween safety warning will capture the public’s attention and ensure the lessons stick, so more people take advantage of the resources that are available to help protect them online.”
Ken McEldowney, executive director of Consumer Action, says the Halloween-related theme of the current campaign is important because it will help reach people who aren’t as focused on technology and are still learning their way around the Internet. “Folks who are computer savvy are not going to be fooled by phishing attacks” sent by zombie computers, he said. “It’s everybody else that we need to reach. That’s where the challenge is.”
McEldowney credits Microsoft for “now dealing with security up front…making it very clear that security has become a very prime focus.” But the fact that a U.S. government agency and a consumer organization are leading the anti-zombie campaign alongside Microsoft demonstrates the danger of the threat – and increases the chances that people will hear the message.
“By working together, you can be much more effective,” he says. “Our message has much more credibility, and we can bring the strengths of the partners together to achieve the goals of the campaign.”
In addition to educational efforts, such as the anti-zombie campaign, with government and other organizations, Microsoft has invested hundreds of millions of dollars in recent years on research and development of new security features and tools for its existing products. The company also has acquired new products and technologies, including Microsoft Windows AntiSpyware, to provide consumers additional layers of protection.
