How to Prevent a Zombie Apocalypse: 5 Deadly Cyberthreats Explained
July 17, 2014 by Daniel Humphries
A common lament in IT security is that, in most organizations, there’s a huge language gap between business executives and security experts. Let’s face it: terms such as “bot,” “zombie,” and “threat vector” sound like something from a video game, not a board meeting.
Yet even though a 2014 McAfee study estimated that cybercrime could be costing the global economy as much as $575 billion a year, a recent SIM IT trends survey of 500 IT leaders in large organizations found that while security was the second-ranked concern of Chief Information Officers (CIOs), it ranked only seventh for their businesses overall.
Here at Software Advice, we wondered: What if all this “nerd-speak” is part of the problem? If the boardroom understood these terms better, would they take all this stuff a little more seriously? To help, we asked IT security experts to bridge the communication gap with storytelling, analogies and examples of real-life consequences of five common cyberthreats.
But beware—these are no bedtime stories. If one of these threats struck your business, it could be the stuff of nightmares.
Threat #1: The Trojan
Rich Barger, chief intelligence officer at Cyber Squared Inc: “Trojan horse programs,” or “trojans,” are named after the Greek tale of subterfuge, where Trojan warriors were snuck into the city of Troy within the belly of a seemingly benign wooden horse. The same concept applies in the digital age.
Here’s the scenario: You get an email from someone who appears to be your company’s human resources director. It includes an attachment purporting to contain important information—let’s say, about pay raises. You click the attachment, and notice that there are a few flickers of the screen, or that it takes a few minutes for the document to load.
What’s happening? The malicious Trojan is installing silently in the background; once on your computer and network, it phones home back to the attacker. Now connected to all of your data, the attacker can do everything you can do on that computer—and more.
Andrew Avanessian, VP of global professional services at Avecto: When the Greeks wanted to capture the seemingly impenetrable city of Troy, they built a giant wooden horse, hiding soldiers inside. The people of Troy brought the horse inside their city walls, and the Greek soldiers crept out at night and opened the gates to let the rest of the army inside.
In the modern world, the computer acts as the city of Troy, secured by firewalls and network defenses. The Trojan horse is malicious software hiding inside a seemingly legitimate application. These applications could appear to be useful free tools or even antivirus software—however, when you run one of the applications, it will silently open a virtual back door in your computer, allowing the attackers in.
The moral of the story is: No matter how sophisticated your defenses are, users could always bring a threat inside the organization via a USB drive, malicious email or website download. Educating users about social engineering and threats, restricting users’ privileges and using application control—which guards computing devices and servers against unauthorized applications and malware—can prevent or limit the damage caused by Trojans.
Threat #2: The Zombie
Dr. Engin Kirda, co-founder of Lastline Labs and professor at Northeastern University: As everyone knows, zombies lie dormant—until a delicious person arrives and makes noise or moves into their field of view. Then the zombie awakens and attacks, infecting the unsuspecting or unscrupulous victim.
Remember, however, that zombies were once innocent people who fell prey to other zombies. In the case of cybersecurity, “zombies” are formerly innocent computers that are infected with code that turns them into “threat vectors.”
For example, the device you’re reading this on may not have adequate security in place—in which case, zombie-army creators may have infected it, so that it lies in wait to be called into battle. Your home or work PC could be a zombie right now and you wouldn’t know it, because zombies wait to distribute spam or viruses until they’re directed to by the zombie-army creators.
Some people notice their computer is slow or behaves erratically when left online. This could be because it has been infected and is now a part of the zombie army, spreading spam or viruses to make other zombies and also to infiltrate other systems for cybercriminals in a way that is very difficult to trace back to the perpetrator.
Barger: When people think about zombies, many conjure up AMC’s TV show “The Walking Dead,” where survivors blast and slice away at an army of groaning ghouls. In the digital world, it’s your computer that gets “turned” if it gets bit. Zombie hosts are simply computers mindlessly doing the bidding of the attacker, looking for other hosts to infect.
As the army of zombie computers grows, the attacker can harness the total computing power of these zombies to send spam, or conduct Distributed Denial of Service attacks (DDoS; we’ll get to that in a minute). Often your computer is infected and made vulnerable from clicking on a bad link, or by visiting a site that looks okay, but has something lurking underneath.
Practicing good Internet hygiene (making sure we are protecting and maintaining systems and devices and using cybersecurity best practices); configuring a personal small router at home or in your office that goes in-between your computer and the Internet; keeping your security updated; and using reputable anti-virus software can significantly reduce the risk of your computer being “bitten” and turned into a zombie.
Threat #3: The Botnet
Avanessian: Cybercriminals are limited in what they can do as individuals: If they directly attack an organization, it will be noticed, and they could be blocked or tracked down. Their solution is to build up an army of zombies or “bots” to do their bidding, and provide a wall to hide behind; this army is referred to as a “botnet.”
Now, managing real people in an evil cyber-army would be hard work—but managing zombies is easy, because they do as they are told and are dispensable. In fact, this strategy is so popular, an underground market exists for buying or renting zombie computers. Cybercriminals are offering virtual armies for sale, with hundreds of thousands of zombies available all for a low monthly fee. Companies are often preferred zombie recruits, as their fast Internet connections and powerful servers can be exploited to conduct a wide range of cybercrimes.
Botnets are becoming such an issue in cyberspace that the FBI has been leading a multinational campaign to disrupt their operations. The efforts have been focused on blocking the criminals in charge from communicating with the zombie machines. This communications blackout gives zombie-machine users a chance to remove the malicious software from their machines and escape the botnet.
Jared Schemanski, security information and event management (SIEM) administrator for Nuspire Networks: The largest botnet known to exist was the BredoLab botnet/Trojan, which had over 30 million computers in its zombie slave-bot network. The BredoLab botnet was used for mass email spamming, which is still the most widely used purpose for botnets. BredoLab was sending as many as 3 billion junk and infected emails per month through its zombie network of bots.
If a business computer has been compromised and turned into a zombie bot, one result could be a lack of productivity from the user of the system—due to slowness not only of the computer itself, but of the Internet connection, as well. Farther-reaching effects would include a general network slowdown because the infected bot computer is performing tasks assigned by the hacker and owner of the bot network. Another repercussion could be the business getting blacklisted or shut down by their internet service provider (ISP) because of heavy network traffic.
Network administrators should keep an eye out for any system on the network that is using more bandwidth than other systems, and especially for a system that is “uploading” a lot of data, which could be a sign that the compromised system is a bot that is spreading spam out to the internet.
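Two of the warning signs described above, a Trojan that "phones home" on a schedule (Barger, Threat #1) and a bot that uploads far more than its neighbours (Schemanski, just above), can both be pulled out of ordinary flow logs. The script below is an added example written for this page, not code from any of the experts quoted or from their companies. The flow records it analyses are constructed for the example (the 10.0.0.x hosts, the 203.0.113.5 and 192.0.2.x destinations and the byte counts are all made up), and the thresholds (5x the median host's outbound volume; at least five connections with under 10% timing jitter) are illustrative assumptions a real deployment would tune.

```python
import statistics
from collections import defaultdict


def build_sample_flows():
    """Constructed NetFlow-style records for this example (not real traffic).

    Each line is "timestamp_s,src_ip,dst_ip,dst_port,bytes_out".
    """
    lines = []
    # Four ordinary workstations: irregular timing, modest uploads.
    gaps = [37, 112, 58, 201, 19, 140, 83, 66]
    for host in range(2, 6):
        t = 0
        for i, gap in enumerate(gaps):
            t += gap + host * 7
            lines.append(f"{t},10.0.0.{host},198.51.100.{i % 3 + 1},443,{1200 + 300 * i}")
    # Trojan phone-home: 10.0.0.7 contacts the same external host every 60 s.
    for i in range(1, 11):
        lines.append(f"{60 * i},10.0.0.7,203.0.113.5,443,320")
    # Spam bot: 10.0.0.9 pushes large volumes out over SMTP to many hosts.
    for i in range(1, 9):
        lines.append(f"{45 * i + 3},10.0.0.9,192.0.2.{i},25,{48000 + 500 * i}")
    return lines


def parse_flows(lines):
    """Turn raw lines into (timestamp, src, dst, dport, bytes) tuples."""
    flows = []
    for line in lines:
        ts, src, dst, dport, nbytes = line.strip().split(",")
        flows.append((int(ts), src, dst, int(dport), int(nbytes)))
    return flows


def outbound_volume_outliers(flows, factor=5.0):
    """Hosts whose total outbound bytes exceed `factor` times the median host's.

    The median is used as the baseline so one very noisy host cannot drag
    the baseline up and hide itself.
    """
    totals = defaultdict(int)
    for _, src, _, _, nbytes in flows:
        totals[src] += nbytes
    baseline = statistics.median(totals.values())
    return sorted(src for src, total in totals.items() if total > factor * baseline)


def beaconing_hosts(flows, min_connections=5, max_jitter=0.1):
    """(src, dst, port) triples that connect at nearly constant intervals.

    Human-driven traffic is bursty; malware checking in on a timer is not.
    Jitter is the coefficient of variation of the gaps between connections.
    """
    times = defaultdict(list)
    for ts, src, dst, dport, _ in flows:
        times[(src, dst, dport)].append(ts)
    hits = []
    for key, stamps in times.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap == 0:
            continue  # everything at the same instant is a burst, not a beacon
        if statistics.pstdev(gaps) / mean_gap <= max_jitter:
            hits.append(key)
    return sorted(hits)


if __name__ == "__main__":
    flows = parse_flows(build_sample_flows())
    print("high outbound volume:", outbound_volume_outliers(flows))
    print("periodic beacons:    ", beaconing_hosts(flows))
```

Run as-is it reports 10.0.0.9 as the volume outlier and the (10.0.0.7, 203.0.113.5, 443) triple as a beacon; the four ordinary workstations trip neither check. Volume alone would miss the Trojan, whose check-ins are tiny, and periodicity alone would miss the spam bot, which talks to a different mail server every time, which is why a practitioner watches both.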
Threat #4: Spyware
Avanessian: When cybercriminals want to gain access to your personal information, spyware allows them to do this. Spyware acts like an enemy agent, blending into the surroundings and trying to gather as much useful intel as possible. By camouflaging itself on a computer system, spyware tends to go unnoticed by the user. While the spyware is operational, it may be logging your keyboard presses, stealing login credentials or watching you through a webcam. The information it captures could vary from Facebook logins to intellectual property or even bank account details.
Sometimes the attacker may act directly on information, but more often, data is sold on the black market for others to exploit. The recent case of PF Chang’s is a prime example of the damage this type of malware can do to an organization. Hiding in the company’s POS system, the spyware siphoned away customers’ credit card data to be sold on the black market.
As with real-world security, you have to be looking out for things or people that shouldn’t belong on your systems. A key part of this is controlling access and privileges, using “whitelisting” technologies to prevent unauthorized programs from running and making sure that you know and trust all the applications and users on your systems.
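Avanessian's recommendation above, and in the Trojan section, is application control: only programs you already know and trust may run. The simplest form of that is a hash allowlist, and the script below shows the mechanics. It is an added example for this page, not Avecto's product or any of the experts' own code. The file names and contents in `demo()` are constructed (hypothetical "editor.exe", "antivirus.exe" and "free_tool.exe" stand in for real binaries), and a real deployment would enforce the verdict at execution time rather than scanning a directory after the fact.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hash a file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_allowlist(paths):
    """Map approved file name -> SHA-256, captured once from a trusted image."""
    return {os.path.basename(p): sha256_of(p) for p in paths}


def check_directory(directory, allowlist):
    """Return a verdict per file: 'allowed', 'tampered' or 'unknown'.

    The decision is made on the hash, never on the name: a renamed but
    unmodified approved binary stays allowed, while a file that reuses an
    approved name with different contents is reported as tampered.
    """
    approved_hashes = set(allowlist.values())
    verdicts = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        digest = sha256_of(path)
        if digest in approved_hashes:
            verdicts[name] = "allowed"
        elif name in allowlist:
            verdicts[name] = "tampered"
        else:
            verdicts[name] = "unknown"
    return verdicts


def demo():
    """Constructed scenario with hypothetical file names and contents."""
    with tempfile.TemporaryDirectory() as workdir:
        editor = os.path.join(workdir, "editor.exe")
        antivirus = os.path.join(workdir, "antivirus.exe")
        with open(editor, "wb") as f:
            f.write(b"MZ editor build 1")
        with open(antivirus, "wb") as f:
            f.write(b"MZ antivirus build 3")
        allowlist = build_allowlist([editor, antivirus])

        # Later: a "free tool" lands on disk, the antivirus binary is replaced
        # with a trojanized copy, and the editor is merely renamed.
        with open(os.path.join(workdir, "free_tool.exe"), "wb") as f:
            f.write(b"MZ totally legitimate tool")
        with open(antivirus, "wb") as f:
            f.write(b"MZ antivirus build 3 plus backdoor")
        os.rename(editor, os.path.join(workdir, "notepad.exe"))
        return check_directory(workdir, allowlist)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:8} {name}")
```

The scenario mirrors the Trojan story: the "free tool" is unknown and would be refused, the trojanized antivirus keeps its trusted name but fails the hash check, and the renamed editor is still allowed because its contents are unchanged. The allowlist itself must be protected as carefully as the binaries; an attacker who can edit it can approve anything.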
Threat #5: Distributed Denial of Service (DDoS)
Daniel Weis, penetration tester/security specialist, Kiandra IT: A DDoS attack is a process wherein an attacker will harness a bunch of compromised machines (usually bots) to perform an attack that would prevent the target from being able to respond to legitimate requests. An example could be a website that gets flooded with bogus network or Web traffic, thus rendering the website unable to respond to legitimate client requests. This can also be used by attackers to shut down a company through saturation of the network’s bandwidth and services.
Andrew Bagrin, founder and CEO of My Digital Shield: Imagine that your business or Internet connection is an interstate that is very effective at moving all sorts of vehicles from their source to their destination. We learn to rely on this very useful tool (the interstate) to move goods and people to and from the necessary places for doing business and living our lives. Now imagine that all of a sudden, everyone’s GPS in the country told them to go on the same interstate that you rely on! The interstate would be rendered completely useless.
That is exactly what happens in a DDoS attack. Hackers will tell zombies to start sending a huge amount of traffic to a specific location. If it’s a Web server, such as Amazon.com, then regular users won’t be able to use that website because it’s overwhelmed. If it’s Visa, people won’t be able to process credit cards.
Schemanski: A DDoS attack uses hundreds or thousands of computers in the botnet to send data or requests to a website or network service, such as email, in a continuous loop. The objective of the attack is to overwhelm a system with activity until a particular service (e.g., email, point-of-sale system, company website etc.) either responds too slowly for use or crashes completely.
Many times, a company will be contacted by the hacker, demanding money in exchange for stopping the DDoS attack—and because the flood is coming from so many globally dispersed, individual systems, it’s not easy to stop the attack by blocking IP addresses from a certain region or country. Hackers in control of large botnets wield a lot of power in the hacking community. A persistent DDoS attack can even put a company out of business. The best defense for a DDoS attack is to have another set of servers—with a different IP address—to switch a website or service to.
A DDoS attack can happen to any type of business (e.g., retailer, franchise, corporation etc.), but a good example of this is a retail store that is attacked at the peak of the holiday season. The overwhelming activity forces a system shutdown, and the retailer loses the ability to use its computer systems. One of the more recent cases of a large DDoS attack was on the news-feed website Feedly, where the assault swarmed the website’s RSS (Rich Site Summary) provider to take over its server and, in turn, shut down the site.
These attacks don’t always result in the theft of information, but the downtime in a company’s system can result in lost revenue, a standstill in productivity and damage to customer loyalty. If the attack is personal, it can continue even after a website or service has moved to an alternate IP range. This has happened with some companies that ultimately went out of business because they were not able to stop the attack.
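Schemanski's point that a flood spread across many individual systems is hard to stop by blocking addresses can be seen in a small simulation. The script below is an added example for this page, not code from any of the experts quoted. It models a per-source token-bucket rate limit in front of a server with fixed capacity and compares the same total attack volume delivered from one source and from a thousand bots. The numbers (5 requests/s sustained and a burst of 10 per source, 100 requests/s of server capacity, 10,000 attack requests/s) are assumptions chosen for illustration, and the "bot-N" and "legit-user" identifiers are constructed, not real addresses.

```python
class PerSourceRateLimiter:
    """Token bucket per source: `rate` requests/s sustained, at most `burst` at once."""

    def __init__(self, rate, burst):
        self.rate = rate
        self.burst = burst
        self.buckets = {}  # source -> (tokens, time of last request)

    def allow(self, source, now):
        tokens, last = self.buckets.get(source, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1:
            self.buckets[source] = (tokens - 1, now)
            return True
        self.buckets[source] = (tokens, now)
        return False


def simulate(limiter, attackers, requests_per_attacker, seconds=5, capacity=100):
    """Fraction of one legitimate user's requests served behind the limiter.

    Each second every attacker sends `requests_per_attacker` requests and the
    legitimate user sends one. Requests the limiter admits compete for
    `capacity` server slots; the user's chance of being served is the share
    of capacity left once the admitted attack traffic is counted.
    """
    legit_served = 0.0
    for sec in range(seconds):
        admitted_attack = 0
        for j in range(requests_per_attacker):
            now = sec + j / requests_per_attacker
            for bot in range(attackers):
                if limiter.allow(f"bot-{bot}", now):
                    admitted_attack += 1
        if limiter.allow("legit-user", sec + 0.5):
            legit_served += min(1.0, capacity / (admitted_attack + 1))
    return legit_served / seconds


def compare(total_attack_rate=10000):
    """Same attack volume from one source vs. spread over a thousand bots."""
    single = simulate(PerSourceRateLimiter(rate=5, burst=10),
                      attackers=1, requests_per_attacker=total_attack_rate)
    distributed = simulate(PerSourceRateLimiter(rate=5, burst=10),
                           attackers=1000, requests_per_attacker=total_attack_rate // 1000)
    return single, distributed


if __name__ == "__main__":
    single, distributed = compare()
    print(f"legitimate requests served, single attacker:  {single:.0%}")
    print(f"legitimate requests served, 1000-bot botnet:  {distributed:.0%}")
```

Against one noisy source the limiter clips the flood to a handful of requests per second and the legitimate user is served every time. Spread the same volume over a thousand bots and each one stays comfortably under the per-source limit, so the limiter admits thousands of requests per second and the user gets through only a few percent of the time. That is the asymmetry a botnet buys an attacker, and why the text above says blocking addresses by region or country is not enough on its own.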
And so, as our experts have made clear, it’s a dangerous world out there on the Internet—where many villains are lurking in the shadows, and possibly even on your own computer. The good news is that although it may be impossible to guarantee safety, it is possible to greatly reduce the chances that you’ll fall victim to their nefarious schemes.
As Schemanski points out, a little forethought and caution can go a long way: “The best defense is a good offense, and users need to be proactive in maintaining their security online. If you avoid untrusted software and layer your defenses well, you can mitigate the vast majority of threats out there. Learn the lessons of history, and don’t end up as a zombie fighting for the enemy.”
And look on the bright side: maintaining good cybersecurity is a lot less messy than shooting the actual undead in the head.
Meet Our Experts
Rich Barger is the chief intelligence officer and director of threat intelligence at Cyber Squared Inc, in addition to being a former U.S. Army intelligence analyst and security consultant. In 2011, Barger launched the advanced threat intelligence platform ThreatConnect. Barger maintains a variety of professional industry certifications, and holds a Bachelor of Science (B.S.) degree in information-system security.
Andrew Avanessian is vice president of global professional services at Avecto. Prior to joining Avecto, Avanessian worked for a leading radio frequency identification (RFID) systems integrator, where he held a number of senior roles, including head of solutions architecture and consultancy services. Avanessian holds a B.S. honors degree in computer science, along with a number of industry-recognized qualifications, including Microsoft MCSE, MCSA, MCP and ITIL certification.
Dr. Engin Kirda is co-founder and chief architect at advanced malware protection provider Lastline and a computer science professor at Northeastern University. He has co-authored more than 90 peer-reviewed scholarly publications and served on program committees of numerous well-known international conferences and workshops.
Jared Schemanski has been with Nuspire Networks since January 2012, where he serves as a security information and event management (SIEM) administrator on the security analytics team, specializing in research and development.
Daniel Weis has over 17 years of experience in IT in a range of different industries, and was hand-picked by the EC Council to be one of the first 10 in the world to undertake the “Certified Ethical Hacker Version 7 (CEH v7)” training. Weis holds an additional 18 industry certifications, and in his spare time, undertakes research on the cybercrime underground.
Andrew Bagrin is the founder and CEO of My Digital Shield (MDS), a provider of Security-as-a-Service (SECaaS) for small businesses. With more than 17 years of experience in the IT security industry, Bagrin started MDS in 2013 to bring cloud-based, enterprise-level security technology to small businesses at an affordable price. Prior to founding MDS, Bagrin worked for Fortinet, Regal Entertainment Group and for Check Point Software Technologies.
‘Zombie’ icon created by Jarrett Matthews. Image designed by Stephanie Hall.