Why Your Zombie Computer Went Evil
ALISON STEWART, host:
The word "botnet" is one of them there (inaudible), the combo of words "robot" and "network," to create a name for a big collection of computer applications, network, software that does things autonomously. A botnet - sounds good in theory, unless a botnet goes evil, then the botnet can turn computers into what those in the biz call "zombies." Botnets are making a rise in the world of malware.
By one count, 40 percent of the 800 million computers connected to the Internet are bots behaving badly, sending spam, stealing information, and then infecting others, and they just creep right up on you, and you might not even notice it. To help us better understand the botnet, both good and evil, we've called up Joe Stewart, senior security researcher with SecureWorks, an information security firm. Hi, Joe.
Mr. JOE STEWART (Senior Security Researcher, SecureWorks): Hi, Alison.
STEWART: So, I gave a really basic definition of a botnet. Will you flesh that out for us a bit?
Mr. STEWART: Sure. Well, a botnet is a group of bots, which are just automated computer programs, and they're sometimes called zombies, as you mentioned, or some people call them "drones." But the key thing about the botnet is that all of these bots are controlled by one individual, or sometimes a group, and they act in a coordinated way. So, they're able to carry out tasks that a single computer by itself couldn't do.
STEWART: For example?
Mr. STEWART: Well, see, botnets could be used for good or bad, so, for instance, you might look at the botnet that's run by Stanford. They try to solve problems that could lead to cures for diseases, and there's one run by the SETI Project, where bots look for unusual signals in the data that are captured by SETI's radio telescopes.
STEWART: So, those are the good uses of botnets, but like many things, there are unintended consequences, and botnets can be used for evil. Can you give me an example?
Mr. STEWART: So, the kind of botnets that might be run by criminals are the ones that most people are talking about when they use the term botnet. So they might be talking about the Storm Botnet, which is one that has been big in the news here. It's gone back for several years. I looked at one called "So Big." There's one in the news lately called "Mega D." So there's lots of different botnets out there all doing different things.
STEWART: All right. Explain to our folks why Storm Botnet is in the news for behaving badly.
Mr. STEWART: Well, Storm just came on the scene last year, and it really just made a big impact in the amount of email it was generating. So Storm is designed to send spam, but it also sends links to itself so that it can infect more users.
STEWART: So it kind of feeds itself?
Mr. STEWART: Yeah. It just had such a big email list, and trying to go out there and collect new users, and every time a new user would get infected, all the email addresses from that person's hard drive would then be used to send it out to more people. So, it just grew really big, really fast.
STEWART: You mentioned a couple of different botnets. Are there just loads of them out there waiting to infect my computer?
Mr. STEWART: Yeah. There actually are loads of them out there. There's just hundreds of them. And there's a few big ones, there are a lot of small ones, and they're all out there just to do one of just a few different things, basically.
STEWART: Now, is there any way that I can figure out that my home computer has been commandeered by a botnet - has been brought into the botnet army and turned evil?
Mr. STEWART: It's difficult. Sometimes you might be able to tell. Let's say, if they're sending out a lot of spam, it might actually slow your computer down and it may be a little more unresponsive than normal. But usually you don't see any indication that tells you. They don't want you to know that you're infected because they want to stay on your computer as long as they can.
STEWART: We have a question coming out of our control room wanting to know if Macs are vulnerable.
Mr. STEWART: Macs, they are vulnerable, but they're not as big of a target. So anybody can write a program and run it on any operating system, whether it's Windows, or Mac or Linux, so they can certainly write bots for Mac, and a few people have, but there's not as many Mac users out there. It's mainly Windows users that are the target right now.
STEWART: We're talking to Joe Stewart, who's a senior security researcher with SecureWorks, an information security firm. And we should point out that part of what your business is, is to fight these botnets. How does one do that?
Mr. STEWART: Well, the way that most people have to fight them is to, on one hand, try to identify the users that are infected with them. So we try to detect the kind of traffic they're sending out on the network, and try to identify anybody that's infected, and get them clean. And on the other hand, it's trying to shut down their command and control points. So we try to identify where they're being controlled from, and go to those ISPs and get those command points shut down.
STEWART: Now, at this point, people who use botnets for malicious use, are they breaking laws? Which laws are they breaking, if they are?
Mr. STEWART: Usually they're breaking laws, at least in the U.S., but unfortunately, a lot of these botnet owners are located in countries where it's either not against the law, or the authorities don't really care about it that much.
STEWART: Is there something that I can do personally to my computer? Is there some sort of botnet prophylactic? Is there any way that I can keep my computer from getting infected?
Mr. STEWART: Well, unfortunately, no. As long as there are people out there that want to send spam or steal money, they need botnets. So you're never going to be completely safe. They are always going to try to find a way around your defenses. But you can reduce your risk of being infected if you do several things. So, you might already have an anti-virus scanner, right? But these - they're just not as effective as they used to be at catching these things early on.
That's because the criminals have anti-virus, too, so they're going to make sure their bots are not going to be detected before they even send them out. So you might not detect that you're infected for a week or a month later, and there's a good chance that it might have even disabled your anti-virus. So you've got to take additional steps.
You have to look at how this stuff gets on your computer in the first place, and it's one of two ways usually, either they are going to try and trick you into running a program, or they are going to get you automatically when you visit a website by taking advantage of weaknesses in your web browser, where they can get something to automatically install.
STEWART: All right, so the thing I can do personally is not to get tricked into clicking through to some website.
Mr. STEWART: Exactly, so you have to be suspicious of just about everything you receive. So, even if it's from someone you know, because, you know, guess what? Your friend might be infected with a bot, and the bad guys might be using his or her address book to find new victims, you know. This is what Storm did. So if you get an email with an attachment that you didn't expect from anybody, you know, email them back first and ask them about it.
STEWART: Good advice.
Mr. STEWART: Same goes for links.
STEWART: Good advice. Joe Stewart is a senior security researcher for SecureWorks. Thanks, Joe.
Mr. STEWART: You're welcome.
STEWART: Joe Stewart is also my dad's name. It was kind of fun to just call him Joe there.
NPR transcripts are created on a rush deadline by a contractor for NPR, and accuracy and availability may vary. This text may not be in its final form and may be updated or revised in the future. Please be aware that the authoritative record of NPR's programming is the audio.