2005 was not an exceptional year for Windows security—or
Internet security in general, for that matter—and 2006 isn’t looking
to be much better. While the year may have been profitable for Internet
security companies, corporations and average computer users continued to suffer
from virus and worm outbreaks and the continuously growing threat of malware.
It didn’t help that 2005 went out with a bang, when a zero-day Windows
exploit that emerged during the holiday season caused a mad dash to secure
systems. The critical vulnerability, which stems from how the OS renders Windows Meta File images, caught everyone by
surprise, resulting in more than a million compromised PCs.
In fact, a few antivirus and security companies, including
the SANS Institute’s Internet Storm Center and F-Secure, recommended installing an
unofficial fix authored by Russian software developer Ilfak Guilfanov rather
than wait for Microsoft to get around to releasing the patch. It was a rare
move from security vendors, and I don’t recall it ever happening before.
However, it only highlights the serious nature of the
vulnerability. Zero-day vulnerabilities are critical threats, and they genuinely
require immediate attention. In the end, Microsoft actually released its fix for
the WMF vulnerability several days earlier
than expected, but not before many users turned to the unofficial fix.
Of course, in retrospect, the zero-day exploit isn’t too
surprising. Malware authors love the holidays—what better time to increase the
likelihood of a worm or virus spreading?
And then there’s all those brand-new Windows systems connecting
to the Internet for the first time. While most TechRepublic members know that
preinstalled Windows systems are vulnerable to a variety of exploits and recognize
that someone could remotely take over the system within minutes of connecting
to the Internet, it’s important to remember that the majority of mainstream
computer users do not share this knowledge.
And depending on the malware, a newly infected computer can
mean much more than annoying pop-ups. More than a few viruses and worms connect
to an Internet Relay Chat (IRC) channel to listen for instructions—and join a
legion of other compromised Windows systems.
Known as botnets,
these groups of compromised computers are a growing threat on the Internet.
They are the tools of the trade for all manner of extortion and junk e-mail
relaying on the Internet, and they are growing in numbers.
In fact, law enforcement has long been aware of this immense
threat and has been actively working to shut down botnets for a while. For
example, the objective of Operation Spam
Zombies, a U.S.-sponsored initiative launched by the Federal Trade
Commission (FTC) last year, is to put a stop to the compromised Windows
computers used to relay junk e-mail.
However, I’ve been critical of this proposal from the start
because it doesn’t highlight the real risk of these so-called zombie systems, which malicious hackers
can control remotely for their own nefarious deeds. In reality, junk e-mail comes
in at the bottom of my list of Internet security threats—but compromised
computers controlled through IRC are at the top.
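The two behaviours described above, a compromised PC reaching out to an IRC server to wait for commands and the same machine relaying junk e-mail to many different mail servers, are both visible in ordinary outbound connection logs. The following is an added example, not code from the original column: it parses a constructed log format, flags hosts with outbound connections on common IRC ports, and flags hosts that open SMTP sessions to an unusual number of distinct mail servers. The log format, the sample lines, the port list and the distinct-destination threshold are all assumptions made for this example.

```python
"""Flag hosts showing botnet-style behaviour in outbound connection logs.

Added example (not from the original column). Two patterns are checked:
a host connecting to an IRC server (a candidate for remote control), and
a host talking SMTP directly to many distinct mail servers (a candidate
spam relay). Log format, thresholds and sample lines are constructed.
"""
from collections import defaultdict
import re

# Constructed log format: "<time> <src_ip> -> <dst_ip>:<dst_port> <proto>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)\s+(?P<proto>\w+)$"
)

IRC_PORTS = {6665, 6666, 6667, 6668, 6669, 6697}  # common IRC service ports
SMTP_PORT = 25
# Assumed threshold: a workstation opening SMTP sessions to this many
# distinct mail servers behaves like a relay, not like a mail client that
# only talks to its own provider.
SMTP_DISTINCT_DST_THRESHOLD = 5

# Constructed sample log: .20 is ordinary web browsing, .37 shows both
# patterns, .50 only talks to the local mail server, last line is garbage.
SAMPLE_LOG = """\
10:00:01 192.168.1.20 -> 203.0.113.10:80 tcp
10:00:02 192.168.1.20 -> 203.0.113.11:443 tcp
10:00:05 192.168.1.37 -> 198.51.100.5:6667 tcp
10:00:06 192.168.1.37 -> 203.0.113.21:25 tcp
10:00:06 192.168.1.37 -> 203.0.113.22:25 tcp
10:00:07 192.168.1.37 -> 203.0.113.23:25 tcp
10:00:07 192.168.1.37 -> 203.0.113.24:25 tcp
10:00:08 192.168.1.37 -> 203.0.113.25:25 tcp
10:00:08 192.168.1.37 -> 203.0.113.26:25 tcp
10:00:09 192.168.1.50 -> 192.168.1.2:25 tcp
10:00:10 192.168.1.50 -> 192.168.1.2:25 tcp
this line is garbage and should be skipped
"""


def parse_log(text):
    """Yield (src, dst, port, proto) tuples, skipping lines that don't match."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (m.group("src"), m.group("dst"),
                   int(m.group("port")), m.group("proto"))


def analyze(text):
    """Return {src_ip: sorted list of findings} for hosts worth a closer look."""
    irc_dsts = defaultdict(set)   # src -> IRC servers contacted
    smtp_dsts = defaultdict(set)  # src -> distinct mail servers contacted
    for src, dst, port, proto in parse_log(text):
        if proto != "tcp":
            continue
        if port in IRC_PORTS:
            irc_dsts[src].add(dst)
        elif port == SMTP_PORT:
            smtp_dsts[src].add(dst)

    findings = defaultdict(list)
    for src, dsts in irc_dsts.items():
        findings[src].append("irc-c2-candidate:" + ",".join(sorted(dsts)))
    for src, dsts in smtp_dsts.items():
        if len(dsts) >= SMTP_DISTINCT_DST_THRESHOLD:
            findings[src].append(
                f"spam-relay-candidate:{len(dsts)} mail servers")
    return {src: sorted(notes) for src, notes in findings.items()}


if __name__ == "__main__":
    for host, notes in sorted(analyze(SAMPLE_LOG).items()):
        print(host, *notes, sep="  ")
```

Running the block flags only 192.168.1.37, with both an IRC finding and a spam-relay finding; the host that sends mail only through its local server is left alone. On a real network the same logic would be fed from firewall or flow exports, and the IRC port list would be a starting point rather than a complete rule, since a bot can be told to use any port.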
Botnets are useful for all kinds of destructive Internet
activity, either by individuals or organized cyberspace criminal gangs. Jeanson
James Ancheta, who recently pleaded guilty to operating a large botnet for both
extortion attempts and installing spam-relaying malware, is only one member of
the highly organized “Botmaster Underground,” a covert group of hackers skilled
in bot attacks who regularly rent out the use of their zombie Windows systems
for all types of illicit activity.
Of course, spam relaying is undoubtedly annoying, but it’s
merely a byproduct of these botnets controlled from a single source. And while
law enforcement should continue to focus on shutting down botnets, we can’t
stop looking for a way to prevent compromised Windows systems in the first
But this problem, unfortunately, is much more difficult to
solve. I planned to gather some statistics about these compromised Windows
systems until a coworker reported that CipherTrust had
beaten me to the punch. CipherTrust’s
ZombieMeter tracks traffic from zombie PCs around the world.
Regardless of statistics, it should be clear that Internet
security as a whole almost entirely depends on the security of Microsoft
Windows—whether or not it’s actually your chosen OS. This alone has led many users to
suggest a potential antivirus conspiracy; they argue that entire sectors of the
“Microsoft economy” centered around Internet security would collapse
if Windows were truly secure.
While I tend to disagree,
compromised Windows systems do represent the largest threat to the Internet as
a whole. Organized and controlled as botnets, these systems are essentially
Internet weapons of mass destruction. And that’s why, when it comes to programs
such as Operation Spam Zombies and other law enforcement initiatives, junk
e-mail needs to take a back seat to the more insidious threat of botnets.
Miss an issue?
Check out the Internet Security Focus
Archive, and catch up on the most recent editions of Jonathan Yarden’s
Jonathan Yarden is the
senior UNIX system administrator, network security manager, and senior software
architect for a regional ISP.