October 1, 2008  

Zombies at war

Botnets can do more than attack enemy networks

A botnet is a geographically distributed group of computers, individually called zombies (or bots), that mindlessly carry out instructions issued by a single controlling computer called the command-control (the command-and-control server, or C&C, in security parlance). In the past, botnets have been leveraged with great success by spammers: The command-control instructs thousands of zombies to send hundreds of e-mails apiece to random e-mail addresses, resulting in a deluge of spam that cannot be stopped by blocking any one sender.

However, since early 2007, spammers have also been turning their botnets against the people fighting them, temporarily and illegally knocking various anti-spam Web sites off the Internet by flooding them with bogus traffic (what security engineers call a distributed denial-of-service, or DDoS, attack). In doing so they have inadvertently demonstrated the capability of botnets to act as weapons in cyberspace.

Nations must be prepared to engage in cyberconflicts, and botnets may prove to be indispensable additions to the U.S. military's cyberarsenal. In “Carpet bombing in cyberspace” [AFJ, May], Air Force Col. Charles W. Williamson III made a compelling argument for using botnets to disable small sections of the Internet belonging to the enemy, using techniques similar to the ongoing attacks being waged by spammers. This targeted cyberattack is the best-known military use for botnets. However, botnets can also serve other offensive and defensive purposes, such as concealing the activities and locations of U.S.-organized hacking efforts or secretly performing reconnaissance on enemy networks.

Leveraging these other capabilities requires a paradigm shift. The prevailing view of botnets considers all zombies as belonging to a large, mindless horde of computers that, like the legions of zombies portrayed in movies, wreaks destruction simply by overwhelming and overrunning its hapless victims. Spamming strategies spring from this paradigm: Each zombie mindlessly floods as many inboxes as possible with random e-mails, in much the same way as movie zombies chomp down on as many humans as possible before being dispatched with a blow to the head. Similarly, the much publicized cyberattack that Williamson describes, a distributed denial-of-service attack, works by pointing the botnet zombie horde at a single computer. The victim expends so much effort answering the zombies' requests that it cannot respond to legitimate computers on the network. When the target is a server or router, it effectively vanishes from the network for the duration of the attack, taking with it every resource it manages.

The trouble with the horde view of botnets is its failure to recognize that zombies actually do differ according to the location and ownership of the computer. A zombie in an accountant’s office in Des Moines, Iowa, has a very different view of the world compared with a zombie sitting in a Chinese government research laboratory in Beijing. The information on their respective hard drives, the computers they are near, and the people and applications that make use of them are all dramatically different. Viewed in this way, zombies are outposts whose strategic value is largely determined by the network to which they belong and the jobs with which they are routinely entrusted. Correctly designed, a botnet can leverage its zombies as outposts in order to provide very powerful military capabilities.

One such capability is the concealment of nationally organized hacking efforts. Hacking is a precise technique capable of obtaining classified or otherwise secret information, or of seizing control over aspects of enemy infrastructure that can then be used for a variety of purposes. Though the major objective of hacking is to gain access to some set of resources on a target computer, an important measure of success is whether the attack was perpetrated without the identity of the hacker being discovered. Were the source of the attack determined, ramifications could include enemy retaliation, international condemnation of the perpetrator or public outcry. Attacks made through a zombie outpost near the target computer conceal the hacker's identity because, on the evidence available to the victim, the attack can be traced only back to the zombie, not to the location from which it was launched. (The concealment is not absolute: a forensic examination of the zombie, or a capture of its traffic to the command-control, can extend the trail one hop further.) If the selected zombie outpost belongs to the enemy, it might also be possible to mask the fact that an attack had occurred at all, since the intrusion would appear to originate from inside the enemy's own network.


Whereas hacking necessarily involves breaking into a computer, zombie outposts can also be used for passive reconnaissance in which no detectable action by the outpost need be taken. By quietly monitoring the data flowing through the network to which it belongs, a zombie outpost can collect information about the nature of that network. (A zombie can see only the traffic that reaches its own network interface; on a modern switched network that is largely its own conversations and broadcast traffic unless the outpost sits on a router, gateway or other chokepoint, so where an outpost sits determines much of what it can observe.) Many zombies, globally distributed and reporting back to the command-control computer, would collectively function as a distributed listening device. Such a configuration could provide a variety of useful services, ranging from Internet “weather” reporting to determining how enemy network usage changes over time to detecting and warning of cyberattacks before they arrive at their target.
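To make the "distributed listening device" concrete, here is an added example that is not part of the original article and not the author's design: a small simulation in which several hypothetical outposts (named outpost-A, -B and -C, an assumption for the demonstration) each count the new connections they see toward each destination during a time window and report those counts to a central collector. The collector combines the reports and raises a warning when a destination's traffic climbs far above its earlier average and the rise is visible from several independent vantage points, which is the early-warning use sketched above. The report data, destination names, ratio and sensor thresholds are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Report:
    sensor: str   # hypothetical name of the reporting outpost (constructed)
    window: int   # time-window index (say, one per minute)
    dst: str      # destination host the outpost saw traffic toward
    flows: int    # new connections toward dst observed in that window


@dataclass(frozen=True)
class Surge:
    dst: str
    window: int
    total: int        # flows toward dst in the window, summed over all sensors
    baseline: float   # mean per-window total over the earlier windows
    sensors: tuple    # outposts that each saw the rise from their own vantage point


def _index(reports):
    """Arrange reports as {dst: {window: {sensor: flows}}}, summing duplicates."""
    index = defaultdict(lambda: defaultdict(dict))
    for r in reports:
        seen = index[r.dst][r.window]
        seen[r.sensor] = seen.get(r.sensor, 0) + r.flows
    return index


def detect_surges(reports, window, ratio=5.0, min_sensors=2):
    """Return a Surge for every destination whose traffic in `window` exceeds
    `ratio` times its earlier per-window average AND whose rise is seen by at
    least `min_sensors` different outposts. The second condition filters out
    anomalies visible from only one vantage point (e.g. a local scan)."""
    surges = []
    for dst, windows in _index(reports).items():
        earlier = [w for w in windows if w < window]
        if window not in windows or not earlier:
            continue  # nothing to compare against yet
        current = windows[window]
        baseline = mean(sum(windows[w].values()) for w in earlier)
        total = sum(current.values())
        if total <= ratio * baseline:
            continue
        # Which outposts saw the rise relative to their own history?
        elevated = []
        for sensor, flows in current.items():
            own_history = [windows[w].get(sensor, 0) for w in earlier]
            if flows > ratio * mean(own_history):
                elevated.append(sensor)
        if len(elevated) >= min_sensors:
            surges.append(Surge(dst, window, total, baseline, tuple(sorted(elevated))))
    return sorted(surges, key=lambda s: s.dst)


def _constructed_reports():
    """Constructed sample data: three quiet windows, then a fourth in which
    www.example.org is flooded from everywhere while dns.example.org spikes
    at a single outpost only."""
    sensors = ("outpost-A", "outpost-B", "outpost-C")
    quiet = {"www.example.org": (10, 12, 8),
             "mail.example.org": (5, 5, 5),
             "dns.example.org": (3, 3, 3)}
    window3 = {"www.example.org": (400, 380, 420),
               "mail.example.org": (6, 4, 5),
               "dns.example.org": (100, 3, 3)}
    reports = []
    for w in range(3):
        for dst, counts in quiet.items():
            reports += [Report(s, w, dst, n) for s, n in zip(sensors, counts)]
    for dst, counts in window3.items():
        reports += [Report(s, 3, dst, n) for s, n in zip(sensors, counts)]
    return reports


SAMPLE_REPORTS = _constructed_reports()

if __name__ == "__main__":
    for s in detect_surges(SAMPLE_REPORTS, window=3):
        print(f"warning: {s.dst} drew {s.total} flows in window {s.window} "
              f"(baseline {s.baseline:.1f}); seen by {', '.join(s.sensors)}")
```

Run as written, the collector warns only about www.example.org: its traffic rose fortyfold and all three outposts saw it. The one-outpost spike toward dns.example.org is suppressed by the `min_sensors` rule, which is the point of having many vantage points rather than one; a real deployment would replace the fixed ratio with a baseline that tracks time of day and would rate-limit or batch the outposts' reports so that the reporting itself does not give the listening device away.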

However, achieving these attractive capabilities requires government invasiveness on a global scale that many will find unacceptable. The utility of a botnet is directly proportional to how widely its zombies are spread throughout the Internet. For a computer to become a zombie, it must be infected with a special malicious program, called an agent, that responds to whatever instructions the command-control provides. Thus, a powerful government botnet will implicitly consist of a vast, global legion of agent-infected computers. For such a botnet to provide discreet hacking outposts worldwide and to be able to report the status of any network in the world, it must have zombies situated in every corner of the Internet. This means the zombie-making agent must infect computers indiscriminately, seeking all computers with equal intent, whether they be the laptops of CEOs, office desktops in Europe, laboratory computers in Japan or home entertainment systems in America.

This indiscriminate and ubiquitous compromise of privacy and digital autonomy for national security is, certainly, a very high price to pay for a fully functional botnet. However, in the coming years, cyberconflicts may escalate in their frequency and severity, and the U.S. may have to consider weapons to defend itself. Future generations of botnets, designed with the ability to leverage the resources of individual zombies, offer tremendous capabilities for fast, precise and effective military action in cyberspace.

Derek Ruths is a computer scientist at Rice University in Houston.