In the movie “Night of the Living Dead” (the precursor to “The Walking Dead”), zombies are walking around the city attacking humans. If the humans are infected, they become zombies, too, and join in the chaos.
Strangely enough, the cyber world has exactly the same thing, except it is not fiction. It is real. It usually starts out with users getting this great free software program or clicking on a link that advertised an unbelievable deal. This means it sometimes comes in as a “Trojan Horse.” A Trojan Horse is an actual application that works as advertised, but it also has additional malware functionality that goes with it. The malware may also be distributed by using an email with a malicious hyperlink. The hackers have various methods to infect your machine.
Once infected, the fun begins. First, the software searches your computer for any useful information like credit card, bank account or other critical information. Critical information might be relatives’ names, birthdays, hometowns and other similar data that might help them answer your security questions. The information is sent to the hacker’s Command and Control (C2) server.
The really bad part about being a zombie victim is the C2 is not finished with you once it has your information. You are now part of the zombie botnet, which is a network of computing devices that infect other computers — perhaps everyone in your email address book. Or they might control your computer to perform a denial of service attack on a large corporation, rendering their network unusable.
You may ask how the C2 server can control your laptop once you are infected. The malware running on your computer is sending a “beacon” back to the C2 server. The activecountermeasures.com website defines beaconing as “the practice of sending short and regular communications from an infected host to an attacker-controlled host to communicate that the infected host malware is alive, functioning, and ready for instructions.” In other words, when your device is a zombie, your system communicates with the C2 server to see if there is any nefarious work for your device to perform.
Remember that the Trickbot network we discussed a couple of weeks back had over a million devices on their network. There are many other botnets with hundreds of thousands of devices. It’s very common. Almost all devices show no indication that they’ve been compromised, even though they are controlled by hackers. It’s shocking to think some of your devices may be part of the “Internet of Things” appliances botnet. Imagine that your refrigerator or your coffee maker could be a zombie in one of these botnets!
Unfortunately, most managed service providers are not looking for beacons, even though they are prevalent. Anti-virus won’t stop them, and firewalls won’t block them. In order to detect them, you need to be looking for them. Beacons have very specific characteristics: they phone home periodically, at regular intervals and with similar message sizes. Beacons can be detected, and there are some managed security service providers that know how to hunt them down and take them out.
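The two characteristics named above, regular intervals and similar message sizes, are exactly what a beacon hunt measures. The following is an added example, not code from the original column or from activecountermeasures.com, showing how a defender can score outbound connection records for those two traits. The connection records, the host addresses and the thresholds are all constructed for illustration; in practice the records would come from a firewall or network sensor log and the thresholds would be tuned to the environment.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample of outbound connection records:
# (timestamp in seconds, source host, destination host, bytes sent).
# These values are made up for the example, not captured traffic.
SAMPLE_CONNECTIONS = [
    # Beacon-like pair: roughly every 60 seconds, almost identical size.
    (0, "10.0.0.5", "203.0.113.10", 512),
    (61, "10.0.0.5", "203.0.113.10", 514),
    (119, "10.0.0.5", "203.0.113.10", 512),
    (180, "10.0.0.5", "203.0.113.10", 511),
    (242, "10.0.0.5", "203.0.113.10", 512),
    (299, "10.0.0.5", "203.0.113.10", 513),
    (360, "10.0.0.5", "203.0.113.10", 512),
    (421, "10.0.0.5", "203.0.113.10", 512),
    (479, "10.0.0.5", "203.0.113.10", 512),
    # Normal browsing pair: bursty timing, widely varying sizes.
    (5, "10.0.0.7", "198.51.100.20", 1400),
    (9, "10.0.0.7", "198.51.100.20", 300),
    (300, "10.0.0.7", "198.51.100.20", 9000),
    (310, "10.0.0.7", "198.51.100.20", 120),
    (311, "10.0.0.7", "198.51.100.20", 48000),
    (900, "10.0.0.7", "198.51.100.20", 700),
    (1500, "10.0.0.7", "198.51.100.20", 2500),
    (1503, "10.0.0.7", "198.51.100.20", 100),
    # Too few connections to judge either way.
    (50, "10.0.0.9", "192.0.2.50", 800),
    (110, "10.0.0.9", "192.0.2.50", 800),
]


def coefficient_of_variation(values):
    """Standard deviation divided by the mean; near zero means 'very regular'."""
    avg = mean(values)
    if avg == 0:
        return 0.0
    return pstdev(values) / avg


def score_pairs(connections, min_count=5):
    """Group records by (source, destination) and measure timing and size regularity.

    Returns a dict keyed by (src, dst) with the connection count, the
    coefficient of variation of the inter-connection intervals and the
    coefficient of variation of the bytes sent. Pairs with fewer than
    min_count connections are skipped because the statistics are meaningless.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, size in connections:
        by_pair[(src, dst)].append((ts, size))

    scores = {}
    for pair, records in by_pair.items():
        if len(records) < min_count:
            continue
        records.sort()  # order by timestamp before taking differences
        timestamps = [ts for ts, _ in records]
        sizes = [size for _, size in records]
        intervals = [b - a for a, b in zip(timestamps, timestamps[1:])]
        scores[pair] = {
            "count": len(records),
            "interval_cv": coefficient_of_variation(intervals),
            "size_cv": coefficient_of_variation(sizes),
        }
    return scores


def find_beacons(connections, min_count=5, max_interval_cv=0.2, max_size_cv=0.2):
    """Return the (src, dst) pairs whose timing and size are both highly regular.

    The thresholds are illustrative assumptions; a real hunt tunes them and
    then reviews each flagged destination rather than treating it as proof.
    """
    flagged = []
    for pair, s in score_pairs(connections, min_count).items():
        if s["interval_cv"] <= max_interval_cv and s["size_cv"] <= max_size_cv:
            flagged.append(pair)
    return sorted(flagged)


if __name__ == "__main__":
    for pair, s in score_pairs(SAMPLE_CONNECTIONS).items():
        print(pair, s)
    print("Beacon candidates:", find_beacons(SAMPLE_CONNECTIONS))
```

On the sample, only the 10.0.0.5 to 203.0.113.10 pair is flagged: its intervals vary by a few percent and its sizes barely change, while the browsing pair scores badly on both measures and the two-connection pair is skipped. The point of measuring both traits together is that legitimate software such as update checkers is also periodic, so a flagged pair is a lead for an analyst to review, not a verdict.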
Unlike the zombies in the “Night of the Living Dead,” there is a cure for this sickness in the cyber world. We do have the cyber equivalent of the Zombie Apocalypse Response Team.