Free program can rescue computers
Monday, October 8, 2007
Computer scientists in Menlo Park are releasing a free diagnostic program today to help network administrators find PCs infected with an insidious new type of virus that has already tainted millions of computers and used them to generate billions of spam e-mails.
Since this malicious program, variously called Peacomm or the Storm Worm, appeared in January, it has infected upward of a million PCs, each capable of sending out about 28,000 spam e-mails a day, according to Phil Porras and Vinod Yegneswaran, computer scientists at SRI International in Menlo Park, the nonprofit think tank that is releasing the newest version of its BotHunter tool.
A botnet is the nickname given to illicit computer networks created by malicious hackers who write a type of program called malware. Once the malware gets onto a PC, it hides and creates a sort of electronic alter ego that surfs or otherwise connects to the Internet - without the knowledge or involvement of the PC's human owner.
These infected PCs are called zombies because they take orders from afar, and what makes Peacomm such a particular annoyance is that it uses infected PCs to send out spam e-mails, which not only annoy recipients but slow down the infected PC in subtle ways that may escape the attention of the owner, Porras said.
Peacomm also uses some new tricks to cloak the Internet server, or mother ship, that controls its vast network of zombies. Porras said this has helped it grow, because the current bot-killing strategy - trace commands back to the server and take it off the Internet - has not worked, since the mother ship has so far been able to conceal its location.
So the new SRI tool tries to attack the problem from the other end, by giving network administrators at corporations, schools and other institutions the ability to find infected computers on their networks and take steps to cleanse them, Porras said.
But the tool is not intended for use by consumers who get their high-speed connection from an Internet service provider such as Comcast or AT&T. Instead, it would be up to the ISPs to download this tool, or use some other means to find Peacomm-infected PCs, said Johannes Ullrich, chief research officer for the Internet Storm Center, a network security organization.
But even if an ISP finds Peacomm-infected zombies in its network, there is no cheap or easy way for the company to fix the consumer's problem, Ullrich said.
"When the user calls in, it costs about $50 and wipes out one year of profit from that customer," Ullrich said.
Not surprisingly, the Bay Area's big ISPs, Comcast and AT&T, were eager to point consumers to their Web sites and suggest that all the protections and answers were to be found there.
Comcast spokesman Andrew Johnson said all of the company's Internet subscribers have access to a free copy of the McAfee anti-virus program that, he said, could detect and defeat Peacomm. AT&T spokesman John Britton pointed consumers to a similar set of online protections available through its alliance with Yahoo.
Ben Greenbaum, senior research manager for Symantec, another security program vendor, said his company's anti-virus tools can also detect and defeat Peacomm.
But the SRI researchers who put out the BotHunter tool say this particular malware changes itself so often that they fear anti-virus tools may be falling behind, which puts more onus on network administrators - whether they run a corporate net or an Internet service community - to scour their networks for Peacomm.
"This is very close to a vaccine," said Rick Wesson, an Internet security expert with Support Intelligence in San Francisco.
How to keep your PC bot-free
The new SRI tool is designed to be used by network administrators, who can download it for free at www.cyberta.org/BotHunter.
Here are some simple ways for individual users to safeguard home PCs against bots that turn them into remotely controlled zombies.
-- Never open an e-mail message from an unknown sender.
-- Install and regularly run an anti-virus program.
-- Turn on the firewall in your Windows PC and consider installing a hardware firewall as well.
-- Comcast customers with security questions can visit www.comcast.net/security.
-- AT&T customers with security questions can visit onlineprotection.yahoo.com/sbc.
E-mail Tom Abate at firstname.lastname@example.org.
This article appeared on page C-1 of the San Francisco Chronicle.