SoftScan, an anti-virus, anti-spam company, told the New York Times recently that zombified machines belonging to college students are behind a rise in spam that was observed last month.
The Times quotes Diego d’Ambra, CTO at SoftScan, as saying that students are coming back to school pre-infected. Once they plug into the high-speed networks available at campus, their systems are turned into zombies that start spewing spam—which SoftScan said increased 39 percent in September.
It’s not that students don’t turn their machines on all summer, mind you.
Rather, bot herders have sophisticated technology in place that can detect how fast a bot’s connection is. If that connection changes over time—if, say, a student is poking around at her parent’s house with dial-up all summer and then comes back to school and the campus network’s zippy broadband—the herder detects the increased bandwidth, and that zombie PC suddenly becomes a much more useful tool for sending spam or engaging in other nefarious activities, as pointed out by SecureWorks Director of Development Wayne Haber when I asked him about it.
I talked to Craig Schmugar, threat research manager for McAfee’s Avert Labs. He noted that a period a couple years ago was the heyday of self-executing worms, such as Sasser. If you put an unpatched box on a network it would be pwned very quickly. But nowadays, infection by malware such as the Storm worm requires more interaction—a student would have to do something like click on an invitation to view an online greeting, for example, and would then visit a site and get infected with the programs necessary to turn his box into a bot.
That manual interaction has slowed the rate at which infections occur.
On top of that, with broadband use growing, it’s unlikely that a huge mass of students, when they return to school, are moving off of dial-up to become newly enticing targets with their much faster connections.
“[The switch to faster networks] probably still plays a factor; just not as extreme as a few years back,” Schmugar said in a recent conversation. “Worms don’t propagate automatically like that” anymore.
If there is in fact a spike in the number of students’ systems that are being herded into botnets when they return to school in the fall, it’s likely due to the fact that a box on a campus network is the jumping-off point to potentially thousands of other targets.
“If you’re on the inside of a university network, and your machine is in a dorm, you may have access to dozens or hundreds of local machines, which [malware and botnet herders] can start attacking as well,” Haber said.
“The more significant factor is to take a machine that was the only system, or one of two to three, on a home network, and to move it to an environment of hundreds or thousands of machines on a network in different states of being patched and of running security software,” Schmugar said. “The new students coming in, there’s a greater chance of having new computers, and those might not have firewalls. It’s a more diverse network environment, with a greater opportunity for machines to be attacked. Maybe not successfully, but at least there’s more traffic thrown at machines.”
Another helpful thing about campuses, of course, is that they have loads of systems left on around the clock in their labs. Universities also have the added stickiness of trying to administer security policies for a constantly shifting population, with visiting scholars coming and going and a variable range of access rights necessary for staff and students.
So there you have it: Campuses full of zombie PCs adding to the botnet plague. As if university network system administrators didn’t already have enough to worry about.