FTC plans international 'zombie'-awareness campaign

The U.S. Federal Trade Commission (FTC), in conjunction with regulatory bodies in about 30 countries, is about to launch a new education campaign directed at ISPs. Its message? The zombies are out of control.

Free IT resource Virtualization Insights from Top Experts - Learn how virtualization gets real! Sponsored by Dell Free IT resource TechNet: More ways to know it, share it, and keep it running. Sponsored by Microsoft

These "zombie" networks account for a large percentage of unsolicited e-mail being sent on the Internet, said Don Blumenthal, Internet lab coordinator at the FTC. "I've seen estimates that anywhere from 80 to 90 percent of the spam out there is processed through (zombie networks)," he said. "It is certainly a critical problem."

Attackers use malicious software distributed over the Internet to gain control over unsecured PCs and servers. They then use these "zombie" systems to do things like launch denial of service (DoS) attacks, or send unsolicited e-mail, generally without the knowledge of the system's owner.

An average of 157,000 new zombies are identified each day, and much of the unwanted zombie activity is now coming from outside of the U.S., according to security company CipherTrust Inc.

The FTC will launch the campaign Tuesday in conjunction with many of the same agencies that participated in its "secure your server" antispam campaign last year, including agencies from Europe, Asia, and Latin America, Blumenthal said.

As part of the campaign, the FTC will send out letters to about 3,000 ISPs asking them to examine the flow of their network traffic in order to identify potential spammers and to prevent some users from setting up servers that use the Internet standard "port 25" number to identify themselves as e-mail servers.

The FTC has also entered into a six-month contract with ICG Inc. to help notify ISPs of potential spam problems on their networks, Blumenthal said. Starting in about a month, the Princeton, N.J., cyber-investigation company will begin searching for the sources of unsolicited e-mail and notifying ISPs around the world of any problems that can be traced to their networks.

Many of the FTC's recommendations are already being implemented by ISPs, but the agencies involved would like to see them more widely adopted. Corporate e-mail administrators would benefit from adopting the techniques as well, Blumenthal said.

Blumenthal would not comment on what, if any, regulatory measures the FTC was considering to address the zombie problem. "This is an educational campaign, and that's really all it is," he said.