My computer is a zombie. My IP has been blacklisted as a spammer. I
am not and never have been a spammer. I don’t know how to liberate my
computer. The spammy network grabs control for 48 to 72 hours at a
time, and won’t let me log on to the internet. My ISP is unfamiliar
with zombies.
Unfortunately, while your visible symptoms are more severe than
most, what you’re experiencing is frighteningly common. It seems like
every day there’s another study out showing that some incredibly high
percentage of machines are infected with malware that can turn them
into zombies at a moment’s notice.
I’ll look at exactly what we mean when we say “zombie”, how to tell
if your machine is one, how to prevent it and how to try to recover if
your machine has been taken over.
]]>
<
The analogy’s not perfect, but it’s not bad. Once infected, your computer can also become a zombie and join a legion of other zombie machines with a single minded purpose to follow the instructions provided to it by a “zombie master” – a person remotely controlling a network of infected computers, also often called bots – a botnet.
That single minded purpose? Sending spam. Lots and lots of spam. The remote controller of a botnet will periodically instruct all the infected machines that are part of that network to send spam, or worse.
How do you know if your machine has been infected?
It’s not always as obvious as the situation we’re faced with here. In this case, the machine becomes unusable for hours at a time, as the spam-sending completely clogs the network connection. Having your ISP “blacklist” your IP address, or as I’ve also seen, block port 25 so that you can’t send mail without additional configuration, is another strong clue.
Zombies are nothing more than a special class of malware like a virus or spyware. That means that in general, the anti-malware software you should be running should be catching any attempts to infect your system and set up a zombie. Naturally, it’s critical to keep your machine’s anti-malware software up-to-date, both the software and the databases that are used. Like all malware, new forms of zombie infections are cropping up every day, and you need to keep things current to stay on top of it.
How can you prevent an attack of the zombies?
As I said above, zombies are just another form of virus or malware. All of the usual precautions that keep you from getting infected with anything apply to keeping zombies at bay:
-
Keep Windows up-to-date. The majority of successful infections occur on unpatched machines.
-
Get behind a firewall – ideally a router, or a software firewall.
-
Run up-to-date anti-spyware and anti-virus software. I have to stress the up-to-date part – a year old, or even a month old, database won’t protect you from this week’s latest threats.
-
Practice safe computing. Don’t open attachments you’re not expecting or aren’t 100% sure of. Don’t fall for phishing attacks, click on popups you don’t know are safe, or visit questionable web sites.
Hopefully, for most of you reading, this means simply “keep doing what you’re doing”.
What if it’s too late, and a zombie has taken over?
Once again, it’s just another virus, so all the normal virus cleaning rules apply – including the one we never like to think about: once you’re infected with anything, you can never be 100% certain that you’ve cleaned it off.
And that means that once infected the only way to be sure is to backup, and completely reformat and reinstall Windows and everything else.
That’s extreme, and in many cases impractical. The alternative is to scan with multiple different anti-malware tools (at least one of which that detects the infection to start with), and then keep scanning and rescanning until they all report clean.
Hopefully you also have a recent backup at hand in case cleaning is unsuccessful, and you have to reformat anyway, or in case cleaning involves removing something important.
The folks at Trend Micro have a couple of free tools that might help: HouseCall and RUBotted.
http:// http://www.trendsecure.com/portal/en-US/tools/security_tools/housecall
http:// http://www.trendsecure.com/portal/en-US/tools/security_tools/rubotted
IF your solution is to wipe and rebuild the computer remember your backup maybe infected.
Use caution when restoring your backed up data.
I hate to prove my ignorance but I don’t see what’s good about an image backup to restore from a malware infection. I can see how you might restore data files but you can never use the image to restore anything that has to be installed. Can you? You’re back to format, install, update etc. I would say this is almost impossible on a dial-up. You’d be old and gray before you finished and then it might happen again right away. That’s why I like to deal face to face with local brick and mortar computer stores. They can fix things.
18-Mar-2009
In prescribing recovery for a machine already infected with malware, Leo counsels a backup for the infected machine before a complete format of its boot drive and reinstallation of Windows.
However, the logic of this escapes me, since the malware almost certainly will be imaged to the backup, and if the image is ever restored, so will be the malware.
The only possible defense of this approach is when the user has NO backup of any kind of system data, and must make one before the format, or lose the data. In that case, the user should restore selectively only the data required, but not the whole image.
Anyone contemplating this process should understand the difference between restoring a full image and a restoring selectively.
18-Mar-2009
These are very helpful tips and i would like to another.
If you purchased a computer second hand you may have received very genuine looking restore disks that were silk screened by a resourceful scammer.
Always purchase restore media from the manufacturer’s site secure and time-saving as all the needed drivers are in one place.