Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

How do I stop my computer from being a zombie?

Question:

My computer is a zombie. My IP has been blacklisted as a spammer. I
am not and never have been a spammer. I don't know how to liberate my
computer. The spammy network grabs control for 48 to 72 hours at a
time, and won't let me log on to the internet. My ISP is unfamiliar
with zombies.

Unfortunately, while your visible symptoms are more severe than
most, what you're experiencing is frighteningly common. It seems like
every day there's another study out showing that some incredibly high
percentage of machines are infected with malware that can turn them
into zombies at a moment's notice.

I'll look at exactly what we mean when we say "zombie", how to tell
if your machine is one, how to prevent it and how to try to recover if
your machine has been taken over.

]]>

If you've ever watched an old B-movie about the dead rising as killer zombies, you've seen them: crowds of the undead shuffling along in a single minded search for "braaaiiins". Get bitten by one, and you too can be a zombie.

Night of the Living Dead: the classic zombie movie

The analogy's not perfect, but it's not bad. Once infected, your computer can also become a zombie and join a legion of other zombie machines with a single minded purpose to follow the instructions provided to it by a "zombie master" - a person remotely controlling a network of infected computers, also often called bots - a botnet.

That single minded purpose? Sending spam. Lots and lots of spam. The remote controller of a botnet will periodically instruct all the infected machines that are part of that network to send spam, or worse.

How do you know if your machine has been infected?

It's not always as obvious as the situation we're faced with here. In this case, the machine becomes unusable for hours at a time, as the spam-sending completely clogs the network connection. Having your ISP "blacklist" your IP address, or as I've also seen, block port 25 so that you can't send mail without additional configuration, is another strong clue.

"Zombies are nothing more than a special class of malware ..."

Zombies are nothing more than a special class of malware like a virus or spyware. That means that in general, the anti-malware software you should be running should be catching any attempts to infect your system and set up a zombie. Naturally, it's critical to keep your machine's anti-malware software up-to-date, both the software and the databases that are used. Like all malware, new forms of zombie infections are cropping up every day, and you need to keep things current to stay on top of it.

How can you prevent an attack of the zombies?

As I said above, zombies are just another form of virus or malware. All of the usual precautions that keep you from getting infected with anything apply to keeping zombies at bay:

  • Keep Windows up-to-date. The majority of successful infections occur on unpatched machines.

  • Get behind a firewall - ideally a router, or a software firewall.

  • Run up-to-date anti-spyware and anti-virus software. I have to stress the up-to-date part - a year old, or even a month old, database won't protect you from this week's latest threats.

  • Practice safe computing. Don't open attachments you're not expecting or aren't 100% sure of. Don't fall for phishing attacks, click on popups you don't know are safe, or visit questionable web sites.

Hopefully, for most of you reading, this means simply "keep doing what you're doing".

What if it's too late, and a zombie has taken over?

Once again, it's just another virus, so all the normal virus cleaning rules apply - including the one we never like to think about: once you're infected with anything, you can never be 100% certain that you've cleaned it off.

And that means that once infected the only way to be sure is to backup, and completely reformat and reinstall Windows and everything else.

That's extreme, and in many cases impractical. The alternative is to scan with multiple different anti-malware tools (at least one of which that detects the infection to start with), and then keep scanning and rescanning until they all report clean.

Hopefully you also have a recent backup at hand in case cleaning is unsuccessful, and you have to reformat anyway, or in case cleaning involves removing something important.

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

5 comments on “How do I stop my computer from being a zombie?”

  1. IF your solution is to wipe and rebuild the computer remember your backup maybe infected.
    Use caution when restoring your backed up data.

    Reply
  2. I hate to prove my ignorance but I don’t see what’s good about an image backup to restore from a malware infection. I can see how you might restore data files but you can never use the image to restore anything that has to be installed. Can you? You’re back to format, install, update etc. I would say this is almost impossible on a dial-up. You’d be old and gray before you finished and then it might happen again right away. That’s why I like to deal face to face with local brick and mortar computer stores. They can fix things.

    An image backup is useful in two ways: if you have an image taken from before the infection, you can restore your machine completely to that state in a single operation. If you do have to reformat and reinstall, you’re guaranteed that all of the files that were only your machine are on your latest image backup, and thus you can extract and restore individual files, as needed – being careful not to restore infected files.

    – Leo
    18-Mar-2009
    Reply
  3. In prescribing recovery for a machine already infected with malware, Leo counsels a backup for the infected machine before a complete format of its boot drive and reinstallation of Windows.

    However, the logic of this escapes me, since the malware almost certainly will be imaged to the backup, and if the image is ever restored, so will be the malware.

    The only possible defense of this approach is when the user has NO backup of any kind of system data, and must make one before the format, or lose the data. In that case, the user should restore selectively only the data required, but not the whole image.

    Anyone contemplating this process should understand the difference between restoring a full image and a restoring selectively.

    You’re absolutely correct. The sad truth is that most people don’t backup. And they should. It’s scary. So I counsel a full image backup prior to a reformat/reinstall to capture any and all files and data that might be required later for individual, and careful, recovery.

    – Leo
    18-Mar-2009
    Reply
  4. These are very helpful tips and i would like to another.
    If you purchased a computer second hand you may have received very genuine looking restore disks that were silk screened by a resourceful scammer.

    Always purchase restore media from the manufacturer’s site secure and time-saving as all the needed drivers are in one place.

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.