How can I identify if my computer is a member of a “Zombie” network created
by botnets? Can I use “procexp.exe” to identify if my computer has been
captured? If a computer is captured, does it have to be on for it to be used, and
how can a botnet be eliminated? Lastly, is there a defense?
You are right to be concerned. Botnets are considered responsible for the
massive increase in spam we’ve all seen in the past years and months.
The really sad part is that it’s really easy to protect yourself. The fact
that botnets are so successful indicates that too many people still aren’t
taking the simple steps they need to keep their machines safe.
If you remember nothing else from this article, remember these points:
Run anti-spyware software and keep it up to date
Run anti-virus software and keep it up to date
Keep Windows up to date using Automatic Updates or by
visiting Windows Update
Use common sense when deciding to open email
As I said, the fact that botnets are as successful as they are indicates
that too many people are ignoring some, or all, of that advice.
So what’s a “botnet”? A network of bots! OK, that wasn’t very helpful.
A ‘bot’ is a semi-slang term for a software “robot” of sorts – a program
that is intended to operate independently to perform some task, often in
response to commands sent to it remotely. The term “zombie” simply refers to a
machine that is infected with such a bot, since most of the time it lies
dormant until it’s called on to perform some task.
So a botnet is a networked collection of computers infected with software
that can be remotely controlled to awaken and perform some task.
Typically that task is to send email. Lots of email. Lots of spam.
(And yes, if it’s infected your computer must be running and connected to
the network to participate in a botnet.)
How can you tell if you’re infected? It’s not always easy to just look at
your machine and figure it out. Your network connection may be very slow
because of all the mail that’s being sent. Or perhaps with process explorer
you’ll notice programs that you don’t recognize running. Perhaps you can
monitor internet activity on your machine, and you see a lot of connections
to port 25 on remote machines that you don’t recognize. Perhaps your firewall
is alerting you to suspicious connections being made by your machine to unknown
Or perhaps none of the above are clear and/or obvious.
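Two of the signs just mentioned, unrecognized processes and many connections to port 25 on remote machines, can be checked together by correlating connection listings with the process list. The script below is an added example, not code from the original article; it parses text in the layout of Windows “netstat -ano” output, joins the PID column to a process-name table such as Process Explorer shows, and reports any process that is not a known mail client yet holds several outbound connections to remote port 25. The netstat lines, the PID-to-name table and the “known mail clients” list are constructed sample data and assumptions for the example, not captures from a real machine.

```python
"""Flag processes holding many outbound SMTP (port 25) connections.

Added example (not from the original article). The netstat lines below are
constructed sample data in the layout of Windows `netstat -ano` (Proto,
Local Address, Foreign Address, State, PID). The PID-to-process mapping is
also constructed; on a real machine it would come from Process Explorer or
`tasklist`. Real use: run `netstat -ano`, save the output, and feed it in.
"""
import re
from collections import Counter

# Constructed sample of `netstat -ano` output (not captured from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49152     203.0.113.5:25         ESTABLISHED     4120
  TCP    192.168.1.10:49153     203.0.113.17:25        SYN_SENT        4120
  TCP    192.168.1.10:49154     198.51.100.9:25        ESTABLISHED     4120
  TCP    192.168.1.10:49160     198.51.100.44:25       ESTABLISHED     4120
  TCP    192.168.1.10:49170     192.0.2.80:443         ESTABLISHED     2210
  TCP    192.168.1.10:49171     192.0.2.25:25          ESTABLISHED     3008
  UDP    0.0.0.0:5353           *:*                                    1300
"""

# Constructed PID -> process name table (what Process Explorer would show).
# "unrecognized.exe" is a placeholder for a program you do not recognize.
SAMPLE_PROCESSES = {
    4120: "unrecognized.exe",
    2210: "firefox.exe",
    3008: "outlook.exe",
    1300: "svchost.exe",
}

# Programs that legitimately speak SMTP on this machine (assumption for the example).
KNOWN_MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# Proto, local, foreign, optional State (absent for UDP rows), PID.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Yield one dict per connection row; header and blank lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state, pid = m.groups()
        host, _, port = foreign.rpartition(":")   # handles "*:*" for UDP rows
        yield {
            "proto": proto,
            "local": local,
            "remote_host": host,
            "remote_port": int(port) if port.isdigit() else None,
            "state": state,
            "pid": int(pid),
        }


def smtp_connections_by_process(text, processes, known_clients):
    """Count TCP connections to remote port 25 per process, ignoring known mail clients."""
    counts = Counter()
    for conn in parse_netstat(text):
        if conn["proto"] != "TCP" or conn["remote_port"] != 25:
            continue
        name = processes.get(conn["pid"], f"pid {conn['pid']}")
        if name.lower() in known_clients:
            continue
        counts[(conn["pid"], name)] += 1
    return counts


def suspicious_senders(text, processes, known_clients, threshold=3):
    """Return (pid, name, count) for processes at or above `threshold`, busiest first."""
    counts = smtp_connections_by_process(text, processes, known_clients)
    return [(pid, name, n) for (pid, name), n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    hits = suspicious_senders(SAMPLE_NETSTAT, SAMPLE_PROCESSES, KNOWN_MAIL_CLIENTS)
    for pid, name, n in hits:
        print(f"PID {pid} ({name}): {n} connections to remote port 25")
```

A home machine with a normal mail client open rarely has more than one or two port-25 connections at a time, so a threshold of three is a reasonable starting point; the known-client list keeps your own mail program out of the report, and anything else that shows up is a candidate to look at in Process Explorer and scan.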
Fortunately, the best detection turns out to be the same set of steps needed
to prevent infection in the first place.
How can you prevent infection? Follow that list of steps I mentioned at the
beginning of this article.
You’ll note I’ve been using the term “infection”, and that’s on purpose. The
software used to create botnets is simply a form of spyware or virus. Thus a
good anti-virus scanner, coupled with a good anti-spyware scanner, both with
up-to-date databases of information, will detect almost all bot software that’s
on or trying to get on your machine.
Keeping Windows up to date is an important part of removing newly discovered
vulnerabilities that malware might use to get onto your machine. Using a
firewall further protects you from outside intrusion – and a good software
firewall might also help alert you that something’s wrong after an
As always there’s still no substitute for common sense. All the protection
in the world can’t help you if you insist on opening email attachments that
you’re not absolutely positive are safe to open. Your anti-spyware and
anti-virus programs may catch your mistake but especially in the case of new
malware the scanners often take a day or two to update their databases. That
means during that time you may still get infected if you open an attachment
containing malware that the scanners don’t yet know about.
The bottom line is that protecting against botnets is no different than
protecting against any other malware. The same basic tools, techniques and
habits work for both.