What's a botnet? Or zombie? And how do I protect myself from whatever it is?

Question:

How can I identify if my computer is a member of a “Zombie” network created by botnets? Can I use “procexp.exe” to identify if my computer has been captured? If a computer is captured, does it have to be on for it to be used, and how can a botnet be eliminated? Lastly, is there a defense?

You are right to be concerned. Botnets are considered responsible for the massive increase in spam we’ve all seen over the past few years.

The really sad part is that it’s really easy to protect yourself. The fact that botnets are so successful indicates that too many people still aren’t taking the simple steps they need to keep their machines safe.

If you remember nothing else from this article, remember these points:

  • Run anti-spyware software and keep it up to date

  • Run anti-virus software and keep it up to date

  • Keep Windows up to date using Automatic Updates or by visiting Windows Update

  • Use a firewall or a router

  • Use common sense when deciding to open email attachments

As I said, the fact that botnets are as successful as they are indicates that too many people are ignoring some, or all, of that advice.

So what’s a “botnet”? A network of bots! OK, that wasn’t very helpful.

A ‘bot’ is a semi-slang term for a software “robot” of sorts – a program that is intended to operate independently to perform some task, often in response to commands sent to it remotely. The term “zombie” simply refers to a machine that is infected with such a bot, since most of the time it lies dormant until it’s called on to perform some task.

So a botnet is a networked collection of computers infected with software that can be remotely controlled to awaken and perform some task.

Typically that task is to send email. Lots of email. Lots of spam.

(And yes, if it’s infected, your computer must be running and connected to the network to participate in a botnet.)

How can you tell if you’re infected? It’s not always easy to just look at your machine and figure it out. Your network connection may be very slow because of all the mail that’s being sent. With Process Explorer you may notice programs running that you don’t recognize. If you monitor internet activity on your machine (with a tool such as netstat), you may see many outgoing connections to TCP port 25, the port mail servers listen on, at remote machines you don’t recognize; a normal mail program talks to one or two mail servers, while a spam bot talks to many. Or your firewall may alert you to suspicious connections being made by your machine to unknown remote computers.

Or perhaps none of the above are clear and/or obvious.
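The port-25 check described above can be automated. What follows is an added example (it is not code from Leo’s article) that parses a `netstat -n` snapshot and counts how many distinct remote hosts the machine is talking to on TCP port 25, ignoring any mail servers you know your mail program uses. The sample netstat output, the addresses in it (taken from the documentation ranges), and the threshold of five hosts are all constructed assumptions, not captured data.

```python
"""Added example: spot the outbound SMTP fan-out a spam bot leaves behind in a
`netstat -n` snapshot. Sample data below is constructed, not captured."""
from collections import Counter
from typing import FrozenSet, List, NamedTuple, Tuple

# Constructed `netstat -n` output in the Windows column layout. Remote addresses
# come from the documentation ranges (192.0.2.0/24, 198.51.100.0/24,
# 203.0.113.0/24, 2001:db8::/32), so they are not real mail servers.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.5:49213      203.0.113.10:25        ESTABLISHED
  TCP    192.168.1.5:49214      203.0.113.44:25        SYN_SENT
  TCP    192.168.1.5:49215      198.51.100.7:25        ESTABLISHED
  TCP    192.168.1.5:49216      198.51.100.91:25       ESTABLISHED
  TCP    192.168.1.5:49217      192.0.2.200:25         TIME_WAIT
  TCP    192.168.1.5:49218      192.0.2.201:25         ESTABLISHED
  TCP    192.168.1.5:49300      192.0.2.50:587         ESTABLISHED
  TCP    192.168.1.5:49301      203.0.113.99:443       ESTABLISHED
  TCP    [fe80::1]:49400        [2001:db8::25]:25      ESTABLISHED
"""


class Conn(NamedTuple):
    proto: str
    remote_host: str
    remote_port: int
    state: str


def _split_endpoint(endpoint: str) -> Tuple[str, int]:
    """'203.0.113.10:25' -> ('203.0.113.10', 25); '[2001:db8::25]:25' -> ('2001:db8::25', 25)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def parse_netstat(text: str) -> List[Conn]:
    """Pull the TCP rows out of `netstat -n` output (Windows or Linux layout)."""
    conns: List[Conn] = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or not parts[0].upper().startswith("TCP"):
            continue  # header lines, blank lines, UDP rows
        if len(parts) >= 6 and parts[1].isdigit() and parts[2].isdigit():
            remote, state = parts[4], parts[5]  # Linux: Proto Recv-Q Send-Q Local Foreign State
        elif len(parts) >= 4:
            remote, state = parts[2], parts[3]  # Windows: Proto Local Foreign State
        else:
            continue
        try:
            host, port = _split_endpoint(remote)
        except ValueError:
            continue  # e.g. a '*' port on a listening socket
        conns.append(Conn(parts[0].upper(), host, port, state))
    return conns


def smtp_fanout(conns: List[Conn], known_mail_servers: FrozenSet[str] = frozenset(),
                port: int = 25) -> Counter:
    """Connections per remote host on the SMTP port, excluding servers you expect
    your mail program to use (your ISP's outgoing mail server, for instance)."""
    return Counter(c.remote_host for c in conns
                   if c.remote_port == port and c.remote_host not in known_mail_servers)


def looks_like_spam_bot(conns: List[Conn], known_mail_servers: FrozenSet[str] = frozenset(),
                        threshold: int = 5) -> bool:
    """A mail client talks to one or two SMTP servers; a bot delivering spam
    directly fans out to many. Flag a snapshot that shows `threshold` or more
    distinct unknown port-25 destinations (the default threshold is an assumed value)."""
    return len(smtp_fanout(conns, known_mail_servers)) >= threshold


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    fanout = smtp_fanout(conns)
    print(f"{len(fanout)} distinct remote hosts on port 25: {sorted(fanout)}")
    print("suspicious" if looks_like_spam_bot(conns) else "looks normal")
```

On a real machine, feed the output of `netstat -n` into `parse_netstat` and put your ISP’s outgoing mail server in `known_mail_servers`. Connections in TIME_WAIT or SYN_SENT are counted deliberately: a bot cycles through many servers quickly, so at any instant most of its connections are opening or closing rather than established.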

Fortunately, the best detection turns out to be the same set of steps needed to prevent infection in the first place.

How can you prevent infection? Follow that list of steps I mentioned at the beginning of this article.

You’ll note I’ve been using the term “infection”, and that’s on purpose. The software used to create botnets is simply another form of malware, no different in kind from spyware or a virus. Thus a good anti-virus scanner, coupled with a good anti-spyware scanner, both with up-to-date databases, will detect almost all bot software that’s on or trying to get onto your machine.

Keeping Windows up to date is an important part of removing newly discovered vulnerabilities that malware might use to get onto your machine. Using a firewall further protects you from outside intrusion – and a good software firewall might also help alert you that something’s wrong after an infection.

As always, there’s still no substitute for common sense. All the protection in the world can’t help you if you insist on opening email attachments that you’re not absolutely positive are safe to open. Your anti-spyware and anti-virus programs may catch your mistake, but especially in the case of new malware, the scanners often take a day or two to update their databases. During that window you can still be infected by opening an attachment containing malware that the scanners don’t yet know about.

The bottom line is that protecting against botnets is no different than protecting against any other malware. The same basic tools, techniques and habits work for both.

2 comments on “What's a botnet? Or zombie? And how do I protect myself from whatever it is?”

  1. Hi Leo,

    We have implemented a new spam/virus filter at our work. It is set up so that if someone sends us an email that is suspected spam or virus, the sender will receive a reply email informing them that their email did not make it to us.
    Lately people have been sending us emails asking why they are receiving an email reply to an email that they never sent. I always direct them to this article as it clears up all the hassle of explaining to them that they might have a virus. After I direct them here I never hear from them again….so obviously the points you mention at the start fix everything up!
    Keep up the good work! (it makes my job easier!!)

  2. In the Outlook Express email client, there is a setting under “security options” stating “warn me when other applications try to send mail as me”. Does that help in knowing whether my PC is sending spam or the like?

    No. Leave it set, but it only covers a now infrequently used technique where viruses would hijack Outlook Express for your address book. Current malware bypasses email programs completely, in which case that setting has no effect.

    – Leo
    22-Jul-2009