
What's a botnet? Or zombie? And how do I protect myself from whatever it is?

Question:

How can I identify if my computer is a member of a “zombie” network created
by botnets? Can I use “procexp.exe” to identify if my computer has been
captured? If a computer is captured, does it have to be on for it to be used, and
how can a botnet be eliminated? Lastly, is there a defense?

You are right to be concerned. Botnets are considered responsible for much of
the massive increase in spam we’ve all seen in recent years.

The sad part is that protecting yourself is easy. The fact that botnets are
so successful indicates that too many people still aren’t taking the simple
steps needed to keep their machines safe.


If you remember nothing else from this article, remember these points:

  • Run anti-spyware software and keep it up to date

  • Run anti-virus software and keep it up to date

  • Keep Windows up to date using Automatic Updates or by
    visiting Windows Update

  • Use a firewall or a router

  • Use common sense when deciding to open email
    attachments

As I said, the fact that botnets are as successful as they are indicates
that too many people are ignoring some, or all, of that advice.

So what’s a “botnet”? A network of bots! OK, that wasn’t very helpful.

A ‘bot’ is a semi-slang term for a software “robot” of sorts – a program
intended to operate on its own to perform some task, usually in response to
commands sent to it remotely. The term “zombie” refers to a machine infected
with such a bot, since most of the time the machine sits dormant until it’s
called on to perform some task.

So a botnet is a networked collection of computers infected with software
that can be remotely commanded to wake up and perform some task.

Typically that task is to send email. Lots of email. Lots of spam.

(And yes, if it’s infected your computer must be running and connected to
the network to participate in a botnet.)


How can you tell if you’re infected? It’s not always easy to just look at
your machine and figure it out. Your network connection may be very slow
because of all the mail being sent. With Process Explorer you may notice
programs running that you don’t recognize. Perhaps you can monitor internet
activity on your machine and see a lot of connections to port 25 on remote
machines you don’t recognize. (A normal mail program sends everything through
your own provider’s mail server; a machine opening port 25 connections to
dozens of different remote hosts is delivering mail directly, the way a spam
relay does.) Perhaps your firewall is alerting you to suspicious connections
being made by your machine to unknown remote computers.
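As an added illustration (not part of Leo’s original article): a short Python script that parses the output of Windows’ `netstat -ano` and flags any process holding port-25 connections to several different remote hosts, which is the “lots of connections to port 25” symptom above turned into a check you can run. The sample output embedded in it is constructed for the example; the PIDs and addresses are made up, and the threshold of three distinct hosts is an arbitrary choice, not a rule from the article.

```python
"""
Flag processes that are fanning out SMTP (port 25) connections to many
different remote hosts, the way a spam-sending bot does.

Usage on Windows:
    netstat -ano > conns.txt
    python smtp_fanout.py conns.txt
With no file argument the constructed sample below is used instead.
"""
import re
import sys
from collections import defaultdict

# Constructed sample of `netstat -ano` output for illustration only; it was
# not captured from a real machine. PID 3320 plays the hypothetical bot,
# PID 2210 is a mail client submitting to its provider on port 587, and
# PID 1500 is talking to a local SMTP service on the loopback address.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49812     203.0.113.5:443        ESTABLISHED     1204
  TCP    192.168.1.10:49820     198.51.100.20:25       SYN_SENT        3320
  TCP    192.168.1.10:49821     198.51.100.21:25       ESTABLISHED     3320
  TCP    192.168.1.10:49822     198.51.100.22:25       SYN_SENT        3320
  TCP    192.168.1.10:49823     192.0.2.77:25          ESTABLISHED     3320
  TCP    192.168.1.10:49824     198.51.100.20:25       TIME_WAIT       3320
  TCP    192.168.1.10:49840     198.51.100.5:587       ESTABLISHED     2210
  TCP    127.0.0.1:49850        127.0.0.1:25           ESTABLISHED     1500
  UDP    0.0.0.0:5353           *:*                                    1100
"""

# One netstat row: protocol, local endpoint, remote endpoint, optional state
# (UDP rows have none), and the owning PID.
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)


def split_endpoint(endpoint):
    """Split '203.0.113.5:443' or '[::1]:25' into (host, port); port is None
    for wildcards such as '*:*'."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return a list of connection dicts parsed from `netstat -ano` output.
    Header lines and anything not matching a TCP/UDP row are ignored."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rhost, rport = split_endpoint(m.group("remote"))
        conns.append({
            "proto": m.group("proto"),
            "remote_host": rhost,
            "remote_port": rport,
            "state": m.group("state") or "",
            "pid": int(m.group("pid")),
        })
    return conns


def is_loopback(host):
    return host.startswith("127.") or host in ("::1", "localhost")


def find_smtp_suspects(conns, threshold=3, allowed_pids=()):
    """Map PID -> sorted list of distinct remote hosts it has port-25 TCP
    connections to, keeping only PIDs at or above `threshold` hosts.
    Loopback targets and explicitly allowed PIDs (e.g. a known mail
    server you run yourself) are skipped."""
    hosts_by_pid = defaultdict(set)
    for c in conns:
        if c["proto"] != "TCP" or c["remote_port"] != 25:
            continue
        if is_loopback(c["remote_host"]) or c["pid"] in allowed_pids:
            continue
        hosts_by_pid[c["pid"]].add(c["remote_host"])
    return {pid: sorted(hosts) for pid, hosts in hosts_by_pid.items()
            if len(hosts) >= threshold}


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_NETSTAT
    suspects = find_smtp_suspects(parse_netstat(text))
    if not suspects:
        print("No process is fanning out port-25 connections.")
        return 0
    for pid, hosts in suspects.items():
        print(f"PID {pid}: port-25 connections to {len(hosts)} distinct "
              f"hosts: {', '.join(hosts)}")
    print("Look these PIDs up in Process Explorer or Task Manager.")
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On the constructed sample only PID 3320 is reported: it has connections to four different hosts on port 25, while the port 587 submission and the loopback connection are left alone. A real mail client submits everything to one server, so even a single PID with many distinct port-25 destinations is worth a look in Process Explorer.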

Or perhaps none of the above are clear and/or obvious.

Fortunately, the best detection turns out to be the same set of steps needed
to prevent infection in the first place.

How can you prevent infection? Follow that list of steps I mentioned at the
beginning of this article.

You’ll note I’ve been using the term “infection”, and that’s on purpose. The
software used to create botnets is simply a form of spyware or virus. Thus a
good anti-virus scanner, coupled with a good anti-spyware scanner, both with
up-to-date databases, will detect most bot software that’s on or trying to
get onto your machine.

Keeping Windows up to date is an important part of closing newly discovered
vulnerabilities that malware might use to get onto your machine. Using a
firewall further protects you from outside intrusion – and a good software
firewall that watches outbound connections might also alert you that
something’s wrong after an infection.

As always, there’s still no substitute for common sense. All the protection
in the world can’t help you if you insist on opening email attachments that
you’re not absolutely positive are safe to open. Your anti-spyware and
anti-virus programs may catch your mistake, but especially in the case of new
malware, the scanners often take a day or two to update their databases. That
means during that time you may still get infected if you open an attachment
containing malware that the scanners don’t yet know about.

The bottom line is that protecting against botnets is no different than
protecting against any other malware. The same basic tools, techniques and
habits work for both.


3 comments on “What's a botnet? Or zombie? And how do I protect myself from whatever it is?”

  1. Hi Leo,

    We have implemented a new spam/virus filter at our work. It is set up so that if someone sends us an email that is suspected spam or virus, the sender will receive a reply email informing them that their email did not make it to us.
    Lately people have been sending us emails asking why they are receiving an email reply to an email that they never sent. I always direct them to this article as it clears up all the hassle of explaining to them that they might have a virus. After I direct them here I never hear from them again… so obviously the points you mention at the start fix everything up!
    Keep up the good work! (it makes my job easier!!)

  2. Just read this article about the now largest botnet in the world, Kraken.
    I quote: “The so-called Kraken botnet has been spotted in at least 50 Fortune 500 companies and is undetectable in over 80 percent of machines running antivirus software. Kraken appears to be evading detection by a combination of clever obfuscation techniques, including regularly updating its binary code and structuring the code in such a way that hinders any static analysis.”

    Should I be worried?

    Read more at http://www.darkreading.com/document.asp?doc_id=150292&WT.svl=news1_1

  3. In the Outlook Express email client, there is a setting under “security options” stating “warn me when other applications try to send mail as me”. Does that help in knowing if my PC is sending spam or the like?

    No. Leave it set, but it only covers a now infrequently used technique where viruses would hijack Outlook Express for your address book. Current malware bypasses email programs completely, in which case that setting has no effect.

    – Leo
    22-Jul-2009
