How Zombie Computers Work

Zombie Typing on a Computer Laptop
Zombie computers are computers that have been taken over by a hacker without the knowledge of the owner. Donald Iain Smith / Getty Images

­Imagine that the Internet is a city. It would undoubtedly be the most remarkable and diverse city on the planet, but it would also be incredibly seedy and dangerous. You could find the world's most comprehensive libraries there alongside X-rated theaters.

Inside this city, you would also discover that not everyone is who they seem to be -- even yourself. You might find out that you've been misbehaving, although you don't remember it. Like the unwitting agent in "The Manchurian Candidate," you discover you've been doing someone else's bidding, and you have no idea how to stop it.

Advertisement

A zombie computer is very much like the agent in "The Manchurian Candidate." A cracker -- a computer hacker who intends mischief or harm -- secretly infiltrates an unsuspecting victim's computer and uses it to conduct illegal activities. The user generally remains unaware that his computer has been taken over -- he can still use it, though it might slow down considerably. As his computer begins to either send out massive amounts of spam or attack Web pages, he becomes the focal point for any investigations involving his computer's suspicious activities.

­The user might find that his Internet Service Provider (ISP) has cancelled his service, or even that he's under investigation for criminal activity. Meanwhile, the cracker shrugs off the loss of one of his zombies because he has more. Sometimes, he has a lot more -- one investigation allegedly discovered that a cracker's single computer controlled a network of more than 1.5 million computers [source: TechWeb].

In this article we'll look at how crackers can commandeer your computer, why they do it and the best way to protect yourself from malicious attacks.

Hacking a Computer

­Crackers transform computers into zombies by using small­ programs that exploit weaknesses in a computer's operating system (OS). You might think that these crackers are cutting-edge Internet criminal masterminds, but in truth, many have little to no programming experience or knowledge. (Sometimes people call these crackers "script kiddies" because they are young and show no proficiency in writing script or code.) Investigators who monitor botnets say that the programs these crackers use are primitive and poorly programmed. Despite the ham-handed approach, these programs do what the crackers intended them to do -- convert computers into zombies.

In order to infect a computer, the cracker must first get the installation program to the victim. Crackers can do this through e-mail, peer-to-peer networks or even on a regular Web site. Most of the time, crackers disguise the malicious program with a name and file extension so that the victim thinks he's getting something entirely different. As users become savvier about Internet attacks, crackers find new ways to deliver their programs. Have you ever seen a pop-up ad that included a "No Thanks" button? Hopefully you didn't click on it -- those buttons are often just decoys. Instead of dismissing the annoying pop-up ad, they activate a download of malicious software.

Advertisement

Once the victim receives the program, he has to activate it. In most cases, the user thinks the program is something else. It might appear to be a picture file, an MPEG or some other recognizable file format. When the user chooses to run the program, nothing seems to happen. For some people, this raises alarm bells and they immediately follow up with a flurry of virus and spyware scanner activity. Unfortunately, some users simply think they received a bad file and leave it at that.

Meanwhile, the activated program attaches itself to an element of the user's operating system so that every time the user turns on his computer, the program becomes active. Crackers don't always use the same segment of an operating system's initializing sequence, which makes detection tricky for the average user.

The program either contains specific instructions to carry out a task at a particular time, or it allows the cracker to directly control the user's Internet activity. Many of these programs work over an Internet Relay Chat (IRC), and in fact there are botnet communities on IRC networks where fellow crackers can help one another out -- or attempt to steal another cracker's botnet.

Once a user's computer is compromised, the cracker pretty much has free reign to do whatever he likes. Most crackers try to stay below the radar of users' awareness. If a cracker alerts a user to his presence, the cracker risks losing a bot. For some crackers, this isn't much of a problem since some networks number in the hundreds of thousands of zombies.

In the next section, we'll look at the relationship between zombie computers and spam.

­

Spam Distribution

Crackers sometimes turn unsuspecting victims' computers into zombie computers to spread e-mail across the world. E-mail recipients usually can't trace the e-mail back to its source.
©2007 HowStuffWorks

Spam continues to be a huge problem. It's a frustrating experience to open your e-mail and sort through dozens of examples of junk mail. Where does all that spam come from? According to FBI estimates, a large percentage of it comes from networked zombie computers.

If spam came from one centralized source, it would be relatively easy to track it down and either demand the corresponding ISP shut down that computer's access to the Internet or charge the user for sending out illegal spam. To get around these pitfalls, crackers rely on zombie computers. The zombie computer becomes a proxy, meaning the cracker is one step removed from the origin of spam e-mails. A cracker with a large botnet can send millions of spam messages every day.

Advertisement

Crackers might set up a spam botnet to deliver a computer virus or Trojan program to as many computers as possible. They also can use spam to send phishing messages, which are attempts to trick users into sharing personal information (we'll talk more about phishing later).

When sending out ads in spam mail, the cracker either sets up the botnet specifically for a client or he rents it out on an hourly basis. Clients who wish to advertise their products (and who don't care how intrusive or illegal their advertisements might be) pay the crackers to send out e-mail to thousands of people.

The majority of e-mail recipients usually can't figure out where the spam is coming from. They might block one source only to receive the same spam from a different zombie in the botnet. If the e-mail includes a message that says something like "Click here to be removed from this e-mail list," they might fall prey to exposing their computer to even more spam. Users savvy enough to track the e-mail back may not notice that the sender's computer is part of a larger network of compromised machines. For someone who knows what he's doing, it's not always impossible to figure out if a sender is a single user sending out spam or if a cracker is controlling the computer remotely. It is, however, time consuming.

A zombie-computer owner might realize a cracker is controlling his machine remotely if spam recipients write to complain about the junk mail or if his own e-mail outbox is full of messages he didn't write. Otherwise, the owner is likely to remain blissfully unaware that he's part of a ring of spammers. Some users don't seem to care if their machines are being used to spread spam mail as if it were someone else's problem and many more don't take the necessary precautions to avoid becoming part of a botnet.

In the next section, we'll talk about another vicious use of botnets -- distributed denial of service attacks.

Distributed Denial of Service Attacks

©2007 HowStuffWorks

Sometimes a cracker uses a network of zombie computers to sabotage a specific Web site or server. The idea is pretty simple -- a cracker tells all the computers on his botnet to contact a specific server or Web site repeatedly. The sudden increase in traffic can cause the site to load very slowly for legitimate users. Sometimes the traffic is enough to shut the site down completely. We call this kind of an attack a Distributed Denial of Service (DDoS) attack.

Some particularly tricky botnets use uncorrupted computers as part of the attack. Here's how it works: the cracker sends the command to initiate the attack to his zombie army. Each computer within the army sends an electronic connection request to an innocent computer called a reflector. When the reflector receives the request, it looks like it originates not from the zombies, but from the ultimate victim of the attack. The reflectors send information to the victim system, and eventually the system's performance suffers or it shuts down completely as it is inundated with multiple unsolicited responses from several computers at once.

Advertisement

From the perspective of the victim, it looks like the reflectors attacked the system. From the perspective of the reflectors, it seems like the victimized system requested the packets. The zombie computers remain hidden, and even more out of sight is the cracker himself.

The list of DDoS attack victims includes some pretty major names. Microsoft suffered an attack from a DDoS called MyDoom. Crackers have targeted other major Internet players like Amazon, CNN, Yahoo and eBay. The DDoS names range from mildly amusing to disturbing:

  • Ping of Death - bots create huge electronic packets and sends them on to victims
  • Mailbomb - bots send a massive amount of e-mail, crashing e-mail servers
  • Smurf Attack - bots send Internet Control Message Protocol (ICMP) messages to reflectors, see above illustration
  • Teardrop - bots send pieces of an illegitimate packet; the victim system tries to recombine the pieces into a packet and crashes as a result

Once an army begins a DDoS attack against a victim system, there are few things the system administrator can do to prevent catastrophe. He could choose to limit the amount of traffic allowed on his server, but this restricts legitimate Internet connections and zombies alike. If the administrator can determine the origin of the attacks, he can filter the traffic. Unfortunately, since many zombie computers disguise (or spoof) their addresses, this isn't always easy to do.

In the next section we'll look at some other ways crackers use zombie computers.

Click Fraud

Some crackers aren't interested in using zombie computers to send spam or cripple a particular target. Many take control of computers as a method of phishing, which is where a cracker tries to uncover secret information, particularly identification information. Crackers might steal your credit card information or search through your files for other sources of profit. The cracker might use a key logging program to track everything you type, then use it to discover your passwords and other confidential information.

Sometimes crackers will use zombie computers in ways that don't directly harm the victim of the initial attack or even the ultimate target, though the end goal is still pretty sneaky and unethical.

Advertisement

You've probably seen or even participated in several Internet-based polls. Perhaps you've even seen one where the results seemed unusual or counter-intuitive, particularly when it comes to a contest. While it's entirely possible the poll wasn't ever attacked, crackers have been known to use zombie computers to commit click fraud. Click fraud refers to the practice of setting up a botnet to repeatedly click on a particular link. Sometimes, crackers will commit click fraud by targeting advertisers on their own Web sites. Since Web advertisers usually pay sites a certain amount of money for the number of clicks an ad gets, the cracker could stand to earn quite a few dollars from fraudulent site visits.

Zombie computers and the crackers responsible for them are pretty scary. You could end up being the victim of identity theft or unknowingly participate in an attack on an important Web site. It's important to learn how to protect yourself from crackers as well as what you should do if you find out your computer has been compromised.

In the next section, we'll look at what security measures you should employ to prevent your computer from becoming a zombie.

Preventing Zombie Computer Attacks

You don't want your computer to become a zombie, so what do you do to prevent it? The most important thing to remember is that prevention is an ongoing process -- you can't just set everything up and expect to be protected forever. Also, it's important to remember that unless you employ common sense and prudent Internet habits, you're courting disaster.

Antivirus software is an absolute necessity. Whether you purchase a commercial package like McAfee VirusScan or download a free program like AVG Anti-Virus Free Edition, you need to activate it and make sure your version remains current. Some experts say that to be truly effective, an antivirus package would need to update on an hourly basis. That's not practical, but it does help stress the importance of making sure your software is as up to date as possible. For more information, read our article on How Computer Viruses Work.

Advertisement

Install spyware scanners to search for malicious spyware. Spyware includes programs that monitor your Internet habits. Some go even further, logging your keystrokes and recording everything you do on your computer. Get a good anti-spyware program like Ad-Aware from Lavasoft. Like the antivirus software, make sure the program stays up to date. To learn more, read our article on How Spyware Works.

Install a firewall to protect your home network. Firewalls can be part of a software package or even incorporated into some hardware like routers or modems. To learn more about firewalls, be sure to read our article on How Firewalls Work.

You should also make sure that your passwords are difficult or impossible to guess, and you shouldn't use the same password for multiple applications. This makes remembering all those passwords a pain, but it gives you an added layer of protection.

If your computer has already been infected and turned into a zombie computer, there are only a few options open to you. If you have access to tech support who can work on your computer for you, that would be the best option. If not, you can try to run a virus removal program to kill the connection between your computer and the cracker. Unfortunately, sometimes the only option you have is to erase everything on your computer and reload its operating system, then starting from scratch. You should make backup disks of your hard drive on a regular basis just in case. Remember to scan those files with an antivirus program to make sure none of them are corrupted.

Your computer is a great resource. Sadly, crackers think the same thing -- they want to make your computer their own resource. If you practice careful Internet habits and follow the tips we've described on this page, your chances of your computer remaining secure are very good.

To learn more about zombie computers and how to avoid them, check out the links on the next page.

Lots More Information

Related How Stuff Works Articles:

More Great Links

  • "A good bot roast." The Economist Online. June 21, 2007. http://www.economist.com/world/international/displaystory.cfm?story _id=9375697
  • "Botnets and Hackers and Spam (Oh My)! OnGuard Online. http://onguardonline.gov/botnet.html
  • "Bots, Drones, Zombies, Worms and other things that go bump in the night." SwatIt.org. http://www.swatit.org/bots/
  • "Operation: Bot Roast." Federal Bureau of Investigations. June 13, 2007. http://www.fbi.gov/page2/june07/botnet061307.htm
  • "Virtual attacker arrested in Hanoi." Thanh Nien. August 1, 2006. http://www.thanhniennews.com/education/?catid=4&newsid=18363
  • "Your computer could be a 'spam zombie.'" CNN.com. http://www.cnn.com/2004/TECH/ptech/02/17/spam.zombies.ap/
  • Acohido, Bryan and Swartz, Jon. "Are hackers using your PC to spew spam and steal?" USA Today. September 8, 2004. http://www.usatoday.com/tech/news/computersecurity/2004-09-08- zombieuser_x.htm
  • Bächer, Paul, et al. "Know your Enemy: Tracking Botnets." The Honeynet Project & Research Alliance. March 13, 2005. http://www.honeynet.org/papers/bots/
  • Berger, Sandy. "Zombie Computers Abount." AARP Online. http://www.aarp.org/learntech/computers/howto/zombie.html
  • Biever, Celeste. "Spies infiltrate zombie computer networks." NewScientist. March 16, 2005. http://www.newscientist.com/article.ns?id=dn7158
  • Chapman, Greg. "As the Worm Turns...Your Computer into a Zombie." TechTrax. http://pubs.logicalexpressions.com/Pub0009/LPMArticle.asp?ID=218
  • Durkota, Michael D. "Recovering from a Trojan Horse or Virus." United States Computer Emergency Readiness Team. http://www.us-cert.gov/reading_room/trojan-recovery.pdf
  • How to remove a Trojan, Virus, Worm or other Malware. Bleeping Computer. May 18, 2005. http://www.bleepingcomputer.com/tutorials/tutorial101.html
  • Markoff, John. "Attack of the Zombie Computers Is Growing Threat." The New York Times. January 7, 2007. http://www.nytimes.com/2007/01/07/technology/07net.html?ex= 1325826000&en=cd1e2d4c0cd20448&ei=5090
  • Raisbeck, Fiona. "Postini: Spam, botnet levels soar." SC Magazine. January 10, 2007. http://www.scmagazine.com/us/news/article/625355/
  • Reid, Tim. "Spam King and the zombie computers." TimesOnline. June 2, 2007. http://technology.timesonline.co.uk/tol/news/tech_and_web/article 1873105.ece
  • Spring, Tom. "Spam Slayer: Slaying Spam-Spewing Zombie PCs." PC World. June 20, 2005. http://www.pcworld.com/article/id,121381-page,1/article.html
  • Stopping Zombies Before They Attack: Microsoft Teams with Federal Trade Commission and Consumer Action to Promote PC Protection. Microsoft. http://www.microsoft.com/presspass/features/2005/oct05/10-27 Zombie.mspx
  • Turner, Dean, et al. "Symantec Internet Security Threat Report: Trends for July-December 06." Volume XII, published March 2007. http://www.symantec.com/enterprise/theme.jsp?themeid=threatreport
  • Tynan, Daniel. "Zombie PCs: Silent, Growing Threat." PCWorld. http://www.pcworld.com/article/id,116841-page,1/article.html
  • US-CERT http://www.us-cert.gov