How Zombie Computers Work

Zombie Typing on a Computer Laptop — Zombie computers are computers that have been taken over by a hacker without the knowledge of the owner. Donald Iain Smith / Getty Images

Imagine that the Internet is a city. It would undoubtedly be the most remarkable and diverse city on the planet, but it would also be incredibly seedy and dangerous. You could find the world's most comprehensive libraries there alongside X-rated theaters.

Inside this city, you would also discover that not everyone is who they seem to be -- even yourself. You might find out that you've been misbehaving, although you don't remember it. Like the unwitting agent in "The Manchurian Candidate," you discover you've been doing someone else's bidding, and you have no idea how to stop it.

A zombie computer is very much like the agent in "The Manchurian Candidate." A cracker -- a computer hacker who intends mischief or harm -- secretly infiltrates an unsuspecting victim's computer and uses it to conduct illegal activities. The user generally remains unaware that his computer has been taken over -- he can still use it, though it might slow down considerably. As his computer begins to either send out massive amounts of spam or attack Web pages, he becomes the focal point for any investigations involving his computer's suspicious activities.

The user might find that his Internet Service Provider (ISP) has cancelled his service, or even that he's under investigation for criminal activity. Meanwhile, the cracker shrugs off the loss of one of his zombies because he has more. Sometimes, he has a lot more -- one investigation allegedly discovered that a cracker's single computer controlled a network of more than 1.5 million computers [source: TechWeb].

In this article we'll look at how crackers can commandeer your computer, why they do it and the best way to protect yourself from malicious attacks.

Hacking a Computer

Crackers transform computers into zombies by using small programs that exploit weaknesses in a computer's operating system (OS). You might think that these crackers are cutting-edge Internet criminal masterminds, but in truth, many have little to no programming experience or knowledge. (Sometimes people call these crackers "script kiddies" because they are young and show no proficiency in writing script or code.) Investigators who monitor botnets say that the programs these crackers use are primitive and poorly programmed. Despite the ham-handed approach, these programs do what the crackers intended them to do -- convert computers into zombies.

In order to infect a computer, the cracker must first get the installation program to the victim. Crackers can do this through e-mail, peer-to-peer networks or even on a regular Web site. Most of the time, crackers disguise the malicious program with a name and file extension so that the victim thinks he's getting something entirely different. As users become savvier about Internet attacks, crackers find new ways to deliver their programs. Have you ever seen a pop-up ad that included a "No Thanks" button? Hopefully you didn't click on it -- those buttons are often just decoys. Instead of dismissing the annoying pop-up ad, they activate a download of malicious software.

Once the victim receives the program, he has to activate it. In most cases, the user thinks the program is something else. It might appear to be a picture file, an MPEG or some other recognizable file format. When the user chooses to run the program, nothing seems to happen. For some people, this raises alarm bells and they immediately follow up with a flurry of virus and spyware scanner activity. Unfortunately, some users simply think they received a bad file and leave it at that.

Meanwhile, the activated program attaches itself to an element of the user's operating system so that every time the user turns on his computer, the program becomes active. Crackers don't always use the same segment of an operating system's initializing sequence, which makes detection tricky for the average user.

The program either contains specific instructions to carry out a task at a particular time, or it allows the cracker to directly control the user's Internet activity. Many of these programs work over an Internet Relay Chat (IRC), and in fact there are botnet communities on IRC networks where fellow crackers can help one another out -- or attempt to steal another cracker's botnet.

Once a user's computer is compromised, the cracker pretty much has free reign to do whatever he likes. Most crackers try to stay below the radar of users' awareness. If a cracker alerts a user to his presence, the cracker risks losing a bot. For some crackers, this isn't much of a problem since some networks number in the hundreds of thousands of zombies.

In the next section, we'll look at the relationship between zombie computers and spam.

Malware

Programs designed to harm or compromise a computer are called malware (as in malicious software). Malware includes a wide array of nasty batches of code that can wreak havoc to your computer, your network and even the Internet itself. Some common forms of malware that might turn your computer into a zombie include:

Computer viruses - programs that disable the victim's computer, either by corrupting necessary files or hogging the computer's resources
Worms - programs that spread from one machine to another, rapidly infecting hundreds of computers in a short time
Trojan horse - a program that claims to do one thing, but actually either damages the computer or opens a back door to your system
Rootkits - a collection of programs that permits administrator-level control of a computer; not necessarily malware on its own, crackers use rootkits to control computers and evade detection
Backdoors - methods of circumventing the normal operating-system procedures, allowing a cracker to access information on another computer
Key loggers - programs that record keystrokes made by a user, allowing crackers to discover passwords and login codes

Zombie computer code usually is part of a virus, worm or Trojan horse. Zombie computers often incorporate other kinds of malware as part of its processes.

Spam Distribution

Spam continues to be a huge problem. It's a frustrating experience to open your e-mail and sort through dozens of examples of junk mail. Where does all that spam come from? According to FBI estimates, a large percentage of it comes from networked zombie computers.

If spam came from one centralized source, it would be relatively easy to track it down and either demand the corresponding ISP shut down that computer's access to the Internet or charge the user for sending out illegal spam. To get around these pitfalls, crackers rely on zombie computers. The zombie computer becomes a proxy, meaning the cracker is one step removed from the origin of spam e-mails. A cracker with a large botnet can send millions of spam messages every day.

Crackers might set up a spam botnet to deliver a computer virus or Trojan program to as many computers as possible. They also can use spam to send phishing messages, which are attempts to trick users into sharing personal information (we'll talk more about phishing later).

When sending out ads in spam mail, the cracker either sets up the botnet specifically for a client or he rents it out on an hourly basis. Clients who wish to advertise their products (and who don't care how intrusive or illegal their advertisements might be) pay the crackers to send out e-mail to thousands of people.

The majority of e-mail recipients usually can't figure out where the spam is coming from. They might block one source only to receive the same spam from a different zombie in the botnet. If the e-mail includes a message that says something like "Click here to be removed from this e-mail list," they might fall prey to exposing their computer to even more spam. Users savvy enough to track the e-mail back may not notice that the sender's computer is part of a larger network of compromised machines. For someone who knows what he's doing, it's not always impossible to figure out if a sender is a single user sending out spam or if a cracker is controlling the computer remotely. It is, however, time consuming.

A zombie-computer owner might realize a cracker is controlling his machine remotely if spam recipients write to complain about the junk mail or if his own e-mail outbox is full of messages he didn't write. Otherwise, the owner is likely to remain blissfully unaware that he's part of a ring of spammers. Some users don't seem to care if their machines are being used to spread spam mail as if it were someone else's problem and many more don't take the necessary precautions to avoid becoming part of a botnet.

In the next section, we'll talk about another vicious use of botnets -- distributed denial of service attacks.

A Zombie by Any Other Name

Some people think the term "zombie computer" is misleading. A zombie, after all, seems to have no consciousness and pursues victims on instinct alone. A zombie computer can still behave normally, and every action it takes is a result of a cracker's instructions (though these instructions might be automated). For this reason, these people prefer the term "bot." Bot comes from the word "robot," which in this sense is a device that carries out specific instructions. A collection of networked bots is called a "botnet," and a group of zombie computers is called an "army."

Distributed Denial of Service Attacks

Sometimes a cracker uses a network of zombie computers to sabotage a specific Web site or server. The idea is pretty simple -- a cracker tells all the computers on his botnet to contact a specific server or Web site repeatedly. The sudden increase in traffic can cause the site to load very slowly for legitimate users. Sometimes the traffic is enough to shut the site down completely. We call this kind of an attack a Distributed Denial of Service (DDoS) attack.

Some particularly tricky botnets use uncorrupted computers as part of the attack. Here's how it works: the cracker sends the command to initiate the attack to his zombie army. Each computer within the army sends an electronic connection request to an innocent computer called a reflector. When the reflector receives the request, it looks like it originates not from the zombies, but from the ultimate victim of the attack. The reflectors send information to the victim system, and eventually the system's performance suffers or it shuts down completely as it is inundated with multiple unsolicited responses from several computers at once.

From the perspective of the victim, it looks like the reflectors attacked the system. From the perspective of the reflectors, it seems like the victimized system requested the packets. The zombie computers remain hidden, and even more out of sight is the cracker himself.

The list of DDoS attack victims includes some pretty major names. Microsoft suffered an attack from a DDoS called MyDoom. Crackers have targeted other major Internet players like Amazon, CNN, Yahoo and eBay. The DDoS names range from mildly amusing to disturbing:

Ping of Death - bots create huge electronic packets and sends them on to victims
Mailbomb - bots send a massive amount of e-mail, crashing e-mail servers
Smurf Attack - bots send Internet Control Message Protocol (ICMP) messages to reflectors, see above illustration
Teardrop - bots send pieces of an illegitimate packet; the victim system tries to recombine the pieces into a packet and crashes as a result

Once an army begins a DDoS attack against a victim system, there are few things the system administrator can do to prevent catastrophe. He could choose to limit the amount of traffic allowed on his server, but this restricts legitimate Internet connections and zombies alike. If the administrator can determine the origin of the attacks, he can filter the traffic. Unfortunately, since many zombie computers disguise (or spoof) their addresses, this isn't always easy to do.

In the next section we'll look at some other ways crackers use zombie computers.

Click Fraud

Some crackers aren't interested in using zombie computers to send spam or cripple a particular target. Many take control of computers as a method of phishing, which is where a cracker tries to uncover secret information, particularly identification information. Crackers might steal your credit card information or search through your files for other sources of profit. The cracker might use a key logging program to track everything you type, then use it to discover your passwords and other confidential information.

Sometimes crackers will use zombie computers in ways that don't directly harm the victim of the initial attack or even the ultimate target, though the end goal is still pretty sneaky and unethical.

You've probably seen or even participated in several Internet-based polls. Perhaps you've even seen one where the results seemed unusual or counter-intuitive, particularly when it comes to a contest. While it's entirely possible the poll wasn't ever attacked, crackers have been known to use zombie computers to commit click fraud. Click fraud refers to the practice of setting up a botnet to repeatedly click on a particular link. Sometimes, crackers will commit click fraud by targeting advertisers on their own Web sites. Since Web advertisers usually pay sites a certain amount of money for the number of clicks an ad gets, the cracker could stand to earn quite a few dollars from fraudulent site visits.

Zombie computers and the crackers responsible for them are pretty scary. You could end up being the victim of identity theft or unknowingly participate in an attack on an important Web site. It's important to learn how to protect yourself from crackers as well as what you should do if you find out your computer has been compromised.

In the next section, we'll look at what security measures you should employ to prevent your computer from becoming a zombie.

Preventing Zombie Computer Attacks

You don't want your computer to become a zombie, so what do you do to prevent it? The most important thing to remember is that prevention is an ongoing process -- you can't just set everything up and expect to be protected forever. Also, it's important to remember that unless you employ common sense and prudent Internet habits, you're courting disaster.

Antivirus software is an absolute necessity. Whether you purchase a commercial package like McAfee VirusScan or download a free program like AVG Anti-Virus Free Edition, you need to activate it and make sure your version remains current. Some experts say that to be truly effective, an antivirus package would need to update on an hourly basis. That's not practical, but it does help stress the importance of making sure your software is as up to date as possible. For more information, read our article on How Computer Viruses Work.

Install spyware scanners to search for malicious spyware. Spyware includes programs that monitor your Internet habits. Some go even further, logging your keystrokes and recording everything you do on your computer. Get a good anti-spyware program like Ad-Aware from Lavasoft. Like the antivirus software, make sure the program stays up to date. To learn more, read our article on How Spyware Works.

Install a firewall to protect your home network. Firewalls can be part of a software package or even incorporated into some hardware like routers or modems. To learn more about firewalls, be sure to read our article on How Firewalls Work.

You should also make sure that your passwords are difficult or impossible to guess, and you shouldn't use the same password for multiple applications. This makes remembering all those passwords a pain, but it gives you an added layer of protection.

If your computer has already been infected and turned into a zombie computer, there are only a few options open to you. If you have access to tech support who can work on your computer for you, that would be the best option. If not, you can try to run a virus removal program to kill the connection between your computer and the cracker. Unfortunately, sometimes the only option you have is to erase everything on your computer and reload its operating system, then starting from scratch. You should make backup disks of your hard drive on a regular basis just in case. Remember to scan those files with an antivirus program to make sure none of them are corrupted.

Your computer is a great resource. Sadly, crackers think the same thing -- they want to make your computer their own resource. If you practice careful Internet habits and follow the tips we've described on this page, your chances of your computer remaining secure are very good.

To learn more about zombie computers and how to avoid them, check out the links on the next page.

Spam Statistics

Here are some sobering spam statistics from the 2007 Symantic Internet Security Threat Report:

Between July 1 and Dec. 31, 2006, 59 percent of all monitored e-mail traffic was spam.
Spam written in English makes up 65 percent of all spam.
The United States is the origin of 44 percent of all the world's spam.
Ten percent of all e-mail zombies are in the United States, making the U.S. the zombie computer capital of the world.
One out of every 147 blocked spam e-mails contained some kind of malicious code.

Lots More Information

Sources

"A good bot roast." The Economist Online. June 21, 2007. http://www.economist.com/world/international/displaystory.cfm?story _id=9375697
"Botnets and Hackers and Spam (Oh My)! OnGuard Online. http://onguardonline.gov/botnet.html
"Bots, Drones, Zombies, Worms and other things that go bump in the night." SwatIt.org. http://www.swatit.org/bots/
"Operation: Bot Roast." Federal Bureau of Investigations. June 13, 2007. http://www.fbi.gov/page2/june07/botnet061307.htm
"Virtual attacker arrested in Hanoi." Thanh Nien. August 1, 2006. http://www.thanhniennews.com/education/?catid=4&newsid=18363
"Your computer could be a 'spam zombie.'" CNN.com. http://www.cnn.com/2004/TECH/ptech/02/17/spam.zombies.ap/
Acohido, Bryan and Swartz, Jon. "Are hackers using your PC to spew spam and steal?" USA Today. September 8, 2004. http://www.usatoday.com/tech/news/computersecurity/2004-09-08- zombieuser_x.htm
Bächer, Paul, et al. "Know your Enemy: Tracking Botnets." The Honeynet Project & Research Alliance. March 13, 2005. http://www.honeynet.org/papers/bots/
Berger, Sandy. "Zombie Computers Abount." AARP Online. http://www.aarp.org/learntech/computers/howto/zombie.html
Biever, Celeste. "Spies infiltrate zombie computer networks." NewScientist. March 16, 2005. http://www.newscientist.com/article.ns?id=dn7158
Chapman, Greg. "As the Worm Turns...Your Computer into a Zombie." TechTrax. http://pubs.logicalexpressions.com/Pub0009/LPMArticle.asp?ID=218
Durkota, Michael D. "Recovering from a Trojan Horse or Virus." United States Computer Emergency Readiness Team. http://www.us-cert.gov/reading_room/trojan-recovery.pdf
How to remove a Trojan, Virus, Worm or other Malware. Bleeping Computer. May 18, 2005. http://www.bleepingcomputer.com/tutorials/tutorial101.html
Markoff, John. "Attack of the Zombie Computers Is Growing Threat." The New York Times. January 7, 2007. http://www.nytimes.com/2007/01/07/technology/07net.html?ex= 1325826000&en=cd1e2d4c0cd20448&ei=5090
Raisbeck, Fiona. "Postini: Spam, botnet levels soar." SC Magazine. January 10, 2007. http://www.scmagazine.com/us/news/article/625355/
Reid, Tim. "Spam King and the zombie computers." TimesOnline. June 2, 2007. http://technology.timesonline.co.uk/tol/news/tech_and_web/article 1873105.ece
Spring, Tom. "Spam Slayer: Slaying Spam-Spewing Zombie PCs." PC World. June 20, 2005. http://www.pcworld.com/article/id,121381-page,1/article.html
Stopping Zombies Before They Attack: Microsoft Teams with Federal Trade Commission and Consumer Action to Promote PC Protection. Microsoft. http://www.microsoft.com/presspass/features/2005/oct05/10-27 Zombie.mspx
Turner, Dean, et al. "Symantec Internet Security Threat Report: Trends for July-December 06." Volume XII, published March 2007. http://www.symantec.com/enterprise/theme.jsp?themeid=threatreport
Tynan, Daniel. "Zombie PCs: Silent, Growing Threat." PCWorld. http://www.pcworld.com/article/id,116841-page,1/article.html
US-CERT http://www.us-cert.gov