How Zombie Computers Work

Hacking a Computer

­Crackers transform computers into zombies by using small­ programs that exploit weaknesses in a computer's operating system (OS). You might think that these crackers are cutting-edge Internet criminal masterminds, but in truth, many have little to no programming experience or knowledge. (Sometimes people call these crackers "script kiddies" because they are young and show no proficiency in writing script or code.) Investigators who monitor botnets say that the programs these crackers use are primitive and poorly programmed. Despite the ham-handed approach, these programs do what the crackers intended them to do -- convert computers into zombies.

In order to infect a computer, the cracker must first get the installation program to the victim. Crackers can do this through e-mail, peer-to-peer networks or even on a regular Web site. Most of the time, crackers disguise the malicious program with a name and file extension so that the victim thinks he's getting something entirely different. As users become savvier about Internet attacks, crackers find new ways to deliver their programs. Have you ever seen a pop-up ad that included a "No Thanks" button? Hopefully you didn't click on it -- those buttons are often just decoys. Instead of dismissing the annoying pop-up ad, they activate a download of malicious software.


Once the victim receives the program, he has to activate it. In most cases, the user thinks the program is something else. It might appear to be a picture file, an MPEG or some other recognizable file format. When the user chooses to run the program, nothing seems to happen. For some people, this raises alarm bells and they immediately follow up with a flurry of virus and spyware scanner activity. Unfortunately, some users simply think they received a bad file and leave it at that.

Meanwhile, the activated program attaches itself to an element of the user's operating system so that every time the user turns on his computer, the program becomes active. Crackers don't always use the same segment of an operating system's initializing sequence, which makes detection tricky for the average user.

The program either contains specific instructions to carry out a task at a particular time, or it allows the cracker to directly control the user's Internet activity. Many of these programs work over an Internet Relay Chat (IRC), and in fact there are botnet communities on IRC networks where fellow crackers can help one another out -- or attempt to steal another cracker's botnet.

Once a user's computer is compromised, the cracker pretty much has free reign to do whatever he likes. Most crackers try to stay below the radar of users' awareness. If a cracker alerts a user to his presence, the cracker risks losing a bot. For some crackers, this isn't much of a problem since some networks number in the hundreds of thousands of zombies.

In the next section, we'll look at the relationship between zombie computers and spam.