How Zombie Computers Work

Hacking a Computer

Crackers transform computers into zombies by using small programs that exploit weaknesses in a computer's operating system (OS). You might think that these crackers are cutting-edge Internet criminal masterminds, but in truth, many have little to no programming experience or knowledge. (Sometimes people call these crackers "script kiddies" because they are young and show no proficiency in writing script or code.) Investigators who monitor botnets say that the programs these crackers use are primitive and poorly programmed. Despite the ham-handed approach, these programs do what the crackers intended them to do -- convert computers into zombies.

In order to infect a computer, the cracker must first get the installation program to the victim. Crackers can do this through e-mail, peer-to-peer networks or even on a regular Web site. Most of the time, crackers disguise the malicious program with a name and file extension so that the victim thinks he's getting something entirely different. As users become savvier about Internet attacks, crackers find new ways to deliver their programs. Have you ever seen a pop-up ad that included a "No Thanks" button? Hopefully you didn't click on it -- those buttons are often just decoys. Instead of dismissing the annoying pop-up ad, they activate a download of malicious software.

Once the victim receives the program, he has to activate it. In most cases, the user thinks the program is something else. It might appear to be a picture file, an MPEG or some other recognizable file format. When the user chooses to run the program, nothing seems to happen. For some people, this raises alarm bells and they immediately follow up with a flurry of virus and spyware scanner activity. Unfortunately, some users simply think they received a bad file and leave it at that.

Meanwhile, the activated program attaches itself to an element of the user's operating system so that every time the user turns on his computer, the program becomes active. Crackers don't always use the same segment of an operating system's initializing sequence, which makes detection tricky for the average user.

The program either contains specific instructions to carry out a task at a particular time, or it allows the cracker to directly control the user's Internet activity. Many of these programs work over an Internet Relay Chat (IRC), and in fact there are botnet communities on IRC networks where fellow crackers can help one another out -- or attempt to steal another cracker's botnet.

Once a user's computer is compromised, the cracker pretty much has free reign to do whatever he likes. Most crackers try to stay below the radar of users' awareness. If a cracker alerts a user to his presence, the cracker risks losing a bot. For some crackers, this isn't much of a problem since some networks number in the hundreds of thousands of zombies.

In the next section, we'll look at the relationship between zombie computers and spam.

Malware

Programs designed to harm or compromise a computer are called malware (as in malicious software). Malware includes a wide array of nasty batches of code that can wreak havoc to your computer, your network and even the Internet itself. Some common forms of malware that might turn your computer into a zombie include:

Computer viruses - programs that disable the victim's computer, either by corrupting necessary files or hogging the computer's resources
Worms - programs that spread from one machine to another, rapidly infecting hundreds of computers in a short time
Trojan horse - a program that claims to do one thing, but actually either damages the computer or opens a back door to your system
Rootkits - a collection of programs that permits administrator-level control of a computer; not necessarily malware on its own, crackers use rootkits to control computers and evade detection
Backdoors - methods of circumventing the normal operating-system procedures, allowing a cracker to access information on another computer
Key loggers - programs that record keystrokes made by a user, allowing crackers to discover passwords and login codes

Zombie computer code usually is part of a virus, worm or Trojan horse. Zombie computers often incorporate other kinds of malware as part of its processes.