Net of the Living Dead

by Rob Zorn
from the September 2004 Actrix Customer Newsletter

Image: still from Lucio Fulci's movie Zombie!

There's been a fair bit of news around lately regarding zombie machines and their contribution to the Spam and virus problem. In this article I want to explain what zombies are, how they are harvested, what they do, and how you can protect yourself from having your PC harvested and "zombified."

What are zombies?

Zombies are machines that have been deliberately "possessed" by someone else, and there are literally hundreds of thousands of them on the Internet. No doubt there are plenty here in New Zealand, and no doubt they include some belonging to Actrix customers. The frightening thing is that the owners are not likely to realise that their PC has been hijacked by someone else for nefarious purposes. That's part and parcel of the whole zombie experience.

A machine becomes a zombie when a nasty program (usually referred to as a Trojan) is installed on it. The Trojan normally gets there when the machine becomes infected with a virus that opens a doorway for someone else on the Internet to use to access the machine remotely. It's called a Trojan after the story of the horse of Troy, of course.

Recent viruses such as Sobig, MyDoom and Bagle all contained this sort of code (sometimes also known as malware). While the machines' owners are innocently writing e-mails and surfing websites, their computers are broadcasting a message out onto the Internet that they're open for evil business to anyone who knows how to connect to them through the new backdoor.

What do the hackers want?

In most cases these days, the hackers behind the zombies are not primarily after sensitive information on your PC, though they'd certainly be capable of getting your credit card number if you had it stored there. What they seem to want most is to set up proxy mail servers on the zombie machines so that they can use them to send Spam.

The world is cracking down on Spammers and many countries are putting strict laws and penalties in place. ISPs tend to be watching customers' sending volumes and closing the accounts of anyone suddenly sending out massive amounts of e-mails. In order to evade the law and to hide themselves, these hackers will use the zombie machine to send out the Spam in their stead. That way the spam can't be traced back to them, and someone else has to pay any traffic bills associated with the millions of e-mails sent!

Some experts estimate that 40% of all Spam originates from zombies, and some go as far as to suggest that 80% of it comes from these poor bedevilled computers. Of course, in a sort of "zombie-get-zombie" scheme, the infected machine will also be used to send out more viruses and copies of the Trojan that now controls it.

Zombies can also be used for what is called a DDoS attack. DDoS is short for "distributed denial of service." A DDoS attack is used to bog down another computer on the Internet so that it can no longer function. If a hacker wanted to attack Microsoft, for example, he or she would get hundreds of zombie machines under his or her control to send lots of useless or corrupt information to Microsoft servers all at once. The servers become so busy trying to make sense of the massive data influx that they can't do their normal work. In effect, the server would go "down."

Lately, it has become common for people who have remote control over hundreds of zombies to "rent them out" to anyone who wants to use them for a day, an afternoon or a week. It's becoming quite a profitable little underground business.

What Should You Do?

There are several things you can do to reduce the risk of becoming a zombie yourself. None of this advice is new, but many people are slow to move on these matters, and this is the very reason that the evil zombie overlords are able to keep on getting away with it.

Windows Update: The first thing you have to do (and I can't stress enough how essential this is) is to keep your PC up-to-date with the latest patches from Microsoft. Viruses, malware and Trojans all exploit weaknesses in your software. As these weaknesses are discovered, Microsoft releases patches that you can download to correct them. Once they are corrected, the malware sent to you can't do its business, because the flaw it is designed to exploit isn't there anymore. Updating your software is even more important than running anti-virus programs. To visit the Windows Update page (which will analyse your machine and tell you what you need to download), open Internet Explorer, click Tools and then Windows Update. You can also surf to the page directly at http://windowsupdate.microsoft.com.

Anti-Virus: The second thing to do is run your own personal anti-virus software. Actrix CyberScan will catch most viruses that come via e-mail, but these days viruses can connect to you straight across the Internet (if your machine is unpatched), and Actrix is not usually able to catch these for you. Your personal anti-virus program should also help protect you from malware that comes on floppy disks, though this seems to be less of a problem these days. Anti-virus software needn't cost you big money. Free software is available at http://www.grisoft.com and at www.clamwin.net.

Firewall: Lastly, you may want to think about a firewall. The advantages of a firewall are twofold. Firstly, it hides you while you are online by disallowing any program on your computer from accessing the Internet without your knowledge and consent. This means that your computer won't reply to any hacker scanning for vulnerable machines. They don't even know you're there.

Firewalls such as Zone Alarm (http://www.zonelabs.com/store/content/home.jsp) can be downloaded for free, but they come with problems of their own, and people unfamiliar with how the Internet works can sometimes struggle to wrap their heads around them. If that might be you, you may want to get someone knowledgeable to help you install a firewall. However, an up-to-date, patched machine is enough of a disincentive for any hacker. There are plenty of easier targets for them out there.