SpamCopWiki : Zombies


Zombies


NOTE: The opinions expressed on this page are those of the author and not of SpamCop.
The term zombie is used to describe a computer that has been subverted by a criminal in order to be used secretly for nefarious purposes. The term is very apt, being derived from the legendary "walking dead" of Voodoo mythology, who can be "programmed" to carry out tasks on behalf of their masters with no will of their own. Zombie computers are also often called open proxies (because they are "open" to criminals for use as network "proxies"), or bots (for their role in botnets).

Who are the zombies?


Computers vulnerable to "zombification" generally exhibit most or all of the following characteristics:


Most zombies, like most computers in general, run Microsoft Windows. Many versions of Windows are vulnerable to various types of malware attack, some not easily detected or stopped by users. Other types of computers (e.g., Mac OS or Unix-like systems) can also be subverted; although they are not as vulnerable to virus attack as Windows systems, their owners may employ very flimsy password security, allowing the attackers to "crack" the systems and assign themselves advanced (i.e., "root") privileges. Also, when such systems run services that are accessible from the public network (for example, FTP or web service), these services can sometimes be attacked and exploited by the criminal.

How zombies work (and what they do)


The zombie "kit" includes a means for back-channel communication to the zombie controller, or botherder. In the past, Internet Relay Chat (IRC) was commonly used for this purpose, although many botherders have moved to less obvious and less easily detected communications channels, such as HTTP or SSH (secure shell). This back channel essentially provides the "strings" by which the botherder controls the zombie "puppet."

Most zombies wind up as part of a botnet, where they can be used to distribute spam mail, camouflage spam operations, or perform other anti-social or criminal acts. Refer to the Wiki page on botnets for more info on the career of a typical zombie.

Zombie countermeasures


It goes without saying that computer users need to take every precaution to ensure that their machines are not running as zombies. Otherwise, they are helping to create and sustain a nuisance for everyone on the internet (including themselves), and they risk trouble with their internet providers or others. They also risk theft of important personal information from their computers when the zombie is used by the botherder to gather such information by monitoring keystrokes or snooping in disk files.

Unfortunately, detecting and removing zombie kits is not as easy as we would like it to be. It is seldom a matter of finding and deleting one or two key files; the zombies are very robust, and a concerted effort is usually required to weed them from the computer.

Generally, owners or users of zombie machines do not know that their machines are infested; it would not pay a botherder to create an attack that left obvious traces of its activity. However, many users may learn of the zombie nature of their computers when they experience unexplained loss of performance from their computers or internet connections (caused by the simultaneous activities of the bot).

Many zombie kits take extreme measures to keep users from eradicating them; they may go so far as to block access to well-known virus control websites, and they may inhibit or kill standard virus-detection scanning programs. Often, infested systems have to be painstakingly cleaned by experts, or else just "scraped" in favor of a fresh installation of the operating system and application software.

External Links
Wikipedia:Zombie_computer
tweezersedge.com: cleaning up a zombie


CategorySpamCopGlossaryWikiZ

