Zombies and Botnets

Sang Tran
IT 386 Critical Issues in Information Technology
Central Washington University
Terrence Linkletter



Table of Contents
Executive Summary
Introduction
What is a Zombie?
What is a Botnet?
How Bots Work
How to Tell if Your Computer is Infected
10 Most Wanted Botnets
Protect Against Bots
Conclusion
Works Cited



Executive Summary
The purpose of this paper is to inform the reader about zombies and botnets. It defines what
zombies and botnets are, what they do, and how they work. It also discusses ways to detect
whether a computer is infected, the top 10 botnets and the damage they have done, and ways to
protect a PC from infection.



Introduction
Today, criminals all over the world have taken advantage of a technology that plays a
major role in most people's everyday lives. This technology is the computer, and criminals have
found a way to make it do their bidding through the use of zombies and botnets. Zombies and
botnets are among the most sophisticated and widespread tools of cybercrime today. They allow
hackers to take control of many computers at a time, and to use them to spread viruses, generate
spam, and commit other types of online crime and fraud (Symantec).
What is a Zombie?
A zombie, or drone, is a computer that has been secretly compromised by hacking tools
which allow a third party to control the computer and its resources remotely. When the zombie
computer connects to the Internet the remote hacker can clandestinely make contact with the
computer to mine data from it or use it for any number of purposes. Communication between the
hacker and the computer travels through back channels of the targeted system, keeping these
processes hidden from the owner (wiseGeek).
Most of the time, the owner of a computer that has been infected by zombie malware is
unaware that it is being exploited by an external party. "The increasing prevalence of high speed
connections makes home computers appealing targets for attack. Inadequate security measures
make access relatively easy for an attacker. For example, if an Internet port has been left open, a
small Trojan horse program can be left there for future activation" (SearchMidMarketSecurity).
There are a few other kinds of zombies. In one form of denial-of-service attack, a zombie
is an insecure Web server on which malicious people have placed code that, when triggered at
the same time as other zombie servers, launches an overwhelming number of requests toward a
targeted Web site, which soon becomes unable to service legitimate requests from its users.
A pulsating zombie is one that launches requests intermittently rather than all at once
(SearchMidMarketSecurity).
The hacking tools used to establish hidden control of a remote computer are referred to as
a rootkit. A rootkit is a set of software tools that provides access to the computer it is installed on
and to that computer's resources. A rootkit is not in itself considered malware, as there are
legitimate uses for rootkits in networking. However, rootkits can also be used to target random
computers on the Internet. Once a computer has a malicious rootkit installed, it becomes an
unwilling accomplice of the hacker, blindly following instructions, which is what gives the
zombie computer its name (wiseGeek).
When a computer is infected, the hacker can do many things. "He or she can copy, infect,
corrupt or even erase the entire hard drive. He or she can also install tools that will report
everything typed into the zombie computer, including usernames, passwords and financial data
like credit card numbers and bank accounts. This private information can be used to commit
fraud, identity theft, or can be sold or traded to others" (wiseGeek).

What is a Botnet?
A botnet is essentially a group of zombies working together under one command. Also
known as Web robots, bots are usually part of a network of infected machines, typically victim
machines scattered across the globe. The cybercriminals that control these bots are called
botherders or botmasters. Some botnets might have a few hundred or a couple of thousand
computers, but others have tens or even hundreds of thousands of zombies at their disposal. Many
of these computers are infected without their owners' knowledge (Symantec).


How Bots Work

Bots sneak onto a person's computer in many ways. Bots often spread themselves across
the Internet by searching for vulnerable, unprotected computers to infect. When they find an
exposed computer, they quickly infect the machine and then report back to their master. Their
goal is then to stay hidden until they are instructed to carry out a task.
After a computer is taken over by a bot, it can be used to carry out a variety of automated
tasks, including the following:
Sending:
- Spam, viruses, and spyware

Stealing:
- Information such as credit card numbers, bank credentials, and other sensitive data, which is
sent back to the malicious user

DoS:
- Launching DoS attacks against a specified target
- Extorting money from site owners in exchange for regaining control
- Common targets are also everyday users, attacked for simple thrills

Click fraud:
- Using bots to boost web advertising billings by automatically clicking on Internet ads

(Symantec)
How to Tell if Your Computer is Infected
It's not always easy to tell if your computer has been infected with malware. If it is
unusually slow, or crashes or stops responding frequently, these problems might be signs that
your computer has been infected. However, the same problems might also point to hardware or
software issues that have nothing to do with malware. Symptoms include:
Constant pop-up advertisements. Some unwanted software will bombard you with pop-up ads
that aren't related to the website you're visiting. These ads are often for adult or other websites
you may find objectionable. If you see pop-up ads as soon as you turn on your computer, or when
you're not even browsing the web, you might have spyware or other unwanted software on your
computer.
Settings that change and cannot be changed back. Some unwanted software can change your
home page or search page settings. Even if you adjust these settings, you might find that they
revert every time you restart your computer.
Browser plug-ins you did not install. Spyware and other unwanted software can add toolbars
to your web browser that you don't want or need. Even if you remove these toolbars, they might
return each time you restart your computer.
Computer seems sluggish. Spyware and other unwanted software are not designed to be
efficient. The resources these programs use to track your activities and deliver advertisements
can slow down your computer, and errors in the software can make your computer crash. If you
notice a sudden increase in the number of times a certain program crashes, or if your computer is
slower than normal at performing routine tasks, you may have spyware or other unwanted
software on your machine.
(Microsoft)
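The symptoms above are what the user notices on the machine itself. A complementary check looks at the network, following from the "How Bots Work" section: an infected host reports back to its master and periodically receives instructions, so it tends to contact the same destination at regular intervals. The Python script below is an added example written for this edit, not code from the paper or from any of its sources. It parses a constructed connection log (the three-column format of timestamp, source host and destination host is an assumption for the example) and flags destinations that one host contacts at near-constant intervals.

```python
"""Flag periodic beaconing in outbound connection logs (added example).

A bot reports back to its master and periodically receives instructions, so an
infected host tends to contact the same destination at nearly constant
intervals. The log format used here (ISO timestamp, source host, destination
host) is an assumption for this example, not any product's real format.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log; the five-minute contacts with update.example-cdn.test
# stand in for a bot checking in with its command-and-control host.
SAMPLE_LOG = """\
2009-07-22T10:00:00 pc-17 update.example-cdn.test
2009-07-22T10:00:03 pc-17 mail.example.test
2009-07-22T10:05:00 pc-17 update.example-cdn.test
2009-07-22T10:07:41 pc-17 news.example.test
2009-07-22T10:10:00 pc-17 update.example-cdn.test
2009-07-22T10:11:30 pc-17 mail.example.test
2009-07-22T10:15:00 pc-17 update.example-cdn.test
2009-07-22T10:20:01 pc-17 update.example-cdn.test
2009-07-22T10:25:00 pc-17 update.example-cdn.test
2009-07-22T10:33:12 pc-17 mail.example.test
this line is malformed and is skipped
"""


def parse_log(text):
    """Yield (timestamp, src, dst) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            stamp = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield stamp, parts[1], parts[2]


def find_beacons(text, min_hits=4, max_jitter=0.1):
    """Return {(src, dst): mean_interval_seconds} for flows seen at least
    min_hits times whose gaps vary by no more than max_jitter (coefficient
    of variation, i.e. standard deviation divided by mean)."""
    contacts = defaultdict(list)
    for stamp, src, dst in parse_log(text):
        contacts[(src, dst)].append(stamp)
    beacons = {}
    for flow, stamps in contacts.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(later - earlier).total_seconds()
                for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[flow] = avg
    return beacons


if __name__ == "__main__":
    for (src, dst), interval in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: every {interval:.0f}s, possible beacon")
```

Legitimate software, including update checkers and the security suites the paper recommends, also calls home on a schedule, so a hit is a lead for investigation (look up the destination and the process making the connection), not a verdict of infection. The `mail.example.test` contacts in the sample are irregular and never trigger, even when the hit threshold is lowered.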



10 Most Wanted Botnets
No. 1: Zeus
Compromised U.S. computers: 3.6 million
Main crime use: The Zeus Trojan uses key-logging techniques to steal sensitive data such as user
names, passwords, account numbers and credit card numbers. It injects fake HTML forms into
online banking login pages to steal user data.
No. 2: Koobface
Compromised U.S. computers: 2.9 million
Main crime use: This malware spreads via the social networking sites MySpace and Facebook
with faked messages or comments from "friends." When a user is enticed into clicking on a
provided link to view a video, the user is prompted to obtain a necessary update, like a codec --
but it's really malware that can take control of the computer.
No. 3: TidServ
Compromised U.S. computers: 1.5 million
Main crime use: This downloader Trojan spreads through spam e-mail, arriving as an
attachment. It uses rootkit techniques to run inside common Windows services (sometimes
bundled with fake antivirus software) or in Windows safe mode, and it can hide most of its files
and registry entries.
No. 4: Trojan.Fakeavalert
Compromised U.S. computers: 1.4 million
Main crime use: Formerly used for spamming, this botnet has shifted to downloading other
malware, with its main focus on fake alerts and rogue antivirus software.
No. 5: TR/Dldr.Agent.JKH
Compromised U.S. computers: 1.2 million
Main crime use: This remote Trojan posts encrypted data back to its command-and-control
domains and periodically receives instruction. Often loaded by other malware,
TR/Dldr.Agent.JKH currently is used as a clickbot, generating ad revenue for the botmaster
through constant ad-specific activity.
No. 6: Monkif
Compromised U.S. computers: 520,000
Main crime use: This crimeware's current focus is downloading an adware BHO (browser helper
object) onto a compromised system.
No. 7: Hamweq
Compromised U.S. computers: 480,000
Main crime use: Also known as IRCBrute, or an autorun worm, this backdoor worm makes
copies of itself on the system and any removable drive it finds -- and anytime the removable
drives are accessed, it executes automatically. An effective spreading mechanism, Hamweq
creates registry entries to enable its automatic execution at every startup and injects itself into
Explorer.exe. The botmaster using it can execute commands on and receive information from the
compromised system.
No. 8: Swizzor
Compromised U.S. computers: 370,000
Main crime use: A variant of the Lop malware, this Trojan dropper can download and launch
files from the Internet on the victim's machine without the user's knowledge, installing an adware
program and other Trojans.
No. 9: Gammima
Compromised U.S. computers: 230,000
Main crime use: Also known as Gamina, Gamania, Frethog, Vaklik and Krap, this crimeware
focuses on stealing online game logins, passwords and account information. It uses rootkit
techniques to load into the address space of other common processes, such as Explorer.exe, and
will spread through removable media such as USB keys. It's also known to be the worm that got
into the International Space Station in the summer of 2008.
No. 10: Conficker
Compromised U.S. computers: 210,000
Main crime use: Also called Downadup, this downloader worm has spread significantly
throughout the world, though not so much in the U.S. It's a complex downloader used to
propagate other malware. Though it has been used to sell fake antivirus software, this crimeware
currently seems to have no real purpose other than to spread. Industry watchers fear a more
dangerous purpose will emerge.
(NetworkWorld)
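Two of the botnets listed, Hamweq and Gammima, spread through removable drives and rely on an autorun.inf file to run when the drive is accessed. As an added example (not from the paper or from NetworkWorld), the following Python script parses an autorun.inf and reports which programs it would launch, along with heuristics a defender would look for: a launch target hidden in a folder that mimics a system folder such as RECYCLER, a file name that mimics a Windows process, and an action= caption that imitates the normal "Open folder to view files" prompt. Both sample files are constructed, and the folder and process names used in the heuristics are the script's own assumptions.

```python
"""Inspect an autorun.inf from removable media for launch directives (added example).

Worms such as Hamweq and Gammima copy themselves to removable drives and rely
on autorun.inf to run when the drive is opened. This parser lists every
program the file would launch and applies a few defender heuristics. The
folder and process names below are this example's own assumptions.
"""

LAUNCH_KEYS = ("open", "shellexecute")
SYSTEM_LIKE_NAMES = ("svchost.exe", "explorer.exe", "csrss.exe", "lsass.exe")
DECOY_FOLDERS = ("recycler", "recycled")

# Constructed sample: the pattern a removable-drive worm leaves behind.
SAMPLE_SUSPICIOUS = r"""
[autorun]
open=RECYCLER\S-1-5-21-0000\svchost.exe
shell\open\Command=RECYCLER\S-1-5-21-0000\svchost.exe
shell\explore\Command=RECYCLER\S-1-5-21-0000\svchost.exe
action=Open folder to view files
icon=%SystemRoot%\system32\SHELL32.dll,4
"""

# Constructed sample: an install disc that only sets an icon and a label.
SAMPLE_BENIGN = r"""
[autorun]
icon=setup.exe,0
label=Vendor Install Disc
"""


def parse_autorun(text):
    """Return {key: value} for the [autorun] section, keys lower-cased."""
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries):
    """Return [(key, command)] for directives that run a program:
    open=, shellexecute=, and shell\\<verb>\\command=."""
    return [(key, value) for key, value in entries.items()
            if key in LAUNCH_KEYS
            or (key.startswith("shell\\") and key.endswith("\\command"))]


def assess_autorun(text):
    """Return human-readable findings for one autorun.inf (empty if clean)."""
    entries = parse_autorun(text)
    findings = []
    for key, command in launch_targets(entries):
        tokens = command.split()
        program = tokens[0].strip('"').replace("/", "\\") if tokens else ""
        lowered = program.lower()
        findings.append(f"{key} runs {program}")
        if any(lowered.startswith(folder + "\\") for folder in DECOY_FOLDERS):
            findings.append(f"{key}: target hidden in a folder that mimics a system folder")
        if lowered.rsplit("\\", 1)[-1] in SYSTEM_LIKE_NAMES:
            findings.append(f"{key}: target named like a Windows system process")
    if entries.get("action", "").lower().startswith("open folder"):
        findings.append("action= caption imitates the built-in 'Open folder to view files' prompt")
    return findings


if __name__ == "__main__":
    for name, sample in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(f"{name}: {assess_autorun(sample) or ['no launch directives']}")
```

Current Windows versions no longer honour autorun.inf on USB drives, but the file is still a reliable indicator that a drive has passed through an infected machine, and the launch target it names is the file to submit for analysis. The benign sample produces no findings because it only sets an icon and a label.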
Protect Against Bots

To safeguard against malicious bots, security experts offer the following advice:
1. Install top-rated security software (such as Norton 360 or Norton Internet Security).
2. Configure your software's settings to update automatically.
3. Increase the security settings on your browser.
4. Limit your user rights when online.
5. Never click on attachments unless you can verify the source.
6. Ensure that your system is patched with the most current Microsoft Windows updates.
7. Set your computer's security settings to update automatically, to ensure you always have the
most current system patches.
8. Use a firewall.
9. Delete spam without opening it.
10. Avoid installing programs from untrusted sources.
11. Don't allow untrusted websites to install software.
12. Use strong passwords and keep them secret.
(Symantec and wiseGeek)
Conclusion
There is undeniable proof that zombies and botnets can do devastating things in the hands of
criminals, who use them to ruin lives while enriching themselves. But as sophisticated as zombies
and botnets are, law enforcement agencies are also getting better at detecting them. While
criminals are always finding new ways to commit crimes, law enforcement agencies are making it
harder for them to use today's popular tactics, so the problem is not as widespread as it could be.
Average PC users are also being informed and educated about how to avoid infection by malware,
which helps greatly in the fight against zombies and botnets.



Works Cited
Microsoft. How to Better Protect Your PC from Botnets and Malware. Retrieved from http://www.microsoft.com/security/pc-security/botnet.aspx
NetworkWorld. (July 22, 2009). America's 10 Most Wanted Botnets. Retrieved from http://www.networkworld.com/article/2260410/network-security/america-s-10-most-wanted-botnets.html
SearchMidMarketSecurity. Zombie (bot). Retrieved from http://searchmidmarketsecurity.techtarget.com/definition/zombie
Symantec. Bots and Botnets - A Growing Threat. Retrieved from http://securityresponse.symantec.com/norton/theme.jsp?themeid=botnet
wiseGeek. What is a Computer Zombie? Retrieved from http://www.wisegeek.com/what-is-a-zombie-computer.htm
