Helping people with computers... one answer at a time.

If your machine is sending lots of email without you knowing it, it may be a zombie. Zombies are preventable, but may be difficult to clean up.

My computer is a zombie. My IP has been blacklisted as a spammer. I am not and never have been a spammer. I don't know how to liberate my computer. The spammy network grabs control for 48 to 72 hours at a time, and won't let me log on to the internet. My ISP is unfamiliar with zombies.

Unfortunately, while your visible symptoms are more severe than most, what you're experiencing is frighteningly common. It seems like every day there's another study out showing that some incredibly high percentage of machines are infected with malware that can turn them into zombies at a moment's notice.

I'll look at exactly what we mean when we say "zombie", how to tell if your machine is one, how to prevent it and how to try to recover if your machine has been taken over.

If you've ever watched an old B-movie about the dead rising as killer zombies, you've seen them: crowds of the undead shuffling along in a single minded search for "braaaiiins". Get bitten by one, and you too can be a zombie.

Night of the Living Dead: the classic zombie movie

The analogy's not perfect, but it's not bad. Once infected, your computer can also become a zombie and join a legion of other zombie machines with a single minded purpose to follow the instructions provided to it by a "zombie master" - a person remotely controlling a network of infected computers, also often called bots - a botnet.

That single minded purpose? Sending spam. Lots and lots of spam. The remote controller of a botnet will periodically instruct all the infected machines that are part of that network to send spam, or worse.

How do you know if your machine has been infected?

It's not always as obvious as the situation we're faced with here. In this case, the machine becomes unusable for hours at a time, as the spam-sending completely clogs the network connection. Having your ISP "blacklist" your IP address, or as I've also seen, block port 25 so that you can't send mail without additional configuration, is another strong clue.

"Zombies are nothing more than a special class of malware ..."

Zombies are nothing more than a special class of malware like a virus or spyware. That means that in general, the anti-malware software you should be running should be catching any attempts to infect your system and set up a zombie. Naturally, it's critical to keep your machine's anti-malware software up-to-date, both the software and the databases that are used. Like all malware, new forms of zombie infections are cropping up every day, and you need to keep things current to stay on top of it.

How can you prevent an attack of the zombies?

As I said above, zombies are just another form of virus or malware. All of the usual precautions that keep you from getting infected with anything apply to keeping zombies at bay:

  • Keep Windows up-to-date. The majority of successful infections occur on unpatched machines.

  • Get behind a firewall - ideally a router, or a software firewall.

  • Run up-to-date anti-spyware and anti-virus software. I have to stress the up-to-date part - a year old, or even a month old, database won't protect you from this week's latest threats.

  • Practice safe computing. Don't open attachments you're not expecting or aren't 100% sure of. Don't fall for phishing attacks, click on popups you don't know are safe, or visit questionable web sites.

Hopefully, for most of you reading, this means simply "keep doing what you're doing".

What if it's too late, and a zombie has taken over?

Once again, it's just another virus, so all the normal virus cleaning rules apply - including the one we never like to think about: once you're infected with anything, you can never be 100% certain that you've cleaned it off.

And that means that once infected the only way to be sure is to backup, and completely reformat and reinstall Windows and everything else.

That's extreme, and in many cases impractical. The alternative is to scan with multiple different anti-malware tools (at least one of which that detects the infection to start with), and then keep scanning and rescanning until they all report clean.

Hopefully you also have a recent backup at hand in case cleaning is unsuccessful, and you have to reformat anyway, or in case cleaning involves removing something important.

Article C3675 - March 14, 2009 « »

Share this article with your friends:

Share this article on Facebook Tweet this article Email a link to this article
Leo Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions. More about Leo.

Not what you needed?

5 Comments
Mary
March 17, 2009 10:07 AM

The folks at Trend Micro have a couple of free tools that might help: HouseCall and RUBotted.

http:// www.trendsecure.com/portal/en-US/tools/security_tools/housecall

http:// www.trendsecure.com/portal/en-US/tools/security_tools/rubotted

WOFTBO
March 17, 2009 10:18 AM

IF your solution is to wipe and rebuild the computer remember your backup maybe infected.
Use caution when restoring your backed up data.

Duane
March 17, 2009 12:28 PM

I hate to prove my ignorance but I don't see what's good about an image backup to restore from a malware infection. I can see how you might restore data files but you can never use the image to restore anything that has to be installed. Can you? You're back to format, install, update etc. I would say this is almost impossible on a dial-up. You'd be old and gray before you finished and then it might happen again right away. That's why I like to deal face to face with local brick and mortar computer stores. They can fix things.

An image backup is useful in two ways: if you have an image taken from before the infection, you can restore your machine completely to that state in a single operation. If you do have to reformat and reinstall, you're guaranteed that all of the files that were only your machine are on your latest image backup, and thus you can extract and restore individual files, as needed - being careful not to restore infected files.
- Leo
18-Mar-2009

Bob Greene
March 17, 2009 10:37 PM

In prescribing recovery for a machine already infected with malware, Leo counsels a backup for the infected machine before a complete format of its boot drive and reinstallation of Windows.

However, the logic of this escapes me, since the malware almost certainly will be imaged to the backup, and if the image is ever restored, so will be the malware.

The only possible defense of this approach is when the user has NO backup of any kind of system data, and must make one before the format, or lose the data. In that case, the user should restore selectively only the data required, but not the whole image.

Anyone contemplating this process should understand the difference between restoring a full image and a restoring selectively.

You're absolutely correct. The sad truth is that most people don't backup. And they should. It's scary. So I counsel a full image backup prior to a reformat/reinstall to capture any and all files and data that might be required later for individual, and careful, recovery.
- Leo
18-Mar-2009
vvidi
April 28, 2010 4:40 PM


These are very helpful tips and i would like to another.
If you purchased a computer second hand you may have received very genuine looking restore disks that were silk screened by a resourceful scammer.

Always purchase restore media from the manufacturer's site secure and time-saving as all the needed drivers are in one place.

Comments on this entry are closed.

If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.

If you don't find your answer, head out to http://askleo.com/ask to ask your question.