Ask Leo! by Leo A. Notenboom

How do I stop my computer from being a zombie?


Summary: If your machine is sending lots of email without you knowing it, it may be a zombie. Zombies are preventable, but may be difficult to clean up.

My computer is a zombie. My IP has been blacklisted as a spammer. I am not and never have been a spammer. I don't know how to liberate my computer. The spammy network grabs control for 48 to 72 hours at a time, and won't let me log on to the internet. My ISP is unfamiliar with zombies.

Unfortunately, while your visible symptoms are more severe than most, what you're experiencing is frighteningly common. It seems like every day there's another study out showing that some incredibly high percentage of machines are infected with malware that can turn them into zombies at a moment's notice.

I'll look at exactly what we mean when we say "zombie", how to tell if your machine is one, how to prevent it and how to try to recover if your machine has been taken over.

If you've ever watched an old B-movie about the dead rising as killer zombies, you've seen them: crowds of the undead shuffling along in a single-minded search for "braaaiiins". Get bitten by one, and you too become a zombie.

Night of the Living Dead: the classic zombie movie

The analogy's not perfect, but it's not bad. Once infected, your computer becomes a zombie too: it joins a legion of other infected machines that all follow instructions from a "zombie master", the person remotely controlling them. The individual infected machines are often called bots, and the network of them under one controller is a botnet.

That single-minded purpose? Sending spam. Lots and lots of spam. The remote controller of a botnet periodically instructs all the infected machines in the network to send spam, or worse.

How do you know if your machine has been infected?

It's not always as obvious as the situation we're faced with here. In this case, the machine becomes unusable for hours at a time, as the spam-sending completely clogs the network connection. Having your ISP "blacklist" your IP address is another strong clue. So is something I've also seen ISPs do: block outbound port 25, so that you can't send mail without reconfiguring your mail program to use a different port. That works because a zombie typically delivers spam directly to the recipients' mail servers on port 25, rather than through your ISP's mail server the way your own mail program does, so the ISP can cut off the spam without cutting off you.
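That difference in behaviour is something you can check for yourself if your router or software firewall logs outbound connections. The script below is an added example, not from the Ask Leo! article: it reads a constructed connection log (the "timestamp source destination port" format, the hosts, the relay address 10.0.0.25 and the thresholds are all assumptions for illustration) and flags any host that opened port-25 connections to many distinct destinations in a short window, which is what direct-to-recipient spam delivery looks like and what a normal mail program, talking to one relay, never does.

```python
"""Spot a spam-sending zombie from outbound connection records.

Added example, not from the Ask Leo! article. A normal desktop talks SMTP to
one relay (its ISP's or mail provider's server); a zombie delivering spam
talks directly to many recipients' mail servers on port 25 in a short time.
The log format, thresholds and relay address below are assumptions.
"""
from collections import defaultdict, namedtuple
from datetime import datetime

Record = namedtuple("Record", "ts src dst port")

# Constructed sample, not real traffic: "timestamp src_ip dst_ip dst_port"
# per line, the kind of outbound-connection record a router or host firewall
# can log. 192.168.1.10 fans out to ten mail servers in six seconds;
# 192.168.1.20 only ever talks to its ISP's relay (10.0.0.25, assumed).
SAMPLE_LOG = """\
2009-03-14T10:00:01 192.168.1.10 203.0.113.5 25
2009-03-14T10:00:01 192.168.1.10 203.0.113.9 25
2009-03-14T10:00:02 192.168.1.10 198.51.100.7 25
2009-03-14T10:00:02 192.168.1.10 198.51.100.8 25
2009-03-14T10:00:03 192.168.1.10 198.51.100.9 25
2009-03-14T10:00:04 192.168.1.10 203.0.113.44 25
2009-03-14T10:00:05 192.168.1.10 203.0.113.45 25
2009-03-14T10:00:05 192.168.1.10 203.0.113.46 25
2009-03-14T10:00:06 192.168.1.10 198.51.100.70 25
2009-03-14T10:00:07 192.168.1.10 198.51.100.71 25
2009-03-14T10:00:30 192.168.1.10 93.184.216.34 80
2009-03-14T10:05:00 192.168.1.20 10.0.0.25 25
2009-03-14T10:05:40 192.168.1.20 10.0.0.25 25
2009-03-14T10:06:10 192.168.1.20 10.0.0.25 25
2009-03-14T10:06:12 192.168.1.20 93.184.216.34 443
"""


def parse_log(text):
    """Parse the constructed format into Record tuples; skips blanks and # comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port = line.split()
        records.append(Record(datetime.fromisoformat(ts), src, dst, int(port)))
    return records


def find_zombies(records, window_seconds=60, min_distinct_dsts=8,
                 allowed_relays=frozenset()):
    """Return {src: N} for every source host that opened port-25 connections
    to at least min_distinct_dsts distinct destinations inside some
    window_seconds-long window. Connections to allowed_relays (your own or
    your ISP's mail servers) are ignored: that is what legitimate mail looks
    like, and counting it would only produce false alarms."""
    by_src = defaultdict(list)
    for r in records:
        if r.port == 25 and r.dst not in allowed_relays:
            by_src[r.src].append(r)

    flagged = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r.ts)
        worst = 0
        j = 0
        for i, first in enumerate(recs):
            # Sliding window: j advances to just past the last record that
            # still falls within window_seconds of recs[i]. Records are sorted,
            # so j only ever moves forward.
            while j < len(recs) and (recs[j].ts - first.ts).total_seconds() <= window_seconds:
                j += 1
            worst = max(worst, len({r.dst for r in recs[i:j]}))
        if worst >= min_distinct_dsts:
            flagged[src] = worst
    return flagged


if __name__ == "__main__":
    for host, n in find_zombies(parse_log(SAMPLE_LOG)).items():
        print(f"{host}: {n} distinct port-25 destinations within 60s, looks like a zombie")
```

Pass `allowed_relays` the address of the mail server your own mail program is configured to use, so that legitimate mail is never counted. The same observation explains the ISP's port-25 block mentioned above, and it is a rule you can apply on your own router: allow outbound port 25 only to that relay, and a zombie can neither deliver its spam directly nor do so quietly, because every blocked attempt shows up in the firewall log.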

Zombies are nothing more than a special class of malware, like a virus or spyware. That means that, in general, the anti-malware software you should already be running should catch attempts to infect your system and set up a zombie. Naturally, it's critical to keep that software up-to-date, both the program itself and the databases it uses. Like all malware, new forms of zombie infection crop up every day, and you need to keep things current to stay on top of them. Keep in mind, too, that a zombie is built to sit quietly until it's given orders, so a machine that seems to be behaving normally is not proof that it's clean.

How can you prevent an attack of the zombies?

As I said above, zombies are just another form of virus or malware. All of the usual precautions that keep you from getting infected with anything apply to keeping zombies at bay:

  • Keep Windows up-to-date. The majority of successful infections occur on unpatched machines.

  • Get behind a firewall - ideally a router, or a software firewall.

  • Run up-to-date anti-spyware and anti-virus software. I have to stress the up-to-date part - a year old, or even a month old, database won't protect you from this week's latest threats.

  • Practice safe computing. Don't open attachments you're not expecting or aren't 100% sure of. Don't fall for phishing attacks, click on popups you don't know are safe, or visit questionable web sites.

Hopefully, for most of you reading, this means simply "keep doing what you're doing".

What if it's too late, and a zombie has taken over?

Once again, it's just another virus, so all the normal virus cleaning rules apply - including the one we never like to think about: once you're infected with anything, you can never be 100% certain that you've cleaned it off.

And that means that once you're infected, the only way to be sure is to back up your data, completely reformat the drive, and reinstall Windows and everything else from scratch.

That's extreme, and in many cases impractical. The alternative is to scan with several different anti-malware tools (at least one of which detects the infection to begin with), and then keep scanning and rescanning until they all report clean. If one of those tools can run from a bootable rescue CD, use it: a scanner running from outside the infected copy of Windows has a much better chance of seeing files that the malware hides from scanners running inside it.

Hopefully you also have a recent backup at hand in case cleaning is unsuccessful, and you have to reformat anyway, or in case cleaning involves removing something important.


Article C3675 - March 14, 2009

Comments (4)

The folks at Trend Micro have a couple of free tools that might help: HouseCall and RUBotted.

http://www.trendsecure.com/portal/en-US/tools/security_tools/housecall

http://www.trendsecure.com/portal/en-US/tools/security_tools/rubotted

Posted by: Mary at March 17, 2009 10:07 AM

If your solution is to wipe and rebuild the computer, remember your backup may be infected.
Use caution when restoring your backed-up data.

Posted by: WOFTBO at March 17, 2009 10:18 AM

I hate to prove my ignorance but I don't see what's good about an image backup to restore from a malware infection. I can see how you might restore data files but you can never use the image to restore anything that has to be installed. Can you? You're back to format, install, update etc. I would say this is almost impossible on a dial-up. You'd be old and gray before you finished and then it might happen again right away. That's why I like to deal face to face with local brick and mortar computer stores. They can fix things.

An image backup is useful in two ways: if you have an image taken from before the infection, you can restore your machine completely to that state in a single operation. If you do have to reformat and reinstall, you're guaranteed that all of the files that were on your machine are in your latest image backup, and thus you can extract and restore individual files as needed, being careful not to restore infected files.
- Leo
18-Mar-2009

Posted by: Duane at March 17, 2009 12:28 PM

In prescribing recovery for a machine already infected with malware, Leo counsels a backup for the infected machine before a complete format of its boot drive and reinstallation of Windows.

However, the logic of this escapes me, since the malware almost certainly will be imaged to the backup, and if the image is ever restored, so will be the malware.

The only possible defense of this approach is when the user has NO backup of any kind of system data, and must make one before the format, or lose the data. In that case, the user should restore selectively only the data required, but not the whole image.

Anyone contemplating this process should understand the difference between restoring a full image and a restoring selectively.

You're absolutely correct. The sad truth is that most people don't back up. And they should. It's scary. So I counsel a full image backup prior to a reformat/reinstall to capture any and all files and data that might be required later for individual, and careful, recovery.
- Leo
18-Mar-2009
Posted by: Bob Greene at March 17, 2009 10:37 PM
