Helping people with computers... one answer at a time.

Botnets are implicated in the increase in spam in recent months. Bad news: many are infected and part of the problem. Good news: it's easy to avoid.

How can I identify if my computer is a member of a "Zombie" network created by botnets? Can I use "procexp.exe" to identify if my computer has been captured? If a computer is captured does it have to be on for it to be used and how can a botnet be eliminated. Lastly is there a defense?

You are right to be concerned. Botnets are considered responsible for the massive increase in spam we've all seen in the past years and months.

The really sad part is that it's really easy to protect yourself. The fact that botnets are so successful indicates that too many people still aren't taking the simple steps they need to keep their machines safe.

If you remember nothing else from this article, remember these points:

  • Run anti-spyware software and keep it up to date

  • Run anti-virus software and keep it up to date

  • Keep Windows up to date using Automatic Updates or by visiting Windows Update

  • Use a firewall or a router

  • Use common sense when deciding to open email attachments

As I said, the fact that botnets are as successful as they are indicates that too many people are ignoring some, or all, of that advice.

So what's a "botnet"? A network of bots! OK, that wasn't very helpful.

A 'bot' is a semi-slang term for a software "robot" of sorts - a program that is intended to operate independently to perform some task, often in response to commands sent to it remotely. The term "zombie" simply refers to a machine that is infected with such a bot, since most of the time it lies dormant until it's called on to perform some task.

So a botnet is a networked collection of computers infected with software that can be remotely controlled to awaken and perform some task.

Typically that task is to send email. Lots of email. Lots of spam.

(And yes, if it's infected your computer must be running and connected to the network to participate in a botnet.)

"As always there's still no substitute for common sense."

How can you tell if you're infected? It's not always easy to just look at your machine and figure it out. Your network connection may be very slow because of all the mail that's being sent. Or perhaps with process explorer you'll notice programs that you don't recognize running. Perhaps you can monitor internet activity on your machine, and you see a lot of connections to port 25 on remote machines that you don't recognize. Perhaps your firewall is alerting you to suspicious connections being made by your machine to unknown remote computers.

Or perhaps none of the above are clear and/or obvious.

Fortunately, the best detection turns out to be the same set of steps needed to prevent infection in the first place.

How can you prevent infection? Follow that list of steps I mentioned at the beginning of this article.

You'll note I've been using the term "infection", and that's on purpose. The software used to create botnets is simply a form of spyware or virus. Thus a good anti-virus scanner, coupled with a good anti-spyware scanner, both with up-to-date databases of information, will detect most all bot software that's on or trying to get on your machine.

Keeping Windows up to date is an important part of removing newly discovered vulnerabilities that malware might use to get onto your machine. Using a firewall further protects you from outside intrusion - and a good software firewall might also help alert you that something's wrong after an infection.

As always there's still no substitute for common sense. All the protection in the world can't help you if you insist on opening email attachments that you're not absolutely positive are safe to open. Your anti-spyware and anti-virus programs may catch your mistake but especially in the case of new malware the scanners often take a day or two to update their databases. That means during that time you may still get infected if you open an attachment containing malware that the scanners don't yet know about.

The bottom line is that protecting against botnets is no different than protecting against any other malware. The same basic tools, techniques and habits work for both.

Article C2900 - January 16, 2007 « »

Share this article with your friends:

Share this article on Facebook Tweet this article Email a link to this article
Leo Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions. More about Leo.

Not what you needed?

The Volg
May 13, 2007 3:32 PM

Hi Leo,

We have implemented a new spam/virus filter at our work. It is setup so that if someone send us an email that is suspected spam or virus, the sender will recieve a reply email informaing them that their email did not make it to us.
Lately people have been sending us emails asking why they are recieving an email reply to an email that they never sent. I always direct them to this article as it clears up all the hassle of explaining to them that they might have a virus. After i direct them here I never hear from them obviouly the points you mention at the start fix everything up!
Keep up the good work! (it makes my job easier!!)

April 7, 2008 2:22 PM

Just read this article about the now largest botnet in the world, Kraken.
I quote: "The so-called Kraken botnet has been spotted in at least 50 Fortune 500 companies and is undetectable in over 80 percent of machines running antivirus software. Kraken appears to be evading detection by a combination of clever obfuscation techniques, including regularly updating its binary code and structuring the code in such a way that hinders any static analysis."

Should I be worried?


July 22, 2009 2:59 AM

In Outlook Express email client, there is a setting under "security option" stating "warn me when other applications try to send mail as me". Is that helping into knowing if my PC is sending spam or the like?.

No. Leave it set, but it only covers a now infrequently used technique where viruses would hijack Outlook Express for your address book. Current malware bypasses email programs completely, in which case that setting has no effect.
- Leo

Comments on this entry are closed.

If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.

If you don't find your answer, head out to to ask your question.