Zombie Computers
By Fernando de la Cuadra, Panda Software
Friday, 1 April 2005 14:39 EST
Voodoo followers are convinced that the dead can come back to life and use rituals, potions and dances for this. However, rather than coming back as normal people, these supposedly dead individuals return as slaves, who obey the voodoo master's every command.
These types of dead people brought back to life are known as "zombies", although this term is perhaps more readily associated with horror movies than Caribbean witchcraft.
So what does a man brought back from the dead have to do with computers? Simply put, it is possible that you may have a computer at home or at the office which has become a zombie. However, these are not computers that appear to have been damaged and become operational once again after the repair service, but rather PCs that, as a result of malware, have been converted into slaves and are now controlled by a hacker.
Opening an email with a Trojan, downloading a supposed plug-in to access any website or carrying out any other action which results in a virus infection will be sufficient to produce the above-mentioned state. Unfortunately, software that converts the system into a zombie does not show any particular message as it wants to remain concealed from the user for as long as possible.
The type of software which will enslave your PC falls comfortably within the traditional definitions of malware. As with Trojans, the software that has hijacked your system has been given free rein by you; as soon as you are careless, it is activated and allows another person to perform different actions. The consequences of a computer hijacked in this way are widespread, all depending on the ill intent of the person offering you such software.
In some cases the zombie starts to send email messages, becoming an authentic spammer. Generally, spam tries to hide its true source but, naturally, your email messages have no reason to conceal this. Spam sent with your name and address will result in an avalanche of incoming mail, both erroneous address notifications and user complaints. However, the biggest problem is that you may fall foul of the law, since spammers hide themselves so they cannot be detected easily, while you are offering every facility possible to enable location.
Another dangerous consequence is hackers using your computer to launch an attack on another system. If a hacker has access to your PC, they may issue a particular command to perform certain actions, such as a DoS (Denial of Service) attack. As with spam, in the eyes of the law it will be you who is carrying out the attack, not the hacker who gave the order.
There are many more actions that can be performed, although those previously indicated are the most common for computers converted into zombies; it all depends on the ability and intentions of the hacker. Zombie software listens for commands on a specific port, without interfering with the computer's normal TCP/IP communication. This enables the computer to send email, launch an attack, conceal the hacker etc.
In practice there are 65,536 destination ports which applications use to communicate with one another. In a zombie computer, apart from normal ports that known applications use (as seen above), it is possible that other applications may be listening through other ports. A firewall makes sure that only standard ports are used and notifies the user if listening occurs through an unknown port.
In order to avoid such a situation, it is necessary to have a system installed in the computer that protects not only against viruses but also all types of malicious code and intrusions which, by exploiting any open port in your PC, try to convert your system into a zombie.
To see which ports are open and what they are doing on a particular computer, Windows has a very useful tool called NETSTAT. This command, inherited from UNIX, lets you check the status of the ports of your TCP/IP connection. By typing "NETSTAT" in an MS-DOS window, information will be displayed on which ports are listening, which simply have a connection established and which are awaiting data.
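The two checks described above, a firewall-style comparison of listening ports against the ports your known applications use and a NETSTAT review, can be scripted. The following is an added example, not code from the original article or from Panda Software: it parses constructed "netstat -an"-style lines (not captured from any real machine), flags TCP listeners outside a hypothetical baseline of expected ports, and counts outbound connections to port 25, which is what a zombie sending spam would open.

```python
# Added example: review netstat output for signs of a zombie (a listener on an unexpected
# port, or many outbound SMTP connections). Sample lines below are constructed.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING
  TCP    [::]:135               [::]:0                 LISTENING
  TCP    192.168.1.10:1052      203.0.113.5:25         ESTABLISHED
  TCP    192.168.1.10:1053      203.0.113.7:25         SYN_SENT
  UDP    0.0.0.0:137            *:*
"""

# Assumed baseline of ports this PC is expected to listen on (hypothetical; set per host).
BASELINE_LISTENERS = {135, 139, 445}


def split_addr(addr):
    """Split 'host:port' (IPv4, bracketed IPv6 or '*:*') into (host, port or None)."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Parse 'netstat -an'-style lines into dicts; header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        lhost, lport = split_addr(parts[1])
        fhost, fport = split_addr(parts[2])
        state = parts[3] if len(parts) > 3 else ""  # UDP rows carry no state column
        entries.append({"proto": parts[0], "lhost": lhost, "lport": lport,
                        "fhost": fhost, "fport": fport, "state": state})
    return entries


def unexpected_listeners(entries, baseline=BASELINE_LISTENERS):
    """TCP ports in LISTENING state outside the baseline: candidates for a bot's control port."""
    return sorted({e["lport"] for e in entries
                   if e["proto"] == "TCP" and e["state"] == "LISTENING"
                   and e["lport"] not in baseline})


def outbound_smtp(entries):
    """TCP connections whose remote port is 25; a workstation opening many looks like a spam zombie."""
    return [e for e in entries if e["proto"] == "TCP" and e["fport"] == 25]
```

On a real machine, feed the text of "netstat -an" into parse_netstat and review anything unexpected_listeners returns against the applications you know are installed.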
Once your computer has an application that hijacks it and a listening port, it will become controlled by a hacker. And it may not just be you; there are cases of entire networks of zombie computers at the mercy of a hacker. Ultimately, there may be tens or hundreds of computers with a "bot" (a program used to enslave PCs).
It is important to never drop your guard. Although it appears unbelievable, in 2004 more "bots" were detected than any other type of malicious code. There are already thousands of malware specimens which have the word "bot" in their name, with hundreds of versions. As their source code is found on the Internet, many ill-intentioned individuals modify and distribute it, probably exploiting a zombie network.
As already mentioned, the solution normally involves having an antivirus (which not only detects and eliminates viruses, but also bots and other malware) with a firewall incorporated. It would also be very useful to include another type of preventive technology in your defense system, capable of detecting all types of unknown malware.