2.2.2 Botnets and Zombies

A botnet is a collection of computers that have been taken over by an attacker and then used for malicious purposes. The compromised computers are called zombies or zombie drones, and they could have been compromised by a number of different methods, including tricking the user into installing a Trojan horse. Once the attacker, called the botmaster, gains remote control of a computer, the botmaster downloads a bot software program, such as IRCBot, onto it. The computer is then recruited to find other vulnerable computers to join the botnet.

The botmaster uses servers to issue commands to the botnet. Instructions can use a number of protocols including Transmission Control Protocol (TCP), Internet Relay Chat (IRC), and Simple Mail Transfer Protocol (SMTP).

Once the botnet is large enough (thousands and possibly even millions of zombies), the botmaster will launch an attack. Typically it is a DDoS attack, but botnets are also known to send out vast quantities of spam or to infect millions of computers with viruses or worms. Zombies can scan for vulnerable servers that can be hijacked to host phishing sites, which impersonate legitimate services in order to steal passwords and other identity data.

Botnets are hard to detect because the botmaster typically proxies the control commands through several compromised machines on different networks and changes them often. Botnet detection tools analyze traffic and flag abnormal traffic patterns. DNS log analysis, anomaly detection, and "honeypots" are also used to detect botnets.
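To make the detection approach concrete, here is an added example (not part of the original text) that applies two of the checks above to a DNS query log: it flags clients whose lookups mostly fail with NXDOMAIN, as a zombie cycling through generated names looking for its controller would, and client/name pairs queried at near-constant intervals, as a zombie polling its command server on a timer would. The log lines, addresses, names and thresholds are all constructed for the example.

```python
"""Flag bot-like clients in a DNS query log (constructed data; thresholds are assumptions)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, one query per line: "timestamp client queried_name rcode"
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 cdn.example.com NOERROR
2024-05-01T10:00:41 10.0.0.5 www.example.org NOERROR
2024-05-01T10:00:02 10.0.0.7 xk3q9vb2.example.net NXDOMAIN
2024-05-01T10:00:03 10.0.0.7 p0w7zt1c.example.net NXDOMAIN
2024-05-01T10:00:04 10.0.0.7 mq8ya4rd.example.net NXDOMAIN
2024-05-01T10:00:06 10.0.0.7 cdn.example.com NOERROR
2024-05-01T10:00:00 10.0.0.9 update-check.example.net NOERROR
2024-05-01T10:01:00 10.0.0.9 update-check.example.net NOERROR
2024-05-01T10:02:01 10.0.0.9 update-check.example.net NOERROR
2024-05-01T10:03:00 10.0.0.9 update-check.example.net NOERROR
2024-05-01T10:02:30 10.0.0.9 www.example.org NOERROR
"""


def parse(log):
    """Turn the raw text into (time, client, name, rcode) tuples."""
    rows = []
    for line in log.splitlines():
        ts, client, name, rcode = line.split()
        rows.append((datetime.fromisoformat(ts), client, name, rcode))
    return rows


def nxdomain_suspects(rows, min_queries=4, max_ratio=0.5):
    """Clients whose lookups mostly fail: most generated controller names are never registered."""
    total, failed = defaultdict(int), defaultdict(int)
    for _, client, _, rcode in rows:
        total[client] += 1
        failed[client] += (rcode == "NXDOMAIN")
    return {c: round(failed[c] / total[c], 2) for c in total
            if total[c] >= min_queries and failed[c] / total[c] > max_ratio}


def beacon_suspects(rows, min_hits=4, max_jitter=2.0):
    """(client, name) pairs queried at near-constant intervals; value is the mean gap in seconds."""
    times = defaultdict(list)
    for ts, client, name, _ in rows:
        times[(client, name)].append(ts)
    hits = {}
    for key, stamps in times.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(gaps) >= min_hits - 1 and pstdev(gaps) <= max_jitter:
            hits[key] = round(mean(gaps), 1)
    return hits
```

On the sample log, the first check flags 10.0.0.7 (three of four lookups fail) and the second flags 10.0.0.9 querying update-check.example.net every 60 seconds; the normal client 10.0.0.5 is flagged by neither.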

If users notice that their computer has become sluggish, they should scan its files with anti-virus and anti-spyware software.