Friday, June 09, 2006


Day of the Dead

Now that we understand how your computer can become a "zombie", why don't we look at how zombies work? After all, you have a router/firewall box on your home network, and you're also using firewall software on your PC itself. So how can the bad guys send commands to your computer, and make it do their bidding?

The answer is that your firewalls (if they're properly configured) block connections to your computers from the Internet. But they intentionally allow connections to the Internet from your computers, because that is what web browsing and email need. The zombie software relies on this. The software contains the Internet addresses of one or more computers that act as command-and-control systems. Periodically — perhaps at random intervals, to avoid sudden floods of activity that would be noticeable and might be investigated — the zombie software wakes up and contacts one of those systems, initiating the connection from your end so that it passes your firewall. It usually does so on the same ports your web browser uses, so the traffic isn't obviously different from ordinary browsing. The control system gives instructions to the zombie computer: send this spam message to this list of recipients; at a given time, participate in a denial-of-service attack against that company; start showing this popup advertisement to the user on every tenth use of his web browser. The controller will even give the zombie a new list of controllers, allowing the controllers to move around the Internet to avoid discovery.
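One practical consequence of the "phone home" pattern described above is that it can sometimes be spotted from the outbound side of the firewall. Even when the zombie randomizes its check-in time, the gaps between its connections to one controller are usually bounded (say, five minutes plus or minus one), while a person's connections to a web site come in irregular bursts. The script below is an added example, not code from the original post; it runs over a constructed egress log in a made-up format (timestamp, source, destination, destination port) and flags destinations that are contacted often with suspiciously regular spacing. The addresses, the log format and the thresholds are assumptions for illustration.

```python
import random
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (not from any real product):
#   <ISO timestamp> OUT src=<ip> dst=<ip> dport=<port>
LOG_RE = re.compile(r"^(\S+) OUT src=(\S+) dst=(\S+) dport=(\d+)$")


def build_sample_log():
    """Construct a small outbound-connection log with three kinds of traffic:
    a jittered beacon, human-looking browsing, and a one-off connection."""
    rng = random.Random(2006)  # seeded so the sample is reproducible
    start = datetime(2006, 6, 9, 8, 0, 0)
    lines = []

    # Zombie beacon: contacts its controller every 4 to 6 minutes (randomized).
    t = start
    for _ in range(24):
        t += timedelta(seconds=rng.uniform(240, 360))
        lines.append(f"{t.isoformat()} OUT src=192.168.1.20 dst=203.0.113.7 dport=80")

    # Human browsing: bursts of requests separated by long idle stretches.
    t = start
    for gap in [4, 9, 1800, 2, 7, 3600, 15, 1, 900, 3, 6]:
        t += timedelta(seconds=gap)
        lines.append(f"{t.isoformat()} OUT src=192.168.1.20 dst=198.51.100.42 dport=80")

    # One-off connection: too few samples to say anything about it.
    lines.append(f"{start.isoformat()} OUT src=192.168.1.20 dst=192.0.2.9 dport=443")
    return lines


def parse(lines):
    """Yield (timestamp, src, dst, dport) for each well-formed line; skip the rest."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), int(m.group(4))


def find_beacons(lines, min_connections=8, max_cv=0.3):
    """Group outbound connections by (src, dst, dport) and measure how regular
    the gaps between them are, using the coefficient of variation (stddev/mean).
    A bounded random jitter keeps the CV small; human traffic makes it large.
    Returns a dict keyed by (src, dst, dport) with the statistics and a verdict."""
    times = defaultdict(list)
    for ts, src, dst, dport in parse(lines):
        times[(src, dst, dport)].append(ts)

    results = {}
    for key, stamps in times.items():
        if len(stamps) < min_connections:
            continue  # not enough evidence either way
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean_gap = statistics.fmean(gaps)
        cv = statistics.pstdev(gaps) / mean_gap if mean_gap > 0 else float("inf")
        results[key] = {
            "connections": len(stamps),
            "mean_gap_s": round(mean_gap, 1),
            "cv": round(cv, 3),
            "beacon": cv <= max_cv,
        }
    return results


if __name__ == "__main__":
    for (src, dst, dport), r in sorted(find_beacons(build_sample_log()).items()):
        verdict = "BEACON?" if r["beacon"] else "ok"
        print(f"{src} -> {dst}:{dport}  n={r['connections']}  "
              f"mean gap={r['mean_gap_s']}s  cv={r['cv']}  {verdict}")
```

The caveat a practitioner would add: this only catches zombies whose jitter is modest relative to the check-in interval. A controller that tells its zombies to wait anywhere from one minute to one day between calls will not stand out this way, which is exactly why the post's advice to avoid infection in the first place is the real defense.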

These webs of zombie computers, or "botnets", are of unknown size and complexity — some estimates put them in the millions — and they can be very hard to track down and deactivate. As in the George Romero films whence this set of posts gets its titles, they tend to take over. Your best defense is just that: defense; do not get infected in the first place.

Install effective antivirus software, and keep it up to date. Any of the major brands will do, but only if you subscribe to and install the updates; an antivirus program with stale signatures doesn't know about the zombies written since it was last updated. I have mine checking for updates every day. Too many people use what was pre-installed on that new computer they bought, but then let the updates expire and don't renew. Renew the subscription; it's worth the small cost.

Install effective firewall software, and pay attention to what it tells you. The first time the zombie program tries to contact the controller, your firewall software will warn you that a program you've never heard of wants to connect to the Internet. Those warnings are hard to interpret, because legitimate programs (update checkers, for example) ask for the same thing, but the rule is simple: if you don't know why a program is trying to talk to the Internet, say no. If it keeps trying, have someone who does understand the situation check your computer out.

If you have broadband, use a router with a built-in firewall in addition to the firewall software on your computers. Routers are cheap enough these days (watch for rebate offers), and give you lots of flexibility in addition to a second layer of protection that keeps the Internet from connecting to your computers directly.

Keep your operating system and web browser up to date. Microsoft makes it easy with their free automated update service. Use it. If you use Linux or Mac OS, keep up to date on those too (yes, most "malware" is written for Windows, because of its ubiquity, but don't become complacent). If you use Firefox or Opera, or some other browser instead of Internet Explorer, be sure you keep that up to date as well.

The same goes for your email program: keep it up to date. Also, configure it, if you can, not to retrieve content from the Internet automatically (remote images in HTML messages, for example). That can be another vector for infection, and it also tells the sender that the message was opened.

Never, never, never open any email attachment, unless you know who's sending it and you're expecting it and know what it is. Do not open an unexpected attachment just because you know the sender: it could be faked, or your buddy's computer could be infected and could be trying to pass it on to you.

Know what web site you're going to, and be wary of random sites. Those "phishing" messages that are trying to get your bank-account information are also trying to infect your computer; don't click on the links just out of curiosity. You might be smart enough not to fall for the "log in here", but the page itself can try to infect your browser, and you might wind up as a zombie anyway.

It sounds scary, and it is. Practice safe Internet.
