
Is your PC part of a Zombie Botnet? Check now!

by Shanmuga

Bots, Botnets and Botmaster

A malicious bot (short for robot), also called a zombie, is a computer that someone other than its actual owner can control completely. The attacker takes control of the target computer by infecting it with malicious code written for that purpose. A virtual network of such compromised machines controlled by one or more outside sources is known as a botnet. Botnets can consist of a few hundred to several thousand compromised machines. The person who remotely controls a botnet is called a botmaster.

Most security experts consider botnets the number one security threat on the Internet today. It has become easier to recruit botmasters for sophisticated botnet attack services. Botnets are very dynamic and very difficult to detect, as they adapt their behavior to bypass common security perimeters.


How Are Botnets Created?

Botnet creation begins with the download of a software program called a “bot” (for example, IRCBot, SGBot, or AgoBot) along with an embedded exploit (or payload) by an unsuspecting user, who might click an infected e-mail attachment or download infected files or freeware from peer-to-peer (P2P) networks or malicious Websites.

Once the bot and exploit combination is installed, the infected machine contacts a public server that the botmaster has set up as a control plane to issue commands to the botnet. A common technique is to use public Internet Relay Chat (IRC) servers, but hijacked servers can also issue instructions using Secure HTTP (HTTPS), Simple Mail Transfer Protocol (SMTP), Transmission Control Protocol (TCP), and User Datagram Protocol (UDP) strings. Control planes are not static and are frequently moved to evade detection; they run on machines (and by proxies) that are never owned by the botmaster.

Using the control plane, the botmaster can periodically push out new exploit code to the bots. It can also be used to modify the bot code itself in order to evade signature-based detection or to accommodate new commands and attack vectors.

Initially, however, the botmaster’s primary purpose is to recruit additional machines into the botnet. Each zombie machine is instructed to scan for other vulnerable hosts. Each new infected machine joins the botnet and then scans for potential recruits. In a matter of hours, the size of a botnet can grow very large, sometimes comprising millions of PC’s on diverse networks around the world.

Armed with this zombie army, the botmaster is now ready to launch the first major attack. Practically anyone with a computer is an attack target, whether a small business, a home user, a corporate office, or a retail point-of-sale terminal. Locating the botmaster is an extremely tricky task. The botmaster typically proxies the control commands through several compromised machines on diverse networks. Proxy connections, as well as the control plane, are changed often to make it nearly impossible to track down the botmaster.

(Source: Botnets: The New Threat Landscape White Paper [Threat Control] – Cisco Systems)

Undetected unless one is looking for specific symptoms, bots are often used in various Internet-based criminal activities, including DDoS (Distributed Denial of Service) attacks and the distribution of malware and spam.

The three most common bot variants used are:

  • Agobot/Phatbot/Forbot/XtremBot
  • SDBot/RBot/UrBot/UrXBot
  • mIRC-based Bots

Botnet Activities

The possible uses of a botnet are criminal in nature and limited only by the imagination of the botmaster. Some of the common activities are:

  • Infecting and adding other systems to the botnet
  • Distributed Denial-of-Service Attacks
  • Spam
  • Key logging
  • Spreading new malware
  • Installing Adware
  • Committing click fraud
  • Manipulation of online polls/games
  • Phishing
  • Distributing Warez and other illegal downloads

Symptoms of Bot(net) Malware – Are you Infected?

  • Your computer is typically made part of a botnet by infecting it with a worm that exploits system vulnerabilities. This malware is unlikely to disable the host computer, because the bot must stay connected to the Internet for the botnet to survive. However, it might cause your computer to slow down, crash or display unexpected messages. The symptoms are mostly similar to those of other malware infections; refer to our Symptoms of Malware Infection.

  • Botnets congest network connections. Investigate your system if the Internet connection appears slow, or when you notice anomalous network activity while you are not using the Internet: the bot agent may be using your system to send and receive data.

  • Check your email “outbox” and “sent items” folder for unrecognized messages.

  • Query the anti-spam databases to see whether your IP address is listed. If it is listed as a source of spam or other abuse in multiple blacklists, that may indicate a botnet infection. Robtex provides a free service to check an IP against multiple blacklists.

    Substitute the xxx with your IP in the following URL to check whether it is on the blacklists.

  • BotHunter and Trend Micro RUBotted are two free specialized tools that help discover real-time stealth botnet activity on the system.
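The blacklist check described above, as an added example that is not part of the original post and not Robtex's service: it shows the mechanism behind such lookups. A DNSBL query reverses the octets of the address, appends the zone name, and resolves the result; an A record inside 127.0.0.0/8 means "listed", while NXDOMAIN means "not listed". The zone names are assumptions (use the zones you trust and respect their usage policies), and the canned resolver data at the bottom is constructed so the script runs offline.

```python
"""DNS-based blacklist (DNSBL) lookup for an IPv4 address.

Added example, not code from the original page or from Robtex.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# Assumed zones for illustration; substitute the blacklists you rely on.
DEFAULT_ZONES: List[str] = ["zen.spamhaus.org", "bl.spamcop.net"]

# A listing is signalled by an answer in 127.0.0.0/8. Spamhaus reserves
# 127.255.255.0/24 for query errors (e.g. query sent via a public resolver,
# or rate limited), so those answers must not be read as a listing.
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")
ERROR_RANGE = ipaddress.ip_network("127.255.255.0/24")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the query name: octets reversed, then the zone appended."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    reversed_octets = ".".join(reversed(ip.split(".")))
    return f"{reversed_octets}.{zone}"


def is_listed_answer(answer: Optional[str]) -> bool:
    """Interpret a resolver answer; None (NXDOMAIN) means not listed."""
    if answer is None:
        return False
    addr = ipaddress.ip_address(answer)
    if addr in ERROR_RANGE:
        return False  # query error, not a listing
    return addr in LISTED_RANGE


def resolve(name: str) -> Optional[str]:
    """Resolve a query name with the system resolver; None when it does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_ip(ip: str, zones: List[str] = DEFAULT_ZONES,
             resolver: Callable[[str], Optional[str]] = resolve) -> Dict[str, bool]:
    """Return {zone: listed?} for every zone. The resolver is injectable so
    the logic can be exercised offline with canned answers."""
    return {zone: is_listed_answer(resolver(dnsbl_query_name(ip, zone)))
            for zone in zones}


if __name__ == "__main__":
    # Constructed answers standing in for real DNS so this runs offline:
    # 192.0.2.1 is "listed" on one zone, 198.51.100.7 on none.
    canned = {"1.2.0.192.zen.spamhaus.org": "127.0.0.4"}
    for ip in ("192.0.2.1", "198.51.100.7"):
        print(ip, check_ip(ip, resolver=canned.get))
```

To query live, call `check_ip("your.ip.address")` without a resolver argument. Note that some zone operators reject queries relayed through large public resolvers and answer with an error code instead of a listing, which is why the error range is handled separately.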


BotHunter is “designed to track the two-way communication flows between internal assets and external entities, developing an evidence trail of data exchanges that match a state-based infection sequence model. BotHunter consists of a correlation engine that is driven by a customized and augmented release of Snort version 2, which tracks the underlying actions that occur during the malware infection process: inbound scanning, exploit usage, egg downloading, outbound bot coordination dialog, outbound attack propagation, and malware P2P communication.

The BotHunter correlator then ties together the dialog trail of inbound intrusion alarms with those outbound communication patterns that are highly indicative of successful local host infection. When a sequence of evidence is found to match BotHunter’s infection dialog model, a consolidated report is produced to capture all the relevant events and event sources that played a role during the infection process.”
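To make the quoted infection-dialog idea concrete, here is an added example (not BotHunter's code) of a small correlator: instead of alerting on any single signature, it groups IDS alerts by internal host and declares an infection only when the host's evidence trail meets a threshold rule. The phase labels E1 to E5, the internal network prefix, the sample alert lines and the threshold rule (inbound exploit plus one outbound sign, or two distinct outbound signs) are all assumptions constructed for illustration.

```python
"""Toy infection-dialog correlator over constructed IDS alert lines.

Added example, not BotHunter's code; phases, rule and data are assumptions.
"""
from collections import defaultdict
from typing import Dict, List, Set

INTERNAL_NET = "10.0.0."  # constructed: hosts with this prefix are "ours"

# Inbound phases are observed with the internal host as destination,
# outbound phases with the internal host as source.
INBOUND = {"E1_SCAN", "E2_EXPLOIT"}
OUTBOUND = {"E3_EGG_DOWNLOAD", "E4_CNC_DIALOG", "E5_OUTBOUND_SCAN"}

# Constructed alert log, one alert per line: "<time> <phase> <src> -> <dst>"
SAMPLE_ALERTS = """\
10:00:01 E1_SCAN 203.0.113.5 -> 10.0.0.12
10:00:04 E2_EXPLOIT 203.0.113.5 -> 10.0.0.12
10:00:09 E3_EGG_DOWNLOAD 10.0.0.12 -> 198.51.100.20
10:00:30 E4_CNC_DIALOG 10.0.0.12 -> 198.51.100.21
10:02:00 E1_SCAN 203.0.113.9 -> 10.0.0.30
10:05:00 E4_CNC_DIALOG 10.0.0.44 -> 198.51.100.21
"""


def parse_alerts(text: str) -> List[dict]:
    """Parse the constructed alert format into dicts."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, phase, src, _arrow, dst = line.split()
        alerts.append({"ts": ts, "phase": phase, "src": src, "dst": dst})
    return alerts


def evidence_by_host(alerts: List[dict]) -> Dict[str, Set[str]]:
    """Attribute every alert to the internal host it concerns."""
    trail: Dict[str, Set[str]] = defaultdict(set)
    for a in alerts:
        if a["phase"] in INBOUND and a["dst"].startswith(INTERNAL_NET):
            trail[a["dst"]].add(a["phase"])
        elif a["phase"] in OUTBOUND and a["src"].startswith(INTERNAL_NET):
            trail[a["src"]].add(a["phase"])
    return trail


def is_infected(phases: Set[str]) -> bool:
    """Assumed threshold rule: an inbound exploit plus any outbound sign,
    or at least two distinct outbound signs. A lone inbound scan (E1) or a
    single outbound alert is not enough, which keeps noise from firing."""
    outbound_seen = phases & OUTBOUND
    if "E2_EXPLOIT" in phases and outbound_seen:
        return True
    return len(outbound_seen) >= 2


def infected_hosts(text: str) -> Dict[str, List[str]]:
    """Return {host: sorted phases} for hosts whose trail meets the rule."""
    trails = evidence_by_host(parse_alerts(text))
    return {host: sorted(p) for host, p in trails.items() if is_infected(p)}


if __name__ == "__main__":
    for host, phases in infected_hosts(SAMPLE_ALERTS).items():
        print(f"{host}: infection dialog matched via {', '.join(phases)}")
```

On the sample data only 10.0.0.12 is reported: it was scanned, exploited, fetched a payload and then talked to a controller. The host that was merely scanned (10.0.0.30) and the host with a single outbound alert (10.0.0.44) stay below the threshold, which is the point of correlating a dialog rather than reacting to each alarm.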


RUBotted – Trend Micro – “RUBotted monitors your computer for suspicious activities and regularly checks with an online service to identify behavior associated with Bots. Upon discovering a potential infection, RUBotted prompts you to scan and clean your computer.”

How to remove a Botnet infection

An effective antivirus program and an antispyware program with up-to-date signatures should be able to scan your system and clean it of bot agents.

  1. Download, install, update, scan and remove any malware found with any one of the recommended free antivirus programs:
    Avira AntiVir Personal – FREE Antivirus,
    AVG Anti-Virus Free Edition or
    avast! antivirus Home Edition.

    Alternatively, an online malware scanner like Trend Micro HouseCall or Windows Live OneCare safety scanner may also be used to scan your system for bot infection.

  2. Download, install, update, scan and remove any malware found with any one of the recommended free antimalware programs:
    Malwarebytes’ Anti-Malware or
    Microsoft® Windows® Malicious Software Removal Tool, which focuses on the detection and removal of active malicious software.

How to prevent Botnet infections

Secure software and smart security practices are the keys to protecting your system from becoming a zombie computer in a faceless bot network.

  • Run antivirus and antispyware software – Always run antivirus and antispyware software, and keep them regularly updated.
  • Windows Update – Enable automatic updates to keep the operating system patched against known vulnerabilities.
  • Patch software applications – In addition to the operating system, it is essential to keep the software installed on your system patched against known vulnerabilities. Security patches are usually free and can be downloaded from the software vendors. Secunia Personal Software Inspector (PSI), free for home use, perfectly supplements Windows Update, as it reports missing patches for thousands of third-party programs.
  • Use a Personal Firewall – A full-fledged personal firewall, configured correctly, can protect your computer from unauthorized access.
  • Follow good security practices – There is no substitute for common sense when you are on the World Wide Web.
    1. Disconnect your computer from the Internet when you are not using it.
    2. Exercise caution when opening attachments or following links in emails and on websites.
    3. Research before downloading new, unknown software, especially if it is security- or registry-related software.
    4. Never reveal your passwords over the phone or via email.

Acknowledgement: Know your Enemy: Tracking Botnets | The Honeynet Project

Comments

st2430 September 5, 2009 at 5:38 PM

I’ve seen similar descriptions in the past, and they all seem to miss the more important aspect of malware like this, namely HOW and WHERE they install themselves! It’s never been made clear whether a user running with, for example, an XP limited account is as vulnerable to getting infected as a user with administrative rights. The answer is most likely no, but why is the answer no, and what threats apply to the limited user then? And why is there never a recommendation to always access the Internet from a limited account? For those of us somewhat technically minded it would be great to get an insight into what these malware are actually doing to infect a system, especially with a limited account. TIA.


Ron September 7, 2010 at 1:36 AM

This is how I got my zombie-PC disinfected.
Step 1) Run TCPView from Sysinternals and have a look at how many open connections you have. When there is plenty of activity, you’re part of the bot.
Step 2) Download Microsoft® Windows® Malicious Software Removal Tool; this will remove the bots.
Step 3) Download Malwarebytes’ Anti-Malware; this will remove the rest.


Ross April 27, 2012 at 3:13 AM

lol, “mIRC-based bots”. Those aren’t malware. mIRC is an IRC (Internet Relay Chat) client. An IRC bot is just a user that sits in a chatroom and provides help/functions for other users in the chatroom. mIRC bots are so sandboxed from the overall system that they couldn’t cause a problem at all.


Shanmuga April 27, 2012 at 9:59 AM

“mIRC-based bots” are fairly common. Remotely controlling a mIRC client on an infected PC utilizing mIRC scripts…and a few .dlls, gives you a “mIRC-based bot”.
