May is Zombie Awareness Month. While the month is intended to honour the sort of Zombieland, Night of the Living Dead, or Michael Jackson's Thriller type zombies, it also seems like an appropriate time to address PC zombies and how to ensure that the computers on your network don't become compromised and join the zombie hordes.
What is a Zombie?
A zombie computer, also referred to as a bot, allows an unauthorised person to gain control over another user's computer. The infection is typically the result of a hacker, malicious website, email or infected USB thumb drive. The zombie (or bot) sits idly by, patiently waiting to be summoned to perform some malicious task, often as a part of an army of tens of thousands, or even millions of zombie PCs called a botnet.
Attackers are able to access lists of 'zombie' PCs and activate them to help execute DoS (denial-of-service) attacks against Web sites, host phishing attack Web sites or send out thousands of spam email messages. Should anyone trace the attack back to its source, they will find an unwitting victim rather than the true attacker.
Identifying a Zombie Computer
Zombies are good at hiding in the shadows of your computer so they are not noticed. If you could easily detect that something malicious was running on your computer, you would quickly remove or disable it. Zombies often have file and process names that are similar, or even identical, to normal system file names and processes so that users won't think twice even if they do see them.
Fortinet developed The Zombie Awareness Month Computer Survival Guide to help users defend against the zombie invasion. According to the guide, "The most likely way a computer becomes infected is by landing on a malicious link. To give you an example of how links can come from anywhere, take a look at the Koobface botnet that continues to infect Facebook users. That virus was spread through video links via Facebook friend messages."
Short, cryptic messages asking users to watch a video clip, or asking "is this you in this video", and with a shortened or obfuscated link hiding the true destination URL have also plagued other sites, such as Twitter.
Even after clicking on the malicious link you may be unaware that your PC has been compromised or infected. Often, it is your friends that the zombie attempts to propagate to that bring it to your attention. The zombie infection will try to send the same message to your contacts with the same cryptic video link, but your friends may feel that the message seems suspicious, or question why you would send a video link.
The Fortinet guide explains "In either of these cases, a smart friend will ping you and ask, "Why did you send this video to me?" If you know you didn't send a video link to your friend, you can pretty much bet you've become infected or that your account is compromised."
Protecting Your Computer from Zombies
Antimalware software, if it is kept up to date with the latest signatures, will proactively protect PCs from most zombie or bot infections. However, the problem with the signature-based security model is that there is always a lag where your PCs are vulnerable to a new attack while the security vendors develop detection for the new threat.
Fortinet's guide says "While you can't kill a zombie computer by shooting it in the head, the best way to disable it and then kill it is to quarantine it (and the best way to do that is to disconnect the suspected zombie from the network). Then run a virus scan, which, if your software's up to date, should find it and rub it out."
The Zombie Awareness Month Computer Survival Guide sums up with "While real-life zombies aren't too bright or fast on their feet, zombie computers can be quite devious. Therefore, the best line of defence is to prevent infection in the first place; an initial infection can grow worse over time." That means using lines of defence such as antivirus software, firewalls, and unified threat management (UTM) to detect and block malicious threats from your network.
The very best defence, though, is common sense combined with a healthy dose of scepticism. User awareness is an IT administrator's friend. Instead of being the one that clicks on the video link to see what's so funny, or find out if it is, in fact, them in some video they aren't aware of, you want your users to be the friend that contacts the source of that message to let that person know that they received a suspicious message and that there is a good chance the PC is a zombie.
Image credit: by i eated a cookie, Flickr