This is a post to guide users through finding out if their machine is acting as a “zombie” in a botnet, carrying out malicious activity without the owner knowing it. It is written for Windows users, since Windows is where the vast majority of botnet malware is aimed; Mac and Linux users are far less commonly targeted, though not immune. One useful resource for this kind of checking is www.projecthoneypot.org: you can set up an account there and use their database to look up whether an IP address your machine talks to has been reported for spam, harvesting or other suspicious activity. Some symptoms you might notice if you are part of a botnet are:
1. Your computer is constantly using resources when you aren’t actually doing anything. Your CPU and RAM may be busy while the machine is idle, the computer may stay hot when idle, or you can hear the hard drive working when idle. Don’t confuse these symptoms with a machine that is merely old or out of date, though.
2. Your network connection is active even though you aren’t running any applications that access the internet and aren’t browsing. An easy way to check for this is to open Task Manager and watch the network performance graph while the machine is idle.
3. You remember falling for a phishing scheme of some sort, or have browsed the internet without
Here is a systematic approach that I have come up with to detect if you are a part of a botnet:
1. Update to the latest definitions and run a full scan of your favorite spyware and virus scanners in SAFE MODE.
I use Spybot Search and Destroy and Lavasoft Ad-Aware as spyware scanners. I also use both Avast! and ThreatFire as anti-virus. These are all free products because I am a poor college student; you might have better luck if you actually spent some dough.
2. Restart your computer and don’t open any applications besides the ones set to run at startup. Go to your command line, Start >> Run >> “cmd”. Run the command “netstat -n” to see what network connections your computer has open. The results are listed in the ip.address:port# format. On Windows, “netstat -ano” is more useful: the -o flag adds a PID column, so each connection can be traced to the process that owns it (“tasklist /FI "PID eq 1234"” shows the process name for a given PID). If you see any unrecognized IP addresses, go to http://ip-lookup.net/ and look up what your computer is actually connecting to. A connection to a computer in Romania or some other foreign country is worth a closer look, but location alone is not proof of anything: plenty of legitimate services, update servers and content delivery networks are hosted abroad. The IP lookup site also shows a host name for the suspicious IP, which may turn out to belong to a legitimate application you are using. The Project Honey Pot site also has a place to look up an IP address, which compares it against suspicious activity reported for that particular IP.
3. If you followed steps 1 and 2 and have found that your computer is indeed connecting to foreign sources without your consent, then your computer is infected with some sort of malicious entity and it is quite possible that your computer is a “zombie.” If you only found maybe 1 or 2 suspicious connections, I would encourage you to dig deeper to find an answer for what the connections are doing. You can go to www.projecthoneypot.org and they have lists of suspicious IP ranges for you to compare to along with oodles of information about spam.
4. If you decide that you are infected, I don’t recommend manually removing the threats, as re-infection would be likely. As much of a pain as it might be, back up your personal files (not programs) to a separate hard drive and re-image your computer completely. Once the clean system is up, change the passwords for any accounts you used on the infected machine, since a bot can capture keystrokes and saved credentials.
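Steps 2 and 3 above can be done by hand with netstat and a lookup site, but it is easier to let the machine tie each connection to its owning process first. The following PowerShell script is an added example, not part of the original post: it parses “netstat -ano”, drops loopback and private (RFC 1918, link-local) addresses, resolves the owning process with Get-Process, and does a reverse DNS lookup on the remote address. It assumes only built-in Windows tools (netstat.exe, Get-Process, .NET System.Net.Dns) and PowerShell 3.0 or later for the [PSCustomObject] syntax.

```powershell
# Added example (not from the original post): list established TCP connections
# to non-private addresses together with the process that owns each one.
# Assumes: netstat.exe, Get-Process and [System.Net.Dns], all standard on Windows;
# PowerShell 3.0+ for [PSCustomObject].

function Test-PrivateAddress {
    param([string]$Ip)
    # Loopback, unspecified, RFC 1918, link-local (v4 and v6) and IPv6 loopback.
    return ($Ip -match '^(127\.|0\.0\.0\.0|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|169\.254\.|fe80:|::1$)')
}

function Get-ExternalConnections {
    param([switch]$NoReverseDns)   # skip DNS if many connections make it slow

    $lines = netstat -ano | Select-String 'ESTABLISHED'
    foreach ($line in $lines) {
        # netstat -ano columns: Proto  LocalAddress  ForeignAddress  State  PID
        $f = $line.ToString().Trim() -split '\s+'
        if ($f.Count -lt 5) { continue }

        # Foreign address is "ip:port" or "[ipv6]:port"; split on the LAST colon.
        $remote = $f[2]
        $cut    = $remote.LastIndexOf(':')
        $ip     = $remote.Substring(0, $cut).Trim('[', ']')
        $port   = $remote.Substring($cut + 1)
        if (Test-PrivateAddress $ip) { continue }

        $procId = [int]$f[4]
        $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue

        $rdns = ''
        if (-not $NoReverseDns) {
            try   { $rdns = [System.Net.Dns]::GetHostEntry($ip).HostName }
            catch { $rdns = '(no reverse DNS)' }
        }

        [PSCustomObject]@{
            RemoteIP   = $ip
            RemotePort = $port
            PID        = $procId
            Process    = if ($proc) { $proc.Name } else { '(unknown - process exited?)' }
            Path       = if ($proc -and $proc.Path) { $proc.Path } else { '' }
            HostName   = $rdns
        }
    }
}

# Run from an elevated prompt so Get-Process can see paths of other users' processes.
Get-ExternalConnections | Sort-Object Process, RemoteIP | Format-Table -AutoSize
```

Read the output by process rather than by country: a browser or update agent with many foreign connections is normal, while an unfamiliar executable in a user-writable directory (Temp, AppData) holding a single long-lived connection to an IP with no reverse DNS is the pattern worth taking to the Project Honey Pot lookup. Run it a few minutes after a reboot with nothing open, as step 2 describes, so that normal application traffic does not drown out the odd connection.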
I hope that this method works for someone who finds out they are indeed infected, because according to a very recent study, 48% of machines are infected with some form of malware, and you can bet that over 80% of those are running Windows. RECENT ARTICLE ON INFECTIONS