A zombie is security geekspeak for a PC that has been infected by a bot or agent, so that it’s added to a network of compromised machines (a botnet) under the control of a remote attacker (often referred to as a botmaster or botherder, though strictly speaking, botherding is just one of the system administration chores that even criminal hackers have to do). Once a PC is added to the botnet, it can be used for all sorts of antisocial jobs such as spam and scam distribution, DDoS (Distributed Denial of Service) attacks, click fraud and so on.
In other words, when a victim is sitting at the keyboard wondering why his PC is running so slowly, it’s often because it’s become one of a whole network of compromised PCs doing more work for the cybercriminal underworld than it is for him.
There are some useful resources on the Internet Industry Association page, though I should probably point out that we also have a range of products that are pretty good at bot detection and removal (available in a shiny new version, too).
Still, since this a complicated topic that I happen to have spent quite a lot of time researching and writing about, I thought some of you might find an additional resource useful. "Net of the Living Dead" is a paper by myself, Andrew Lee and Cristian Borghello available here. It’s pretty long (28 pages) and comprehensive, but if you need even more detail and have a few pennies to spare, there are a couple of books you might find of some use: in particular,
"Botnets: the Killer Web App" by Craig Schiller and Jim Binkley et al. (yes, I did make a small contribution to that one). The "AVIEN Malware Defense Guide" to which I also contributed (and also edited) also has quite a lot of relevant material, some by myself and Tony Bradley.
"OK, enough with the commercial breaks," I hear you say, "what the heck is botherding?" Strictly speaking, it’s a term applied to the moving of zombies (infected machines) from one C&C (Command and Control) location to another when a C&C box (server) becomes unavailable.
A C&C channel is used for communication between the bot controller and the drone (zombie) PCs that constitute his botnet, so that he can control the compromised machines and direct attacks. The C&C box is a server used to maintain those communications.
Aren’t you glad you asked?
David Harley BA CISSP FBCS CITP
Director of Malware Intelligence
Author David Harley, ESET