
Is Your Computer a Zombie or Part of a Botnet?

Updated on February 19, 2018

Published: November 3, 2011

Edited: November 5, 2011

Botnets burst into notoriety through the mainstream media in 2007 with the discovery of a Trojan named Peacomm and nicknamed Storm by the research community. The Trojan was nicknamed Storm because of a common subject line in the e-mail that delivers it: “230 dead as storm batters Europe” (Hidalgo, 2007). Why is there so much concern over a simple e-mail?

The e-mail itself is not the concern; it is only the delivery mechanism for the threat, which is a Trojan that delivers a rootkit with the end goal of joining the computer to a botnet. Botnets, however, exist in relative obscurity because the vast majority of computer users do not know what botnets are or the threat they pose. The threat of botnets recently resurfaced with renewed media attention attributed to the proliferation of the Stuxnet worm, which took out a nuclear processing plant in Iran, and the Downadup worm, which has infiltrated over 20 million computers by some estimates.

The Stuxnet worm targeted a specific type of Programmable Logic Controller (PLC), and Downadup affects Windows systems with unpatched vulnerabilities. Does this mean that you are vulnerable to these threats if you do not use PLCs and your Windows systems are up to date? Of course not, but there are other vulnerabilities and threats that should raise your state of concern. The first of these threats is that of rootkit download.

Defining Rootkits

The term rootkit is derived from the UNIX operating system, in which root is either the highest access privilege or directory level, depending on the context. When used in the context of a rootkit, root refers to the highest level of access to the system.

Dowada (2006) reported that a rootkit is used to conceal the presence of the intruder by concealing system data, files, and processes. With the intruder's presence hidden, that intruder may then perform system-level, administrative, or root functions on the host computer without the fear of detection. The user has no idea that a hacker has taken control of the system. Operating systems vulnerable to rootkit infection include Windows, Linux, and Solaris.

In layman’s terms, a rootkit is a module injected into an operating system by a third party to take over specific tasks of the operating system and is not necessarily malicious in nature. Many rootkits were originally designed as aids for developers in Unix environments. Therefore, there are some valid uses for a limited number of rootkits.

The threat that rootkits pose is determined by the intentions of the hackers who use them. There are two basic types of rootkits: persistent and non-persistent rootkits. The difference between the two is that persistent rootkits have the ability to load and run following a system reboot whereas non-persistent rootkits do not. For the discussion of the threat of botnets, rootkits are assumed to be of the persistent type.

Well Known Rootkits

Some well-known rootkits frequently turn up on infected machines. As stated earlier, rootkits do not gain entry to a system but permit re-entry to an infected system. Examining the functions of some of the well-known rootkits sheds light on how they help the intruder accomplish the notorious purpose for the intrusion. These rootkits are listed here along with brief descriptions of their functions:

  • Hidden32 hides applications (Schiller, 2007)
  • HideUserv2 adds an invisible user to the administrative group (Schiller, 2007)
  • HideWindow hides instances of the Microsoft IRC client (Bacher, Holz, Kotter, and Wicherski, 2005)
  • FU hides processes (Dawada, 2006)
  • Hacker Defender, in some newer versions, will render some anti-virus and rootkit detection applications ineffective (Dawada, 2006)
  • Sony BMG DRM introduced by Sony corporation as a form of copy-protection for CDs (Dawada, 2006)
  • Apropos Spyware prevents un-installation or removal of payload packages (Dawada, 2006)

Rootkits are used by hackers to mask the presence of payload modules they install, add invisible users with root or administrative privileges, and disable the effectiveness of antivirus and rootkit detection tools. This kind of power enables the hacker to regain access to an infected system and perform any desired actions, which leads to the next section.

Rootkits Create Zombies and Botnets

Once a system is compromised and a number of rootkits are installed, the hacker is free to download payload applications that perform the hacker’s will without the knowledge or permission of the legal user. A system that has been compromised in this way becomes a zombie computer because the computer is no longer under the control of the rightful user but rather the hacker, and the user may have absolutely no idea what the computer is in fact doing. Zombie is a term that refers to the infected computer; the more common reference in the security industry is to the programs that perform the hacker’s purpose. These zombie programs are known as bots.

“In its most basic form, a bot is simply an automated computer program, or robot. In the context of botnets, bots refer to computers that are able to be controlled by one, or many, outside sources” (McDowell, 2006). Valid uses for bots include web crawlers that search the web for new sites to index, so not all bots are bad. A botnet is a collection of zombie computers grouped into a network of directed bots. Botnets are a major threat to individual users and organizations alike, and their malicious functions can have far-reaching effects.

Attackers can use rootkits and botnets to access and modify personal information, attack other computers, and commit other crimes, all while remaining undetected. By using multiple computers, attackers increase the range and impact of their crimes. Because each computer in a botnet can be programmed to execute the same command, an attacker can have each of them scanning multiple computers for vulnerabilities, monitoring online activity, or collecting the information entered in online forms (McDowell, 2006).

Developing Botnets

Actively seeking out vulnerable systems is not a typical method that hackers use to develop botnets. Many of the vulnerabilities that enabled hackers to actively seek out the targets for their exploits have been patched in the targeted applications and operating systems. This state of technology, together with the availability of exploit kits to deliver Trojans, led to a method that uses social-engineering techniques to infect computers. Refer to McDowell (2004) for methods to avoid social engineering attacks. Hackers entice users to download Trojans using spam containing links to malware or by enticing users to visit malicious web sites.

A hacker who controls a botnet is called a bot-herder. After successfully gaining control of a number of bots, the bot-herder needs a method to control the bots. The most common method, as illustrated by Schiller (2007), is to employ a Command and Control (C&C) system that communicates with the bots using Internet Relay Chat (IRC). A discussion of this C&C structure follows.

Botnet Command and Control

According to Schiller (2007), the first thing that a new bot does is call home using a process known as rallying, which is designed to protect the bot-herder by passing information through an IRC server. This gives the bot-herder a layer of protection because the bot-herder never communicates directly with the bot. The bot may be discovered but not the bot-herder. When the rallying process is complete, the bot takes up station to monitor the C&C channel for commands.

According to Gu, Zhang, and Lee (n.d.), the C&C channel for IRC-based bots conforms to one of two styles: the push or the pull botnet IRC command and control method. Whichever style the particular botnet follows, the bot-herder loads the commands on the C&C server. The C&C server then either pushes commands to the botnet and waits for responses from individual bots, or the bots contact the server and request commands, depending on whether the push or pull style is used.

These commands are used to cause a bot client to update its software and initiate other activities, including the following:

  • participate in a DDoS attack
  • participate in various money-making schemes
  • search for and infect other systems
  • control other systems
  • store and distribute stolen software, movies or music
  • gather identification and authorization information
  • retrieve new spam email templates
  • update the list of future command and control servers

The list of commands is unique to each bot family, but all bots share some functionality related to things that most bots do (Schiller, 2007).

The C&C structure varies between bot families, but regardless of the type of bot, the bot-herder exercises a great deal of control over it. This sometimes includes the ability to command the bot to deactivate and cover the tracks left behind if the bot-herder believes that the bot has been discovered or has aged to the point where its usefulness is limited. The one good characteristic of bots is that they function for a limited amount of time.
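The push and pull styles described above leave different traces in connection logs. The following is an added example, not code from this article or its cited sources: it flags servers whose messages are answered by several internal hosts in lockstep (push) and hosts that contact a server at near-constant intervals (pull). The event format, addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed events: (seconds, internal_host, server, kind)
# kind "srv_msg" = server -> host, "host_msg" = host -> server
BOTS = ["10.0.0.5", "10.0.0.6", "10.0.0.7"]
PUSH_SRV, PULL_SRV, CHAT_SRV = "203.0.113.9:6667", "198.51.100.4:6667", "192.0.2.50:6667"
EVENTS = []
for t0 in (100, 460, 700):                      # irregular pushes, answered in lockstep
    for i, h in enumerate(BOTS):
        EVENTS += [(t0, h, PUSH_SRV, "srv_msg"), (t0 + 1 + i, h, PUSH_SRV, "host_msg")]
for t in (0, 300, 601, 899, 1200):              # one host polling about every 300 s
    EVENTS.append((t, "10.0.0.20", PULL_SRV, "host_msg"))
for t, kind in ((50, "srv_msg"), (90, "host_msg"), (230, "host_msg"),
                (500, "host_msg"), (520, "host_msg"), (1400, "host_msg")):
    EVENTS.append((t, "10.0.0.30", CHAT_SRV, kind))   # a person chatting: no pattern

def push_groups(events, window=3, min_hosts=3):
    """Push style: servers whose message is answered by >= min_hosts hosts within `window` s."""
    pushes = defaultdict(set)                   # (server, push time) -> receiving hosts
    for t, host, server, kind in events:
        if kind == "srv_msg":
            pushes[(server, t)].add(host)
    flagged = defaultdict(set)
    for (server, t0), receivers in pushes.items():
        responders = {h for t, h, s, k in events
                      if k == "host_msg" and s == server
                      and h in receivers and 0 <= t - t0 <= window}
        if len(responders) >= min_hosts:
            flagged[server] |= responders
    return {s: sorted(hosts) for s, hosts in flagged.items()}

def pull_suspects(events, min_polls=4, max_cv=0.1):
    """Pull style: (host, server) pairs contacted at near-constant intervals."""
    times = defaultdict(list)
    for t, host, server, kind in sorted(events):
        if kind == "host_msg":
            times[(host, server)].append(t)
    suspects = []
    for key, ts in times.items():
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        # coefficient of variation: low value means machine-like regularity
        if len(ts) >= min_polls and mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_cv:
            suspects.append(key)
    return sorted(suspects)

if __name__ == "__main__":
    print("push:", push_groups(EVENTS))
    print("pull:", pull_suspects(EVENTS))
```

Both checks are heuristics: a bot that adds random delay to its responses or polls will need wider windows, which in turn raises false positives on ordinary chat traffic.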

What are your thoughts?

As always, the author appreciates all comments.


    • Dumbledore (AUTHOR)

      This Old Guy 

      8 years ago from Somewhere in Ohio

      Thanks for the comment, Pcunix.

      There is one surefire way to discover a persistent rootkit, but that involves booting up a forensic kit from removable media.

    • Pcunix

      Tony Lawrence 

      8 years ago from SE MA

      The very best rootkits would, of course, be completely undetectable - that's the real scary part!

