How do you know if your computer, or any of the computers in the network you manage, has become infected with zombie code? After all, the programs that turn a computer into an undead slave for spammers and phishers don't install a desktop icon or an entry on the Windows Start menu. A survey of experts reveals some agreement on basic steps you can take to reduce the risk of having your machines join the army of the evil botnet undead.
Step one: Pare down the virus factor
"At the end of the day, what you have on your hands is a basic security issue," says Barracuda Networks Vice President of Product Management Steve Pao, "and you have to do whatever it takes to prevent intrusions from happening in the first place."
Richi Jennings, Ferris Research's lead analyst for e-mail security, agrees. Jennings says, "Hopefully you're running an antivirus program that will warn you when the program loads initially, but if it doesn't, it should warn you on a subsequent scan." He says that if you keep your program's virus signatures up to date, you should be safe. Over at Symantec, Dean Turner, the company's senior manager of security response, agrees, and adds, "You should scan your system every day and update your signatures more often than that."
Step two: Listen to the drumbeats
At Ironport, Vice President of Technology Patrick Patterson says that just keeping virus signatures current isn't enough, even in the corporate world the company services. "When we install at a new client we often see that up to 50 percent of the corporate desktops are infected with some sort of malware," he says, "and we see some pretty nasty stuff out there."
Peterson recommends some straightforward analytical techniques that will tell enterprise IT managers or those charged with security in a smaller company that they've got a botnet problem. Network and IT managers often get their first glimpse of a botnet infection by keeping an eye on the help lines. "Find out how many people are calling in because their PCs are becoming unusable, either because they are too slow or there is a lot of popup activity," he advises. Individual home and small-business users can observe this for themselves.
Peterson says that there's something like a 10-to-1 chance that such behavior indicates the PC is part of a botnet. Enterprise network administrators can also keep a close watch for suspicious outbound activity using their network-monitoring software.
He also suggests you get very concerned if your IP address becomes a member of a blacklist -- a sign that trouble may be emanating from your network. There are several sites on the Web that will check a wide array of registered blacklists for you (Spamhaus is the most commonly used site). You can also sign up for e-mail feedback loops maintained by MSN, AOL and Yahoo that will tell you if there is any indication that spam traffic arriving at those networks is emanating from your IP. A flag from any of those services should prod you to find the zombie(s) in your midst.
Step three: Scan the horizon
Ironport was the first company to offer its enterprise clients outbound e-mail scanning a few years ago and the offering has been duplicated by other spam-fighting companies. Peterson thinks you should use it in your company because it detects a spam or virus attack when it is launched from your network. In that case, it should be pretty easy to find the compromised PC.
One last recommendation from Peterson is implemented in Ironport security devices, but is also available to other users including individuals: detection monitoring. Intrusion-detection software looks for any behavior that might resemble malware activity, including botnet activity. These intrusions are outside the capability of a normal firewall's ability to detect, and require additional software, such as is found in Ironport's S-series Web security appliance or Norton Internet Security 2007.