How Do I Determine If My PC is a Zombie?

Captain Chad wonders: "With the recent news of a 1.5-million node botnet, as well as the AIM rootkit worm, I'm getting a bit concerned about whether my PC may be a zombie. I'm seeing a lot of internet activity, even when nothing is running, and I've checked the process explorer for obvious tasks to no avail. I apply patches as soon as they're released, and my antivirus/spyware programs report nothing. How do I determine if my PC is a zombie, and if it is, how would I de-infect it?" On this same vein, college campuses are often prime breeding grounds for undead-boxen. bcrowell adds: "I'm a teacher at a community college where Windows is the only supported OS -- if you ask the school to put machine on your desk, you get a Windows box. Faculty who want to run MacOS or Linux have had to provide their own machines, and those who want to do PowerPoint presentations for their classes have been told that they have to buy their own laptops and bring them in.

Now Academic Computing has announced a new policy: any unauthorized use of the network, such as plugging in your own computer to a port, is prohibited, and will result in disciplinary action. There are supposedly plans to enforce this rule automatically with hardware and software. Great consternation has ensued in the faculty senate, and the manager who wrote the policy has explained that it is basically aimed at the problem of improperly maintained teachers' machines getting '0wned'. A little ironic, because the Windows boxes maintained by the computing folks keep getting infected by worms. Still, it's not an unreasonable concern; many teachers are clueless. In fact, I wouldn't pretend to know enough to keep a Windows machine secure on a public network, although I haven't had any problem with the FreeBSD box on my desk. Any suggestions on how to deal with this? Effective arguments to use? Good educational resources to point people to so they can learn how to keep their Windows boxes secure? Many of my colleagues seem to think that security mainly involves buying antivirus software."

Use ethereal to check out your network traffic

[neillewis]

Hook up another box on a hub and check the network traffic. Obvious signs are connections to addresses that can be traced to irc servers or use of irc ports. The first time I found a bot nest, it scared me like Doom 3 never could. If this means nothing to you, get some expert interactive help.

Go over their heads

[dreamer-of-rules]

The IT group has to answer to the needs of their users, not the other way around. Granted, they are trying to keep out viruses and lawsuits, but they still need to address your needs.

It sounds like their heads have swelled too much, so talk to their boss, or their bosses boss. Explain that your work is better with this tool, and that it is unreasonable to ban your tool given the known lack of risks. This is not a garage-built closed-source piece-of-shareware; but a globally used, open source, well-inspected and maintained tool. Remember the talking points: ZERO viruses (macs), not running as Administrator, updates are applied regularly and consistently.. (well, there's better Persuader lists out there.)

I've been in IT for the last 10 years, and we are there specifically to help the users do their job. Sometimes it's to disable all email attachments, and sometimes it's setting up a Windows 98 machine for a critical job.

You may need to compromise.. a probabation peroid of increased firewall monitoring, maybe a "I'm responsible" contract to cover their butts. Thing is.. if their argument comes down to "Because we said so", then they are enforcing a personal agenda, and have ceased being effective at their primary responsibilities.

(Falling asleep at this point, so my ramblings will go unedited..) Hope this helps.

Re:Only trust the machine externally

If it's too automatic and easy to use then they will have a convinient backup of "urgent document.pdf.exe".