Find out if your computer is a zombie PC

FunInformatique 9 years ago 3 minutes of reading

pc zombie

Yesterday a friend told me: “Ahmed, I recently read your article on how to inject a backdoor with a USB key and I also read the article Zeus, King of botnets and I was wondering if we can recognize a zombie pc that is part of a hacker's botnet network, knowing that I am on windows. "

To answer this question, I have decided to share with you a very effective method of being aware of everything that is happening on your computer.

In fact, when a PC is infected with malware or spyware, it hosts a program that scans the internal drive; either to suck up your contacts to send them to spam databases; or to carry out a relay with other infected machines to constitute a base of zombies.

In either case, there are certain signs that shouldn't be overlooked like:

The fan starts at full speed when the computer is idle.

The computer takes a long time to shut down.

Your Friends receive emails with your email address that you did not send.

Internet access is very slow.

Opening of ad pop-ups even when your web browser is closed.

How to detect a backdoor on your PC

Please note:: This method that I am showing you does not replace the usual protection methods such as Anti-virus.

To begin with, we are going to use a free software that will be very useful to us, it is TCPView.

TCPView monitors your system's TCP / IP site activity. Unlike the TCP / IP monitoring tools that come with Windows, TCPView shows what process is associated with each TCP / IP address.

Download this tool then unzip it.

No installation is required, click on the Tcpview.exe file and the program window will open. TCPView displays network exchanges between your PC and the outside world in every second.

The advantage of TCPView over command netstat is that it allows a connection to be closed without having to close the corresponding process.

In the case of an infected PC, the remote address is "exotic".
Example:
In the screenshot below you can clearly see all open connections on my pc:

You notice in the picture that there is a Telnet client connected to my computer and also a backdoor Net cat.
TCPView will be able to block this backdoor with a click and identify the location of this program which uses it to get rid of it.

Those who liked this article also liked these:

13 Questions / Answers

Anne O'Nime says:

August 30 2017 to 7 44 h min

Blackhats can take control of some PCzombies, how can we tell them apart from a botnet?
Because my PC has been doing tons of updates for 1 month, for 3 months it has been running when it is inactive and yesterday, the mouse pointer was moving on its own then disappeared, I had to restart the PC with the keyboard and a little later my headphones was playing music for no apparent reason.

Reply
Goat says:

July 12 2016 to 19 34 h min

Hi Ahmed
thank you for sharing your method
on the other hand, how did you recognize that the “telnet” client was spyware? Because of the local port, the protocol, its address or simply because the other processes have the same name globally?

Reply
Dat_Modo says:

29 2014 June to 23 00 h min

Ok but how to recognize “exotic” names?
Because in that case I wouldn't have guessed that telnet and nc was malicious :/
Why isn't isass.exe?
In short, you have to know what.

Reply
obiwank says:

March 16 2014 to 14 30 h min

that's an old post! please redate it to 15/03/14!!!

Reply
- Ahmed says:
  
  March 16 2014 to 20 11 h min
  
  So that new visitors and blog subscribers benefit!
  
  Reply
kapuss says:

March 11 2013 to 19 15 h min

do you know if this kind of intrusion is common on ubuntu?

Reply
- Ahmed says:
  
  March 12 2013 to 9 56 h min
  
  Ubuntu is a Linux distribution.
  Linux is just like Windows or MacOS X contains vulnerabilities that can be exploited by hackers. Linux is therefore also sensitive to this kind of intrusion, just like Windows.
  
  Reply
cat rock says:

21 September 2012 17 to 13 h min

can you tell us the normal ports for use in the system?

Reply
Ahmed says:

July 23 2012 to 18 53 h min

Quite simply because backdoors need to open one or more doors to listen. It is through this activity that we can spot them, especially if the open ports are unusual or have no reason to be open at this time. How about the example of netcat which is listening on port 8888!!

Reply
nawras_universe says:

July 23 2012 to 17 10 h min

And how did you know it's a backdoor??
My blog : http://inf0mag.blogspot.com

Reply
- Ahmed says:
  
  July 23 2012 to 18 54 h min
  
  Quite simply because backdoors need to open one or more doors to listen. It is through this activity that we can spot them, especially if the open ports are unusual or have no reason to be open at this time, such as the example of the netcat backdoor which is listening on Port 8888!!
  
  Reply
  - Charles says:
    
    March 22 2014 to 18 14 h min
    
    The explanation is really very basic, and what is the local port that is supposed to appear. In the process, how to know if we are hacked.
  - DRC says:
    
    December 19 2014 to 12 46 h min
    
    In fact, you must first close all the utilities that are supposed to be connected to the internet (browser, torrent client, etc.) and only then launch the detection utility, if despite the fact that all applications are closed, unusual connections appear other than local, then it is possible, I mean possible that you are infected, the best thing is still to ask confirmation from a friend who knows a little about it.