How can I discover my bot

This is how you effectively protect yourself against botnets

Frank Ziemann

German PC users are a popular target for botnet operators. Are you really still in control of your PC? How to find out.

EnlargeThe victims become unintentionally and unknowingly part of the botnet.
© iStockphoto.com/Alexsl

For a few years now, botnets have been the main tool for online criminals. They use special malware, the bots, to bring third-party computers under their control. They often install additional programs on it, for example to send spam mails or to launch coordinated attacks on web servers. Germany is way ahead in Europe when it comes to botnet contamination.


Botnets are often controlled via central command servers, also known as mother ships. The infected computers, known as zombies, maintain contact with one of the mother ships or with each other. They pass on data spied on, such as passwords for online games and banking websites, but also email addresses or credit card details that have been collected. You will receive instructions from the mother ship, in some cases via interconnected relay computers (repeaters), such as addresses and contents of spam mails to be sent.

A number of botnets do without central command servers and rely on a P2P structure. The zombies are networked with one another and the control commands are fed into the decentralized botnet by the operators of the network, known as bot-herders or bot-masters. In a similar way, collected data is sent to a drop box, a server that accumulates and processes the data. More complex botnets have several command levels over which different areas of responsibility are distributed. Sometimes botnets are also controlled via social networks such as Twitter.

How do the bots get on the PC?

The bot software enters the PC in the same way as conventional malware. They are sent as email attachments under all sorts of pretexts, offered for download as supposedly useful programs, are stuck in infected pirated copies of legitimate programs or are smuggled in via security holes in the browser and its extensions (plug-ins).

EnlargeBotnet construction kit TwitterNET

Bots also often install rootkits, i.e. malware cloaks, with which they try to hide their existence and activities from the user and from antivirus programs. To do this, the rootkits bend system calls so that certain files are not displayed by the operating system.

Antivirus manufacturers have reacted to this and built special routines into their products in order to expose rootkits. To do this, they use the fact that there are several ways to get a list of existing files. If there are discrepancies between the results of these methods, this could be an indication of an installed rootkit. It can't hurt to check your PC regularly with special rootkit tools to track down the bastards.

How do you protect yourself from bot infections?

Cyber ​​criminals cannot easily integrate your computer into their botnet. You first have to smuggle specially prepared malware onto your computer - be it via email, USB stick or drive-by download in the network. In order to protect yourself against infection by a bot, you should therefore heed the same tips that also serve to protect against other pests:

  • To access the Internet, log in as a restricted user, not an administrator. This is especially true for older operating systems.

  • Regularly install security updates for the operating system, the web browser and its plug-ins as well as for other Internet-enabled programs (mail, IM / chat, VoIP, media player); It is best to use the existing automatic update functions. Special tools tell you when there are important updates.

  • Install good antivirus software that automatically keeps itself up to date and permanently monitors all the ways in which malware can get into the computer; A desktop firewall can be a useful addition, but not a replacement, as can other protection programs such as spam filters or special browser extensions

  • Be vigilant and suspicious if you are offered programs or documents by strangers

  • Download software only from trustworthy sources.

How do you find and remove bots?

Once the child has fallen into the well and the computer is contaminated, it is important to track down the pests and eliminate them - leaving as little residue as possible. Quite a few antivirus programs have a hard time doing this, especially when rootkits are involved. Sometimes residues remain, such as orphaned registry entries or malware components that are still active. This can lead to an unstable system or even re-infection.

The safest way

The cleanest solution is therefore to save important data on an external storage medium and then reinstall the system. You are better off if you have regularly backed up partition images of the system hard drive. These backups can be restored to a clean state that was saved before infection.

Remove bots - without reinstalling the computer

If reinstallation is not a viable option or if a suspected infection must first be determined, bootable antivirus CDs can be a valuable tool. Several antivirus manufacturers offer such CDs as ISO images free of charge, for example Avira, F-Secure or Panda Security. You can write them to a blank disc with a suitable CD burning program. With tools like UNetbootin you can also create a fast boot medium from such an ISO image and a USB stick.

Start your computer from the CD or USB stick you created. If that doesn't work, you have to adjust the boot order in the computer BIOS. The antivirus CD usually loads a Linux system that uses a virus scanner to check the Windows hard drive for infections. In this state, the cloaks of installed rootkits are ineffective because they are not active.

Once the virus scanner has detected malware and rendered it harmless, you can boot from the hard drive again. Under Windows, you should run a complete system scan with your installed antivirus program after the update in order to remove malware and its traces from the registry.

It can make sense to use several antivirus CDs from different manufacturers one after the other if you want to be reasonably sure that your computer is clean.