Most hijacked PCs are controlled by trojan bots that have been installed without users’ knowledge, effectively turned into “zombies” that are controlled by a malicious criminal hacker known as a “bot herder.” His entire purpose is to amass thousands upon thousands of compromised machines into a botnet that is then rented to other criminals to proliferate spam, steal personal information and mount DDoS – Distributed Denial of Service – attacks. These zombies get their commands via IRC – Internet Relay Chat – which operates on port 6667 by default, but can use any port. (Normally, ports in the range of 6660 – 6669 and 7000 are used, but some bots are starting to use port 80 to make it harder to discover them.)
It’s easy to spot a zombie that is using one of these ports and port 6667 is by far the one most commonly used. Open a command prompt, type “netstat -an” (without the quotes) and hit Enter. You’ll see a bunch of lines that look something like this:
TCP xxx.xxx.xxx.xxx:NNNN xxx.xxx.xxx.xxx:NNNN LISTENING
What you are looking at is a listing that shows the protocol (TCP), the local PC address and port (number represented by NNNN), the foreign address and port and the state of the connection. If, while looking over this list of connections, you see 6667 or any of those other numbers (assuming that you aren’t actually consciously using IRC), immediately pull the network cable and take whatever action you must to clean up the machine.
Have a computer problem? A question about your latest gadget? Click here to Ask the Geek! Kenny “The Geek” Harthun has been playing with geeky stuff since 1965. He’s a Microsoft Certified Systems Engineer with Connective Computing providing network, desktop and information security support services to a wide range of clients.