How many zombies in Australia?

As you may have seen, we declared 31 October 2009 to be International Kill-A-Zombie Day. Unsurprisingly, we suggested, amongst other things, that you scan your PC with an up-to-date anti-virus.

The cynics amongst you are probably thinking, “But you would say that, wouldn’t you?” Yes, we would indeed! We’re saying it because there are still millions of PCs out there which aren’t properly protected, which are infected with malware, and which are contributing inadvertently to global cybercrime.

I recently carried out a thought experiment to estimate the number of zombies in Australia (population approximately 22 million, or about one-third of the UK and one-fifteenth of the USA). I made an informed guess at the number of spams each day worldwide, the percentage of spam originating from Australia, and the average number of spams a zombified PC might send each day — bearing in mind that not all zombies are programmed to send spam, that some ISPs throttle outbound spam, and that uplink bandwidth on most Australian ADSL connections is artificially restricted.

From these figures (details and justifications on request) I guessed that Australia has about 80,000 active zombies at any moment. I’ll further guess, based on the intelligence accumulated by SophosLabs about active infections — in other words, where malware has successfully evaded any existing security measures — that the vast majority of zombies on these infected PCs are not new, and would be easily detectable with an up-to-date anti-virus.

You may be surprised at what shows up.

Also, if you aren’t yet using an endpoint firewall, remember that this class of product can provide an important second line of defence against the harm caused by zombies. Unlike border firewalls, which see packets after they have left their sending PCs, endpoint firewalls know which applications and processes have produced what traffic. This means that they can block communication by new, modified or unknown programs and thus prevent zombies from sending out spam or personal data from your PC.

Note that most border firewalls and routers, whether at home or at work, routinely block inbound connections. This is sensible, because it helps prevent outsiders from hacking into your network. But don’t make the mistake of assuming this alone can protect you from zombification.

Even though zombies are generally described as “malware allowing cybercrooks to issue malicious commands to your PC”, this sort of remote control does not require the crooks to connect in to your computer. Most zombies work by connecting out from your PC to download instructions on what to do next. A firewall which merely prevents inward connections cannot stop data leakage via a connection which was initiated from the inside.
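To make the distinction in the last three paragraphs concrete, here is an added example in Python; it is not code from the original post or a Sophos product. It models two policies over the same constructed traffic: a border firewall that only sees direction, and an application-aware endpoint firewall that also knows which program owns the socket and whether that program’s executable still matches the hash recorded when the user approved it. Every path, file content and address below is constructed for the illustration.

```python
import hashlib
from dataclasses import dataclass

# Added illustration, not Sophos code: a toy model of the two firewall types
# discussed above. All program paths, file contents and addresses are constructed.

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed stand-ins for executable images (a real product hashes the file on disk).
BROWSER_IMAGE = b"browser-v1"
MAIL_IMAGE = b"mailclient-v1"
MODIFIED_BROWSER_IMAGE = b"browser-v1+extra-code"   # same path, altered contents

BROWSER_PATH = r"C:\Program Files\Browser\browser.exe"
MAIL_PATH = r"C:\Program Files\Mail\mail.exe"

# Programs the user has previously approved for outbound traffic, keyed by path,
# with the hash recorded at approval time so a modified binary no longer matches.
APPROVED_PROGRAMS = {
    BROWSER_PATH: sha256_hex(BROWSER_IMAGE),
    MAIL_PATH: sha256_hex(MAIL_IMAGE),
}

@dataclass
class Connection:
    direction: str        # "inbound" (remote initiated) or "outbound" (this PC initiated)
    process_path: str     # program that owns the socket; empty for an unsolicited inbound packet
    process_image: bytes  # contents of that program's executable file
    remote: str           # constructed host:port at the other end

def border_firewall_allows(conn: Connection) -> bool:
    """Typical router or border firewall: drops unsolicited inbound connections and
    passes everything initiated from inside. It cannot see which program sent the packet."""
    return conn.direction == "outbound"

def endpoint_firewall_allows(conn: Connection) -> bool:
    """Application-aware endpoint firewall: also drops inbound, and lets a program
    connect out only if its path is approved AND its executable still hashes to
    the value recorded at approval time."""
    if conn.direction != "outbound":
        return False
    approved_hash = APPROVED_PROGRAMS.get(conn.process_path)
    if approved_hash is None:
        return False                                        # new or unknown program
    return approved_hash == sha256_hex(conn.process_image)  # modified program fails here

# Constructed traffic: an inbound probe, a legitimate outbound connection, an unknown
# program connecting out for instructions, and a known program whose file has changed.
SAMPLE_TRAFFIC = [
    Connection("inbound", "", b"", "203.0.113.9:445"),
    Connection("outbound", BROWSER_PATH, BROWSER_IMAGE, "example.com:443"),
    Connection("outbound", r"C:\Users\alice\AppData\Local\Temp\updater.exe", b"unknown-v1", "198.51.100.7:6667"),
    Connection("outbound", BROWSER_PATH, MODIFIED_BROWSER_IMAGE, "198.51.100.7:25"),
]

def decisions(policy, traffic=SAMPLE_TRAFFIC) -> list:
    """Apply one policy to every connection and return the allow (True) / deny (False) verdicts in order."""
    return [policy(c) for c in traffic]

if __name__ == "__main__":
    for c, b, e in zip(SAMPLE_TRAFFIC,
                       decisions(border_firewall_allows),
                       decisions(endpoint_firewall_allows)):
        print(f"{c.direction:8} {c.remote:22} "
              f"border={'pass' if b else 'block'}  endpoint={'pass' if e else 'block'}")
```

Run as written, the border policy blocks only the inbound probe and waves through all three outbound connections, including the two a zombie would make; the endpoint policy passes only the unmodified, approved browser. The hash check is what catches the “modified” case the text mentions: the path is on the approved list, but the file on disk no longer matches what the user approved.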

(By the way, “zombie” above means the same as “bot”. So 31 October 2009 was also International Kill-A-Bot Day — two for the price of one!)