
Do the zombie machines that take part in a DDoS attack belong to ordinary people just like you and me? Can we be part of a DDoS attack even without realizing it?

What happens to these slave machines after the attack? Do they become unable to connect to the target? Is that how they become aware of it?

I wonder what they do with these botnets after the attack?

Anders
mvrht

3 Answers


My most common answer: "It Depends".

Do the zombie machines that take part in a DDoS attack belong to ordinary people just like you and me? Can we be part of a DDoS attack even without realizing it?

Short answer: Yes. Long answer:

Obviously it depends on the infection, but most times, and for most sophisticated attacks:

  • The victim never realizes he/she has been part of the attack.
  • Most times victims do not even know their machines are infected.
  • During the attack: the victim may realize that computer resources are being used more than normal; or in many cases, they don't (sophisticated attacks may preserve the stealth factor by using just a small portion of each victim's computer resources).

What happens to these slave machines after the attack? Do they become unable to connect to the target? Is that how they become aware of it?

  • After the attack, the infection remains (as if it were "sleeping") until the next attack. The victim did not notice anything, and he/she keeps using the computer normally.

I wonder what they do with these botnets after the attack?

There are two main options:

  1. They keep the malware inside the device (a computer or any other device, such as routers and IoT devices) for future attacks.
  2. They clean the infected device to erase any trace. (The most sophisticated attacks may do this, in conjunction with many other techniques, to make researchers unable to trace the attack back to its origin.)
Ajedi32
KanekiDev
  • I don't think the attackers would remove the malware once the attack is completed. It is slow/costly to get malware so widely distributed. Once infected, these zombies can be used for subsequent attacks, phishing, adware, ransomware, etc., so there is significant incentive to keep them infected. – 700 Software Oct 28 '16 at 15:01

Do the zombie machines that take part in a DDoS attack belong to ordinary people just like you and me?

Zombies are infected machines. They are under the control of an attacker, who gives them instructions through a C&C centre.

Can we be part of a DDoS attack even without realising it?

Exactly. If you want to keep your machine out of a bot network, then follow the solutions provided here.

What happens to these slave machines after the attack? Do they become unable to connect to the target? Is that how they become aware of it?

Slave or bot machines work perfectly for their owners, and it's really tough for the owner of the machine to find out whether the machine is under someone else's control.
The machines take instructions from the C&C centre and follow them in the background. If no further instructions are available for the malware, it generally sits idle in the background.

I wonder what they do with these botnets after the attack?

Bot machines are like an army; when the army is not in the war zone, it sits in the bunkers (or in base camp) waiting for the next instructions.
It is similar with a botnet: if they are not attacking someone, that means they are in listening mode for further instructions.

Hope it helps !!!

Gaurav Kansal
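The "listening mode" described in this answer has a measurable side effect: an idle bot that polls its C&C for instructions tends to contact the same destination at near-constant intervals. The following is an added, defender-side example (not code from the answer's author) that groups outbound connections by source/destination pair and flags pairs whose inter-connection gaps are unusually regular. The log format, the field names and the thresholds are assumptions for this illustration, and the log lines are constructed.

```python
"""Beacon (check-in) detection over outbound connection records.

Added example: an idle bot polling its C&C on a schedule shows up as a
destination that is contacted at near-constant intervals. The log format,
field names and thresholds below are assumptions for this illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<ISO timestamp> <source ip> <destination ip>:<port>"
# 203.0.113.7:443 is contacted every ~5 minutes; 198.51.100.10:443 is irregular.
SAMPLE_LOG = """\
2016-10-28T10:00:03 192.168.1.23 203.0.113.7:443
2016-10-28T10:00:41 192.168.1.23 198.51.100.10:443
2016-10-28T10:05:05 192.168.1.23 203.0.113.7:443
2016-10-28T10:07:19 192.168.1.23 198.51.100.10:443
2016-10-28T10:10:02 192.168.1.23 203.0.113.7:443
2016-10-28T10:11:48 192.168.1.23 198.51.100.10:443
2016-10-28T10:15:06 192.168.1.23 203.0.113.7:443
2016-10-28T10:20:04 192.168.1.23 203.0.113.7:443
2016-10-28T10:24:33 192.168.1.23 198.51.100.10:443
2016-10-28T10:25:03 192.168.1.23 203.0.113.7:443
"""


def parse_log(text):
    """Group connection timestamps by (source, destination) pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def find_beacons(flows, min_connections=4, max_cv=0.2):
    """Return flows whose inter-connection gaps are suspiciously regular.

    Regularity is measured as the coefficient of variation (std/mean) of the
    gaps; a value near 0 means a fixed period. Thresholds are assumptions.
    """
    hits = []
    for (src, dst), times in flows.items():
        if len(times) < min_connections:
            continue
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "count": len(times),
                         "period_s": round(avg), "cv": round(cv, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{hit['src']} -> {hit['dst']}: {hit['count']} connections, "
              f"period ~{hit['period_s']}s (cv={hit['cv']})")
```

On the constructed log the 5-minute check-in to 203.0.113.7 is reported with a period of about 300 s, while the irregular browsing-style traffic to 198.51.100.10 is not. The check is deliberately simple: it only catches fixed-interval polling, so in practice it is one signal among several (destination reputation, process that opened the socket, bytes transferred) rather than a verdict on its own.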

I suspect that in most cases, once the DDoS attack is ended, nothing happens to the infected PCs, and they remain infected, available for another attack.

Anti-virus programs probably already knew about such a well-distributed malware. There's a chance some users of anti-virus will have the malware automatically removed after the attack, but only if the anti-virus failed to remove it earlier.

The target of the DDoS (i.e. Dyn recently) will focus on mitigating the attack quickly using resources they can control directly. After that is done, they probably do not have an incentive to clean up the 100k or so infected devices around the world.

They cannot practically block the DDoS victims from accessing their system long-term, because most IP addresses rotate frequently, and the complete list of IPs would be very large. Some (but certainly not all) DDoS sources could have been blocked by IP for a short term, but once the attack ceases this would no longer be needed.

I suspect the attacker would eventually cease the attack if it is no longer effective, as that reduces the chances of the infection being discovered/removed, and frees up resources for other attacks. (I could be wrong about this one. Maybe the attack continues as we speak?)

I do not think there is any world-wide or federal agency which will try to get those zombies cleaned up. ISPs certainly will not spend money doing this unless they have to. It's expensive to identify them and would result in a lot of unhappy customers.

Probably the only one who can clean this up without user participation would be the OS vendor.

  • Windows Update can be used by Microsoft to push a malicious software removal script. Personally, I'm not confident whether they will do this or not.

  • New OSes like iOS, Chrome OS and Android have better management of their corresponding app stores, and have the ability to pull apps that might have participated in a DDoS attack. However, the new OSes are less likely to be infected than classical OSes like Windows, Mac or Linux.

  • Edit: It turns out many of the infected devices were actually IoT devices such as standalone webcams. Many manufacturers do not have a way to auto-update those devices. Only the device owners could take care of them.

700 Software
  • More accurately, they **cannot clean up the 100k infected devices** - in most cases it would be illegal for them to even try! – Rory Alsop Oct 28 '16 at 19:16
  • That's true. It would not be appropriate for them to hack in to clean up. The only reasonable way to clean them up would be to contact the ISPs, and then for them to contact their customers, but that wouldn't work because there are so many worldwide. – 700 Software Oct 28 '16 at 19:36
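This answer notes that DDoS sources can only sensibly be blocked by IP for a short term, since addresses rotate and a permanent list would grow very large. The following is an added illustration of that idea (not code from the answer's author or from any real mitigation product): a per-source sliding-window request counter that blocks a source for a fixed TTL and then forgets it, so entries age out on their own once the attack stops. The window size, threshold, TTL and all addresses are constructed for this example.

```python
"""Short-lived, self-expiring IP blocks for DDoS mitigation (added example).

Illustrates the point that source IPs can be blocked only briefly: a
per-source sliding-window counter, a block with a fixed TTL, and automatic
expiry so the list does not grow without bound or outlive the attack.
Thresholds, TTL and addresses are constructed for this illustration.
"""
from collections import defaultdict, deque


class TemporaryBlocklist:
    def __init__(self, window_s=10.0, max_requests=15, block_ttl_s=300.0):
        self.window_s = window_s          # sliding window for rate counting
        self.max_requests = max_requests  # requests allowed per window
        self.block_ttl_s = block_ttl_s    # how long a block lasts
        self.recent = defaultdict(deque)  # src -> timestamps inside the window
        self.blocked_until = {}           # src -> time at which the block lapses

    def allow(self, ts, src):
        """Decide one request at time ts (seconds) from source src."""
        expiry = self.blocked_until.get(src)
        if expiry is not None:
            if ts < expiry:
                return False               # still inside the block TTL
            del self.blocked_until[src]    # block expired: forget it
            self.recent[src].clear()       # and the burst that caused it
        window = self.recent[src]
        window.append(ts)
        while window and ts - window[0] > self.window_s:
            window.popleft()               # drop timestamps older than the window
        if len(window) > self.max_requests:
            self.blocked_until[src] = ts + self.block_ttl_s
            return False
        return True

    def active_blocks(self, now):
        """Sources whose block has not yet lapsed at time now."""
        return sorted(src for src, exp in self.blocked_until.items() if now < exp)


def replay(events, limiter):
    """Feed (timestamp, src) events in order; return (allowed, denied) counts."""
    allowed = denied = 0
    for ts, src in events:
        if limiter.allow(ts, src):
            allowed += 1
        else:
            denied += 1
    return allowed, denied


# Constructed traffic: one source fires 20 requests in 2 seconds, another
# makes 3 ordinary requests; the flood source tries once more much later.
FLOOD_SRC = "198.51.100.77"
NORMAL_SRC = "192.0.2.5"
SAMPLE_EVENTS = sorted([(i / 10, FLOOD_SRC) for i in range(20)]
                       + [(0.5, NORMAL_SRC), (4.0, NORMAL_SRC), (9.0, NORMAL_SRC)])
LATE_EVENT = (400.0, FLOOD_SRC)

if __name__ == "__main__":
    limiter = TemporaryBlocklist()
    print("burst:", replay(SAMPLE_EVENTS, limiter))              # (18, 5)
    print("blocked at t=100:", limiter.active_blocks(100.0))      # ['198.51.100.77']
    print("late request allowed:", limiter.allow(*LATE_EVENT))   # True
```

The flood source is admitted for its first 15 requests, blocked on the 16th, and denied for the rest of the burst, while the ordinary source is never affected; after the 300 s TTL the same address is accepted again and the block list is empty. That expiry is the whole point of the answer's "short term" remark: a list that forgets is cheap to keep, and a source that merely inherited a rotated address is not punished for long. It also shows the limit the answer mentions, since a truly distributed attack spreads its requests thinly enough per address that a per-source threshold alone will not catch it.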