
Implementation of a Network Zombie Computer Detection System (網路僵屍電腦之偵測系統的實作)

Implementation of Zombie Detection System

Abstract


Hackers use botnets to steal commercial information, posing a serious threat to enterprises and end users. Zombie computers are stealthy and hard to detect, and they are controlled over a variety of communication protocols, so firewalls and anti-virus software struggle to detect and remove them completely. Current bot detection relies mainly on matching virus patterns with a scanning engine. A virus pattern is usually composed of several features, so a variant that slightly modifies a single feature may evade pattern-based detection. This study uses the sandbox tool SysAnalyzer to observe the behavioural history of a virus and, based on the order and timing of its infection behaviours, applies frequent-episode analysis to derive common virus signatures and detection rules, building a "virus signature database" and estimating the support and confidence of each detection rule so that known bots and their variants can be detected. To demonstrate the feasibility of the proposed method, a "Zombie Detection System" and a "Suspected-Infection URL Map" were implemented, then tested and validated in an emulated network environment on the National Cheng Kung University information security testbed (Testbed@TWISC). Experimental results show that the proposed method detects bots effectively and accurately, and that monitoring the suspected-infection URL map helps administrators rapidly keep track of infected zombie computers on the network.

Parallel Abstract (English)


Hackers use botnets to steal business information, posing serious threats to enterprises and end users. Zombies are stealthy, are manipulated over distinct protocols, and are difficult to detect and clean even with firewalls and anti-virus tools. Existing bot detection techniques rely mainly on a virus scan engine performing pattern matching; variants formed by modifying a virus signature can therefore hardly be detected. This work investigates virus behaviour via sandbox analysis and extracts the common signatures of bots using frequent episodes, constructing a virus signature database whose detection rules are enhanced with estimates of support and confidence. Furthermore, a Zombie Detection System (ZDS) and a Dark IP Map have been built to detect bots and their variants. To validate the effectiveness of the system, test cases were conducted in Testbed@TWISC to emulate network attack scenarios. Experimental results show that the proposed approach effectively detects zombies and helps managers rapidly and precisely monitor network zombies.
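Both abstracts describe the same pipeline: record the ordered, time-stamped behaviours a sample exhibits in a sandbox, mine the frequent episodes (behaviour sequences that recur across samples within a time window), turn each episode into a rule with a support and a confidence value, and flag a new trace when it matches such a rule even if a single feature has been altered. The following Python is an added illustration of that pipeline; it is not the paper's ZDS code, the behaviour labels, the four sandbox traces, the 10-second window and the thresholds are all constructed here, and the trace format is an assumption rather than SysAnalyzer's real output.

```python
from dataclasses import dataclass

# Constructed sandbox behaviour traces (NOT real SysAnalyzer output): one list of
# (seconds since process start, behaviour label) per analysed sample.
SANDBOX_TRACES = {
    "sample_A": [(0, "create_process"), (2, "write_autorun_registry"), (5, "dns_query"),
                 (6, "irc_connect"), (9, "outbound_scan")],
    "sample_B": [(0, "create_process"), (1, "write_autorun_registry"), (3, "dns_query"),
                 (4, "irc_connect")],
    "sample_C": [(0, "create_process"), (4, "dns_query"), (5, "irc_connect"),
                 (7, "outbound_scan")],
    "sample_D": [(0, "create_process"), (1, "write_autorun_registry"), (2, "dns_query"),
                 (8, "http_post")],
}


@dataclass(frozen=True)
class EpisodeRule:
    prefix: tuple      # ordered behaviours already observed
    consequent: str    # behaviour the rule predicts next
    support: float     # fraction of traces containing prefix + consequent
    confidence: float  # support(prefix + consequent) / support(prefix)


def contains_episode(trace, episode, window):
    """True if the behaviours in `episode` occur in that order within `window` seconds.

    For each candidate start, the remaining events are matched greedily (earliest
    occurrence). That gives the earliest possible completion, so if its span exceeds
    the window, no other completion from the same start fits either."""
    for start, (t0, ev) in enumerate(trace):
        if ev != episode[0]:
            continue
        pos, t_last, ok = start, t0, True
        for want in episode[1:]:
            pos += 1
            while pos < len(trace) and trace[pos][1] != want:
                pos += 1
            if pos == len(trace):
                ok = False
                break
            t_last = trace[pos][0]
        if ok and t_last - t0 <= window:
            return True
    return False


def support(traces, episode, window):
    """Fraction of analysed samples whose trace contains the episode."""
    hits = sum(contains_episode(tr, episode, window) for tr in traces.values())
    return hits / len(traces)


def frequent_episodes(traces, window, min_support, max_len):
    """Apriori-style level-wise search: only episodes that are already frequent are
    extended, because appending a behaviour can never raise support."""
    alphabet = sorted({ev for tr in traces.values() for _, ev in tr})
    frequent = {}
    candidates = {(ev,) for ev in alphabet}
    for _ in range(max_len):
        scored = {ep: support(traces, ep, window) for ep in candidates}
        level = {ep: s for ep, s in scored.items() if s >= min_support}
        if not level:
            break
        frequent.update(level)
        candidates = {ep + (ev,) for ep in level for ev in alphabet}
    return frequent


def episode_rules(frequent, min_confidence):
    """Turn each frequent episode of length >= 2 into a rule prefix => last behaviour.
    The prefix is always present in `frequent` because the search is level-wise."""
    rules = []
    for ep, sup in frequent.items():
        if len(ep) < 2:
            continue
        prefix = ep[:-1]
        conf = sup / frequent[prefix]
        if conf >= min_confidence:
            rules.append(EpisodeRule(prefix, ep[-1], sup, conf))
    return sorted(rules, key=lambda r: (-r.confidence, -r.support, r.prefix))


def matched_rules(trace, rules, window):
    """Rules whose complete episode (prefix followed by consequent) occurs in the trace."""
    return [r for r in rules
            if contains_episode(trace, r.prefix + (r.consequent,), window)]


def is_suspected_bot(trace, rules, window, min_matches=1):
    """Detection verdict: the trace matches at least `min_matches` signature rules."""
    return len(matched_rules(trace, rules, window)) >= min_matches


if __name__ == "__main__":
    WINDOW = 10
    freq = frequent_episodes(SANDBOX_TRACES, WINDOW, min_support=0.5, max_len=4)
    rules = episode_rules(freq, min_confidence=0.6)
    for r in rules:
        print(f"{' -> '.join(r.prefix)} => {r.consequent}  "
              f"support={r.support:.2f} confidence={r.confidence:.2f}")
    # Constructed variant: the autorun-registry feature was removed, yet the
    # remaining behaviour order still matches learned rules.
    variant = [(0, "create_process"), (3, "dns_query"), (4, "irc_connect")]
    print("variant suspected:", is_suspected_bot(variant, rules, WINDOW))
```

The time window is what distinguishes an episode from a plain ordered subsequence: a trace in which `create_process`, `dns_query` and `irc_connect` occur 30 seconds apart does not contain the three-step episode under a 10-second window, although the two-step `dns_query` then `irc_connect` episode still matches. Support and confidence thresholds are the knobs an operator tunes against false positives; both are constructed here and would be fitted to the sample corpus in practice.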

Parallel Keywords (English)

Botnet; zombie; bot; episode rule; Zombie Detection

Cited by


郭忠山 (2011). A study of botnet detection and management mechanisms: the case of a government agency [殭屍網路偵測與管理機制之研究-以某公務機關為例] (Master's thesis, National Formosa University). Airiti Library. https://www.airitilibrary.com/Article/Detail?DocID=U0028-2507201110053900
