The invention embodiment discloses a method and a device for detecting the zombie network, comprising: acquiring data message in the network; implementing security analysis to the executable program in the data message, determining the destructive executable program to be a malicious resource; monitoring whether the malicious resource has access requirement; if yes, determining the host sending out the access requirement as a zombie host. The invention embodiment actively acquires the data message in the network, performs the security analysis for the executable program in the data message, then monitors the address of the host which requires to access the destructive executable program, thus determining the host sending out the requirement as the zombie host. The invention is able to determine the zombie host position before attacked by the zombie network and detects the existing of the zombie network.