How do you detect a botnet? Impossible, right?



http://en.wikipedia.org/wiki/Botnet

So the question arises, if 'up to a quarter of all PCs are infected by
botnets' (see Wiki above), and presumably most of these PCs have anti-
virus software, how do you detect a botnet residing on your PC?
Assume you do a thorough (full) scan of your HD using commercially
available antivirus software like Kaspersky or Webroot Antivirus.

Followup:  if Bank of America's FTP servers have Zeus key logging
software on it (as says another article), does that mean when I log
onto BAC's servers to check my online bank account, that this
keylogging software is checking my password?  I guess the answer is
yes.

RL

Re: How do you detect a botnet? Impossible, right?




Antimalware applications and rootkit detectors.


Most antivirus applications are incorporating rootkit detection and some
coverage of general malware into their capabilities. Still, I would
suggest using several antimalware (cleanup) tools and maybe even one
with active protection.


Keyloggers log keystrokes. If *they* have a keylogger, it is *their*
keystrokes that are being logged. The implication is that *their* system
can be further compromised by use of the information gathered.

Then consider that *their* system is the one enforcing the password
based restriction policy.



Re: How do you detect a botnet? Impossible, right?




OK thanks.  I am using Webroot and I also use Kaspersky for my other
PC.  According to a report (
http://www.av-comparatives.org/images/stories/test/ondret/avc_report22.pdf
) they score fairly OK (slightly below average or average, with 30-50%
coverage, which sounds lousy but apparently that's about par).



Good point--I never thought of that.  So their keystrokes, not mine,
are at issue.

RL

Re: How do you detect a botnet? Impossible, right?




OK thanks.  I am using Webroot and I also use Kaspersky for my other
PC.  According to a report (
http://www.av-comparatives.org/images/stories/test/ondret/avc_report22.pdf
) they score fairly OK (slightly below average or average, with 30-50%
coverage, which sounds lousy but apparently that's about par).

***
It is hard for an outstanding virus detection engine to stand out when
it is additionally expected to not only detect non-replicating malware
samples, but clean-up after the fact of infestation. Your choices of
protection should address your choices of behavior. Personally, I
wouldn't base my choice of AV on its clean-up capabilities - it's like
choosing a bodyguard based on his EMT skills.

Instead, adhere to strict policies and you can restrict the window of
opportunity for most kinds of malware (trusted downloads only (most
trojans), frequent software updates (exploit based worms)) and your
on-access antivirus will probably never see anything viral to alert on.
***


Good point--I never thought of that.  So their keystrokes, not mine,
are at issue.

***
Yes, if the keyloggers are indeed on their system.

Some keyloggers (maybe even this one) can also log keys struck on the
OSK (On Screen Keyboard Start - Run - osk to see what I mean) so even a
server without a keyboard attached can have an operational keylogger.

Can you point me to the story about B o' A's keyloggers?
***



Re: How do you detect a botnet? Impossible, right?




Either that or the viruses are too slick.  For example, I've often
thought (being a programmer myself) how easy it would be to create a
button that looks like a "close X" at the upper right hand corner of
the window, and when you click on it, it activates something.


It was a web article, I think UK, and it did not name sources.
Apparently (said the article) corporations like in the recent Zeus
mass attack are reluctant to publicize their security breaches.

RL


Re: How do you detect a botnet? Impossible, right?



RayLopez99 wrote:

That would also intercept an [alt+F4] entry?
--



Re: How do you detect a botnet? Impossible, right?





Well that's a slick workaround that escaped me. You're right in that
software cannot (at the Windows level) easily affect the keyboard--
I've tried and it's not possible.  Probably on purpose by MSFT as a
security precaution.  You can read keys depressed of course, but
manipulating the keyboard so that ALT+F4 will do something other than
close the window is nigh impossible, at least using the tools provided
to you by Visual Studio IDE, and therefore for most programs written
for Windows (Forms, WPF, Silverlight, ASP, etc).

RL

Re: How do you detect a botnet? Impossible, right?




Either that or the viruses are too slick.  For example, I've often
thought (being a programmer myself) how easy it would be to create a
button that looks like a "close X" at the upper right hand corner of
the window, and when you click on it, it activates something.

***
It's being done. Some scripted messagebox with a "Yes", "No", "Cancel"
and an "X" in the corner - all of which act like "Yes". I've even heard
of some that get a "Yes" from right clicking the task bar icon and
choosing the "X" though I can't confirm this. Most times it is
recommended to use TaskMan to end the process or application generating
the messagebox.
***



Re: How do you detect a botnet? Impossible, right?



"RayLopez99" wrote:


Look for processes that shouldn't be running (you do know what
services, etc. are normally running and why?), look for files and
directories that shouldn't be there (you do know what your directory
structure looks like and why?), examine network traffic for anomalies
(you do observe what your computer is making connections to and
understand the reasons why?), check the registry load/launch points
for unwanted items (you are familiar with the registry and how it's
configured for your system?) and so on.


New malware variants appear every day which are mostly not detected
until the AV vendors catch up. Once a machine is infected, malicious
software can hide itself from anti-malware applications or disable
them.


Which article?


Zeus (zbot) trojans target user PCs, not bank servers. And, yes, if
you are infected with one, any online transactions with whatever bank
or any other online service are completely unsafe.

Recent zbots create these files, where %System% on current versions of
Windows is usually C:\Windows\System32

%System%\lowsec\local.ds
%System%\lowsec\user.ds
%System%\sdra64.exe

They will be hidden if the Trojan is active, and attempting to create
the lowsec subdirectory (if it's not already visible) will confirm the
infection with a message that the directory already exists.
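Ant's advice above (look for files and directories that shouldn't be there, and confirm a hidden lowsec directory by trying to create it) as an added example; this is not code from the thread. The artefact paths come from the post; the temp-directory scenarios in demo() are constructed, and against a real machine you would pass the %System% path (usually C:\Windows\System32) and run with administrator rights so the create attempt is not refused for lack of permission.

```python
import os
import tempfile

# Zeus/zbot artefacts named in the post, relative to %System%
# (usually C:\Windows\System32 on current Windows versions).
ZBOT_ARTEFACTS = [("lowsec", "local.ds"), ("lowsec", "user.ds"), ("sdra64.exe",)]


def probe_hidden_dir(base_dir, name="lowsec"):
    """Try to create base_dir/name. A directory that an active trojan hides
    from listings still makes the filesystem refuse a duplicate, so "exists"
    here together with an empty listing is the post's tell-tale.
    Cleans up after itself when the directory really was absent."""
    target = os.path.join(base_dir, name)
    try:
        os.mkdir(target)
    except FileExistsError:
        return "exists"
    except OSError:            # no permission (System32 needs admin) or no such base dir
        return "unknown"
    os.rmdir(target)           # we created it, so remove it again
    return "absent"


def check_zbot_indicators(system_dir):
    """Combine plain existence checks with the create-directory probe."""
    visible = [os.path.join(*parts) for parts in ZBOT_ARTEFACTS
               if os.path.exists(os.path.join(system_dir, *parts))]
    listed = {n.lower() for n in os.listdir(system_dir)}
    probe = probe_hidden_dir(system_dir)
    hidden = probe == "exists" and "lowsec" not in listed   # present but concealed
    return {"visible": visible, "probe": probe, "hidden": hidden,
            "suspicious": bool(visible) or probe == "exists"}


def demo():
    """Constructed scenarios in temp dirs (no real %System% is touched):
    a clean directory and one carrying the lowsec\\user.ds artefact."""
    clean = tempfile.mkdtemp()
    infected = tempfile.mkdtemp()
    os.mkdir(os.path.join(infected, "lowsec"))
    open(os.path.join(infected, "lowsec", "user.ds"), "w").close()
    return {"clean": check_zbot_indicators(clean),
            "infected": check_zbot_indicators(infected)}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

A "hidden" result cannot be reproduced in the constructed demo, since an ordinary filesystem lists what it holds; it is the case you would see on a live machine with the trojan's hooks active.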



Re: How do you detect a botnet? Impossible, right?





Good reply Ant especially the obvious innuendo that all users should
know what processes and apps are normally running and to be aware of
apps and processes you don't recognize.  I do just that and have for
some time. I can say that Task Manager/Processes is our friend....good
answer.

Even though many of us (especially those of us on Usenet) have some
measure of technical savvy I long for the day when PCs can be run as
innocently as the kitchen toaster for everyone's ease of use and so they
can get more work or play done without needing to be a cyber cop on
patrol of their own PC.

Re: How do you detect a botnet? Impossible, right?



"Bad Boy Charlie" wrote:


So who's claiming BoA servers are compromised?


If they don't understand the system, then better to get a competent
technician to sort it out.


It's a start but won't necessarily indicate infected legitimate
processes (code injection) or show malicious drivers (rootkits) at
work.


I can't see that ever happening. As long as people are free to run any
code they wish on their systems there's always a risk. A PC is not
just another appliance or entertainment centre, much as companies like
Microsoft would like the general public to think so. The more complex
and sophisticated these devices get the more opportunities arise for
exploitation. Take cell phones, for example; they have an operating
system, all sorts of code widgets that can run on them and have been
subject to attack.



Re: How do you detect a botnet? Impossible, right?




An article on the web, referencing Zeus, which has made the news
recently due to some corporate networks being hacked.


OK, but I am not in a position to hire you, as I'm not a Fortune 500
company.  I do have a decent understanding of PCs, and have built
quite a few from scratch and program as well.  But to assume that a
commercial program is less competent in catching viruses than I is a
bit of a stretch and hubris.  I will stay with Kaspersky and hope for
the best.

RL

Re: How do you detect a botnet? Impossible, right?




| http://en.wikipedia.org/wiki/Botnet

| So the question arises, if 'up to a quarter of all PCs are infected by
| botnets' (see Wiki above), and presumably most of these PCs have anti-
| virus software, how do you detect a botnet residing on your PC?
| Assume you do a thorough (full) scan of your HD using commercially
| available antivirus software like Kaspersky or Webroot Antivirus.

| Followup:  if Bank of America's FTP servers have Zeus key logging
| software on it (as says another article), does that mean when I log
| onto BAC's servers to check my online bank account, that this
| keylogging software is checking my password?  I guess the answer is
| yes.

| RL

BotHunter by SRI funded by US Army RDECOM

http://www.bothunter.net/

Is a good answer to the post's question...
How do you detect a botnet ?

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: How do you detect a botnet? Impossible, right?





I think that's a wrong assumption.  The only computers I see (besides the
occasional HD or video card replacement) are those with malware problems, and
I see very few bots.  Mostly I see adware.  

Now I did have a situation a year ago where a mail server from a frozen food
company in the Midwest kept hitting my home router.  It was a new router, so
best I could determine was that the DHCP address I got with the new router had
belonged to someone the bot was trying to hit.  

As to how to detect, you need a port scanner to look at your connections.  
Also, Zone Alarm is an interesting firewall in that it will warn you about
each incoming or outgoing connection attempt that you haven't authorized.


Re: How do you detect a botnet? Impossible, right?



On Feb 19, 12:38 pm, sfdavidka...@yahoo.com (David Kaye) wrote:

Very interesting.  My definition of botnet: I assumed it was a server
that inserted a virus into your computer (the client).   So if you
don't have the virus on  your machine, you are not part of a botnet.

The Wiki article of 25% is an exaggeration then, noted.

RL

Re: How do you detect a botnet? Impossible, right?



On Feb 19, 12:38 pm, sfdavidka...@yahoo.com (David Kaye) wrote:

***
That's probably because 88% of all PCs harbor adware. :oD

(that 88% is just a wild guess BTW)
***

Very interesting.  My definition of botnet: I assumed it was a server
that inserted a virus into your computer (the client).   So if you
don't have the virus on  your machine, you are not part of a botnet.

***
It is best not to use the term "virus" as the all encompassing term for
malware, use the term malware instead.

Usually, it is a "trojan" getting executed on the machine that gives you
the "bot" that makes you a participant in the "botnet". A "trojan" is a
non-replicating malware program in this sense. Often, in the lifecycle
of a botnet, an exploit based "worm" will be used to help distribute the
malware to new territories (Conficker) - in this sense, it is a virus
(or worm) ... until it goes back to being just a bot (which is bad
enough in itself).
***



Re: How do you detect a botnet? Impossible, right?





| Very interesting.  My definition of botnet: I assumed it was a server
| that inserted a virus into your computer (the client).   So if you
| don't have the virus on  your machine, you are not part of a botnet.

| The Wiki article of 25% is an exaggeration then, noted.

| RL

NO !

A botnet is a group of infected computers (via virus or trojan) that are
controlled by a central operator(s), where the Command and Control (aka
C&C or C2) tells the 'bots what to do and how to act.

There are botnets that perform spam.

There are botnets that perform a DDoS on specified sites.

Botnets in whole or in part can be bought, sold or leased.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: How do you detect a botnet? Impossible, right?




Did you leave out folding protein math and looking for E.T. on purpose?
:oD

Did Wiki?



Re: How do you detect a botnet? Impossible, right?




I think that's the key.  Any client in a server is potentially a
"botnet", broadly defined.  So the Wiki stat is probably a 'high'
number.

RL


Re: How do you detect a botnet? Impossible, right?





I think that's the key.  Any client in a server is potentially a
"botnet", broadly defined.  So the Wiki stat is probably a 'high'
number.

***
I was only joking about wiki. Since the word "infected" was used, it is
clear that they were writing about bots that run on stolen computing
power.
***
