How do you detect a botnet? Impossible, right? - Page 2



Re: How do you detect a botnet? Impossible, right?




[quoted text omitted]

But only if it is being controlled by a server.  A good portscan or the
warning messages from a firewall such as ZoneAlarm would show immediately
whether a computer was acting as a bot or not.  

Shut down any browsers, Outlook, etc., go away for 10 minutes.  Run the
portscan and see what dot-quad addresses are being accessed.  Should only be
your router and maybe Apple (if you've installed iTunes or QuickTime) and
maybe Adobe if you have an Adobe product, etc.  A good port scanner will
resolve the addresses for you and tell you what your connections are looking
at.  If some dot-quads don't resolve to domain names or the domain name ends
in .ch (China), .ru (Russia), .pl (Poland), etc., then you're in trouble.  You
likely have a bot.

As I said earlier, very few of my malware customers have these, which is why I
dispute the 88% or 92% or whatever figures.  I'm just not seeing many of them.

I suspect that most of this bot activity is taking place not on the majority
of home computers but on computers people don't look at very often such as web
servers, mail servers, etc.  


Re: How do you detect a botnet? Impossible, right?



David Kaye wrote:
[quoted text omitted]

Not to quibble but [ch] is the Confoederatio Helvetica or Switzerland,
whereas China is [cn]

Re: How do you detect a botnet? Impossible, right?




[quoted text omitted]

I'm sorry, I meant .cn not .ch.  


Re: How do you detect a botnet? Impossible, right?



On Feb 21, 4:09 am, sfdavidka...@yahoo.com (David Kaye) wrote:
[quoted text omitted]

Interesting, thanks.  I am using Webroot, which has a firewall and
virus engine (Sophos licensed) but I guess it doesn't have a port
scan.  However, if your clients are not 100% savvy (otherwise they
would not need your expertise) then you can safely say that most of
the time bots are not running on people's machines that run 'ordinary'
virus/firewall commercial packages (I trust almost all of your clients
are running some kind of such package, as it's nearly inconceivable
that they are not).  So from these two facts we can deduce that bots
are not as common as stated on Wiki--for "people occupied" PCs that
are not running unattended as servers.  So likely I don't have a bot
either.  I do have a firewall "Look-n-stop" and on occasion I check
out the IP address on Whois.

Today I notice a slightly suspicious looking entry:
ppp-124-120-170-40.revip2.asian   ??? What can this be?

But it's probably nothing (I think).

RL


Re: How do you detect a botnet? Impossible, right?



"RayLopez99" wrote:

[quoted text omitted]

I don't agree. Servers are more likely to be better managed than end-
user machines. There are also many more home PCs than servers.

[quoted text omitted]

You truncated the name, which is:
ppp-124-120-170-40.revip2.asianet.co.th

The IP address (124.120.170.40) associated with that generically-named
host belongs to trueinternet.co.th, an ISP in Thailand. It's the kind
of name that gets assigned to home user IPs.

You should be highly suspicious of it. Find out what process owns the
connection.
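The check David Kaye describes earlier on this page (close the browser and mail client, wait, then list what is still connected and resolve the peers) and Ant's follow-up here (treat a customer-pool name like ppp-... as suspect, and find the process that owns the socket) can be scripted. The block below is an added example written for this page, not code posted by anyone in the thread. It parses a Windows "netstat -ano" listing, joins it with reverse-DNS answers and a PID-to-image table, skips LAN peers and flags the rest when they have no PTR record, carry a dynamic-pool style name, or use an odd port. The netstat snapshot, the PTR answers, the process table, the pool-name patterns and the port list are all constructed assumptions for the example (only the two Thai and Hungarian names come from the thread); in real use you would feed it live netstat output, resolve names with socket.gethostbyaddr and read PIDs from tasklist.

```python
"""Triage a netstat snapshot for bot-like peers (added example, constructed data)."""
import ipaddress
import re

# Constructed `netstat -ano` snapshot; the Windows XP column layout is assumed.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.5:1052       192.168.1.1:80         ESTABLISHED     1204
  TCP    192.168.1.5:1061       17.250.248.20:443      ESTABLISHED     1560
  TCP    192.168.1.5:1077       124.120.170.40:6667    ESTABLISHED     1832
  TCP    192.168.1.5:1083       79.121.44.74:8080      ESTABLISHED     1832
  TCP    192.168.1.5:1090       203.0.113.9:443        ESTABLISHED     1832
  UDP    192.168.1.5:137        *:*                                    4
"""

# Constructed reverse-DNS answers (None = no PTR record).  The Thai and
# Hungarian names are the ones discussed in the thread; the rest are made up.
PTR_SAMPLE = {
    "192.168.1.1": None,
    "17.250.248.20": "swcdn.apple.com",
    "124.120.170.40": "ppp-124-120-170-40.revip2.asianet.co.th",
    "79.121.44.74": "host-79-121-44-74.kabelnet.hu",
    "203.0.113.9": None,
}

# Constructed PID -> image table, as `tasklist` would report it.
PROCESS_SAMPLE = {4: "System", 1204: "iexplore.exe",
                  1560: "iTunesHelper.exe", 1832: "svchost.exe"}

# Peers that are expected to be local: RFC 1918, loopback, link-local.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
             "127.0.0.0/8", "169.254.0.0/16")]

# Leading labels ISPs hand out to dial-up/DSL/cable customer pools.
# Assumed pattern list for the example, not an exhaustive rule.
DYNAMIC_POOL = re.compile(r"^(ppp|host|dsl|adsl|cable|dyn|pool|cpe)[-.]?\d")

# Remote ports an ordinary desktop rarely talks to; 6667 is the classic IRC C&C port.
ODD_PORTS = {6667, 6668, 6669, 31337}

ROW = re.compile(r"^\s*(TCP|UDP)\s+\S+\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Yield (remote_ip, remote_port, pid) for every ESTABLISHED TCP row."""
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        proto, remote, state, pid = m.groups()
        if proto == "TCP" and state == "ESTABLISHED":
            ip, port = remote.rsplit(":", 1)
            yield ip, int(port), int(pid)


def triage(netstat_text, ptr, procs):
    """Return the non-LAN peers worth a second look, each with its reasons."""
    findings = []
    for ip, port, pid in parse_netstat(netstat_text):
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in LAN_NETS):
            continue  # router, printers, other LAN hosts: expected
        reasons = []
        name = ptr.get(ip)
        if name is None:
            reasons.append("no reverse DNS")
        elif DYNAMIC_POOL.match(name.split(".")[0].lower()):
            reasons.append("customer-pool hostname: " + name)
        if port in ODD_PORTS:
            reasons.append("unusual remote port %d" % port)
        if reasons:
            findings.append({"ip": ip, "port": port, "pid": pid,
                             "image": procs.get(pid, "?"),
                             "hostname": name, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(NETSTAT_SAMPLE, PTR_SAMPLE, PROCESS_SAMPLE):
        print("%s:%d  pid %d (%s)  %s" % (f["ip"], f["port"], f["pid"],
                                          f["image"], "; ".join(f["reasons"])))
```

The PID column is what turns a suspicious address into an actionable lead: "netstat -o" (and "-b" on XP SP2 and later) or Process Explorer will name the owning process, and a site you merely visited earlier will not still hold an ESTABLISHED socket after ten idle minutes, whereas a bot keeps its control channel open or keeps reconnecting. A generic owner such as svchost.exe is not proof of anything by itself, but it does mean the next step is to look at which service or DLL inside it made the connection.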



Re: How do you detect a botnet? Impossible, right?




[quoted text omitted]

But sysadmins tend not to personally use their mail and web servers very
often.  Sure, they'll login from time to time, but they're not going to be
using them intensely with word processing, spreadsheets, web browsing, etc.,
and thus are not likely to find slowdowns, suspicious disk activity, freaky
behavior.  But people who use home computers are going to find these things
quickly.  

And again, I deal with new customers all the time who have malware infections
and seldom do I see bots.  These are random people who call me via one of my
yellow pages ads.  They call when they have problems.  But well over 90% of
them do not have bots on their systems.  


Re: How do you detect a botnet? Impossible, right?



On Feb 21, 11:30 pm, sfdavidka...@yahoo.com (David Kaye) wrote:
[quoted text omitted]

This is interesting.  A malware infection would be what, typically?
Something like a program that tracks your internet surfing habits, but
resides outside the browser so you cannot flush it clean?

Also what ZoneAlarm type port sniffing / firewall program do you
recommend for an XP running on Pentium IV with 2 GB ram?

RL

Re: How do you detect a botnet? Impossible, right?




[quoted text omitted]

Most of them have been adware, trying to get people to spend $$ to "disinfect"
their computers.  About 1/4 have been redirects where the browser or the DNS
are redirected to fake search sites either for phishing or to gain click
money.  

I really see very little bot or keylogger activity.  Most of my customers are
small entrepreneurs and consultants, many of them seniors.  Your results may
vary.


Re: How do you detect a botnet? Impossible, right?



[quoted text omitted]

...but you can't say anything about the ones that you don't see. Bots
might not cause any symptoms for the home user to see. They don't
complain about strange behavior because there *is* no strange behavior.
Think of a bot as an application running in the background mostly
waiting for instructions, not like a worm gobbling up your resources to
spread itself or adware getting 'in your face'.



Re: How do you detect a botnet? Impossible, right?




[quoted text omitted]

I know what a bot is, thank you very much.  


Re: How do you detect a botnet? Impossible, right?



[quoted text omitted]

Then what makes you think they would manifest themselves as "slowdowns,
suspicious disk activity, freaky behavior"? You could be hosting a bot
without *any* user-noticeable symptoms.



Re: How do you detect a botnet? Impossible, right?





[quoted text omitted]


| Then what makes you think they would manifest themselves as "slowdowns,
| suspicious disk activity,
|  freaky behavior."? You could be hosting a bot without *any* user
| noticeable symptoms.



Often the ONLY indication is "beaconing" to a foreign host.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: How do you detect a botnet? Impossible, right?



[quoted text omitted]

Something not at all obvious to the casual observer. Bots share that
trait with the slow polymorphic virus - if you don't draw attention to
yourself, it is a clear advantage in stickiness - hiding yourself (and
your activities), even more so.



Re: How do you detect a botnet? Impossible, right?






[quoted text omitted]






| Something not at all obvious to the casual observer. Bots share that
| trait with the slow polymorphic virus - if you don't draw attention to
| yourself, it is a clear advantage in stickiness - hiding yourself (and
| your activities), even more so.


Yes and in this case the rate of beaconing can further limit detection.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
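The two points Dave makes above (often the only sign of a bot is beaconing to a foreign host, and a slow beacon rate further limits detection) are easy to show on a connection log. The block below is an added example written for this page, not code from the thread or from any of its posters. It builds a constructed outbound-connection log containing bursty browser traffic to a CDN, a bot checking in every five minutes, and a second bot checking in every six hours, then scores each destination by how regular the gaps between its contacts are (coefficient of variation of the inter-contact intervals). The addresses reuse those discussed in the thread, the timestamps, jitter values and thresholds are assumptions for the example.

```python
"""Find beaconing peers in an outbound-connection log (added example, constructed data)."""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2010, 2, 21, 4, 0, 0)      # constructed log start
JITTER = [2, -4, 3, -1, 0, 5, -3, 1]     # a few seconds of timer drift


def make_sample():
    """Constructed log: sorted list of (time, 'ip:port') outbound connections."""
    events = []
    # Browser traffic to a CDN: human-driven, bursty.
    for off in (0, 1, 2, 37, 38, 600, 601, 602, 1900, 1902, 4000):
        events.append((T0 + timedelta(seconds=off), "17.250.248.20:443"))
    # Fast beacon: every 5 minutes for two hours.
    for i in range(24):
        t = T0 + timedelta(seconds=300 * i + JITTER[i % len(JITTER)])
        events.append((t, "124.120.170.40:6667"))
    # Slow beacon: every 6 hours for two days.
    for i in range(9):
        t = T0 + timedelta(hours=6 * i, seconds=JITTER[i % len(JITTER)])
        events.append((t, "79.121.44.74:8080"))
    return sorted(events)


def window(hours=0, minutes=0):
    """Observation window (start, end) beginning at the log start."""
    return T0, T0 + timedelta(hours=hours, minutes=minutes)


def find_beacons(events, window, min_events=4, max_cv=0.15):
    """Map each destination contacted at least min_events times inside
    window whose inter-contact gaps are nearly constant to
    (count, mean_gap_seconds, coefficient_of_variation)."""
    start, end = window
    times = defaultdict(list)
    for t, dst in events:           # events are time-sorted, so each list is too
        if start <= t < end:
            times[dst].append(t)
    beacons = {}
    for dst, ts in times.items():
        if len(ts) < min_events:
            continue                # too few samples to call anything periodic
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            beacons[dst] = (len(ts), round(mean), round(cv, 3))
    return beacons


if __name__ == "__main__":
    log = make_sample()
    # A ten-minute look sees too few contacts from either beacon.
    print("10m window:", find_beacons(log, window(minutes=10)))
    # Two hours catch the 5-minute beacon but still only one contact from the slow one.
    print(" 2h window:", find_beacons(log, window(hours=2)))
    # Two days of log are needed before the 6-hour beacon stands out.
    print("48h window:", find_beacons(log, window(hours=48)))
```

The three windows are the point: the CDN is never flagged because its gaps vary wildly, the five-minute beacon shows up once two hours of log are available, and the six-hour beacon only stands out after days of logging. A quick ten-minute check of the kind suggested earlier in the thread sees one or two contacts and cannot distinguish either beacon from ordinary traffic, which is exactly why a slow beacon rate hurts detection. Firewall logs such as the Look 'n' Stop log mentioned in this thread are a usable input, provided they are kept long enough.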



Re: How do you detect a botnet? Impossible, right?




[quoted text omitted]

Could, but most of this malware is written so badly that it's usually evident.
I used to write software for a living.  20% of the time was spent writing
software and 80% was spent debugging.  It's hard to write good code that will
work well on all flavors of Windows with all kinds of hardware.  Malware
writers generally want to get it written and out the door; debugging is the
least of their concerns.  If it runs on 1% of the infected computers they're
happy.


Re: How do you detect a botnet? Impossible, right?



[quoted text omitted]

Meaning what?  Gets assigned legally?  Or nefariously?

[quoted text omitted]

Too late--it did not show up when I rebooted.  It's gone.  Is it
possible that bots only "spring to life" certain hours of the day or
week?

You're scaring me Ant.  Do you recommend what product for scanning? I
am running XP pro on an old Pentium IV machine with a couple of Gigs
RAM.  It's old but works.  I cannot upgrade to Vista / 7 on this
machine.  So will some (old) version of Zone Alarm work?  I heard bad
things about Zone Alarm when it has a certain version that was akin to
malware (hard to uninstall as I recall).  Is Zone Alarm any good
anymore?  Or something else?

Thanks,

RL

Re: How do you detect a botnet? Impossible, right?



"RayLopez99" wrote:

[quoted text omitted]


It means the connection is likely to be nefarious. Why is some unknown
user connecting to you (or you connecting to them)? You wouldn't see a
name like that for, say, a legitimate website in Thailand you had
just visited. However, it could be you visited a site hosted on some
user's home PC. The prefix 'ppp' (point to point protocol, I believe)
gives it away. That's the kind of name assigned to dialup users and
certainly not regular hosting services. You know it's not your own
because yours has this format: athedsl-4482237.home.otenet.gr
and suggests you're a home user on (A)DSL, perhaps near Athens?

[quoted text omitted]


Yes, that can happen.

[quoted text omitted]

Hopefully, someone else can advise since I don't use any! How well do
you know the registry? Autoruns from Sysinternals (now Microsoft) is
useful to see what starts automatically. My only defence is knowing
my system inside-out; e.g. what drivers load and other programs run in
a normal configuration, what files are supposed to be in the system
directories and other places and what they look like internally, etc.
Plus visually monitoring all connections while online (I'm only ever
physically connected for very short periods). I'm also pretty familiar
with malware, as most days I'm disassembling it.

[quoted text omitted]

Nothing wrong with that and no point installing a new OS on an older
PC. I'm still running Win2k on my internet facing PC and only use XP
for testing - it's on a faster machine but runs slower!

[quoted text omitted]

Isn't XP's built-in "firewall" any use here? I've not really looked at
it. Of course, none of this packet filtering software is any good if
you're already infected.
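Ant's approach above (know what loads in a normal configuration, and use Autoruns to see what starts automatically) amounts to keeping a baseline of autostart entries and diffing later snapshots against it. The block below is an added example written for this page, not code from the thread, from Ant, or from Autoruns. It normalises each Run-key command line (quoting, %SystemRoot%, case and trailing arguments all vary between exports) so that a cosmetic difference is not mistaken for a new entry, then reports entries that are absent from the baseline, that run from a user-writable folder, or that borrow a core Windows binary name outside system32. Both entry lists, the registry locations and the program names are constructed assumptions typical of an XP machine, not data from the thread.

```python
"""Diff autostart entries against a known-good baseline (added example, constructed data)."""
import ntpath
import re

RUN_HKLM = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_HKCU = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed baseline, exported while the machine was known to be clean.
BASELINE = [
    (RUN_HKLM, "iTunesHelper", r'"C:\Program Files\iTunes\iTunesHelper.exe"'),
    (RUN_HKLM, "SunJavaUpdateSched", r'"C:\Program Files\Java\jre6\bin\jusched.exe"'),
    (RUN_HKCU, "ctfmon.exe", r"%SystemRoot%\system32\ctfmon.exe"),
]

# Constructed later export: one cosmetic change, one genuinely new program and
# an "svchost.exe" that runs from the user's Temp folder.
CURRENT = [
    (RUN_HKLM, "iTunesHelper", r'"C:\Program Files\iTunes\iTunesHelper.exe"'),
    (RUN_HKLM, "SunJavaUpdateSched", r'"C:\Program Files\Java\jre6\bin\jusched.exe"'),
    (RUN_HKCU, "ctfmon.exe", r"C:\WINDOWS\System32\ctfmon.exe"),
    (RUN_HKLM, "Adobe Reader Speed Launcher",
     r'"C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"'),
    (RUN_HKCU, "Windows Update",
     r"C:\Documents and Settings\RL\Local Settings\Temp\svchost.exe -i"),
]

ENV = {"%systemroot%": r"c:\windows", "%windir%": r"c:\windows",
       "%programfiles%": r"c:\program files"}
# Quoted path, or an unquoted path up to the first executable-looking extension.
IMAGE = re.compile(r'\s*"([^"]+)"|\s*(.+?\.(?:exe|dll|cpl|scr|com))(?=\s|$)')
# Folders any user can write to; nothing that claims to be a service belongs there.
USER_WRITABLE = re.compile(r"\\(temp|tmp|local settings|application data|appdata|recycler)\\")
# Core Windows binaries that only belong in system32.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
SYSTEM32 = r"c:\windows\system32"


def normalize_image(command):
    """Reduce a Run-key value to a lower-case image path so that quoting,
    environment variables and arguments cannot hide a match."""
    s = command.strip().lower()
    for var, path in ENV.items():
        s = s.replace(var, path)
    m = IMAGE.match(s)
    if not m:
        return s.split()[0] if s else s
    return m.group(1) or m.group(2)


def audit(baseline, current):
    """Return the entries in current that deserve a look, with reasons."""
    known = {(loc.lower(), normalize_image(cmd)) for loc, _name, cmd in baseline}
    findings = []
    for loc, name, cmd in current:
        image = normalize_image(cmd)
        reasons = []
        if (loc.lower(), image) not in known:
            reasons.append("not in baseline")
        if USER_WRITABLE.search(image):
            reasons.append("image lives in a user-writable directory")
        if ntpath.basename(image) in SYSTEM_NAMES and ntpath.dirname(image) != SYSTEM32:
            reasons.append("system binary name outside system32: " + image)
        if reasons:
            findings.append({"location": loc, "name": name,
                             "image": image, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit(BASELINE, CURRENT):
        print("%s\\%s -> %s\n    %s" % (f["location"], f["name"], f["image"],
                                        "; ".join(f["reasons"])))
```

A new entry with a single "not in baseline" reason (the Adobe launcher here) is the normal result of installing software and only needs confirming; an entry that also runs from Temp under a system binary's name is the pattern worth pulling the machine off the network for. Run keys are only part of the surface that Autoruns covers (services, drivers, Winlogon notifications, BHOs and scheduled tasks are the rest); the same normalise-and-diff approach applies to each of them.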



Re: How do you detect a botnet? Impossible, right?



[quoted text omitted]

Yes, that's right.


[quoted text omitted]

But unlikely?  Less than 5% or even 1%?

[quoted text omitted]

You're the man I need to talk to then!  I code for fun, but using
Visual Studio .NET family of languages it's hard to get to the system
level, which I take it malware writers are working at.

Here's another one I 'found' today using LookNStop's firewall log on
my XP machine--either my machine is completely full of malware (and I
run Webroot antivirus and malware remover almost daily, full scan), or
this is another false positive:  host-79-121-44-74.kabelnet.hu

Which Whois says is some website server in Hungary:
host-79-121-44-74.kabelnet.hu

Now I don't remember visiting any Hungarian website, but since Greece
is near Hungary, it's possible my DSL provider somehow links to them
maybe?  Or something like that.

[quoted text omitted]

I hear you.  Check out my flamebait in computer.os.linux.advocacy on
this theme (an old machine that runs fine on Win2k but I could not get
it to work in Linux--which is too resource heavy for it right now--
another example of 'if it ain't broke don't fix it', though in this
case it was an old PC I was going to trash anyway so no big loss).

[quoted text omitted]

But using the Thai and Hungary examples, how do you know if these
sites are innocent or not?  Very complicated.  I also see in this
thread the post by David Kaye that most malware is badly written, and
this seems to make sense to me as an amateur coder, so perhaps the
commercial anti-malware / AV products (which catch less than 50%
according to the report I cited in this thread) are only catching the
'obvious' (badly written) malware / viruses?

The more I know about this topic the stupider I feel, LOL.

RL


Re: How do you detect a botnet? Impossible, right?



RayLopez99 wrote:
[quoted text omitted]

Not really,
with a properly secured browser,
all sites are innocent
...or inoperative.

Re: How do you detect a botnet? Impossible, right?



[quoted text omitted]

What is a properly secured browser?  Does the latest Internet Explorer
with all the patches installed qualify?

RL
