How do you detect a botnet? Impossible, right? - Page 3


Re: How do you detect a botnet? Impossible, right?



RayLopez99 wrote:
[quoted text not shown]

I tend to have my doubts about IE,
whereas my Opera seems a bit more secure,
at least I have a warmer fuzzier feeling about it.

Re: How do you detect a botnet? Impossible, right?




[quoted text not shown]

What is a properly secured browser?  Does the latest Internet Explorer
with all the patches installed qualify?

On Vista and Windows 7 it might be more secure. Of course it depends on
the configuration.

Quite a bit if the "danger" comes from scripting support, so if you
disallow scripting you are more secure. Better yet, a text only browser
offers quite a bit of security, it is you that must draw the line
between functionality and security.




Re: How do you detect a botnet? Impossible, right?



FromTheRafters wrote:
[quoted text not shown]

I suppose that's dependent on the threat,
but I feel comfortable with Opera in a sandbox.

Opera v10.10 (didn't care for the beta v10.50)
http://www.opera.com/download/

Sandboxie v 3.44
http://www.sandboxie.com/index.php?DownloadSandboxie

Re: How do you detect a botnet? Impossible, right?



[quoted text not shown]

Good stuff there.

I was reminded of Norman when I mentioned text-only browsing.
http://beacon.chebucto.ca/Content-2006/norman.html

Funny how some people leave a lasting impression.



Re: How do you detect a botnet? Impossible, right?



FromTheRafters wrote:
[quoted text not shown]

Neither of those is v1.
Thank goodness there are some folk trying to keep up
and/or stay ahead of the threat horizon.

[quoted text not shown]

I remember some of the stark images of him
and how ghastly ill he usually appeared,
like a Canadian snowbird that never left the nest.
I sure hope his transition was a painless relief.
I also remember it was him that introduced me to the 'pine browser'
some decade and a half ago. Now that was one gimmick-proof app.

--

**** COMMODORE 64 BASIC V 2.0 ****
64 K RAM SYSTEM
38911 BASIC BYTES FREE
READY

Re: How do you detect a botnet? Impossible, right?




[quoted text not shown]




| Good stuff there.

| I was reminded of Norman when I mentioned text-only browsing.
| http://beacon.chebucto.ca/Content-2006/norman.html

| Funny how some people leave a lasting impression.



I forgot all about him!   :-(

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: How do you detect a botnet? Impossible, right?



"RayLopez99" wrote:

[quoted text not shown]

Not unlikely and I would say it's common with bots. They don't so much
go by the time of day but a sleep period which may be anything from a
few minutes to several hours.

[quoted text not shown]

Yes, you don't see that many .NET executables. It's sometimes useful
for code obfuscation but they can't rely on users having the correct
run-time libraries installed. Language preferences tend to be C/C++ or
assembly and malware writers often like to use undocumented functions
at the lowest level exported from ntdll.dll.

[quoted text not shown]

Another end user. There are no services (e.g. web server) running on
that host unless it's using unconventional ports.

[quoted text not shown]

No, not your ISP. I thought you may be seeing these as active
connections with something like netstat but you're looking at firewall
logs. In that case, it may be just background noise or infected PCs
trying to make contact which the firewall blocked. The log should
indicate whether incoming or outgoing and if blocked or not.

[quoted text not shown]

They're not "sites" as such but end-user PCs and, innocent or not,
if you didn't initiate the connection your machine should not
communicate with them. As long as they're incoming connection attempts
and your firewall is blocking them, you have nothing to worry about.

[quoted text not shown]

Most is written well enough to do damage and some is very well written
in that it efficiently does its job and can have experts puzzled for a
while. Certainly not what you would call amateur. Organised crime pays
good money for talented coders.

[quoted text not shown]

It's not to do with how good or bad the code is. A lot of malware is
wrapped in polymorphic packers or obfuscators so every sample (of the
same underlying executable) is different. It's impossible for
signature-based detection to keep up with this and, even with
heuristics, once AV products start to reliably detect it the authors
will modify the packing engine. They also submit samples to places
like Virus Total to check their work.
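Ant's remark about sleep periods suggests a check a defender can run over their own firewall log: a bot that waits a fixed period between call-outs produces evenly spaced attempts to the same destination, whatever the time of day. The following is an added example, not code from the thread or from any product named in it. The log format, the timestamps and the addresses (RFC 5737 documentation ranges) are constructed, and the function names `parse_log` and `beacon_candidates` are my own.

```python
"""Flag destinations that are contacted at suspiciously regular intervals.

Added example: the log format below is assumed, not any product's real
format. Each line is "YYYY-MM-DD HH:MM:SS DIR ACTION host:port".
"""
import re
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log. 192.0.2.10 is hit every ~15 minutes (a fixed sleep
# period); 198.51.100.53 is hit at ragged, human-looking intervals.
SAMPLE_LOG = """\
2010-02-20 19:30:02 OUT BLOCKED 192.0.2.10:33137
2010-02-20 19:31:10 OUT ALLOWED 198.51.100.53:53
2010-02-20 19:33:05 OUT ALLOWED 198.51.100.53:53
2010-02-20 19:40:00 IN BLOCKED 203.0.113.7:445
2010-02-20 19:45:03 OUT BLOCKED 192.0.2.10:33137
2010-02-20 20:00:01 OUT BLOCKED 192.0.2.10:33137
2010-02-20 20:15:04 OUT BLOCKED 192.0.2.10:33137
2010-02-20 20:22:40 OUT ALLOWED 198.51.100.53:53
2010-02-20 21:03:11 OUT ALLOWED 198.51.100.53:53
this line is not in the expected format and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<dir>IN|OUT) (?P<action>ALLOWED|BLOCKED) "
    r"(?P<host>[0-9A-Za-z.\-]+):(?P<port>\d+)$"
)


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "dir": m["dir"],
            "action": m["action"],
            "host": m["host"],
            "port": int(m["port"]),
        })
    return events


def beacon_candidates(events, min_hits=4, max_cv=0.2):
    """Group outbound attempts by destination and measure interval regularity.

    cv is the coefficient of variation of the gaps between attempts
    (standard deviation / mean). A fixed sleep period gives a small cv no
    matter how long the period is; blocked attempts count too, since the
    firewall's verdict does not change what the program was trying to do.
    """
    by_dest = {}
    for e in events:
        if e["dir"] == "OUT":
            by_dest.setdefault((e["host"], e["port"]), []).append(e["ts"])
    report = {}
    for dest, stamps in by_dest.items():
        if len(stamps) < min_hits:
            continue  # too few points to say anything about periodicity
        stamps = sorted(stamps)
        gaps = [(later - earlier).total_seconds()
                for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        report[dest] = {
            "hits": len(stamps),
            "mean_gap_s": round(avg),
            "cv": round(cv, 3),
            "regular": cv <= max_cv,
        }
    return report


if __name__ == "__main__":
    for (host, port), stats in beacon_candidates(parse_log(SAMPLE_LOG)).items():
        verdict = "REGULAR - investigate" if stats["regular"] else "irregular"
        print(f"{host}:{port} hits={stats['hits']} "
              f"mean_gap={stats['mean_gap_s']}s cv={stats['cv']} {verdict}")
```

The thresholds are starting points: `min_hits` keeps two or three coincidental hits from scoring as periodic, and `max_cv` can be raised if the bot adds jitter, at the cost of more false positives from scheduled legitimate traffic such as update checks, which is why a regular destination is something to look up, not proof of infection.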



Re: How do you detect a botnet? Impossible, right?



[quoted text not shown]

Very interesting.  Though the .NET code obfuscation engine is very
weak I hear, so I take it you mean obfuscate maybe people who write AV
software, who maybe don't expect a .NET virus.


[quoted text not shown]

Really?  How in the world did you deduce that?  From the majority of
these data entries (see below) being PC to Internet, I would hazard
this one was also PC to Internet.  So why did my PC initiate this
communication to Hungary is the question?


[quoted text not shown]

YES, it works!  I did click on "details" in my Firewall (Look 'n' See)
and indeed it shows direction.  Yesterday's log is lost, but I found
another 'suspicious'??? or maybe not entry today, here:
aedz253.neoplus.adsl.tpnet.pl  which maps to this Polish server:

DOMAIN:                 tpnet.pl
registrant's handle:    nsk80879 (CORPORATE)
nameservers:            dns2.man.lodz.pl. [212.51.192.5]
Polska/Poland +48.22 3808300


And it's 'outgoing', and even shows the "Ethernet" outgoing
destination address, and the incoming (which is my Ethernet Card ID I
guess), as well as the length 60, identification 491 and DF MF =
(0,0), Frag offset = 0 and "Time to Live" = 64, and I have no idea
what that means, but probably byte related. It even shows a fragment
of data in hexadecimal form.  Pretty cool, but how do I know if this PC
to Internet data transfer was malware or not?  I would venture to say
that many commercial programs probably have "regional" servers to
handle any data pings output from a user's PC, and since I'm in Europe
(Greece), it stands to reason maybe the nearest server is Poland.  But
I don't know how you would know what program sent this data
fragment...maybe ZoneAlarm?  Look 'n' Stop is a decent, cheap little
firewall insofar as I can tell, and does have a bunch of recommended
rules (about 22, including such obscure ones like: 'Stops UDP
broadcasts to *.*.*.255.')

Again the more I learn the dumber I feel.  But thanks Ant...

[quoted text not shown]

But they're not incoming, see above.


[quoted text not shown]

Virus Total I take it 'legitimizes' software, from what I can tell:
VirusTotal is a free virus and malware online scan service, so they
game the system.  Very devious.

RL


Re: How do you detect a botnet? Impossible, right?



"RayLopez99" wrote:

[quoted text not shown]


No, I mean code obfuscation. It doesn't matter how weak because
scanners don't unravel it on the fly. It can be difficult to determine
maliciousness of executables which rely on external interpreting
engines, like .NET assemblies and old style Visual Basic with its
various vbrunxxx DLLs. All these types of executables do is make a
single call to the installed MS runtime package which then interprets
and runs the code. They are not what I would call standard executables
with standard ready-to-run machine code and, good or bad, they all
look much the same to a scanner.

[quoted text not shown]


Simple, just try to connect to a port you would expect a service to be
running on; e.g. 80 for HTTP (web server), 25 for SMTP (mail), 21 for
FTP and so on. If you get a response you know a server is up and
running, although it may not let you connect. You can do this with the
telnet program but it's quicker to use a port scanner. I checked only
the well-known ports but a service could be running on any one of
65535 possible ports.

[quoted text not shown]

Why, indeed. It's up to you to know what's running on your machine and
what it's doing.

[quoted text not shown]


The IP address of that host is 79.186.103.253 which is being used by
a customer of tpnet.pl, a Polish ISP responsible for that IP.

[quoted text not shown]

Bad news.


You've got to ask yourself why your machine is connecting to random
users in Thailand, Hungary, Poland and who knows where else. I
strongly suggest you block them and investigate. Once you've found
the cause and cleaned up you'd better change all your passwords.
As I said before, check all registry and other startup points for
suspicious things that might be loading automatically.

[quoted text not shown]

Then you would expect to see recognisable host names, either belonging
to the company or known server farms and load balancers like Akamai,
not generic ones assigned to ordinary end users like you and me.

[quoted text not shown]

Are you running more than one software firewall? That's a bad idea.
Can't you configure Zone Alarm to deny all outbound traffic and get
it to prompt you to allow on a case-by-case basis? That way you'll get
an idea of what is trying to call home if it gives a message like
"program x is trying to connect to host y, do you want to allow?".
I thought the built-in XP firewall could do this anyway.
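The checks Ant lays out in this reply (direction and verdict first, then whether the remote name is a recognisable company or CDN host or a generic end-user assignment, then whether the remote port is one a server would conventionally answer on) can be written down as a small triage routine. This is an added example, not code from the thread. The allow-list of verified domains, the list of end-user tokens and the sample entries are constructed placeholders to be replaced with what you actually use; the only real host name in it is the one Ray posted.

```python
"""Triage firewall-log entries: direction, verdict, host-name class, port.

Added example. Lists below are constructed placeholders; tune them to the
programs and services you know are running on your own machine.
"""
import re

# Constructed allow-list: domains you have verified belong to vendors or
# CDNs (the thread names Akamai as the kind of host you would expect here).
KNOWN_INFRA_SUFFIXES = ("cdn.example.net", "updates.example-vendor.com")
# Constructed hints that a reverse-DNS name comes from an ISP customer pool.
END_USER_TOKENS = ("adsl", "dsl", "dyn", "dynamic", "pool", "ppp", "cable",
                   "dhcp", "dialup")
# Service ports named in the thread plus a few other well-known ones.
SERVICE_PORTS = {21: "ftp", 25: "smtp", 53: "dns", 80: "http", 443: "https"}
# First label such as "aedz253" (letters then digits) or "192-0-2-10".
ENCODED_LABEL = re.compile(r"^(?:[a-z]{1,6}\d{2,}|\d{1,3}(?:-\d{1,3}){3})$")
DOTTED_QUAD = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed sample entries: (direction, action, remote host, remote port).
SAMPLE_ENTRIES = [
    ("OUT", "BLOCKED", "aedz253.neoplus.adsl.tpnet.pl", 33137),
    ("IN", "BLOCKED", "203.0.113.9", 445),
    ("OUT", "ALLOWED", "cdn.example.net", 443),
    ("OUT", "ALLOWED", "198.51.100.20", 80),
    ("OUT", "ALLOWED", "mail.example.org", 25),
]


def classify_hostname(name):
    """Heuristic class: known-infrastructure, end-user, bare-ip or unknown."""
    name = name.lower().rstrip(".")
    if DOTTED_QUAD.match(name):
        return "bare-ip"  # no reverse name at all
    if any(name == s or name.endswith("." + s) for s in KNOWN_INFRA_SUFFIXES):
        return "known-infrastructure"
    labels = name.split(".")
    if any(label.startswith(tok) for label in labels for tok in END_USER_TOKENS):
        return "end-user"
    if ENCODED_LABEL.match(labels[0]):
        return "end-user"
    return "unknown"


def assess(direction, action, host, port):
    """Return (verdict, reason) for a single log entry."""
    service = SERVICE_PORTS.get(port, f"unconventional port {port}")
    if direction == "IN":
        if action == "BLOCKED":
            return ("ignore", f"unsolicited inbound attempt to {service} was blocked")
        return ("investigate", f"inbound connection to {service} was accepted")
    # Outbound: some program on this machine initiated the connection.
    kind = classify_hostname(host)
    if kind == "known-infrastructure":
        return ("ok", f"outbound to verified infrastructure on {service}")
    if kind in ("end-user", "bare-ip"):
        state = "blocked" if action == "BLOCKED" else "ALLOWED"
        return ("investigate",
                f"{state} outbound to {kind} host {host} on {service}; "
                "identify the program that initiated it")
    return ("review", f"outbound to unrecognised host {host} on {service}")


def triage(entries):
    """Assess every entry and return a list of findings, worst first."""
    order = {"investigate": 0, "review": 1, "ok": 2, "ignore": 3}
    findings = []
    for entry in entries:
        verdict, reason = assess(*entry)
        findings.append({"entry": entry, "verdict": verdict, "reason": reason})
    findings.sort(key=lambda f: order[f["verdict"]])
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_ENTRIES):
        print(f"{f['verdict']:<12} {f['entry']}  {f['reason']}")
```

A blocked outbound attempt still earns "investigate": as Ant says, the verdict tells you the firewall did its job, not which program asked, and that program is the thing to find with the startup-point and autoruns checks he recommends.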



Re: How do you detect a botnet? Impossible, right?




[quoted text not shown]

Update: I think, and I am checking with the firewall people at Look N
Stop, that this is in fact an IP address that is being BLOCKED, not
going through.  It still raises the question of what program residing
in my system would want to hook up with Poland, Thailand, etc.  But if
I have some bot in my system, it has not been detected by any
antivirus program, and like I say it's being blocked from calling out
anyway.

RL

Re: How do you detect a botnet? Impossible, right?




[quoted text not shown]

I think I detect a pattern (I am researching it now).  These kinds of
funny addresses seem to appear when I'm connected to the internet by
firing up a browser.  So, like you suggested in another post, it could
be something "innocent" like a request to the browser to ping this
remote site (for marketing purposes).   But how they would get a
browser to ping is not clear to me, but it's a programming detail
that's probably possible.

Of course the simpler explanation is that there is an undetectable
virus (that escaped my antivirus program) that is alive in my system
and attempts to 'dial out', but is blocked by the firewall.  Why it
springs up at certain times is of course simply due to the way it is
programmed, to act irregularly.

All of this is new to me--I always assumed that with firewalls you can
set them up and forget them, I did not realize you have to monitor
them--a lot of work.  There should be a better way (set up and
forget).

RL

Re: How do you detect a botnet? Impossible, right?



"RayLopez99" wrote:

[quoted text not shown]

Perhaps it's a BHO (Browser Helper Object). Sysinternals' AutoRuns
will show those.

[quoted text not shown]

It could be a normal HTTP request via script or an HTML element which
pointed to the host. The link in the page source might look something
like this:
http://123.456.789.255:33137/stat.php?id=xyz

That's an invalid IP address, by the way, but the port (33137) is
unconventional and would be the reason why testing for a web server
on that host (at the usual port 80) would fail.
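To find the kind of element Ant describes (a script, image or frame reference pointing at a raw IP address on an unconventional port) in a saved copy of a page, a defender can parse the HTML and inspect every attribute that fetches a URL. The following is an added example, not code from the thread; the sample HTML is constructed and reuses the thread's deliberately invalid URL alongside a valid documentation-range address, so it also shows the invalid-address case being caught rather than crashing the scan.

```python
"""Scan saved page source for references to raw IPs or unconventional ports.

Added example. SAMPLE_HTML is constructed; the stat.php URL is the
(intentionally invalid) example from the thread.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

SAMPLE_HTML = """\
<html><body>
<img src="/images/logo.png" alt="logo">
<script src="https://cdn.example.net/lib.js"></script>
<img src="http://123.456.789.255:33137/stat.php?id=xyz" width="1" height="1">
<iframe src="http://203.0.113.7:8080/"></iframe>
<a href="http://www.example.com/page">link</a>
</body></html>
"""

REF_ATTRS = {"src", "href", "data", "action"}  # attributes that fetch a URL
CONVENTIONAL_PORTS = {80, 443}


class RefCollector(HTMLParser):
    """Collect (tag, attribute, value) for every URL-bearing attribute."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in REF_ATTRS and value:
                self.refs.append((tag, name, value))


def inspect_url(url):
    """Return a finding dict for an absolute http(s) URL, or None otherwise."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None  # relative links and other schemes are out of scope here
    host = parts.hostname
    try:
        port = parts.port  # None when the URL carries no explicit port
    except ValueError:
        port = None  # non-numeric or out-of-range port in the URL
    flags = []
    try:
        ipaddress.ip_address(host)
        flags.append("literal-ip")
    except ValueError:
        # Not a parseable address; still note dotted quads that are not
        # valid IPs (an octet above 255), as in the thread's example.
        octets = host.split(".") if host else []
        if len(octets) == 4 and all(o.isdigit() for o in octets):
            flags.append("invalid-ip")
    if port is not None and port not in CONVENTIONAL_PORTS:
        flags.append("unconventional-port")
    return {"url": url, "host": host, "port": port, "flags": flags}


def scan_html(text):
    """Return findings for every reference that raised at least one flag."""
    collector = RefCollector()
    collector.feed(text)
    findings = []
    for tag, attr, value in collector.refs:
        finding = inspect_url(value)
        if finding and finding["flags"]:
            finding["element"] = f"<{tag} {attr}>"
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print(f"{f['element']:<14} {f['url']}  flags={f['flags']}")
```

Run against the saved source of a page that was open when the unexplained outbound attempt appeared in the log, a hit on the same host and port ties the packet to that page rather than to a program on the machine; no hit does not clear the machine, since the reference may have been injected by a script rather than present in the static source.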



Re: How do you detect a botnet? Impossible, right?



"Ant" wrote:

[quoted text not shown]

On second thoughts, that would register as incoming traffic so I may
be mistaken about the possibility of affiliate clicks generating
unexpected outgoing packets.

Anyway, I see you've found the likely culprit - Skype. Their protocol
is proprietary so you would have to trust their motives for making
these connections. Since you're blocking them and, presumably Skype
still works, all should be well.



Re: How do you detect a botnet? Impossible, right?




[quoted text not shown]

Yes, that's the only thing I could think of other than undetected/
undetectable malware, and BHOs (which you say will generate a
download UDP, so there should be some symmetry in IP addresses, which
there is not in my log).  BTW this stuff seems to happen around 7:30
pm and when I fire up the machine, but not in the account that does
not have Skype (the Admin account), so that further fingers Skype as
the culprit.  Since Skype works despite the blocked UDPs, like you
say, it's not a big deal but I will continue to monitor it.

Thanks Ant you have been a big help.  Without you I never would have
even thought about the firewall...

Now back to my programming project (doing an ASP.NET project now
involving a web service).

RL

Re: How do you detect a botnet? Impossible, right?




[quoted text not shown]




Yes, confirmed.  Took a time out and loaded and unloaded Skype, and
sure enough, within seconds, you start getting pinged (and UDP packets
get requested to be uploaded from your PC to ports all over the
world), from all over the world, including Brazil (I'm posting from
Greece), Hungary, Korea, Russia and Central Asian countries / regions
I've never heard of (start with a K, not Kazakhstan either).

Skype is the "virus"!

My firewall blocks all such requests of course.

RL

Re: How do you detect a botnet? Impossible, right?



On 2/20/2010 9:09 PM, David Kaye wrote:
[quoted text not shown]


You say portscan, but it sounds more like the output from something like
netstat, or tcpview.

But once the machine is compromised you can't trust the output of any
installed program, without making sure the program or configuration
hasn't been altered.

I do agree folks should understand the normal behavior of their machine
so they can spot abnormalities.

The stats can be difficult to generate since only the owners that
notice a problem do something about it, and the data is proprietary for
many companies.

John





Re: How do you detect a botnet? Impossible, right?



wrote:
[quoted text not shown]

let's say (as is my case) you are noticing suspicious bursts of data
from your PC to some server, but you have not caught any viruses using
Webroot Antivirus with Spysweeper nor with Kaspersky.  You also have a
firewall (Look N See). You scan (full scan) every other day.  One
potential virus in the last five years.  Running Windows XP Pro on a
Pentium IV.

What's the 'most probable bad thing' that can happen?

What I mean is this:  say my PC is part of a botnet.  So what?  It
does not have a keylogger on it, right?  It is not able to open and
read my Outlook emails (which are scanned by the AV program prior to
sending).

What's the 'most probable bad thing' that is happening?  I'm asking
because Ant in this thread scared me--so I want to see 'so what'?  Of
course I'm sure if some super duper hacker is involved, he will drain
all my bank accounts, but this anomalous activity has been going on
for a while, and so far my bank accounts have not been hit.

RL
