How do you detect a botnet? Impossible, right?

RayLopez99

http://en.wikipedia.org/wiki/Botnet

So the question arises, if 'up to a quarter of all PCs are infected by
botnets' (see Wiki above), and presumably most of these PCs have anti-
virus software, how do you detect a botnet residing on your PC?
Assume you do a thorough (full) scan of your HD using commercially
available antivirus software like Kaspersky or Webroot Antivirus.

Followup: if Bank of America's FTP servers have Zeus key logging
software on it (as says another article), does that mean when I log
onto BAC's servers to check my online bank account, that this
keylogging software is checking my password? I guess the answer is
yes.

RL
 
FromTheRafters

RayLopez99 said:
http://en.wikipedia.org/wiki/Botnet

So the question arises, if 'up to a quarter of all PCs are infected by
botnets' (see Wiki above), and presumably most of these PCs have anti-
virus software, how do you detect a botnet residing on your PC?

Antimalware applications and rootkit detectors.

Assume you do a thorough (full) scan of your HD using commercially
available antivirus software like Kaspersky or Webroot Antivirus.

Most antivirus applications are incorporating rootkit detection and some
coverage of general malware into their capabilities. Still, I would
suggest using several antimalware (cleanup) tools and maybe even one
with active protection.

Followup: if Bank of America's FTP servers have Zeus key logging
software on it (as says another article), does that mean when I log
onto BAC's servers to check my online bank account, that this
keylogging software is checking my password? I guess the answer is
yes.

Keyloggers log keystrokes. If *they* have a keylogger, it is *their*
keystrokes that are being logged. The implication is that *their* system
can be further compromised by use of the information gathered.

Then consider that *their* system is the one enforcing the password
based restriction policy.
 
Virus Guy

RayLopez99 said:
So the question arises, if 'up to a quarter of all PCs are
infected by botnets' and presumably most of these PCs have anti-
virus software, how do you detect a botnet residing on your PC?

You remove the hard drive from a suspect PC and attach it as a slaved or
second drive to a known good / trusted PC equipped with various
on-demand malware scanning software, and you scan the slaved drive. As
a slave, if it has rootkit or viral/trojan files on it, they won't be
active and will essentially be sitting "naked" out in the open for the
anti-malware software to see.
 
RayLopez99

Antimalware applications and rootkit detectors.


Most antivirus applications are incorporating rootkit detection and some
coverage of general malware into their capabilities. Still, I would
suggest using several antimalware (cleanup) tools and maybe even one
with active protection.

OK thanks. I am using Webroot and I also use Kaspersky for my other
PC. According to a report ( http://www.av-comparatives.org/images/stories/test/ondret/avc_report22.pdf
) they score fairly OK (slightly below average or average, with 30-50%
coverage, which sounds lousy but apparently that's about par).

Keyloggers log keystrokes. If *they* have a keylogger, it is *their*
keystrokes that are being logged. The implication is that *their* system
can be further compromised by use of the information gathered.

Then consider that *their* system is the one enforcing the password
based restriction policy.

Good point--I never thought of that. So their keystrokes, not mine,
are at issue.

RL
 
RayLopez99

You remove the hard drive from a suspect PC and attach it as a slaved or
second drive to a known good / trusted PC equipped with various
on-demand malware scanning software, and you scan the slaved drive.  As
a slave, if it has rootkit or viral/trojan files on it, they won't be
active and will essentially be sitting "naked" out in the open for the
anti-malware software to see.

OK, sounds reasonable. But what if you don't have a clean PC? I
assume that commercial antivirus s/w with some root kit detectors must
have a way of finding these malware, but then again (see my reply
above) their success rate is at best less than 50%, so their technique
is not foolproof.

RL
 
FromTheRafters

OK thanks. I am using Webroot and I also use Kaspersky for my other
PC. According to a report (
http://www.av-comparatives.org/images/stories/test/ondret/avc_report22.pdf
) they score fairly OK (slightly below average or average, with 30-50%
coverage, which sounds lousy but apparently that's about par).

***
It is hard for an outstanding virus detection engine to stand out when
it is additionally expected to not only detect non-replicating malware
samples, but clean-up after the fact of infestation. Your choices of
protection should address your choices of behavior. Personally, I
wouldn't base my choice of AV on its clean-up capabilities - it's like
choosing a bodyguard based on his EMT skills.

Instead, adhere to strict policies and you can restrict the window of
opportunity for most kinds of malware (trusted downloads only (most
trojans), frequent software updates (exploit based worms)) and your
on-access antivirus will probably never see anything viral to alert on.
***

Keyloggers log keystrokes. If *they* have a keylogger, it is *their*
keystrokes that are being logged. The implication is that *their* system
can be further compromised by use of the information gathered.

Then consider that *their* system is the one enforcing the password
based restriction policy.

Good point--I never thought of that. So their keystrokes, not mine,
are at issue.

***
Yes, if the keyloggers are indeed on their system.

Some keyloggers (maybe even this one) can also log keys struck on the
OSK (On Screen Keyboard Start - Run - osk to see what I mean) so even a
server without a keyboard attached can have an operational keylogger.

Can you point me to the story about B o' A's keyloggers?
***
 
David H. Lipman

From: "RayLopez99" <[email protected]>

| http://en.wikipedia.org/wiki/Botnet

| So the question arises, if 'up to a quarter of all PCs are infected by
| botnets' (see Wiki above), and presumably most of these PCs have anti-
| virus software, how do you detect a botnet residing on your PC?
| Assume you do a thorough (full) scan of your HD using commercially
| available antivirus software like Kaspersky or Webroot Antivirus.

| Followup: if Bank of America's FTP servers have Zeus key logging
| software on it (as says another article), does that mean when I log
| onto BAC's servers to check my online bank account, that this
| keylogging software is checking my password? I guess the answer is
| yes.

| RL

BotHunter by SRI funded by US Army RDECOM

http://www.bothunter.net/

Is a good answer to the post's question...
How do you detect a botnet ?
 
RayLopez99

So who's claiming BoA servers are compromised?

An article on the web, referencing Zeus, which has made the news
recently due to some corporate networks being hacked.

If they don't understand the system, then better to get a competent
technician to sort it out.

OK, but I am not in a position to hire you, as I'm not a Fortune 500
company. I do have a decent understanding of PCs, and have built
quite a few from scratch and program as well. But to assume that a
commercial program is less competent in catching viruses than I is a
bit of a stretch and hubris. I will stay with Kaspersky and hope for
the best.

RL
 
RayLopez99

***
It is hard for an outstanding virus detection engine to stand out when
it is additionally expected to not only detect non-replicating malware
samples, but clean-up after the fact of infestation. Your choices of
protection should address your choices of behavior. Personally, I
wouldn't base my choice of AV on its clean-up capabilities - it's like
choosing a bodyguard based on his EMT skills.

Instead, adhere to strict policies and you can restrict the window of
opportunity for most kinds of malware (trusted downloads only (most
trojans), frequent software updates (exploit based worms)) and your
on-access antivirus will probably never see anything viral to alert on.
***

Either that or the viruses are too slick. For example, I've often
thought (being a programmer myself) how easy it would be to create a
button that looks like a "close X" at the upper right hand corner of
the window, and when you click on it, it activates something.

Can you point me to the story about B o' A's keyloggers?

It was a web article, I think UK, and it did not name sources.
Apparently (said the article) corporations like in the recent Zeus
mass attack are reluctant to publicize their security breaches.

RL
 
ASCII

RayLopez99 said:
Either that or the viruses are too slick. For example, I've often
thought (being a programmer myself) how easy it would be to create a
button that looks like a "close X" at the upper right hand corner of
the window, and when you click on it, it activates something.

That would also intercept an [alt+F4] entry?
 
RayLopez99

RayLopez99 said:
Either that or the viruses are too slick.  For example, I've often
thought (being a programmer myself) how easy it would be to create a
button that looks like a "close X" at the upper right hand corner of
the window, and when you click on it, it activates something.

That would also intercept an [alt+F4] entry?
--


Well that's a slick workaround that escaped me. You're right in that
software cannot (at the Windows level) easily affect the keyboard--
I've tried and it's not possible. Probably on purpose by MSFT as a
security precaution. You can read keys depressed of course, but
manipulating the keyboard so that ALT+F4 will do something other than
close the window is nigh impossible, at least using the tools provided
to you by Visual Studio IDE, and therefore for most programs written
for Windows (Forms, WPF, Silverlight, ASP, etc).

RL
 
FromTheRafters

***
It is hard for an outstanding virus detection engine to stand out when
it is additionally expected to not only detect non-replicating malware
samples, but clean-up after the fact of infestation. Your choices of
protection should address your choices of behavior. Personally, I
wouldn't base my choice of AV on its clean-up capabilities - it's like
choosing a bodyguard based on his EMT skills.

Instead, adhere to strict policies and you can restrict the window of
opportunity for most kinds of malware (trusted downloads only (most
trojans), frequent software updates (exploit based worms)) and your
on-access antivirus will probably never see anything viral to alert
on.
***

Either that or the viruses are too slick. For example, I've often
thought (being a programmer myself) how easy it would be to create a
button that looks like a "close X" at the upper right hand corner of
the window, and when you click on it, it activates something.

***
It's being done. Some scripted messagebox with a "Yes", "No", "Cancel"
and an "X" in the corner - all of which act like "Yes". I've even heard
of some that get a "Yes" from right clicking the task bar icon and
choosing the "X" though I can't confirm this. Most times it is
recommended to use TaskMan to end the process or application generating
the messagebox.
***
 
David Kaye

RayLopez99 said:
So the question arises, if 'up to a quarter of all PCs are infected by
botnets' (see Wiki above), [....]

I think that's a wrong assumption. The only computers I see (besides the
occasional HD or video card replacement) are those with malware problems, and
I see very few bots. Mostly I see adware.

Now I did have a situation a year ago where a mail server from a frozen food
company in the Midwest kept hitting my home router. It was a new router, so
best I could determine was that the DHCP address I got with the new router had
belonged to someone the bot was trying to hit.

As to how to detect, you need a port scanner to look at your connections.
Also, Zone Alarm is an interesting firewall in that it will warn you about
each incoming or outgoing connection attempt that you haven't authorized.
 
RayLopez99

RayLopez99 said:
So the question arises, if 'up to a quarter of all PCs are infected by
botnets' (see Wiki above), [....]

I think that's a wrong assumption.  The only computers I see (besides the
occasional HD or video card replacement) are those with malware problems, and
I see very few bots.  Mostly I see adware.  

Now I did have a situation a year ago where a mail server from a frozen food
company in the Midwest kept hitting my home router.  It was a new router, so
best I could determine was that the DHCP address I got with the new router had
belonged to someone the bot was trying to hit.  

As to how to detect, you need a port scanner to look at your connections. 
Also, Zone Alarm is an interesting firewall in that it will warn you about
each incoming or outgoing connection attempt that you haven't authorized.

Very interesting. My definition of botnet: I assumed it was a server
that inserted a virus into your computer (the client). So if you
don't have the virus on your machine, you are not part of a botnet.

The Wiki article of 25% is an exaggeration then, noted.

RL
 
FromTheRafters

RayLopez99 said:
So the question arises, if 'up to a quarter of all PCs are infected by
botnets' (see Wiki above), [....]

I think that's a wrong assumption. The only computers I see (besides the
occasional HD or video card replacement) are those with malware problems, and
I see very few bots. Mostly I see adware.

***
That's probably because 88% of all PCs harbor adware. :blush:D

(that 88% is just a wild guess BTW)
***

Very interesting. My definition of botnet: I assumed it was a server
that inserted a virus into your computer (the client). So if you
don't have the virus on your machine, you are not part of a botnet.

***
It is best not to use the term "virus" as the all encompassing term for
malware, use the term malware instead.

Usually, it is a "trojan" getting executed on the machine that gives you
the "bot" that makes you a participant in the "botnet". A "trojan" is a
non-replicating malware program in this sense. Often, in the lifecycle
of a botnet, an exploit based "worm" will be used to help distribute the
malware to new territories (Conficker) - in this sense, it is a virus
(or worm) ... until it goes back to being just a bot (which is bad
enough in itself).
***
 
David H. Lipman

From: "RayLopez99" <[email protected]>


| Very interesting. My definition of botnet: I assumed it was a server
| that inserted a virus into your computer (the client). So if you
| don't have the virus on your machine, you are not part of a botnet.

| The Wiki article of 25% is an exaggeration then, noted.

| RL

NO !

A botnet is a group of infected computers (via virus or trojan) that are controlled by a
central operator(s) where the Command and Control (Aka; C&C or C2) tells the 'bots what to
do and how to act.

There are botnets that perform spam.

There are botnets that perform a DDoS on specified sites.

Botnets in whole or in part can be bought, sold or leased.
 
FromTheRafters

David H. Lipman said:
From: "RayLopez99" <[email protected]>


| Very interesting. My definition of botnet: I assumed it was a server
| that inserted a virus into your computer (the client). So if you
| don't have the virus on your machine, you are not part of a botnet.

| The Wiki article of 25% is an exaggeration then, noted.

| RL

NO !

A botnet is a group of infected computers (via virus or trojan) that are controlled by a
central operator(s) where the Command and Control (Aka; C&C or C2) tells the 'bots what to
do and how to act.

There are botnets that perform spam.

There are botnets that perform a DDoS on specified sites.

Did you leave out folding protein math and looking for E.T. on purpose?
:blush:D

Did Wiki?
 
RayLopez99

Did you leave out folding protein math and looking for E.T. on purpose?
:blush:D

Did Wiki?

I think that's the key. Any client in a server is potentially a
"botnet", broadly defined. So the Wiki stat is probably a 'high'
number.

RL
 
FromTheRafters

Did you leave out folding protein math and looking for E.T. on purpose?
:blush:D

Did Wiki?

I think that's the key. Any client in a server is potentially a
"botnet", broadly defined. So the Wiki stat is probably a 'high'
number.

***
I was only joking about wiki. Since the word "infected" was used, it is
clear that they were writing about bots that run on stolen computing
power.
***
 
David Kaye

FromTheRafters said:
I think that's the key. Any client in a server is potentially a
"botnet", broadly defined. So the Wiki stat is probably a 'high'
number.

But only if it is being controlled by a server. A good portscan or the
warning messages from a firewall such as ZoneAlarm would show immediately
whether a computer was acting as a bot or not.

Shut down any browsers, Outlook, etc., go away for 10 minutes. Run the
portscan and see what dot-quad addresses are being accessed. Should only be
your router and maybe Apple (if you've installed iTunes or QuickTime) and
maybe Adobe if you have an Adobe product, etc. A good port scanner will
resolve the addresses for you and tell you what your connections are looking
at. If some dot-quads don't resolve to domain names or the domain name ends
in .ch (China), .ru (Russia), .pl (Poland), etc., then you're in trouble. You
likely have a bot.

As I said earlier, very few of my malware customers have these, which is why I
dispute the 88% or 92% or whatever figures. I'm just not seeing many of them.

I suspect that most of this bot activity is taking place not on the majority
of home computers but on computers people don't look at very often such as web
servers, mail servers, etc.
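
The idle-machine check described in the post above, as an added example that is not part of the thread: it assumes the connection list comes from `netstat -ano` on Windows, and the function names, the allowlist of expected name suffixes and the sample output (built from documentation-range addresses) are all constructed for illustration.

```python
import ipaddress
import socket

# Constructed sample of `netstat -ano` output from an idle Windows PC.
# Remote addresses come from the RFC 5737 documentation ranges.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    127.0.0.1:5354         127.0.0.1:49160        ESTABLISHED     1620
  TCP    192.168.1.20:49201     192.168.1.1:80         ESTABLISHED     2312
  TCP    192.168.1.20:49233     198.51.100.23:443      ESTABLISHED     3004
  TCP    192.168.1.20:49240     203.0.113.77:6667      ESTABLISHED     4488
  TCP    192.168.1.20:49251     198.51.100.23:443      TIME_WAIT       0
  UDP    0.0.0.0:5353           *:*                                    1620
"""

# Loopback, LAN and link-local peers (the router, other local machines).
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fe80::/10")]

def parse_netstat(text):
    """Yield (remote_ip, remote_port, state, pid) for each TCP row."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue  # headers, blank lines and stateless UDP rows
        host, _, port = parts[2].rpartition(":")
        yield host.strip("[]"), int(port), parts[3], int(parts[4])

def reverse_dns(ip):
    """Return the PTR name for ip, or None when it does not resolve."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def unexpected_connections(text, expected_suffixes, resolve=reverse_dns):
    """Established connections to non-local hosts that are not expected."""
    findings = []
    for ip, port, state, pid in parse_netstat(text):
        addr = ipaddress.ip_address(ip)
        if state != "ESTABLISHED" or any(addr in net for net in LOCAL_NETS):
            continue
        name = resolve(ip)
        if name and name.endswith(tuple(expected_suffixes)):
            continue  # e.g. a vendor update service the user recognises
        findings.append({"ip": ip, "port": port, "pid": pid,
                         "name": name or "(no reverse DNS)"})
    return findings
```

On a live machine, pass in the text of `netstat -ano` captured after the idle wait; `tasklist /FI "PID eq <pid>"` names the process behind a flagged PID. Reverse DNS names are set by whoever controls the address block, so a matching name is a hint rather than proof.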
 