How do you detect a botnet? Impossible, right?

  • Thread starter: RayLopez99
David said:
If some dot-quads don't resolve to domain names or the domain name ends
in .ch (China), .ru (Russia), .pl (Poland), etc., then you're in trouble. You
likely have a bot.

Not to quibble, but [ch] is the Confoederatio Helvetica or Switzerland,
whereas China is [cn].
 
But only if it is being controlled by a server.  A good portscan or the
warning messages from a firewall such as ZoneAlarm would show immediately
whether a computer was acting as a bot or not.  

Shut down any browsers, Outlook, etc., go away for 10 minutes.  Run the
portscan and see what dot-quad addresses are being accessed.  Should only be
your router and maybe Apple (if you've installed iTunes or QuickTime) and
maybe Adobe if you have an Adobe product, etc.  A good port scanner will
resolve the addresses for you and tell you what your connections are looking
at.  If some dot-quads don't resolve to domain names or the domain name ends
in .ch (China), .ru (Russia), .pl (Poland), etc., then you're in trouble. You
likely have a bot.

As I said earlier, very few of my malware customers have these, which is why I
dispute the 88% or 92% or whatever figures.  I'm just not seeing many of them.

I suspect that most of this bot activity is taking place not on the majority
of home computers but on computers people don't look at very often such as web
servers, mail servers, etc.  

Interesting, thanks. I am using Webroot, which has a firewall and
virus engine (Sophos licensed) but I guess it doesn't have a port
scan. However, if your clients are not 100% savvy (otherwise they
would not need your expertise) then you can safely say that most of
the time bots are not running on people's machines that run 'ordinary'
virus/firewall commercial packages (I trust almost all of your clients
are running some kind of such package, as it's nearly inconceivable
that they are not). So from these two facts we can deduce that bots
are not as common as stated on Wiki--for "people occupied" PCs that
are not running unattended as servers. So likely I don't have a bot
either. I do have a firewall "Look-n-stop" and on occasion I check
out the IP address on Whois.

Today I notice a slightly suspicious looking entry:
ppp-124-120-170-40.revip2.asian ??? What can this be?

But it's probably nothing (I think).

RL
 
But only if it is being controlled by a server. A good portscan or the
warning messages from a firewall such as ZoneAlarm would show immediately
whether a computer was acting as a bot or not.

Shut down any browsers, Outlook, etc., go away for 10 minutes. Run the
portscan and see what dot-quad addresses are being accessed. Should only be
your router and maybe Apple (if you've installed iTunes or QuickTime) and
maybe Adobe if you have an Adobe product, etc. A good port scanner will
resolve the addresses for you and tell you what your connections are looking
at. If some dot-quads don't resolve to domain names or the domain name ends
in .ch (China), .ru (Russia), .pl (Poland), etc., then you're in trouble. You
likely have a bot.

As I said earlier, very few of my malware customers have these, which is why I
dispute the 88% or 92% or whatever figures. I'm just not seeing many of them.

I suspect that most of this bot activity is taking place not on the majority
of home computers but on computers people don't look at very often such as web
servers, mail servers, etc.


You say portscan, but it sounds more like the output from something like
netstat, or tcpview.

But once the machine is compromised you can't trust the output of any
installed program, without making sure the program or configuration
hasn't been altered.

I do agree folks should understand the normal behavior of their machine
so they can spot abnormalities.

The stats can be difficult to generate since only the owners that
notice a problem do something about it, and the data is proprietary for
many companies.

John
 
Ant said:
I don't agree. Servers are more likely to be better managed than end-
user machines. There are also many more home PCs than servers.

But sysadmins tend not to personally use their mail and web servers very
often. Sure, they'll login from time to time, but they're not going to be
using them intensely with word processing, spreadsheets, web browsing, etc.,
and thus are not likely to find slowdowns, suspicious disk activity, freaky
behavior. But people who use home computers are going to find these things
quickly.

And again, I deal with new customers all the time who have malware infections
and seldom do I see bots. These are random people who call me via one of my
yellow pages ads. They call when they have problems. But well over 90% of
them do not have bots on their systems.
 
I don't agree. Servers are more likely to be better managed than end-
user machines. There are also many more home PCs than servers.


You truncated the name, which is:
ppp-124-120-170-40.revip2.asianet.co.th

The IP address (124.120.170.40) associated with that generically-named
host belongs to trueinternet.co.th, an ISP in Thailand. It's the kind
of name that gets assigned to home user IPs.

Meaning what? Gets assigned legally? Or nefariously?

You should be highly suspicious of it. Find out what process owns the
connection.

Too late--it did not show up when I rebooted. It's gone. Is it
possible that bots only "spring to life" certain hours of the day or
week?

You're scaring me Ant. Do you recommend what product for scanning? I
am running XP pro on an old Pentium IV machine with a couple of Gigs
RAM. It's old but works. I cannot upgrade to Vista / 7 on this
machine. So will some (old) version of Zone Alarm work? I heard bad
things about Zone Alarm when it has a certain version that was akin to
malware (hard to uninstall as I recall). Is Zone Alarm any good
anymore? Or something else?

Thanks,

RL
 
But sysadmins tend not to personally use their mail and web servers very
often.  Sure, they'll login from time to time, but they're not going to be
using them intensely with word processing, spreadsheets, web browsing, etc.,
and thus are not likely to find slowdowns, suspicious disk activity, freaky
behavior.  But people who use home computers are going to find these things
quickly.  

And again, I deal with new customers all the time who have malware infections
and seldom do I see bots.  These are random people who call me via one of my
yellow pages ads.  They call when they have problems.  But well over 90% of
them do not have bots on their systems.  

This is interesting. A malware infection would be what, typically?
Something like a program that tracks your internet surfing habits, but
resides outside the browser so you cannot flush it clean?

Also what ZoneAlarm type port sniffing / firewall program do you
recommend for an XP running on Pentium IV with 2 GB ram?

RL
 
RayLopez99 said:
This is interesting. A malware infection would be what, typically?
Something like a program that tracks your internet surfing habits, but
resides outside the browser so you cannot flush it clean?

Most of them have been adware, trying to get people to spend $$ to "disinfect"
their computers. About 1/4 have been redirects where the browser or the DNS
are redirected to fake search sites either for phishing or to gain click
money.

I really see very little bot or keylogger activity. Most of my customers are
small entrepreneurs and consultants, many of them seniors. Your results may
vary.
 
David Kaye said:
But sysadmins tend not to personally use their mail and web servers very
often. Sure, they'll login from time to time, but they're not going to be
using them intensely with word processing, spreadsheets, web browsing, etc.,
and thus are not likely to find slowdowns, suspicious disk activity, freaky
behavior. But people who use home computers are going to find these things
quickly.

And again, I deal with new customers all the time who have malware infections
and seldom do I see bots. These are random people who call me via one of my
yellow pages ads. They call when they have problems. But well over 90% of
them do not have bots on their systems.

....but you can't say anything about the ones that you don't see. Bots
might not cause any symptoms for the home user to see. They don't
complain about strange behavior because there *is* no strange behavior.
Think of a bot as an application running in the background mostly
waiting for instructions, not like a worm gobbling up your resources to
spread itself or adware getting 'in your face'.
 
FromTheRafters said:
Think of a bot as an application running in the background mostly
waiting for instructions, not like a worm gobbling up your resources to
spread itself or adware getting 'in your face'.

I know what a bot is, thank you very much.
 
David Kaye said:
I know what a bot is, thank you very much.

Then what makes you think they would manifest themselves as "slowdowns,
suspicious disk activity,
freaky behavior."? You could be hosting a bot without *any* user
noticeable symptoms.
 
From: "FromTheRafters"

| Then what makes you think they would manifest themselves as "slowdowns,
| suspicious disk activity,
| freaky behavior."? You could be hosting a bot without *any* user
| noticeable symptoms.

Often the ONLY indication is "beaconing" to a foreign host.
 
David H. Lipman said:
From: "FromTheRafters"

| Then what makes you think they would manifest themselves as "slowdowns,
| suspicious disk activity,
| freaky behavior."? You could be hosting a bot without *any* user
| noticeable symptoms.

Often the ONLY indication is "beaconing" to a foreign host.

Something not at all obvious to the casual observer. Bots share that
trait with the slow polymorphic virus - if you don't draw attention to
yourself, it is a clear advantage in stickiness - hiding yourself (and
your activities), even more so.
 
From: "FromTheRafters"

| Something not at all obvious to the casual observer. Bots share that
| trait with the slow polymorphic virus - if you don't draw attention to
| yourself, it is a clear advantage in stickiness - hiding yourself (and
| your activities), even more so.

Yes, and in this case the rate of beaconing can further limit detection.
 
FromTheRafters said:
Then what makes you think they would manifest themselves as "slowdowns,
suspicious disk activity,
freaky behavior."? You could be hosting a bot without *any* user
noticeable symptoms.

Could, but most of this malware is written so badly that it's usually evident.
I used to write software for a living. 20% of the time was spent writing
software and 80% was spent debugging. It's hard to write good code that will
work well on all flavors of Windows with all kinds of hardware. Malware
writers generally want to get it written and out the door; debugging is the
least of their concerns. If it runs on 1% of the infected computers they're
happy.
 
It means the connection is likely to be nefarious. Why is some unknown
user connecting to you (or you connecting to them)? You wouldn't see a
name like that for a say, a legitimate website in Thailand you had
just visited. However, it could be you visited a site hosted on some
user's home PC. The prefix 'ppp' (point to point protocol, I believe)
gives it away. That's the kind of name assigned to dialup users and
certainly not regular hosting services. You know it's not your own
because yours has this format: athedsl-4482237.home.otenet.gr
and suggests you're a home user on (A)DSL, perhaps near Athens?

Yes, that's right.

Yes, that can happen.

But unlikely? Less than 5% or even 1%?

Hopefully, someone else can advise since I don't use any! How well do
you know the registry? Autoruns from Sysinternals (now Microsoft) is
useful to see what starts automatically. My only defence is knowing
my system inside-out; e.g. what drivers load and other programs run in
a normal configuration, what files are supposed to be in the system
directories and other places and what they look like internally, etc.
Plus visually monitoring all connections while online (I'm only ever
physically connected for very short periods). I'm also pretty familiar
with malware, as most days I'm disassembling it.

You're the man I need to talk to then! I code for fun, but using
Visual Studio .NET family of languages it's hard to get to the system
level, which I take it malware writers are working at.

Here's another one I 'found' today using LookNStop's firewall log on
my XP machine--either my machine is completely full of malware (and I
run Webroot antivirus and malware remover almost daily, full scan), or
this is another false positive: host-79-121-44-74.kabelnet.hu

Which Whois says is some website server in Hungary:
host-79-121-44-74.kabelnet.hu

Now I don't remember visiting any Hungarian website, but since Greece
is near Hungary, it's possible my DSL provider somehow links to them
maybe? Or something like that.

Nothing wrong with that and no point installing a new OS on an older
PC. I'm still running Win2k on my internet facing PC and only use XP
for testing - it's on a faster machine but runs slower!

I hear you. Check out my flamebait in computer.os.linux.advocacy on
this theme (an old machine that runs fine on Win2k but I could not get
it to work in Linux--which is too resource heavy for it right now--
another example of 'if it ain't broke don't fix it', though in this
case it was an old PC I was going to trash anyway so no big loss).

Isn't XP's built-in "firewall" any use here? I've not really looked at
it. Of course, none of this packet filtering software is any good if
you're already infected.

But using the Thai and Hungary examples, how do you know if these
sites are innocent or not? Very complicated. I also see in this
thread the post by David Kaye that most malware is badly written, and
this seems to make sense to me as an amateur coder, so perhaps the
stuff caught by commercial anti-malware / AV products (and they catch
less than 50% according to the report I cited in this thread), they
are only catching the 'obvious' (badly written) malware / viruses?

The more I know about this topic the stupider I feel, LOL.

RL
 
RayLopez99 said:
But using the Thai and Hungary examples, how do you know if these
sites are innocent or not? Very complicated.

Not really,
with a properly secured browser,
all sites are innocent
....or inoperative.
 
Not really,
with a properly secured browser,
all sites are innocent
...or inoperative.

What is a properly secured browser? Does the latest Internet Explorer
with all the patches installed qualify?

RL
 
Not unlikely and I would say it's common with bots. They don't so much
go by the time of day but a sleep period which may be anything from a
few minutes to several hours.



Yes, you don't see that many .NET executables. It's sometimes useful
for code obfuscation but they can't rely on users having the correct
run-time libraries installed. Language preferences tend to be C/C++ or
assembly and malware writers often like to use undocumented functions
at the lowest level exported from ntdll.dll.

Very interesting. Though the .NET code obfuscation engine is very
weak I hear, so I take it you mean obfuscate maybe people who write AV
software, who maybe don't expect a .NET virus.

Another end user. There's no services (e.g. web server) running on
that host unless it's using unconventional ports.

Really? How in the world did you deduce that? From the majority of
these data entries (see below) being PC to Internet, I would hazard
this one was also PC to Internet. So why did my PC initiate this
communication to Hungary? That is the question.

No, not your ISP. I thought you may be seeing these as active
connections with something like netstat but you're looking at firewall
logs. In that case, it may be just background noise or infected PCs
trying to make contact which the firewall blocked. The log should
indicate whether incoming or outgoing and if blocked or not.

YES, it works! I did click on "details" in my Firewall (Look 'n' See)
and indeed it shows direction. Yesterday's log is lost, but I found
another 'suspicious'??? or maybe not entry today, here:
aedz253.neoplus.adsl.tpnet.pl which maps to this Polish server:

DOMAIN: tpnet.pl registrant's handle: nsk80879
(CORPORATE) nameservers: dns2.man.lodz.pl. [212.51.192.5]
Polska/Poland +48.22 3808300


And it's 'outgoing', and even shows the "Ethernet" outgoing
destination address, and the incoming (which is my Ethernet Card ID I
guess), as well as the length 60, identification 491 and DF MF =
(0,0), Frag offset = 0 and "Time to Live" = 64, and I have no idea
what that means, but probably byte related. It even shows a fragment
of data in hexadecimal form. Pretty cool, but how do I know if this PC
to Internet data transfer was malware or not? I would venture to say
that many commercial programs probably have "regional" servers to
handle any data pings output from a user's PC, and since I'm in Europe
(Greece), it stands to reason maybe the nearest server is Poland. But
I don't know how you would know what program sent this data
fragment...maybe ZoneAlarm? Look 'n' Stop is a decent, cheap little
firewall insofar as I can tell, and does have a bunch of recommended
rules (about 22, including such obscure ones like: 'Stops UDP
broadcasts to *.*.*.255.')

Again the more I learn the dumber I feel. But thanks Ant...

They're not "sites" as such but end-user PCs and, innocent or not,
if you didn't initiate the connection your machine should not
communicate with them. As long as they're incoming connection attempts
and your firewall is blocking them, you have nothing to worry about.

But they're not incoming, see above.

It's not to do with how good or bad the code is. A lot of malware is
wrapped in polymorphic packers or obfuscators so every sample (of the
same underlying executable) is different. It's impossible for
signature-based detection to keep up with this and, even with
heuristics, once AV products start to reliably detect it the authors
will modify the packing engine. They also submit samples to places
like Virus Total to check their work.

Virus Total I take it 'legitimizes' software, from what I can tell:
VirusTotal is a free virus and malware online scan service, so they
game the system. Very devious.

RL
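An added example, not written by anyone in this thread, that turns two points made above into detection logic: Lipman's remark that periodic "beaconing" is often the only sign of a bot, and Ant's advice to read the firewall log for direction and for reverse-DNS names that mark end-user address pools. The log lines, the residential-name patterns and the jitter threshold are my own constructed assumptions, not Look 'n' Stop's real format.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample of a personal-firewall log (not real Look 'n' Stop output):
# timestamp, direction, verdict, remote host as the log's reverse lookup shows it.
LOG = """\
2011-03-01 09:00:05 OUT ALLOW www.google.com
2011-03-01 09:00:31 OUT ALLOW aedz253.neoplus.adsl.tpnet.pl
2011-03-01 09:02:09 IN  BLOCK host-79-121-44-74.kabelnet.hu
2011-03-01 09:30:33 OUT ALLOW aedz253.neoplus.adsl.tpnet.pl
2011-03-01 09:41:12 OUT ALLOW swscan.apple.com
2011-03-01 10:00:30 OUT ALLOW aedz253.neoplus.adsl.tpnet.pl
2011-03-01 10:30:35 OUT ALLOW aedz253.neoplus.adsl.tpnet.pl
2011-03-01 11:17:48 IN  BLOCK ppp-124-120-170-40.revip2.asianet.co.th
"""

LINE = re.compile(r"^(\S+ \S+) (IN|OUT)\s+(ALLOW|BLOCK) (\S+)$")

# Labels ISPs commonly put in reverse-DNS names for dynamic/residential pools
# (ppp-, adsl., host-NN...). A hit means "end-user address", not "malicious".
RESIDENTIAL = re.compile(r"(^|[.-])(ppp|adsl|dsl|cable|dyn|dynamic|pool|host-\d)", re.I)

def parse(log):
    """Turn log text into (timestamp, direction, verdict, host) tuples."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def suspicious_outbound(events, min_hits=3, max_jitter=0.1):
    """Return {host: period_seconds} for outbound peers that look like end-user
    hosts and are contacted at a near-constant interval (a fixed sleep between
    beacons). The log window must span several sleep periods, or a slow beacon
    never reaches min_hits and goes unnoticed."""
    by_peer = defaultdict(list)
    for ts, direction, verdict, host in events:
        if direction == "OUT":  # blocked inbound probes are background noise
            by_peer[host].append(ts)
    findings = {}
    for host, times in by_peer.items():
        if len(times) < min_hits or not RESIDENTIAL.search(host):
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = statistics.mean(gaps)
        if period > 0 and statistics.pstdev(gaps) / period <= max_jitter:
            findings[host] = round(period)
    return findings

if __name__ == "__main__":
    for host, period in suspicious_outbound(parse(LOG)).items():
        print(f"{host}: outbound every ~{period}s, check which process owns it")
```

On the constructed log only the Polish ADSL host is flagged (roughly every 30 minutes); the Hungarian and Thai names are inbound attempts the firewall already blocked, which is exactly the distinction Ant asked Ray to check.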
 
RayLopez99 said:
What is a properly secured browser? Does the latest Internet Explorer
with all the patches installed qualify?

RL

I tend to have my doubts about IE,
whereas my Opera seems a bit more secure,
at least I have a warmer fuzzier feeling about it.
 