How do you detect a botnet? Impossible, right?

[FromTheRafters]

Not really,
with a properly secured browser,
all sites are innocent
...or inoperative.

What is a properly secured browser? Does the latest Internet Explorer
with all the patches installed qualify?

On Vista and Windows 7 it might be more secure. Of course it depends on
the configuration.

Quite a bit if the "danger" comes from scripting support, so if you
disallow scripting you are more secure. Better yet, a text only browser
offers quite a bit of security, it is you that must draw the line
between functionality and security.

 

[ASCII]

What is a properly secured browser?

I suppose that's dependent on the threat,
but I feel comfortable with Opera in a sandbox.

Opera v10.10 (didn't care for the beta v10.50)
http://www.opera.com/download/

Sandboxie v 3.44
http://www.sandboxie.com/index.php?DownloadSandboxie

 

[FromTheRafters]

I suppose that's dependent on the threat,
but I feel comfortable with Opera in a sandbox.

Opera v10.10 (didn't care for the beta v10.50)
http://www.opera.com/download/

Sandboxie v 3.44
http://www.sandboxie.com/index.php?DownloadSandboxie

Good stuff there.

I was reminded of Norman when I mentioned text-only browsing.
http://beacon.chebucto.ca/Content-2006/norman.html

Funny how some people leave a lasting impression.

 

[ASCII]

Good stuff there.

Neither of those are v1.
Thank goodness there are some folk trying to keep up
and/or stay ahead of the threat horizon.

I was reminded of Norman when I mentioned text-only browsing.
http://beacon.chebucto.ca/Content-2006/norman.html

Funny how some people leave a lasting impression.

I remember some of the stark images of him
and how ghastly ill he usually appeared,
like a Canadian snowbird that never left the nest
I sure hope his transition was a painless relief.
I also remember it was him that introduced me to the 'pine browser'
some decade and a half ago. Now that's was one gimmick proof app.

--

**** COMMODORE 64 BASIC V 2.0 ****
64 K RAM SYSTEM
38911 BASIC BYTES FREE
READY

 

[David H. Lipman]

From: "FromTheRafters" <[email protected]>


| Good stuff there.

| I was reminded of Norman when I mentioned text-only browsing.
| http://beacon.chebucto.ca/Content-2006/norman.html

| Funny how some people leave a lasting impression.



I forgot all about him! :-(

 

[Chih-Cherng Chin]

So the question arises, if 'up to a quarter of all PCs are infected by
botnets' (see Wiki above), and presumably most of these PCs have anti-

[snip]

I think it's kind of exaggerated. The most bots I have detected in one
day was around 5400, and I have been tracking botnets since last June.
Now I can only detect 3000-4000 bots daily. If a quarter of all PCs
were part of botnets, I would do much better than that.

 

[RayLopez99]

I tend to have my doubts about IE,
whereas my Opera seems a bit more secure,
at least I have a warmer fuzzier feeling about it.

I have Opera too (right now this is an Opera post), but I've surfed
porn sites with IE, and so far (I think) no viruses got past the
commercial AV program (Webroot in my case). That's the ultimate
compliment (no viruses from a free porn site!)

RL

 

[RayLopez99]

I think it's kind of exaggerated.  The most bots I have detected in one
day was around 5400, and I have been tracking botnets since last June.
Now I can only detect 3000-4000 bots daily.  If a quarter of all PCs
were part of botnets, I would do much better than that.

--

let's say (as is my case) you are noticing suspicious burst of data
from your PC to some server, but you have not caught any viruses using
Webroot Antivirus with Spysweeper nor with Kaspersky. You also have a
firewall (Look N See). You scan (full scan) every other day. One
potential virus in the last five years. Running Windows XP Pro on a
Pentium IV.

What's the 'most probable bad thing' that can happen?

What I mean is this: say my PC is part of a botnet. So what? It
does not have a keylogger on it, right? It is not able to open and
read my Outlook emails (which are scanned by the AV program prior to
sending).

What's the 'most probable bad thing' that is happening? I'm asking
because Ant in this thread scared me--so I want to see 'so what'? Of
course I'm sure if some super duper hacker is involved, he will drain
all my bank accounts, but this anomalous activity has been going on
for a while, and so far my bank accounts have not been hit.

RL

 

[RayLopez99]

No, I mean code obfuscation. It doesn't matter how weak because
scanners don't unravel it on the fly.

OK, understood.

Simple, just try to connect to a port you would expect a service to be
running on; e.g. 80 for HTTP (web server), 25 for SMTP (mail), 21 for
FTP and so on. If you get a response you know a server is up and
running, although it may not let you connect. You can do this with the
telnet program but it's quicker to use a port scanner. I checked only
the well-known ports but a service could be running on any one of
65535 possible ports.

OK, got it.

Why, indeed. It's up to you to know what's running on your machine and
what it's doing.

So I block it? (and how would I block it if it only pops up once in a
while? Look 'n' See, my firewall, only allows you to block
*programs*, like Office Word, not IP addresses (at least from what I
can tell)

The IP address of that host is 79.186.103.253 which is being used by
a customer of tpnet.pl, a Polish ISP responsible for that IP.


Bad news.

Why? I need more data. How often does this happen to others? Any
logs out there I can inspect?

[...] how do I know if this PC
to Internet data transfer was malware or not?

You've got to ask yourself why your machine is connecting to random
users in Thailand, Hungary, Poland and who knows where else. I
strongly suggest you block them and investigate. Once you've found
the cause and cleaned up you'd better change all your passwords.
As I said before, check all registry and other startup points for
suspicious things that might be loading automatically.

No, I beg to differ. Why change passwords? You are assuming a bot is
also a keyboard logger? Are you playing "worse case"? In appears
so. Let's change the topic to "most probable cause", not "worse
case". I've not had any security breaches in my bank accounts, email,
etc. So let's say this is a bot--so what? Perhaps my machine is
being used as a 'rerouter' or 'router' to distribute messages
elsewhere--is that the 'most probable' case?--but I tend to think it's
improbable my bank accounts are being compromised--not impossible, but
improbable.

Then you would expect to see recognisable host names, either belonging
to the company or known server farms and load balancers like Akamai,
not generic ones assigned to ordinary end users like you and me.

Right--that's why I need to inspect a log. How often does ordinary
activity (and I include occasional free porn surfing as such!)
generate such 'end user' FTP type domain names? That's the question.

Are you running more than one software firewall? That's a bad idea.

I dont' think so. XP and Look 'n' Stop.

Can't you configure Zone Alarm to deny all outbound traffic and get
it to prompt you to allow on a case-by-case basis? That way you'll get
an idea of what is trying to call home if it gives a message like
"program x is trying to connect to host y, do you want to allow?".
I thought the built-in XP firewall could do this anyway.

So you recommend Zone Alarm? Any experience with it? Remember I'm
running XP, not Vista or 7.

Thanks in advance.

RL

 

[RayLopez99]

Update: I think, and I am checking with the firewall people at Look N
Stop, that this is in fact an IP address that is being BLOCKED, not
going through. It still raises the question of what program residing
in my system would want to hook up with Poland, Thailand, etc. But if
I have some bot in my system, it has not been detected by any
antivirus program, and like I say it's being blocked from calling out
anyway.

RL

 

[RayLopez99]

Sounds like you need a better firewall. You should be able to specify
only your browser and any other programs you know need to connect as
'allowed' and block everything else by default.

I think in fact that's what's happening w/ Look 'N Stop, which I
learned today is rules based not what they call (forget the acronym -
[it's HIPS], see: http://www.wilderssecurity.com/showthread.php?t=265295)
security certificate based.

Any malware on your computer can get passwords from protected storage,
it doesn't need to log key presses.

That's interesting. Sounds like MSFT should plug that hole.

No, a common case is data stealing.
OK


All equally probable. A bot will do whatever its controller tells it
to do. This can include infecting your machine with more malware,
sending spam, participating in DDoS and information theft.
OK



Surfing for porn is a pretty dangerous activity without tight
security. I hope you are completely up-to-date with OS, Java and
browser patches, including any for PDF, Flash, Quicktime, etc. plugins
you may be using.

Yes, I figured that.

I don't know what you mean by "FTP type domain names". These are hosts
you should not be sending traffic to under normal conditions. However,
so as not to scare you too much, it could be they are just end-users
receiving affiliate clicks from the sites you visit. But - so you
don't relax too much, such clicks would normally be collated by a
click-tracking centre on a standard web server. You really should
investigate more. Check the log times and note if you were actually
browsing when the traffic was sent.
OK.


I know nothing about it. When you said: "I don't know how you would
know what program sent this data fragment...maybe ZoneAlarm?" it gave
the impression you were using it.

No, I am using the "rules based" Look N Stop, which is very
lightweight and fast. Sorry, I mean if ZoneAlarm tracks programs, and
I think the answer is "yes", because ZoneAlarm, unlike L'n'S, is not
'rules based' as much as application based (from what I can read
between the lines at the L'n'S website, here:
http://www.wilderssecurity.com/showthread.php?t=265295 ). While
ZoneAlarm has a learn feature, it heavily relies on a series of rules
as to what to do.

Also, L'n'S, my firewall, is blocking these weird Polish, Thai, etc
outbound connections I'm pretty sure, but I'm curious what programs
are asking it to do so. It could be the "affiliate clicks from the
sites I visited", possibly those devious free porn sites. Or some
malware residing deep in the bowels of my hard drive? Hard to tell.

RL

 

[RayLopez99]

You should be highly suspicious of it. Find out what process owns the
connection.

OK, I got more info. I checked my Webroot AV log, and found an old
virus "in quaranteen" (not yet deleted, but apparently inert, since
the Sophos engine that Webroot uses is known to produce a lot of false
positives). See below.

Now my question is: is it possible for a "rootkit-masked registry" to
get installed, attempt to dial out info, and get blocked by your
firewall? That might explain some weird stuff, but, on the other
hand, if it's in 'quaranteen' (inert), it should not be doing that.

So my hypothesis is that your suggestion that a site I visited
(probably porn) attempted to route my presence at that site (simply
for marketing purposes, nothing nefarious) via the browser(?), to
another web server--that explains perhaps the Polish and southern
Russia and Thai ports that are/were attempted to be accessed
(unsuccessfully, since the firewall blocked them).


RL

the virus under 'quaranteen' is here:

Profile - Potentially rootkit-masked registry
Name Potentially rootkit-masked registry
Unique Code EH8URCFZ
Type System Monitor
Severity Critical
Description Potentially rootkit-masked registry is a monitoring
program that secretly tracks all activities of computer users.

Characteristics Potentially rootkit-masked registry may monitor and
capture your computer activity, including recording all keystrokes, e-
mails, chat room dialogue, instant message dialogue, Web sites
visited, usernames, passwords, and programs run. This program may be
capable of taking screen shots of your desktop at scheduled intervals,
storing the information on your computer in an encrypted log file for
later retrieval. These log files may be e-mailed to a pre-defined e-
mail address. This program can run in the background, hiding its
presence.

Method of Infection Potentially rootkit-masked registry may be
installed via other threats, such as music downloads and Trojan
downloaders.

Consequences This system monitor may allow an unauthorized, third
party to view potentially sensitive information, such as passwords, e-
mail, and chat room conversation. Additional Comments: It is
recommended that you change all of your passwords after removing this
program. If you bank online, you might consider changing your credit
card and bank account numbers. You should also monitor your credit
card and bank statements carefully over the next several months for
signs of fraudulent activity.

 

[RayLopez99]

The IP address (124.120.170.40) associated with that generically-named
host belongs to trueinternet.co.th, an ISP in Thailand. It's the kind
of name that gets assigned to home user IPs.

You should be highly suspicious of it. Find out what process owns the
connection.

I think I detect a pattern (I am researching it now). These kind of
funny addresses seem to appear when I'm connected to the internet by
firing up a browser. So, like you suggested in another post, it could
be something "innocent" like a request to the browser to ping this
remote site (for marketing purposes). But how they would get a
browser to ping is not clear to me, but it's a programming detail
that's probably possible.

Of course the simpler explanation is that there is a undetectable
virus (that escaped my antivirus program) that is alive in my system
and attempts to 'dial out', but is blocked by the firewall. Why it
springs up at certain times is of course simply due to the way it is
programmed, to act irregularly.

All of this is new to me--I always assumed that with firewalls you can
set them up and forget them, I did not realize you have to monitor
them--a lot of work. There should be a better way (set up and
forget).

RL

 

[RayLopez99]

Anyway, I see you've found the likely culprit - Skype. Their protocol
is proprietory so you would have to trust their motives for making
these connections. Since you're blocking them and, presumably Skype
still works, all should be well.

Yes, that's the only thing I could think of other than undetected/
undetectable malware, and BHOs (which you say will generate an
download UDP, so there should be some symmetry in IP addresses, which
there is not in my log). BTW this stuff seems to happen around 7:30
pm and when I fire up the machine, but not in the account that does
not have Skype (the Admin account), so that further fingers Skype as
the culprit. Since Skype works despite the blocked UDPs, like you
say, it's not a big deal but I will continue to monitor it.

Thanks Ant you have been a big help. Without you I never would have
even thought about the firewall...

Now back to my programming project (doing an ASP.NET project now
involving a web service).

RL

 

[RayLopez99]

Anyway, I see you've found the likely culprit - Skype. Their protocol
is proprietory so you would have to trust their motives for making
these connections. Since you're blocking them and, presumably Skype
still works, all should be well.

Anybody else notice this in their firewall? It's just a working
hypothesis at this point.

Yes, confirmed. Took a time out and loaded and unloaded Skype, and
sure enough, within seconds, you start getting pinged (and UDP packets
get requested to be uploaded from your PC to ports all over the
world), from all over the world, including Brazil (I'm posting from
Greece), Hungary, Korea, Russia and central asian countries / regions
I've never heard of (start with a K, not Kazakstan either).

Skype is the "virus"!

My firewall blocks all such requests of course.

RL