Next: How do you detect a botnet? Impossible, right?
From: RayLopez99 on 18 Feb 2010 07:44

http://en.wikipedia.org/wiki/Botnet

So the question arises, if 'up to a quarter of all PCs are infected by botnets' (see Wiki above), and presumably most of these PCs have anti-virus software, how do you detect a botnet residing on your PC? Assume you do a thorough (full) scan of your HD using commercially available antivirus software like Kaspersky or Webroot Antivirus.

Followup: if Bank of America's FTP servers have Zeus key logging software on it (as says another article), does that mean when I log onto BAC's servers to check my online bank account, that this keylogging software is checking my password? I guess the answer is yes.

RL
From: FromTheRafters on 18 Feb 2010 08:02

"RayLopez99" <raylopez88(a)gmail.com> wrote in message news:cfc2b9ca-e3cd-4e38-90df-701c0c7b2558(a)k41g2000yqm.googlegroups.com...

> http://en.wikipedia.org/wiki/Botnet
>
> So the question arises, if 'up to a quarter of all PCs are infected by botnets' (see Wiki above), and presumably most of these PCs have anti-virus software, how do you detect a botnet residing on your PC?

Antimalware applications and rootkit detectors.

> Assume you do a thorough (full) scan of your HD using commercially available antivirus software like Kaspersky or Webroot Antivirus.

Most antivirus applications are incorporating rootkit detection and some coverage of general malware into their capabilities. Still, I would suggest using several antimalware (cleanup) tools and maybe even one with active protection.

> Followup: if Bank of America's FTP servers have Zeus key logging software on it (as says another article), does that mean when I log onto BAC's servers to check my online bank account, that this keylogging software is checking my password? I guess the answer is yes.

Keyloggers log keystrokes. If *they* have a keylogger, it is *their* keystrokes that are being logged. The implication is that *their* system can be further compromised by use of the information gathered. Then consider that *their* system is the one enforcing the password-based restriction policy.
From: Virus Guy on 18 Feb 2010 08:25

RayLopez99 wrote:

> So the question arises, if 'up to a quarter of all PCs are infected by botnets' and presumably most of these PCs have anti-virus software, how do you detect a botnet residing on your PC?

You remove the hard drive from a suspect PC and attach it as a slaved or second drive to a known good / trusted PC equipped with various on-demand malware scanning software, and you scan the slaved drive. As a slave, if it has rootkit or viral/trojan files on it, they won't be active and will essentially be sitting "naked" out in the open for the anti-malware software to see.
From: Ant on 18 Feb 2010 13:25

"RayLopez99" wrote:

> http://en.wikipedia.org/wiki/Botnet
>
> So the question arises, if 'up to a quarter of all PCs are infected by botnets' (see Wiki above), and presumably most of these PCs have anti-virus software, how do you detect a botnet residing on your PC?

Look for processes that shouldn't be running (you do know what services, etc. are normally running and why?), look for files and directories that shouldn't be there (you do know what your directory structure looks like and why?), examine network traffic for anomalies (you do observe what your computer is making connections to and understand the reasons why?), check the registry load/launch points for unwanted items (you are familiar with the registry and how it's configured for your system?) and so on.

> Assume you do a thorough (full) scan of your HD using commercially available antivirus software like Kaspersky or Webroot Antivirus.

New malware variants appear every day which are mostly not detected until the AV vendors catch up. Once a machine is infected, malicious software can hide itself from anti-malware applications or disable them.

> Followup: if Bank of America's FTP servers have Zeus key logging software on it (as says another article),

Which article?

> does that mean when I log onto BAC's servers to check my online bank account, that this keylogging software is checking my password? I guess the answer is yes.

Zeus (zbot) trojans target user PCs, not bank servers. And, yes, if you are infected with one, any online transactions with whatever bank or any other online service are completely unsafe.

Recent zbots create these files, where %System% on current versions of Windows is usually C:\Windows\System32

%System%\lowsec\local.ds
%System%\lowsec\user.ds
%System%\sdra64.exe

They will be hidden if the Trojan is active, and attempting to create the lowsec subdirectory (if it's not already visible) will confirm the infection with a message that the directory already exists.
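Ant's two pieces of advice (know what normally runs, and check for the zbot file artefacts, including the "try to create lowsec" trick) reduced to a small triage script. This is an added example, not code from the thread or from any AV vendor; the indicator paths are the ones listed in the post above, while the helper names, the constructed process lists and the fake %System% tree built in a temp directory are assumptions made here so the script runs offline on any OS.

```python
"""Host triage helpers for the zbot (Zeus) indicators from the post above.

Added example for this thread. The three indicator paths are Ant's; the
helper names and the sample data are constructed for demonstration.
"""
import os
import shutil
import tempfile
from pathlib import Path

# File artefacts of recent zbot variants, relative to %System%
# (usually C:\Windows\System32), as listed in the thread.
ZBOT_INDICATORS = [
    Path("lowsec") / "local.ds",
    Path("lowsec") / "user.ds",
    Path("sdra64.exe"),
]


def find_zbot_files(system_dir):
    """Return the indicator paths (POSIX-style) that exist under system_dir.

    Only trustworthy on a drive scanned offline (the "slaved drive" approach
    from the thread): an active rootkit can hide these from listing calls.
    """
    system_dir = Path(system_dir)
    return [rel.as_posix() for rel in ZBOT_INDICATORS if (system_dir / rel).exists()]


def probe_hidden_lowsec(system_dir):
    """Ant's live-system check: try to create %System%\\lowsec.

    A rootkit hides the directory from directory listings, but creating it
    goes through a different call and fails with "already exists".
    Returns True if the directory already existed (suspicious) and False if
    it was created, in which case it is removed again so nothing is left.
    """
    target = Path(system_dir) / "lowsec"
    try:
        os.mkdir(target)
    except FileExistsError:
        return True
    os.rmdir(target)
    return False


def unknown_processes(running, baseline):
    """Process names not in a known-good baseline (case-insensitive).

    "Know what normally runs" as a set difference; the baseline must be
    recorded on the same machine while it was known to be clean.
    """
    known = {name.lower() for name in baseline}
    return sorted({p for p in running if p.lower() not in known})


def build_sample_system_dir(infected):
    """Constructed stand-in for %System% in a fresh temp directory."""
    root = Path(tempfile.mkdtemp(prefix="fake_system32_"))
    (root / "kernel32.dll").write_bytes(b"")  # benign filler, constructed
    if infected:
        (root / "lowsec").mkdir()
        (root / "lowsec" / "local.ds").write_bytes(b"\x00" * 16)
        (root / "lowsec" / "user.ds").write_bytes(b"\x00" * 16)
        (root / "sdra64.exe").write_bytes(b"MZ")
    return root


def demo():
    """Run the checks against constructed clean and infected trees."""
    clean = build_sample_system_dir(infected=False)
    dirty = build_sample_system_dir(infected=True)
    # Constructed process lists: baseline taken when clean, "running" now.
    baseline = ["System", "csrss.exe", "svchost.exe", "explorer.exe"]
    running = ["System", "csrss.exe", "svchost.exe", "explorer.exe", "sdra64.exe"]
    try:
        return {
            "clean_files": find_zbot_files(clean),
            "clean_probe": probe_hidden_lowsec(clean),
            "dirty_files": find_zbot_files(dirty),
            "dirty_probe": probe_hidden_lowsec(dirty),
            "unknown": unknown_processes(running, baseline),
        }
    finally:
        shutil.rmtree(clean, ignore_errors=True)
        shutil.rmtree(dirty, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real machine the functions would be pointed at the actual system directory (or at the mounted slaved drive's System32), and the baseline list would come from a process snapshot saved while the box was known clean; a hit on any of the three files, or a "directory already exists" result from the probe, is a reason to go to the offline scan rather than to trust the live AV.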
From: Bad Boy Charlie on 18 Feb 2010 13:40

On Thu, 18 Feb 2010 18:25:08 -0000, "Ant" <not(a)home.today> wrote:

> "RayLopez99" wrote:
>
>> http://en.wikipedia.org/wiki/Botnet
>>
>> So the question arises, if 'up to a quarter of all PCs are infected by botnets' (see Wiki above), and presumably most of these PCs have anti-virus software, how do you detect a botnet residing on your PC?
>
> Look for processes that shouldn't be running (you do know what services, etc. are normally running and why?), look for files and directories that shouldn't be there (you do know what your directory structure looks like and why?), examine network traffic for anomalies (you do observe what your computer is making connections to and understand the reasons why?), check the registry load/launch points for unwanted items (you are familiar with the registry and how it's configured for your system?) and so on.
>
>> Assume you do a thorough (full) scan of your HD using commercially available antivirus software like Kaspersky or Webroot Antivirus.
>
> New malware variants appear every day which are mostly not detected until the AV vendors catch up. Once a machine is infected, malicious software can hide itself from anti-malware applications or disable them.
>
>> Followup: if Bank of America's FTP servers have Zeus key logging software on it (as says another article),
>
> Which article?
>
>> does that mean when I log onto BAC's servers to check my online bank account, that this keylogging software is checking my password? I guess the answer is yes.
>
> Zeus (zbot) trojans target user PCs, not bank servers. And, yes, if you are infected with one, any online transactions with whatever bank or any other online service are completely unsafe.
>
> Recent zbots create these files, where %System% on current versions of Windows is usually C:\Windows\System32
>
> %System%\lowsec\local.ds
> %System%\lowsec\user.ds
> %System%\sdra64.exe
>
> They will be hidden if the Trojan is active, and attempting to create the lowsec subdirectory (if it's not already visible) will confirm the infection with a message that the directory already exists.

Good reply Ant, especially the obvious innuendo that all users should know what processes and apps are normally running and be aware of apps and processes you don't recognize. I do just that and have for some time. I can say that Task Manager/Processes is our friend....good answer.

Even though many of us (especially those of us on Usenet) have some measure of technical savvy, I long for the day when PCs can be run as innocently as the kitchen toaster for everyone's ease of use, so they can get more work or play done without needing to be a cyber cop on patrol of their own PC.