From: Ant on 21 Feb 2010 13:34

"RayLopez99" wrote:
> On Feb 21, 4:09 am, (David Kaye) wrote:
>> I suspect that most of this bot activity is taking place not on the majority of home computers but on computers people don't look at very often such as web servers, mail servers, etc.

I don't agree. Servers are more likely to be better managed than end-user machines. There are also many more home PCs than servers.

> Today I notice a slightly suspicious looking entry:
> ppp-124-120-170-40.revip2.asian ??? What can this be?

You truncated the name, which is:
ppp-124-120-170-40.revip2.asianet.co.th

The IP address (124.120.170.40) associated with that generically-named host belongs to trueinternet.co.th, an ISP in Thailand. It's the kind of name that gets assigned to home user IPs.

You should be highly suspicious of it. Find out what process owns the connection.
From: John Mason Jr on 21 Feb 2010 13:37

On 2/20/2010 9:09 PM, David Kaye wrote:
> "FromTheRafters"<erratic(a)nomail.afraid.org> wrote:
>
>> I think that's the key. Any client in a server is potentially a "botnet", broadly defined. So the Wiki stat is probably a 'high' number.
>
> But only if it is being controlled by a server. A good portscan or the warning messages from a firewall such as ZoneAlarm would show immediately whether a computer was acting as a bot or not.
>
> Shut down any browsers, Outlook, etc., go away for 10 minutes. Run the portscan and see what dot-quad addresses are being accessed. Should only be your router and maybe Apple (if you've installed iTunes or QuickTime) and maybe Adobe if you have an Adobe product, etc. A good port scanner will resolve the addresses for you and tell you what your connections are looking at. If some dot-quads don't resolve to domain names or the domain name ends in .ch (China), .ru (Russia), .pl (Poland), etc., then you're in trouble. You likely have a bot.
>
> As I said earlier, very few of my malware customers have these, which is why I dispute the 88% or 92% or whatever figures. I'm just not seeing many of them.
>
> I suspect that most of this bot activity is taking place not on the majority of home computers but on computers people don't look at very often such as web servers, mail servers, etc.
>

You say portscan, but it sounds more like the output from something like netstat, or tcpview. But once the machine is compromised you can't trust the output of any installed program, without making sure the program or configuration hasn't been altered.

I do agree folks should understand the normal behavior of their machine so they can spot abnormalities.

The stats can be difficult to generate since only the owners that notice a problem do something about it, and the data is proprietary for many companies.

John
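As an added illustration of the check David describes and John attributes to netstat/tcpview (this is example code, not from any poster), the script below parses constructed `netstat -ano` output as Windows XP prints it, attributes each remote connection to its PID, and flags remotes that have no reverse name or only a generic ISP pool name of the kind Ant decoded. The PID-to-image map and the reverse-DNS table are constructed stand-ins for `tasklist` and `socket.gethostbyaddr()`; the process names are hypothetical.

```python
import ipaddress
import re
from typing import List, NamedTuple
# Constructed sample in the column layout of `netstat -ano` on Windows XP.
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.5:1057       192.168.1.1:80         ESTABLISHED     1180
  TCP    192.168.1.5:1062       124.120.170.40:8080    ESTABLISHED     2048
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       936
  UDP    192.168.1.5:137        *:*                                    4
"""
# Constructed PID -> image name map (as `tasklist` reports it); names are hypothetical.
PID_NAMES = {1180: "firefox.exe", 2048: "updchk.exe", 936: "svchost.exe", 4: "System"}
# Constructed stand-in for socket.gethostbyaddr(); the entry is the name quoted in the thread.
RDNS = {"124.120.170.40": "ppp-124-120-170-40.revip2.asianet.co.th"}
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+\S+\s+(\S+)\s+(?:\S+\s+)?(\d+)\s*$")
# A reverse name that merely spells out the address (ppp-124-120-170-40...) is a dynamic pool.
EMBEDDED_IP_RE = re.compile(r"(\d{1,3})[-.](\d{1,3})[-.](\d{1,3})[-.](\d{1,3})")
class Conn(NamedTuple):
    remote_ip: str
    pid: int

def parse_netstat(text: str) -> List[Conn]:
    # Keep (remote IP, PID) per line; '*:*' is an unconnected UDP socket and is skipped.
    conns = []
    for m in (LINE_RE.match(line) for line in text.splitlines()):
        if m and m.group(2) != "*:*":
            conns.append(Conn(m.group(2).rsplit(":", 1)[0], int(m.group(3))))
    return conns

def is_generic_pool_name(host: str, ip: str) -> bool:
    m = EMBEDDED_IP_RE.search(host)
    return bool(m) and ".".join(m.groups()) == ip

def triage(conns, rdns, pid_names, trusted=("apple.com", "adobe.com")) -> List[dict]:
    # Return the connections the user should go and explain, each with its owning process.
    findings = []
    for c in conns:
        ip = ipaddress.ip_address(c.remote_ip)
        if ip.is_private or ip.is_unspecified or ip.is_loopback:
            continue  # router, LAN and listening sockets are expected
        host = rdns.get(c.remote_ip)
        if host and any(host == t or host.endswith("." + t) for t in trusted):
            continue  # known vendor traffic such as iTunes or Adobe updaters
        reason = ("no reverse DNS" if host is None
                  else "generic ISP pool name" if is_generic_pool_name(host, c.remote_ip)
                  else "unknown remote host")
        findings.append({"pid": c.pid, "process": pid_names.get(c.pid, "?"),
                         "remote": c.remote_ip, "host": host, "reason": reason})
    return findings
```

Per John's caveat, feed it output captured with tools you trust rather than whatever netstat the suspect machine happens to have.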
From: David Kaye on 21 Feb 2010 16:25

ASCII <me2(a)privacy.net> wrote:
> Not to quibble but [ch] is the Confoederatio Helvetica or Switzerland, whereas China is [cn]

I'm sorry, I meant .cn not .ch.
From: David Kaye on 21 Feb 2010 16:30

"Ant" <not(a)home.today> wrote:
> I don't agree. Servers are more likely to be better managed than end-user machines. There are also many more home PCs than servers.

But sysadmins tend not to personally use their mail and web servers very often. Sure, they'll login from time to time, but they're not going to be using them intensely with word processing, spreadsheets, web browsing, etc., and thus are not likely to find slowdowns, suspicious disk activity, freaky behavior. But people who use home computers are going to find these things quickly.

And again, I deal with new customers all the time who have malware infections and seldom do I see bots. These are random people who call me via one of my yellow pages ads. They call when they have problems. But well over 90% of them do not have bots on their systems.
From: RayLopez99 on 21 Feb 2010 19:36
On Feb 21, 8:34 pm, "Ant" <n...(a)home.today> wrote:
> "RayLopez99" wrote:
> > On Feb 21, 4:09 am, (David Kaye) wrote:
> >> I suspect that most of this bot activity is taking place not on the majority of home computers but on computers people don't look at very often such as web servers, mail servers, etc.
>
> I don't agree. Servers are more likely to be better managed than end-user machines. There are also many more home PCs than servers.
>
> > Today I notice a slightly suspicious looking entry:
> > ppp-124-120-170-40.revip2.asian ??? What can this be?
>
> You truncated the name, which is:
> ppp-124-120-170-40.revip2.asianet.co.th
>
> The IP address (124.120.170.40) associated with that generically-named host belongs to trueinternet.co.th, an ISP in Thailand. It's the kind of name that gets assigned to home user IPs.

Meaning what? Gets assigned legally? Or nefariously?

> You should be highly suspicious of it. Find out what process owns the connection.

Too late--it did not show up when I rebooted. It's gone. Is it possible that bots only "spring to life" certain hours of the day or week?

You're scaring me Ant. Do you recommend what product for scanning? I am running XP pro on an old Pentium IV machine with a couple of Gigs RAM. It's old but works. I cannot upgrade to Vista / 7 on this machine. So will some (old) version of Zone Alarm work? I heard bad things about Zone Alarm when it had a certain version that was akin to malware (hard to uninstall as I recall). Is Zone Alarm any good anymore? Or something else?

Thanks,
RL