From: RayLopez99 on
On Feb 18, 3:02 pm, "FromTheRafters" <erra...(a)nomail.afraid.org>
wrote:
> "RayLopez99" <raylope...(a)gmail.com> wrote in message
>
> news:cfc2b9ca-e3cd-4e38-90df-701c0c7b2558(a)k41g2000yqm.googlegroups.com...
>
> >http://en.wikipedia.org/wiki/Botnet
>
> > So the question arises, if 'up to a quarter of all PCs are infected by
> > botnets' (see Wiki above), and presumably most of these PCs have anti-
> > virus software, how do you detect a botnet residing on your PC?
>
> Antimalware applications and rootkit detectors.
>
> > Assume you do a thorough (full) scan of your HD using commercially
> > available antivirus software like Kaspersky or Webroot Antivirus.
>
> Most antivirus applications are incorporating rootkit detection and some
> coverage of general malware into their capabilities. Still, I would
> suggest using several antimalware (cleanup) tools and maybe even one
> with active protection.
>

OK thanks. I am using Webroot and I also use Kaspersky for my other
PC. According to a report
( http://www.av-comparatives.org/images/stories/test/ondret/avc_report22.pdf )
they score fairly OK (slightly below average or average, with 30-50%
coverage, which sounds lousy but apparently that's about par).


> > Followup:  if Bank of America's FTP servers have Zeus key logging
> > software on it (as says another article), does that mean when I log
> > onto BAC's servers to check my online bank account, that this
> > keylogging software is checking my password?  I guess the answer is
> > yes.
>
> Keyloggers log keystrokes. If *they* have a keylogger, it is *their*
> keystrokes that are being logged. The implication is that *their* system
> can be further compromised by use of the information gathered.
>
> Then consider that *their* system is the one enforcing the password
> based restriction policy.

Good point--I never thought of that. So their keystrokes, not mine,
are at issue.

RL
From: RayLopez99 on
On Feb 18, 3:25 pm, Virus Guy <Vi...(a)Guy.com> wrote:
> RayLopez99 wrote:
> > So the question arises, if 'up to a quarter of all PCs are
> > infected by botnets' and presumably most of these PCs have anti-
> > virus software, how do you detect a botnet residing on your PC?
>
> You remove the hard drive from a suspect PC and attach it as a slaved or
> second drive to a known good / trusted PC equipped with various
> on-demand malware scanning software, and you scan the slaved drive.  As
> a slave, if it has rootkit or viral/trojan files on it, they won't be
> active and will essentially be sitting "naked" out in the open for the
> anti-malware software to see.

OK, sounds reasonable. But what if you don't have a clean PC? I
assume that commercial antivirus s/w with some rootkit detectors must
have a way of finding this malware, but then again (see my reply
above) their success rate is at best less than 50%, so their technique
is not foolproof.

RL
From: FromTheRafters on
"RayLopez99" <raylopez88(a)gmail.com> wrote in message
news:5a1db053-534c-47ca-9a9e-92ed5e6241d4(a)f29g2000yqa.googlegroups.com...

OK thanks. I am using Webroot and I also use Kaspersky for my other
PC. According to a report (
http://www.av-comparatives.org/images/stories/test/ondret/avc_report22.pdf
) they score fairly OK (slightly below average or average, with 30-50%
coverage, which sounds lousy but apparently that's about par).

***
It is hard for an outstanding virus detection engine to stand out when
it is additionally expected to not only detect non-replicating malware
samples, but clean-up after the fact of infestation. Your choices of
protection should address your choices of behavior. Personally, I
wouldn't base my choice of AV on its clean-up capabilities - it's like
choosing a bodyguard based on his EMT skills.

Instead, adhere to strict policies and you can restrict the window of
opportunity for most kinds of malware (trusted downloads only (most
trojans), frequent software updates (exploit based worms)) and your
on-access antivirus will probably never see anything viral to alert on.
***

> > Followup: if Bank of America's FTP servers have Zeus key logging
> > software on it (as says another article), does that mean when I log
> > onto BAC's servers to check my online bank account, that this
> > keylogging software is checking my password? I guess the answer is
> > yes.
>
> Keyloggers log keystrokes. If *they* have a keylogger, it is *their*
> keystrokes that are being logged. The implication is that *their*
> system
> can be further compromised by use of the information gathered.
>
> Then consider that *their* system is the one enforcing the password
> based restriction policy.

Good point--I never thought of that. So their keystrokes, not mine,
are at issue.

***
Yes, if the keyloggers are indeed on their system.

Some keyloggers (maybe even this one) can also log keys struck on the
OSK (On Screen Keyboard; Start - Run - osk to see what I mean), so even a
server without a keyboard attached can have an operational keylogger.

Can you point me to the story about B o' A's keyloggers?
***


From: RayLopez99 on
On Feb 18, 10:48 pm, "Ant" <n...(a)home.today> wrote:
> "Bad Boy Charlie" wrote:
> > On Thu, 18 Feb 2010 18:25:08 -0000, "Ant" wrote:
> >>"RayLopez99" wrote:
> >>> Followup:  if Bank of America's FTP servers have Zeus key logging
> >>> software on it (as says another article),
>
> >>Which article?
>
> So who's claiming BoA servers are compromised?

An article on the web, referencing Zeus, which has made the news
recently due to some corporate networks being hacked.

>
> > Good reply Ant especially the obvious innuendo that all users should
> > know what processes and apps are normally running and to be aware of
> > apps and processes you don't recognize.
>
> If they don't understand the system, then better to get a competent
> technician to sort it out.

OK, but I am not in a position to hire you, as I'm not a Fortune 500
company. I do have a decent understanding of PCs, and have built
quite a few from scratch and program as well. But to assume that a
commercial program is less competent in catching viruses than I is a
bit of a stretch and hubris. I will stay with Kaspersky and hope for
the best.

RL
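To make the "know what normally runs" advice above concrete, here is an added example (not code from any poster in this thread) that compares a snapshot of running processes against a baseline recorded on a clean machine and flags both unfamiliar names and familiar names running from the wrong place. The process names, paths and the (name, path) list format are constructed assumptions.

```python
"""Compare a running-process snapshot against a known-good baseline.
Added example, not from any poster. Assumes the baseline was recorded on a
clean install and both lists hold (image name, full path) pairs, e.g. copied
from Task Manager or `tasklist`. All data below is constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Proc:
    name: str  # image name as shown in the process list
    path: str  # full path of the executable on disk

# Constructed baseline: what this box normally runs when clean.
BASELINE = {
    Proc("svchost.exe", r"C:\Windows\System32\svchost.exe"),
    Proc("explorer.exe", r"C:\Windows\explorer.exe"),
    Proc("csrss.exe", r"C:\Windows\System32\csrss.exe"),
}

# Constructed later snapshot of the same box.
SNAPSHOT = [
    Proc("svchost.exe", r"C:\Windows\System32\svchost.exe"),
    Proc("explorer.exe", r"C:\Windows\explorer.exe"),
    Proc("csrss.exe", r"C:\Windows\System32\csrss.exe"),
    # Familiar name, but running from a user-writable folder.
    Proc("svchost.exe", r"C:\Users\ray\AppData\Local\Temp\svchost.exe"),
    # Name that never appeared in the baseline.
    Proc("winupd32.exe", r"C:\Users\ray\AppData\Roaming\winupd32.exe"),
]

# Folders an ordinary user can write to; system binaries never live here.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\")

def review(baseline, snapshot):
    """Return (unknown, masquerading): snapshot entries absent from the
    baseline, split by whether the baseline already knows the image name."""
    known = {(p.name.lower(), p.path.lower()) for p in baseline}
    known_names = {n for n, _ in known}
    unknown, masquerading = [], []
    for p in snapshot:
        key = (p.name.lower(), p.path.lower())
        if key in known:
            continue  # exact match on name and path: expected
        (masquerading if key[0] in known_names else unknown).append(p)
    return unknown, masquerading

def from_user_writable(p):
    """Extra red flag: the image sits in a folder any user can write to."""
    return any(d in p.path.lower() for d in USER_WRITABLE)
```

Anything `review` returns is a candidate to look up by hand, not proof of infection; a legitimate installer can also drop a binary in AppData.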
From: RayLopez99 on
On Feb 18, 10:57 pm, "FromTheRafters" <erra...(a)nomail.afraid.org>
wrote:
> ***
> It is hard for an outstanding virus detection engine to stand out when
> it is additionally expected to not only detect non-replicating malware
> samples, but clean-up after the fact of infestation. Your choices of
> protection should address your choices of behavior. Personally, I
> wouldn't base my choice of AV on its clean-up capabilities - it's like
> choosing a bodyguard based on his EMT skills.
>
> Instead, adhere to strict policies and you can restrict the window of
> opportunity for most kinds of malware (trusted downloads only (most
> trojans), frequent software updates (exploit based worms)) and your
> on-access antivirus will probably never see anything viral to alert on.
> ***

Either that or the viruses are too slick. For example, I've often
thought (being a programmer myself) how easy it would be to create a
button that looks like a "close X" at the upper right hand corner of
the window, and when you click on it, it activates something.

> Can you point me to the story about B o' A's keyloggers?
>

It was a web article, I think UK, and it did not name sources.
Apparently (said the article) corporations, like those in the recent
Zeus mass attack, are reluctant to publicize their security breaches.

RL