Slashdot Mirror
How Do I Determine If My PC is a Zombie?
Captain Chad wonders: "With the recent news of a 1.5-million node botnet, as well as the AIM rootkit worm, I'm getting a bit concerned about whether my PC may be a zombie. I'm seeing a lot of internet activity, even when nothing is running, and I've checked the process explorer for obvious tasks to no avail. I apply patches as soon as they're released, and my antivirus/spyware programs report nothing. How do I determine if my PC is a zombie, and if it is, how would I de-infect it?"
On this same vein, college campuses are often prime breeding grounds for undead-boxen. bcrowell adds: "I'm a teacher at a community college where Windows is the only supported OS -- if you ask the school to put machine on your desk, you get a Windows box. Faculty who want to run MacOS or Linux have had to provide their own machines, and those who want to do PowerPoint presentations for their classes have been told that they have to buy their own laptops and bring them in.
Now Academic Computing has announced a new policy: any unauthorized use of the network, such as plugging in your own computer to a port, is prohibited, and will result in disciplinary action. There are supposedly plans to enforce this rule automatically with hardware and software. Great consternation has ensued in the faculty senate, and the manager who wrote the policy has explained that it is basically aimed at the problem of improperly maintained teachers' machines getting '0wned'. A little ironic, because the Windows boxes maintained by the computing folks keep getting infected by worms. Still, it's not an unreasonable concern; many teachers are clueless. In fact, I wouldn't pretend to know enough to keep a Windows machine secure on a public network, although I haven't had any problem with the FreeBSD box on my desk. Any suggestions on how to deal with this? Effective arguments to use? Good educational resources to point people to so they can learn how to keep their Windows boxes secure? Many of my colleagues seem to think that security mainly involves buying antivirus software."
Now Academic Computing has announced a new policy: any unauthorized use of the network, such as plugging in your own computer to a port, is prohibited, and will result in disciplinary action. There are supposedly plans to enforce this rule automatically with hardware and software. Great consternation has ensued in the faculty senate, and the manager who wrote the policy has explained that it is basically aimed at the problem of improperly maintained teachers' machines getting '0wned'. A little ironic, because the Windows boxes maintained by the computing folks keep getting infected by worms. Still, it's not an unreasonable concern; many teachers are clueless. In fact, I wouldn't pretend to know enough to keep a Windows machine secure on a public network, although I haven't had any problem with the FreeBSD box on my desk. Any suggestions on how to deal with this? Effective arguments to use? Good educational resources to point people to so they can learn how to keep their Windows boxes secure? Many of my colleagues seem to think that security mainly involves buying antivirus software."
Place a bowl full of brains in front of it and see if you get a response.
Happy Halloween >:D
Destroy it. It's the only way to be sure.
you are on the safe side unless the spam you get comes from your own IP.
Really... What kind of internet activity are you seeing? Are the lights blinking and you have no idea what is actually happening or are processes on your box accessing IRC servers accross the world without your knowledge?
Being called a dork on Slashdot must be like being called the retard in special ed.
http://www.sysinternals.com/Utilities/rootkitrevea ler.html
Hook up another box on a hub and check the network traffic. Obvious signs are connections to addresses that can be traced to irc servers or use of irc ports. The first time I found a bot nest, it scared me like Doom 3 never could. If this means nothing to you, get some expert interactive help.
Go here and download Rootkit Revealer. If that doesn't find anything, and you've tried everything you said, you got some smart malicious rootkit-usin' virus that knows how to trick Revealer, or your system is the proto for some new form of evilness.
A B A C A B B
Grab a copy of my software and monitor your network usage. If you happen to find blatantly obvious spyware running on your machine, try some of the automatic spyware removal tools available. If you're still infected, the best course of action is a reinstall.
How we know is more important than what we know.
If you are using Windows - run netstat at the command line.
There are also some switches that can show more detailed information, some of them are undocumented I believe. Use Google if you need to find them.
Using Ethereal is also an option - it can provide a lot more information but is more involved to use and interpret the results.
Semi-off topic:
If the admins can't even secure their own software, why should they think that those not in "the know" can.
My advice, get written statements about the reasons for no external computers. If the internal computers continue to get infected after this policy is put in place, anonymously email the people in charge (the admins' bosses) reminding them of the reason for the "fix".
As for getting infected, I agree with the other posters, and add that it's hard enough to keep a windows PC uninfected when just one careful person is on it. But once you start giving easily-infected PCs to people who aren't careful, the thing becomes a hive of filth.
Am I open minded towards open source, or closed minded towards closed source?
Start with an external packet sniffer - see what traffic the machine is sending out and on what ports. If you are seeing traffic that you don't understand - get help to determine what it is. You can start with a simple NAT gateway, and simply log the IP addresses/ports that your machine(s) are going too. If you see unidentified remote ports, well - you probably have a problem, if you see port 80 traffic to sites you don't know what they are - you have a problem, etc.
How to clean up the mess. Well, your first step would be to simply reformat the hard drive. If you can't do that - good luck, remember you will need to start with a clean media boot (as in a CD boot to a Linux/BSD distro) and see what you can find. Remember with a rootkit present, your kernel can and DOES completely lie to you about what is going on internally.
I have mod points and I am not afraid to use them
And Slashdot will tell you.
Yours Sincerely, Michael.
I saw various things on the recently downloaded files list when I got home. I asked him about it, he said he tried to download some things, but that he never ran them because he couldnt find out where they downloaded to.
Now I have paranoia.
-- 'The' Lord and Master Bitman On High, Master Of All
"Bowl full of brains"? Yuck! Brains have to be freshly-killed to have any flavor at all. Optimally, the victim should still be thrashing as you scoop them out.
I just see a lot of text, and then I start Enlightenment. Where does that place me?
I see a lot of people offering some moderatly technical advice, but perhaps a simpler answer to the question is - there's no one easy, foolproof, turnkey way to reliably determine whether your Windows machine is infected.
There are too many different types of malware around - virii, spyware, rootkits, trojans, and so on - each of which has new twists coming up almost daily. No single development team or company can keep up, and there are too many out there trying for there even to be a dominant player (and if there were, malware would promptly be rewritten to undermine the anti-malware utility in question...).
You will either need to learn how to use some of the tools others in this thread mention (it's not as hard as it may seem at first - try running them on a system you can be confident is clean, and become familiar with what "safe" traffic looks like, then try yours), or be prepared to pay hefty $ for expert help, or switch to another OS.
FWIW, I've run un-patched Windows2k for years without trouble, largely because I use a hardware NAT (firewall) and avoid Outlook. Even so, I am careful to avoid clicking on the wrong things online, and I am working towards moving to Linux ASAP.
Perfectly Normal Industries
Given your sig, how do you know your *nix box isn't rootkitted?
You make the mistake of thinking you can educate the fundamental stupidity out of people. You can't.
You know, two weeks ago I discovered the AIMbot worm on a friends computer. I picked it apart, watched how it worked, etc. Then I tried in vein to warn several of the major anti-virus companies, but they offered either a) no means of emailing them to offer tips and programs b) only paying customers could submit such information. I tried to contact AOL's AIM department, but no contact addresses where findable, so I emailed their abuse line, but not response. I emailed several providers about infected customers and only Comcast responded their email and in a live-chat (apperent;y you do not have to be a customer to use the customer tech support-- just use the account name guest, password anonymous and fake your real name and address and you are in.
It was frustrating, since I barely was able to inform anyone. There has got to be a better way, but I just could not find it. It was also frustating since I could not offer my friend a means to clean her computer and she had no one to help her directly (too far away for me to manually remove it with magic of Knoppix).
www.shield.org maintains a database of sources of malicious network traffic. Many organizations submit firewall logs to dshield, so they have a pretty good global view of who the bad apples are on the network. For anyone who administers network connected machines, it's a good idea to periodically look up your IP(s) or subnet(s), and see if anyone has generated any complaints about any of your own boxes.
Caveat: This will probably only identify the most aggregious zombies, and only the ones that are doing things that firewalls can identify as malicious. Just because your IPs don't show up on dshield, doesn't mean they aren't zombies.
Mynetwatchman is a similar service, there may be others as well.
here at Lewis & Clark (http://www.lclark.edu/ they use a client for any windows based machine to authenticate. Any other OS is required to authentify using a webpage to which you are redirected automatically when opening any webpage.
The client ensures you have all mandatory updates installed to connect, otherwise the access is discontinued. Saves lots of trouble, and my friends on OSX and me on gentoo have no problems whatsoever.
Might want to suggest your IT department to take a look at it... And even contact our IT department, they're pretty open about helping other schools keep their networks clean.
Hope that tidbit of info helped.
Oh, before I forget, the client used to be called "SmartEnforcer", and now it's a Cisco client... don't remember the name since I don't use it.
---- I am certain of only one thing : I know nothing else.
Enable the framebuffer console.
I know nothing about Kernels, the internal workings of all OS's, etc, however it occured to me that your kernel has to just be a file or collection of files...
Why couldn't you get the md5 or sha1 hash of that file (or group of files), and then periodicaly recheck the files and compare the two. Of course you would probably have to redo the "initial" hashing after any official update (or does your kernel not change all that often? Like I said I have no idea about most of this).
That's all i've really thought of thus far, but thank you to the OP, this has been something I have been wondering about for quite a while and it would be cool to see a "complete" guide to detecting and fighting these kind of things.
Scott Swezey
Type "emerge rkhunter". If that works, chances are, you're ok.
He obviously does not.
The IT group has to answer to the needs of their users, not the other way around. Granted, they are trying to keep out viruses and lawsuits, but they still need to address your needs.
It sounds like their heads have swelled too much, so talk to their boss, or their bosses boss. Explain that your work is better with this tool, and that it is unreasonable to ban your tool given the known lack of risks. This is not a garage-built closed-source piece-of-shareware; but a globally used, open source, well-inspected and maintained tool. Remember the talking points: ZERO viruses (macs), not running as Administrator, updates are applied regularly and consistently.. (well, there's better Persuader lists out there.)
I've been in IT for the last 10 years, and we are there specifically to help the users do their job. Sometimes it's to disable all email attachments, and sometimes it's setting up a Windows 98 machine for a critical job.
You may need to compromise.. a probabation peroid of increased firewall monitoring, maybe a "I'm responsible" contract to cover their butts. Thing is.. if their argument comes down to "Because we said so", then they are enforcing a personal agenda, and have ceased being effective at their primary responsibilities.
(Falling asleep at this point, so my ramblings will go unedited..) Hope this helps.
Everyone is entitled to his own opinions, but not his own facts.
Higher brain functions are the first to go with zombies...
It's tough but you have to remember to shoot for the head.
May contain traces of nut.
Made from the freshest electrons.
I've seen many responses, including webpages which may be helpful, or other programs which may be up to date. Personally, I prefer netstat. It's not "user friendly", but it's always up to date. If you're smart enough to keep your computer updated, you're smart enough to start recognizing stuff and feeding Google what you don't understand.
Basically, http traffic is likely web. Hopefully you recognize websites you're visiting. Imap and pop, mail. You get the idea. There may be a few you don't recognize, on ports that netstat can't translate. Feed the host to Google and see what you can find out. If your computer is idle and you can't figure out what's going on, netstat will give you a momentary snapshot. A coworker was afraid his computer was overtaken, I looked at it, pointed to the only host I didn't recognize and he said, "Oh, I forgot about my automated backup!"
I reinstalled... LINUX... and openbsd on the heavy router (its an OLD intel gaming machine turned router (450 mhz rig))
Odd thing is, I also do it for anyone who complains about spyware to me. So far they know... I WILL NOT fix windows issues, but I will "reinstall"... they have to agree that they will ask ME to install software for them unless they get it from the CVS/packagemanager that is defaulted by their distribution... overall I've had little trouble, though they complain that certain things (windows WMI DRM for example when using new porn sites) not working.
Other than that, nobody bitches except that they have to go through so much trouble to install things that come on windows cds... (and ultimately since they run in wine, the system remains unfux0r3d)... go figure eh?
~D
" What luck for rulers that men do not think" - Adolf Hitler
What community college is that? Better yet, what is their IP address range, or their domain name (so I can add them to my email blacklist)? Given their backwards policy on security, I would be safer by refusing anything from there.
now we need to go OSS in diesel cars
First make sure your office isn't haunted.
Happy All Saints Day.
If I remember right there is a Linux security software called Tripwire that records a hash for critical files in the system and when one of them changes it notifies you.
Does such a thing exist for windows?
Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
It would also be a good idea to demonstrate that you have the financial resources to cover the loss if the system gets compromised as a result of your non-standard box creating a security flaw. For the benefit of the uninitiated/wishful thinkers, that liability is $EXPERT_HOURLY_RATE * $HOURS_TO_REINSTALL_ENTIRE_NETWORK + $COST_TO_ORGANISATION_OF_TIME_LOST_DOING_SO, because once you're compromised, nothing less is safe.
If you aren't prepared/able to underwrite such a sum, you have no business ignoring IT's policy and using a non-standard set-up, end of story. If you want to do something else for a genuine reason connected with your job, make a case for why your need to do that is more important than any risk it creates to the organisation's IT infrastructure, and the attendant risk to everyone else's ability to do their job, and ask to have the policy changed or for an exception to be made.
Contrary to popular opinion, not all sysadmins are stupid, draconian power freaks. Some of them just take security seriously. (Not saying that's necessarily the case here, but don't assume a policy like this is unreasonable just because it's inconvenient.)
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Use Dug Song's arpspoof, on a BSD or Linux box, to analyze the traffic comming from the suspect. Make sure you have packet forwarding enabled on the box running arpspoof. For FreeBSD, just check that "gateway_enable="YES"" is in your /etc/rc.conf file. Now run arpspoof -t [suspect box's ip address] [gateway router ip address]. Now the suspect box will think that your Linux/BSD box's MAC address is the MAC address of the gateway router. So if you run tcpdump, you'll see all the packets that the suspect box is trying to send out to the internet.
You can always use RootkitRevealer. I have not tried this myself, but it looks like a good tool. I was also poking around looking for rootkit information when I found this.
You may also want to check out this interesting story from Mark Russinovich, Sony Music CDs installing DRM rootkit.
Not new around here, just haven't paid attention to it before, and I haven't seen much about the lameness filter.
So, WTF?
How is that supposed to prevent lameness?? I can't see the point of having spaces inserted into long urls - is the idea to break up any long string of text?
--LWM
...scanned your computer for rootkits, viruses, and trojans, and found it's a hive of filth! It's infested with some really devious stuff. You've got backdoors and unsecured shares everywhere. Spyware is beaming the contents of your hard drive to marketers across SE Asia, and you're delivering at least 300K+ vi@gr4 spams per hour.
Even as I type this it's trying to beam all your personal information back to Ukranian hackers, three different sites that claim they're eBay, and it's sending hundreds of megabytes of data through two FTP servers running on your machine + at least half a dozen IRC connections.
I've taken the liberty of trashing most of your registry, so maybe that'll slow down the infections.
And wow, man, according to my scans, you're in to some really kinky porn! If anyone found I had that kind of stuff on my computer my marriage, career, and everything else in my life would be ruined!
I'd give you more details but for some reason my computer is really bogging down. (I guess it's time to upgrade again.) It takes about ten seconds for each word to appear and I have to keep clicking out of these annoying popups. Anyway, you're totally 0wn3d.
What's with all the porn on your computer? I decided to just "hack in" - don't worry, I'm a white hat - and I found all this stuff on your computer! I don't feel like helping you out anymore because this horsebj.avi business is just too disgusting and really shows what kind of person you are, and frankly I don't want to help you.
God! People these days!