Slashdot Mirror
How Do I Determine If My PC is a Zombie?
Captain Chad wonders: "With the recent news of a 1.5-million node botnet, as well as the AIM rootkit worm, I'm getting a bit concerned about whether my PC may be a zombie. I'm seeing a lot of internet activity, even when nothing is running, and I've checked the process explorer for obvious tasks to no avail. I apply patches as soon as they're released, and my antivirus/spyware programs report nothing. How do I determine if my PC is a zombie, and if it is, how would I de-infect it?"
On this same vein, college campuses are often prime breeding grounds for undead-boxen. bcrowell adds: "I'm a teacher at a community college where Windows is the only supported OS -- if you ask the school to put machine on your desk, you get a Windows box. Faculty who want to run MacOS or Linux have had to provide their own machines, and those who want to do PowerPoint presentations for their classes have been told that they have to buy their own laptops and bring them in.
Now Academic Computing has announced a new policy: any unauthorized use of the network, such as plugging in your own computer to a port, is prohibited, and will result in disciplinary action. There are supposedly plans to enforce this rule automatically with hardware and software. Great consternation has ensued in the faculty senate, and the manager who wrote the policy has explained that it is basically aimed at the problem of improperly maintained teachers' machines getting '0wned'. A little ironic, because the Windows boxes maintained by the computing folks keep getting infected by worms. Still, it's not an unreasonable concern; many teachers are clueless. In fact, I wouldn't pretend to know enough to keep a Windows machine secure on a public network, although I haven't had any problem with the FreeBSD box on my desk. Any suggestions on how to deal with this? Effective arguments to use? Good educational resources to point people to so they can learn how to keep their Windows boxes secure? Many of my colleagues seem to think that security mainly involves buying antivirus software."
Now Academic Computing has announced a new policy: any unauthorized use of the network, such as plugging in your own computer to a port, is prohibited, and will result in disciplinary action. There are supposedly plans to enforce this rule automatically with hardware and software. Great consternation has ensued in the faculty senate, and the manager who wrote the policy has explained that it is basically aimed at the problem of improperly maintained teachers' machines getting '0wned'. A little ironic, because the Windows boxes maintained by the computing folks keep getting infected by worms. Still, it's not an unreasonable concern; many teachers are clueless. In fact, I wouldn't pretend to know enough to keep a Windows machine secure on a public network, although I haven't had any problem with the FreeBSD box on my desk. Any suggestions on how to deal with this? Effective arguments to use? Good educational resources to point people to so they can learn how to keep their Windows boxes secure? Many of my colleagues seem to think that security mainly involves buying antivirus software."
http://www.sysinternals.com/Utilities/rootkitrevea ler.html
Go here and download Rootkit Revealer. If that doesn't find anything, and you've tried everything you said, you got some smart malicious rootkit-usin' virus that knows how to trick Revealer, or your system is the proto for some new form of evilness.
A B A C A B B
Grab a copy of my software and monitor your network usage. If you happen to find blatantly obvious spyware running on your machine, try some of the automatic spyware removal tools available. If you're still infected, the best course of action is a reinstall.
How we know is more important than what we know.
If you are using Windows - run netstat at the command line.
There are also some switches that can show more detailed information, some of them are undocumented I believe. Use Google if you need to find them.
Using Ethereal is also an option - it can provide a lot more information but is more involved to use and interpret the results.
Start with an external packet sniffer - see what traffic the machine is sending out and on what ports. If you are seeing traffic that you don't understand - get help to determine what it is. You can start with a simple NAT gateway, and simply log the IP addresses/ports that your machine(s) are going too. If you see unidentified remote ports, well - you probably have a problem, if you see port 80 traffic to sites you don't know what they are - you have a problem, etc.
How to clean up the mess. Well, your first step would be to simply reformat the hard drive. If you can't do that - good luck, remember you will need to start with a clean media boot (as in a CD boot to a Linux/BSD distro) and see what you can find. Remember with a rootkit present, your kernel can and DOES completely lie to you about what is going on internally.
I have mod points and I am not afraid to use them
I would like to add another "covert" Linux installation method.
One thing you can do is put a large hidden file, call it something like "swap.sys" or something of that nature. Boot Linux from an attached device (usb / cdrom), then use losetup to loopback mount that file, and run your normal linux install from there. This will take a bit of advanced knowledge to set up since you'd probably have to install your distro to another drive and copy it over, then set up the initial ram disk image on your boot device to do the right thing (losetup, mount, pivot_root, etc...) You'd have to make sure you have maximum firewalling turned on so that the network admins can't see your install. Also make sure you have a screen saver on when you step away to keep "them" from gaining access to your box when you step away. If they reboot it, then it will come up to the normal Windows install.
If you are a bit more paranoid, you can shrink your primary partition, and point losetup to your raw drive (/dev/hda), and feed it an offset (-o option) large enough to skip over your primary partition, then use that (/dev/loop0) as your root filesystem. Add encryption for complete undetectability.
Of course, both of these options are vulnerable to getting whiped out by your IT staff, so good backups are a must.
Ironicly, you just provided the right and easy answer... the guys from Sysinternals, the ones who did the Sony Drm analisys have a RootkitRevealer that may give a partial answer (it's the screenshot in the Sony article): http://www.sysinternals.com/Utilities/RootkitRevea ler.html
I live in Soviet Canuckistan you insensitive clod!
www.shield.org maintains a database of sources of malicious network traffic. Many organizations submit firewall logs to dshield, so they have a pretty good global view of who the bad apples are on the network. For anyone who administers network connected machines, it's a good idea to periodically look up your IP(s) or subnet(s), and see if anyone has generated any complaints about any of your own boxes.
Caveat: This will probably only identify the most aggregious zombies, and only the ones that are doing things that firewalls can identify as malicious. Just because your IPs don't show up on dshield, doesn't mean they aren't zombies.
Mynetwatchman is a similar service, there may be others as well.
That isn't to say that all traffic is bad traffic. Most of the time that traffic you're seeing isn't YOUR traffic. Its the traffic of all the other computers on the network talking with yours. This isn't a bad thing. Its typical of a large network. You'll have lots of computers talking to each other to let each other know when something changes. For instance, a new computer comes online and has to get an ip address. Usually it doesn't know where to get an ip address, so it sends out a broadcast to all computers on the network (yours too). Your computer sees these, but ignores them because you're not the computer giving out ip addresses. Sometimes its more along the lines of "Hello, my name is JoeUsersPC."
If you're alone on your network, (ie behind a router/firewall) then you shouldn't see much traffic other than your computer chatting with the router/firewall. Your router/firewall should block out most of the noise (and that's what most of it is - noise). Contact your cable/dsl company to see if your cable modem or dsl modem has a firewall built in if you're not sure. If, however, you're seeing lots of traffic on typical IRC ports (6997-6999) to typical irc servers (irc.somethinghere.net) and you don't have any programs open, then you're likely a zombie.
By the way, ethereal is located here. Its probably too advanced for the first article submitter, however. I would suggest looking at netstat at the command prompt first.
Use Dug Song's arpspoof, on a BSD or Linux box, to analyze the traffic comming from the suspect. Make sure you have packet forwarding enabled on the box running arpspoof. For FreeBSD, just check that "gateway_enable="YES"" is in your /etc/rc.conf file. Now run arpspoof -t [suspect box's ip address] [gateway router ip address]. Now the suspect box will think that your Linux/BSD box's MAC address is the MAC address of the gateway router. So if you run tcpdump, you'll see all the packets that the suspect box is trying to send out to the internet.