Slashdot Mirror

← Back to Stories (view on slashdot.org)

How Do I Determine If My PC is a Zombie?

Posted by Cliff on from the shoot-for-the-head dept.

Captain Chad wonders: "With the recent news of a 1.5-million node botnet, as well as the AIM rootkit worm, I'm getting a bit concerned about whether my PC may be a zombie. I'm seeing a lot of internet activity, even when nothing is running, and I've checked the process explorer for obvious tasks to no avail. I apply patches as soon as they're released, and my antivirus/spyware programs report nothing. How do I determine if my PC is a zombie, and if it is, how would I de-infect it?" On this same vein, college campuses are often prime breeding grounds for undead-boxen. bcrowell adds: "I'm a teacher at a community college where Windows is the only supported OS -- if you ask the school to put machine on your desk, you get a Windows box. Faculty who want to run MacOS or Linux have had to provide their own machines, and those who want to do PowerPoint presentations for their classes have been told that they have to buy their own laptops and bring them in.

Now Academic Computing has announced a new policy: any unauthorized use of the network, such as plugging in your own computer to a port, is prohibited, and will result in disciplinary action. There are supposedly plans to enforce this rule automatically with hardware and software. Great consternation has ensued in the faculty senate, and the manager who wrote the policy has explained that it is basically aimed at the problem of improperly maintained teachers' machines getting '0wned'. A little ironic, because the Windows boxes maintained by the computing folks keep getting infected by worms. Still, it's not an unreasonable concern; many teachers are clueless. In fact, I wouldn't pretend to know enough to keep a Windows machine secure on a public network, although I haven't had any problem with the FreeBSD box on my desk. Any suggestions on how to deal with this? Effective arguments to use? Good educational resources to point people to so they can learn how to keep their Windows boxes secure? Many of my colleagues seem to think that security mainly involves buying antivirus software."

13 of 90 comments (clear)

  1. Simple by mike_lynn · · Score: 5, Funny

    Place a bowl full of brains in front of it and see if you get a response.

    Happy Halloween >:D

    1. Re:Simple by Sepper · · Score: 3, Informative

      Ironicly, you just provided the right and easy answer... the guys from Sysinternals, the ones who did the Sony Drm analisys have a RootkitRevealer that may give a partial answer (it's the screenshot in the Sony article): http://www.sysinternals.com/Utilities/RootkitRevea ler.html

      --
      I live in Soviet Canuckistan you insensitive clod!
  2. What kind of internet Activity? by satterth · · Score: 3, Interesting

    Really... What kind of internet activity are you seeing? Are the lights blinking and you have no idea what is actually happening or are processes on your box accessing IRC servers accross the world without your knowledge?

    --
    Being called a dork on Slashdot must be like being called the retard in special ed.
  3. Sysinternals, Unix attitude applied to Windows by reverse+solidus · · Score: 5, Informative

    http://www.sysinternals.com/Utilities/rootkitrevea ler.html

  4. Use ethereal to check out your network traffic by neillewis · · Score: 4, Insightful

    Hook up another box on a hub and check the network traffic. Obvious signs are connections to addresses that can be traced to irc servers or use of irc ports. The first time I found a bot nest, it scared me like Doom 3 never could. If this means nothing to you, get some expert interactive help.

  5. Rootkits My Son by Yocto+Yotta · · Score: 5, Informative

    Go here and download Rootkit Revealer. If that doesn't find anything, and you've tried everything you said, you got some smart malicious rootkit-usin' virus that knows how to trick Revealer, or your system is the proto for some new form of evilness.

    --
    A B A C A B B
  6. Netstat by BladeMelbourne · · Score: 4, Informative

    If you are using Windows - run netstat at the command line.
    There are also some switches that can show more detailed information, some of them are undocumented I believe. Use Google if you need to find them.

    Using Ethereal is also an option - it can provide a lot more information but is more involved to use and interpret the results.

  7. Only trust the machine externally by MerlynEmrys67 · · Score: 4, Informative
    Internal commands like task manager/netstat won't help at all if you have a decent rootkit - the kernel will just hide your processes from it.

    Start with an external packet sniffer - see what traffic the machine is sending out and on what ports. If you are seeing traffic that you don't understand - get help to determine what it is. You can start with a simple NAT gateway, and simply log the IP addresses/ports that your machine(s) are going too. If you see unidentified remote ports, well - you probably have a problem, if you see port 80 traffic to sites you don't know what they are - you have a problem, etc.

    How to clean up the mess. Well, your first step would be to simply reformat the hard drive. If you can't do that - good luck, remember you will need to start with a clean media boot (as in a CD boot to a Linux/BSD distro) and see what you can find. Remember with a rootkit present, your kernel can and DOES completely lie to you about what is going on internally.

    --
    I have mod points and I am not afraid to use them
  8. Re:Post your IP address by BladeMelbourne · · Score: 5, Funny

    127.0.0.1

    Thanks in advance.

  9. In everyday terms - by bscott · · Score: 5, Interesting

    I see a lot of people offering some moderatly technical advice, but perhaps a simpler answer to the question is - there's no one easy, foolproof, turnkey way to reliably determine whether your Windows machine is infected.

    There are too many different types of malware around - virii, spyware, rootkits, trojans, and so on - each of which has new twists coming up almost daily. No single development team or company can keep up, and there are too many out there trying for there even to be a dominant player (and if there were, malware would promptly be rewritten to undermine the anti-malware utility in question...).

    You will either need to learn how to use some of the tools others in this thread mention (it's not as hard as it may seem at first - try running them on a system you can be confident is clean, and become familiar with what "safe" traffic looks like, then try yours), or be prepared to pay hefty $ for expert help, or switch to another OS.

    FWIW, I've run un-patched Windows2k for years without trouble, largely because I use a hardware NAT (firewall) and avoid Outlook. Even so, I am careful to avoid clicking on the wrong things online, and I am working towards moving to Linux ASAP.

    --
    Perfectly Normal Industries
  10. Dealing with Stupid, Lazy, or Malicious IT by Noksagt · · Score: 4, Interesting
    There are a number of ways to get around arbitrary rules. Either overtly or covertly.
    if you ask the school to put machine on your desk, you get a Windows box. Faculty who want to run ... Linux have had to provide their own machines
    You can ask for permission to dual-boot. Or, if you already have permission to install your own software, you can do it covertly. I would not advise wiping the Windows partition--you can boot into it when IT starts snooping around & also some might have a problem with you removing licensed software. Failing this, run from a LiveCD/USB key. Or run coLinux or run it under QEMU, VMWare, or similar.
    Great consternation has ensued in the faculty senate
    Cause greater consternation & bring it over IT's heads. Bring it to the President of the school or the trustees. An army of pissed off faculty will beat a lazy IT head any day.
    Any suggestions on how to deal with this?
    In addition to the above, you can probably ask for a special exception & say you are willing to take the blame if your FreeBSD box gets rooted. Once you show minimum competency & need, as well as the willingness to put your ass on the line instead of theirs, IT will probably cave.
    Effective arguments to use?
    The most effective argument is you can't otherwise do your job. Show that you need FreeBSD. Another good argument is obviously to point out the past infections of campus-maintained machines. Tell them you'll firewall your machine from the University network, both to protect you from it & it from you.
  11. lookup your subnet at dshield by j1m+5n0w · · Score: 4, Informative

    www.shield.org maintains a database of sources of malicious network traffic. Many organizations submit firewall logs to dshield, so they have a pretty good global view of who the bad apples are on the network. For anyone who administers network connected machines, it's a good idea to periodically look up your IP(s) or subnet(s), and see if anyone has generated any complaints about any of your own boxes.

    Caveat: This will probably only identify the most aggregious zombies, and only the ones that are doing things that firewalls can identify as malicious. Just because your IPs don't show up on dshield, doesn't mean they aren't zombies.

    Mynetwatchman is a similar service, there may be others as well.

  12. this command by clambake · · Score: 3, Funny

    Type "emerge rkhunter". If that works, chances are, you're ok.