Slashdot Mirror
How Can I Tell If My Computer Is Part of a Botnet?
ashraya writes "My father (not too computer literate) has a desktop and a laptop both running Windows in his network back in Hyderabad, India. I set up a Linksys router for him to use with his broadband service. For some reason, he reset the config on the Linksys, and connected it up without wireless security, and also with the default admin password for some time. As you would expect, both of the Windows computers got 'slow,' and the desktop stopped connecting to the internet completely for some reason. As I logged in remotely to 'fix' things, I noticed on the Linksys' log that the laptop was making seemingly random connections to high-numbered ports on various IPs. I did an nslookup on the IPs to see that they were all either in Canada or US, with Comcast and other ISP addresses. Is that a sign that the computers were in a botnet? Are the other hosts part of the botnet too? (I have since rebuilt the Windows hosts, and these connections are not happening now. I have also secured the Linksys.)"
Overseeing a small office lan, I've come to the conclusion that you will be infected whether you like to or not. Regardless of how much you threaten users. I've resorted to using an drive image (paragon) saved on a drive partition which saves the system in a uninfected state. As soon as a user goes 'uh ooh' or complains of slowness I restore the image (keep in mind data is stored on a server which is backed up and scanned on which no apps are allowed to run). I also run a combination of ccleaner, spybot s&d and windows defender.
In addition I check the network once a week for mail or ftp sockets ( evidence there is a bot net at work). So far this has been the easiest way to stay on top.
I agree with your theory, however in practice, a hacker clearly has several million low hanging fruits running unpatched xp with antivirus which expired 60 days after the computer was purchased in 2006.
The idea that a botnet is really going to worry about the fraction of the fraction of a percent that knows about netstat seems improbable, though obviously not impossible, which is why I agree with you in theory, but in practice netstat would probably answer his question when a hub and a linux box is inconvenient. If someone has an example of a virus masking its connections through netstat I would both eat crow and be interested to hear it.
A good many replies here - so I will answer a few questions that have been asked.
1. For this time, I assumed the systems were owned, and they have now been rebuild (Windows Reinstalled).
2. The Linksys is re-secured - but I hadnt thought of that being owned - so I have to now do a firmware upgrade on that - Thanks for the suggestion.
3. Other suggestions are to confirm botnet or sniff traffic - I am in the UK, and I can only do so much remotely.
4. One of the quesions was how I managed to remote into the windows hosts - No, I managed to remote into the Linksys, not the windows hosts.
5. The bizzarre situation in the Windows host before it was rebuilt was that if we did (I told the commands over the phone for my dad to execute) ping or traceroute to a destination like www.google.co.in, it would work. It would resolve the right IP. However, with any of the browsers, as soon as access to a site was attempted - We would get a message "Connection Reset" or the browsers equivalent. (Firefox, Chrome and IE tried). Has anyone seen that one before?
6. Another question asked was if the Windows in question was legit - Yes, I bought him a OEM XP the last time I was there and installed it.
Regards,
Ashraya
I don't have any links, but I personally cleaned a PC that had a trojan on it that used netstat hiding tricks. I found it accidentally by looking at files I couldn't delete in the temp folder (trojans often mess with the permissions to make clean-up less likely).
The contents of the file was a text printout of the netstat command, re created every fifteen or so seconds, MINUS the offending connections. Just by waiting and opening the file again I got new netstat info.
Running the command, showed the contents of the text file, not the actual output of netstat. I could see traffic going on using a packet sniffer elsewhere on the network, so knew something was up.
Eventually just wiped and reinstalled anyway because it was faster than fighting it bit by bit.
So, there are such things out there, yeah, it doesn't make a whole lot of sense for them to spend much time on it, but a lot of that stuff is made from "kits" now days anyway so it's not a big deal to enable the feature.
Please don't make unverified claims. I have seen this happen first-hand on several residential switches (5/8 port Linksys/Acer/whatever). It's how they can get away with crapping 8 ports on an underpowered processor with piddly amounts of memory.
There's basically 3 ways a switch can deal with ARP overload:
1. Ditch the least recently seen address (annoying and laggy but relatively clean)
2. Slow down, panic, and stop forwarding packets altogether (hello Linksys)
3. Ignore ARP entirely and revert to being a dumb hub, at least temporarily until everyone shuts up
You'd be surprised how many A+ asshats have daisy-chained those cheap switches to save a buck. I remember one guy who had a cage full of shitty old gear going into a bunch of $40 Aopen switches, because he figured it was cheaper to cram a few U's with those tiny 8-port toys than to drop real money on a bunch of FSM750s. His latency was pretty bad for 100mbit, but his brain was even slower so he cared not. Then one day he added one device too many and a true packet storm ensued, which caused his entire network to seize within minutes. One switch barfed, then another, and another... he had four or five of them per rack, times maybe ten racks. I tried to explain how retarded he was for trying to save maybe $1000 per rack, when each rack had at least 50k worth of gear, but they say ignorance is bliss.
-Billco, Fnarg.com