Slashdot Mirror


How Can I Tell If My Computer Is Part of a Botnet?

ashraya writes "My father (not too computer literate) has a desktop and a laptop both running Windows in his network back in Hyderabad, India. I set up a Linksys router for him to use with his broadband service. For some reason, he reset the config on the Linksys, and connected it up without wireless security, and also with the default admin password for some time. As you would expect, both of the Windows computers got 'slow,' and the desktop stopped connecting to the internet completely for some reason. As I logged in remotely to 'fix' things, I noticed on the Linksys' log that the laptop was making seemingly random connections to high-numbered ports on various IPs. I did an nslookup on the IPs to see that they were all either in Canada or US, with Comcast and other ISP addresses. Is that a sign that the computers were in a botnet? Are the other hosts part of the botnet too? (I have since rebuilt the Windows hosts, and these connections are not happening now. I have also secured the Linksys.)"

5 of 491 comments

  1. Botnet or not... by ajcoon · Score: 0, Troll

    They're likely FUBAR. Burn your dad a Windows CD...

  2. Simple... by Anonymous Coward · Score: 0, Troll

    If your OS is OSX, linux, or some other variant of UNIX... you're not part of a botnet.
    If your OS is Windows... you're hosed.

  3. Duh! by Lulu+of+the+Lotus-Ea · Score: 0, Troll

    If you are running Windows, you are part of a botnet. If you are running a real operating system, your system is clean. Simple, huh?

  4. Botnet analysis by kiltros02 · Score: 0, Troll

    This worked for me: Take a really sharp knife and carefully scrape away the insulation on a section of the wires between your computer and the router. I like to take some duct tape and make a closed loop with the sticky side out. I stick one side of the loop to a flat surface and then stick my wires to the exposed sticky side. This does a pretty good job of keeping the wires secure. You'll then need to develop a quark microscope capable of recording video (I had one but I misplaced it when I moved out of my old apartment). Aim the scope at the exposed wires and hit the record button (mine was red). Type out an email containing every possible character and send it through the wire as your control case. Use this data to translate the electron patterns in the video into discernible information. Monitor the video for several hours. If you see the word "girth" in any outgoing data, you can be pretty sure you've got yourself a bona fide (no pun intended) botnet. If you find a botnet in your system, all you need to do is cut the exposed wires and it won't be able to talk to the internets anymore.

  5. Supplement netstat w/ TcpView + ProcessExplorer by Anonymous Coward · Score: 0, Troll

    "netstat -a | find "LISTENING"" - by (H)elix1 (231155) on Thursday August 06, @05:08PM (#28978877)

    Good idea, & I tend to use THIS command line though:

    netstat -an

    OR

    netstat -ano

    Which will show ALL listening endpoints, inclusive of local ports and remote ones...

    NOW, my point here? Don't trust netstat alone... because, like ANY application, it can be messaged or hooked (like what you see quite a few malwares nowadays do) to supply erroneous OR incomplete data...

    Thus, I recommend some other tools, to supplement & double-check it: Those tools being -> TcpView from SysInternals (Dr. Mark Russinovich & Bryce Cogswell, & Microsoft owns them now)...

    Another EXTREMELY USEFUL TOOL that sysinternals has, for the purposes of determining IF you are running ANY "weird programs", is their Process Explorer tool!

    Process Explorer - it has several advantages over Windows' own native taskmanager, in that it can "break out" subordinate process lists under svchost.exe (what brokers libs/dlls run under it for various system services)... &, since many a malware today attempts to exploit that to hide from std. TaskManager? This program CAN "expose them", if they attempt to hide under svchost.exe... & then, it can also be extremely useful in DESTROYING said malware/botnet control executables as well (more on that in my P.S. below, as to details of the "how" of it, pretty easy to do).

    APK

    P.S.=> Process Explorer can produce a DLL View listing of a process' own subordinate libs/dlls called or other exe's brokered by it (after you use Process Explorer's VIEW menu, & Show Lower Pane submenu, + choose the Lower Pane View submenu option)...

    Then, once that's in place, start highlighting processes to examine in its left-hand side list pane... & once there, start looking @ the DLL view list pane below, & if you see ANY that you are not familiar with?

    You then search them online & most times, many of the "malware libs" & exe's are already known & you can simply "Freeze" (suspend) the parent process (halting it temporarily, doubtless via messaging it with HLT instructions or otherwise similar calls) & then, suspend said lib being used for malware control!

    Lastly/Finally, delete said bogus lib/dll or exe on disk (this is done because many/most times, when a lib's being called this way, it is not possible to otherwise delete said backing lib or exe file from disk, because executables "page back" to themselves upon pagefaulting, & when in use this way? They cannot be destroyed typically.)... apk
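As an added example (not part of the question or of any comment above), the following Python script automates the check this comment describes and the pattern the questioner saw in the router log: it parses `netstat -ano` output, drops LISTENING sockets and LAN peers, and groups the remaining high-port external peers by PID so the owning process can then be inspected in Process Explorer. The netstat lines, PIDs and addresses are constructed (documentation ranges), not a real capture.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of `netstat -ano` output on Windows; PIDs and peer
# addresses are made up (RFC 5737 documentation ranges), not a real capture.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.10:49152     192.168.1.1:80         ESTABLISHED     1324
  TCP    192.168.1.10:49204     192.0.2.15:443         ESTABLISHED     1324
  TCP    192.168.1.10:49201     203.0.113.77:6667      ESTABLISHED     2288
  TCP    192.168.1.10:49202     198.51.100.8:31337     ESTABLISHED     2288
  TCP    192.168.1.10:49203     198.51.100.9:44321     SYN_SENT        2288
  UDP    0.0.0.0:123            *:*                                    1100
"""

# proto, local, foreign, optional state (UDP rows have none), PID
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")

# RFC 1918, loopback, link-local and "this" network count as local; the
# documentation ranges used in the sample are deliberately NOT listed here.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]


def parse_netstat(text):
    """Return (proto, remote_ip, remote_port, state, pid) tuples from netstat -ano text."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # header or unparsable line
        proto, _local, remote, state, pid = m.groups()
        ip, _, port = remote.rpartition(":")
        if ip == "*" or port == "*":
            continue                      # UDP wildcard peer, nothing to attribute
        rows.append((proto, ip, int(port), state or "", int(pid)))
    return rows


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in LOCAL_NETS)


def suspicious_by_pid(rows, high_port=1024):
    """PID -> sorted external peers on high ports; LISTENING sockets and LAN peers ignored."""
    peers = defaultdict(set)
    for _proto, ip, port, state, pid in rows:
        if state == "LISTENING" or port < high_port or not is_external(ip):
            continue
        peers[pid].add((ip, port))
    return {pid: sorted(p) for pid, p in peers.items()}
```

On a live host, feed the script the text of `netstat -ano` and compare each flagged PID against the process and DLL view in Process Explorer; a PID with several distinct external high-port peers is the thing worth looking up.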