How Can I Tell If My Computer Is Part of a Botnet?
ashraya writes "My father (not too computer literate) has a desktop and a laptop both running Windows in his network back in Hyderabad, India. I set up a Linksys router for him to use with his broadband service. For some reason, he reset the config on the Linksys, and connected it up without wireless security, and also with the default admin password for some time. As you would expect, both of the Windows computers got 'slow,' and the desktop stopped connecting to the internet completely for some reason. As I logged in remotely to 'fix' things, I noticed on the Linksys' log that the laptop was making seemingly random connections to high-numbered ports on various IPs. I did an nslookup on the IPs to see that they were all either in Canada or US, with Comcast and other ISP addresses. Is that a sign that the computers were in a botnet? Are the other hosts part of the botnet too? (I have since rebuilt the Windows hosts, and these connections are not happening now. I have also secured the Linksys.)"
They're likely FUBAR. Burn your dad a Windows CD...
If your OS is OSX, linux, or some other variant of UNIX... you're not part of a botnet.
If your OS is Windows... you're hosed.
Thanks for the link.
I was appalled to see this prominently shown on the page you linked to. One of the adults (can you guess which one?) probably doesn't even know how to use a computer, and the other one obviously chooses her life partners like she chooses her operating systems.
R U a Redneck? Chances are you're in a botnet !!
Who is modding this insightful? The parent has find and grep confused, as far as I can tell.
If you are running Windows, you are part of a botnet. If you are running a real operating system, your system is clean. Simple, huh?
Or install one of the Agnitum Outpost family of security products. They allow you to monitor, log and lock-down all connections made, *per-process*. They monitor and block processes injecting components into other processes in an attempt to work around the communication lockdown and much more. You'll then have complete control over every aspect of the computer's operation - no longer will you be left wondering which process on the machine made the connection. Try it today!
This worked for me: Take a really sharp knife and carefully scrape away the insulation on a section of the wires between your computer and the router. I like to take some duct tape and make a closed loop with the sticky side out. I stick one side of the loop to a flat surface and then stick my wires to the exposed sticky side. This does a pretty good job of keeping the wires secure. You'll then need to develop a quark microscope capable of recording video (I had one but I misplaced it when I moved out of my old apartment). Aim the scope at the exposed wires and hit the record button (mine was red). Type out an email containing every possible character and send it through the wire as your control case. Use this data to translate the electron patterns in the video into discernible information. Monitor the video for several hours. If you see the word "girth" in any outgoing data, you can be pretty sure you've got yourself a bonafide (no pun intended) botnet. If you find a botnet in your system, all you need to do is cut the exposed wires and it won't be able to talk to the internets anymore.
"netstat -a | find "LISTENING"" - by (H)elix1 (231155) * on Thursday August 06, @05:08PM (#28978877) Homepage
Good idea, & I tend to use THIS commandline though:
netstat -an
OR
netstat -ano
Which will show ALL listening endpoints, inclusive of local ports and remote ones...
NOW, my point here? Don't trust netstat alone... because, like ANY application, it can be messaged or hooked (like what you see quite a few malwares nowadays do) to supply erroneous OR incomplete data...
Thus, I recommend some other tools, to supplement & doublecheck it: Those tools being -> TcpView from SysInternals (Dr. Mark Russinovich & Bryce Cogswell, & Microsoft owns them now)...
Another EXTREMELY USEFUL TOOL that sysinternals has, for the purposes of determining IF you are running ANY "weird programs", is their Process Explorer tool!
Process Explorer - it has several advantages over Windows' own native taskmanager, in that it can "break out" subordinate process lists under svchost.exe (what brokers libs/dlls run under it for various system services)... &, since many a malware today attempts to exploit that to hide from std. TaskManager? This program CAN "expose them", if they attempt to hide under svchost.exe... & then, it can also be extremely useful in DESTROYING said malware/botnet control executables as well (more on that in my P.S. below, as to details of the "how" of it, pretty easy to do).
APK
P.S.=> Process Explorer can produce a DLL View listing of a process' own subordinate libs/dlls called or other exe's brokered by it (after you use Process Explorer's VIEW menu, & Show Lower Pane submenu, + choose the Lower Pane View submenu option)...
Then, once that's in place, start highlighting processes to examine in its left-hand side list pane... & once there, start looking @ the DLL view list pane below, & if you see ANY that you are not familiar with?
You then search them online & most times, many of the "malware libs" & exe's are already known & you can simply "Freeze" (suspend) the parent process (halting it temporarily, doubtless via messaging it with HLT instructions or otherwise similar calls) & then, suspend said lib being used for malware control!
Lastly/Finally, delete said bogus lib/dll or exe on disk (this is done because many/most times, when a lib's being called this way, it is not possible to otherwise delete said backing lib or exe file from disk, because executables "page back" to themselves upon pagefaulting, & when in use this way? They cannot be destroyed typically.)... apk
Is it running Linux? Ubuntu? or any other open source? If the answer is yes, then your answer is yes. You see the above mentioned systems are compromised because of the "open source" (the bot-net was written in very early in the beginning of the "open source OS". There were a few of them who said HEY LOOK here, but were quickly shunned or black listed).. The "open source" of the OSes is the source of the botnet. It's the so called techies of the open source who are not smart enough to comprehend, or too ignorant to believe, who found other ways to "misdiagnose" the infections. Microsoft and Mac have already cleared most of the bot-nets they have access to. It's because of those who think they know computers and really only know how to use them that are too afraid to admit that the one thing they know most has been corrupted since conception. FACT the bot-net resides in the "open source" (and that's why they can't shut it down,, They can't find the source, as it's been in the "open source" from the get go.
See subject-line above, & thanks for the +1 mod up "interesting" too by the by...
ANYHOW/ANYWAYS:
The reason I noted using the -an (Windows 2000) &/or -ano (Windows XP/Windows Server 2003 & beyond), is because it yields not only the local & remote listening + connection soliciting ports used, BUT, also the APPLICATIONS USING THEM, process-by-process...
Which, in turn, lends itself to the tip/trick/technique I note in using Process Explorer on the offending process (even if it is a service, which many a malware attempt to "hide" underneath, as a svchost.exe brokered lib/dll, instead of a "full-blown independently running Win32 PE", which taskmgr.exe can see, but it cannot expose what is brokered beneath it (strangely though, it CAN do that for DOS-mode/charactermode/tty terminal console apps, beneath ntvdm.exe though)).
Thus, this combination of TcpView.exe + Process Explorer?
In other words - Well: Because it lists processes using ports (the -an/-ano switchwork on the netstat commandline)? IT saves time in using Process Explorer later because you have the process name (by "zeroing in" on the offending process affected (infected/infested is more like it)), even beneath svchost.exe (which again, brokers Windows' service daemons & is also unfortunately taken advantage of by malware makers using it to hide their machinations from std. taskmanager).
APK
P.S.=> And, once more, thanks for the mod up... to whoever did so! I hope you find the technique useful... apk
"Behold, readers of Slashdot. This is what you become if you're an anti-social stupid fuck no girl would want to touch with a 10-foot pole." - by Anonymous Coward on Saturday August 08, @02:11AM (#28994137)
That's funny - 100's of women would say otherwise, over time... &, I'd lay off on the profanity: It's allowing YOUR "TRUE COLORS" to show through here... lol!
----
"You post "achievements" from over 10 years ago, in IT nonetheless" - by Anonymous Coward on Saturday August 08, @02:11AM (#28994137)
You obviously are dyslexic or have ADD/ADHD: The latest one was from 2008, & many are in the range from there back to 1996/1997... &, @ least I have them, 10 of them, as appearances in written respected publications in this field/art & science of computing... NOW, again, I will ask - do you &/or can YOU produce such a list to your credit in the science of computing?
(REPEATING IT, since you "skimmed over" the last time I asked - I am asking that AGAIN of you, do you?? No, clearly, you do not.)
----
"and you quote bullshit from fantasy books while brainlessly ignoring the topic at hand and flooding people with your quack knowledge." - by Anonymous Coward on Saturday August 08, @02:11AM (#28994137)
That's funny, but, I have over 120++ or so "mod ups" ranging from +1 (which is harder on us AC's, considering we start @ zero), up thru +5 max, as INSIGHTFUL, INTERESTING, etc. et al... so, that "said & aside" - would you like me to produce that list here? Just ask!
(Opinions on this note, thus, clearly vary).
----
"I bet 10 dollars the single mod point you got was from your main account and you shizo even thank yourself." - by Anonymous Coward on Saturday August 08, @02:11AM (#28994137)
LOL, giving away YOUR OWN "Modus Operandi"?
----
"Cry yourself to sleep on your cock-shaped pillow you human waste" - by Anonymous Coward on Saturday August 08, @02:11AM (#28994137)
LOL, no, instead... after this? LMAO, I will laugh myself to sleep... laughing @ YOU!
APK
P.S.=> Sorry readers, I have a "fan club" of stalkers online, & this is clearly one of them... it's NOT my fault they forget to take their meds! apk