How Can I Tell If My Computer Is Part of a Botnet?
ashraya writes "My father (not too computer literate) has a desktop and a laptop both running Windows in his network back in Hyderabad, India. I set up a Linksys router for him to use with his broadband service. For some reason, he reset the config on the Linksys, and connected it up without wireless security, and also with the default admin password for some time. As you would expect, both of the Windows computers got 'slow,' and the desktop stopped connecting to the internet completely for some reason. As I logged in remotely to 'fix' things, I noticed on the Linksys' log that the laptop was making seemingly random connections to high-numbered ports on various IPs. I did an nslookup on the IPs to see that they were all either in Canada or US, with Comcast and other ISP addresses. Is that a sign that the computers were in a botnet? Are the other hosts part of the botnet too? (I have since rebuilt the Windows hosts, and these connections are not happening now. I have also secured the Linksys.)"
Well, the only foolproof way that I can envision is the following:
1) Plug your father's computer into a HUB (not a switch, unless it has a special port for this usage)
2) Plug the router into this HUB
3) Plug a Linux machine into the HUB and use tcpdump to examine traffic.
This is what security experts do.
Everything I write is lies, read between the lines.
As you would expect, both of the Windows computers got 'slow', and the desktop stopped connecting to the internet completely for some reason. As I logged in remotely to 'fix' things ...
Quick question, how did you log into his desktop remotely if it "stopped connecting to the internet completely for some reason?"
If all you did was reset the hosts file, it will be back sometime. Somewhere, probably in multiple places on that hard drive, is an executable waiting to be run. It's probably infected some inane-looking routine Windows system file that occasionally runs, and when that happens your hosts file will magically change again.
I could recommend you do a netstat but what's the point? Any botnet today would know how to elude that or run as part of a system routine. If the bot is serious enough, your best bet might be to save the data and just do a routine re-install. You know, on my parents' WinXP machine, I do that every time I'm home for Christmas. Then I patch it as far as I can over their 56k modem.
Odds are high your dad's machine is still infected and I would also suspect your machine as being potentially compromised if you connected using Windows remote desktop. Call me overly cautious but I don't take chances with Windows.
You can run all the programs you want (BotHunter, Symantec, AVG, AdAware, etc.) but in the end there's no guarantee, although BotHunter's probably your best bet.
The best thing to do is educate your dad. If he has a valid copy of Windows, spend time with him to show him how to go to IE and click Tools -> Update Windows then select all updates. Remind him periodically when you talk to him--especially if he does any banking or commerce online!
My work here is dung.
Overseeing a small office LAN, I've come to the conclusion that you will be infected whether you like it or not, regardless of how much you threaten users. I've resorted to using a drive image (Paragon) saved on a drive partition which saves the system in an uninfected state. As soon as a user goes 'uh ooh' or complains of slowness I restore the image (keep in mind data is stored on a server which is backed up and scanned, on which no apps are allowed to run). I also run a combination of CCleaner, Spybot S&D and Windows Defender.
In addition I check the network once a week for mail or ftp sockets ( evidence there is a bot net at work). So far this has been the easiest way to stay on top.
Fire up a command prompt and type
netstat -a | find "LISTENING"
to find out what ports your system is listening on. Running the netstat command will give you all the traffic. It should give you a good idea as to what is happening. (It helps to close all of your 'normal' apps.)
+++ UGUCAUCGUAUUUCU
If I had that kind of suspicion and if it was the router itself I was suspicious about, I would simply get the latest stable firmware for that particular model (be careful) and simply reinstall it over the router itself. It would be something like "format and install Windows"; I wouldn't really back up any settings in that case. Just make sure you know the ISP login and password. Make sure they work and they haven't been changed at any point, or you will end up speaking with Bangalore at 4 AM :)
A simple, fast port scanner exists at http://www.grc.com/ (Shields Up!) which really works; ignore Mr. Gibson's weirdly named inventions like "nano scan" etc. What I know is, it works. Oh, also ignore its port 139 or "you aren't stealth" paranoia. 139 is a client port and stealth would be good, but you won't really die if you have nothing served.
For clients, don't reinvent the wheel. NMAP is there, free, and can run under win32 if you need. http://nmap.org/download.html , some instructions exist for detecting current security threats but I didn't really check since it is all OS X here; we have different issues than win32.
What it really means is that your dad is a part of an international crime ring and he really is a cracker, without your knowledge. He just felt that you did not have a clue so allowed you to play with his computer.
I prefer the "u" in honour as it seems to be missing these days.
The RUBotted tool does a pretty decent job of detecting most botted computers. Have your dad download it here:
http://www.trendsecure.com/portal/en-US/tools/security_tools/rubotted
You could also look for his system on the dronebl:
http://dronebl.org/
Good luck!
Get Autopatcher and update it from a CD BEFORE you connect it to anything.
- - - - - - - - - - -
I am a programmer. I am paid to produce syntax not grammar. Deal with it.
It makes remarks about wanting to try other operating software. It's unusually concerned about antivirus protection. Plug and Play only works with force-feedback devices. It makes unusually long "hand-shakes" with the email server. It accuses you of installing spyware. It asks you to run your network scans in promiscuous mode. It tells you that its mainframe never liked you.
Doesn't work in my already-compromised computer running XP.
FTFY
Now that I think about it, I'm pretty sure everything I just said is completely wrong.
For a suspicion? Good luck with that.
A good many replies here - so I will answer a few questions that have been asked.
1. For this time, I assumed the systems were owned, and they have now been rebuilt (Windows reinstalled).
2. The Linksys is re-secured - but I hadn't thought of that being owned - so I have to now do a firmware upgrade on that - thanks for the suggestion.
3. Other suggestions are to confirm botnet or sniff traffic - I am in the UK, and I can only do so much remotely.
4. One of the questions was how I managed to remote into the Windows hosts - no, I managed to remote into the Linksys, not the Windows hosts.
5. The bizarre situation in the Windows host before it was rebuilt was that if we did (I told the commands over the phone for my dad to execute) ping or traceroute to a destination like www.google.co.in, it would work. It would resolve the right IP. However, with any of the browsers, as soon as access to a site was attempted, we would get a message "Connection Reset" or the browser's equivalent. (Firefox, Chrome and IE tried.) Has anyone seen that one before?
6. Another question asked was if the Windows in question was legit - yes, I bought him an OEM XP the last time I was there and installed it.
Regards,
Ashraya
I remember from my Sun Solaris 8 network or sys admin class that they said the system will automatically configure itself as a gateway between two network cards. When my son gets old enough to start surfing on his own, it's what I intend to do. I've got an old Solaris 8 machine on an Ultra 10. I can put it out in the garage (next to the cable modem) and have it be a physical hop between the cable modem and Dual Band WiFi router.
Slashdot is doing tech-support for India now?
Some chick named Alanis is calling you subby.
Q: How do I tell if my computer is part of a botnet?
A: If it's got Windows on it, it is.
If you are seeing netbios over tcp (port 445) traffic and he is not uploading/downloading files via the "My Network Places" interface he is most likely infected with a trojan.
If you're seeing random high port to random high port traffic (ports 1024 - 65535 connecting to other ports 1024-65535) and he isn't doing P2P, then he most likely is infected and the infection is trying to set up the machine as part of a bot net and trying to infect others.
If you are seeing UDP traffic on a consistent port on his machine to random high ports (1024-65535) on the outside, his machine is an active server in a bot net.
Having to work for a living is the root of all evil.
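A defender-side check for the three traffic patterns this post describes, added here as an example (not from the original thread); the log line format, the IP addresses and the `min_peers` threshold are constructed assumptions, and port 445 is treated exactly as the post states it.

```python
from collections import defaultdict

# Constructed sample lines (not a real Linksys log): "proto src_ip:src_port dst_ip:dst_port"
SAMPLE_LOG = """\
tcp 192.168.1.10:49152 203.0.113.5:445
tcp 192.168.1.10:49153 203.0.113.6:445
tcp 192.168.1.10:51234 198.51.100.7:6881
tcp 192.168.1.10:51235 198.51.100.8:33421
tcp 192.168.1.10:51236 198.51.100.9:27000
tcp 192.168.1.10:51237 198.51.100.10:45001
udp 192.168.1.10:6000 198.51.100.11:40000
udp 192.168.1.10:6000 198.51.100.12:51000
udp 192.168.1.10:6000 198.51.100.13:60000
udp 192.168.1.10:6000 198.51.100.14:35000
tcp 192.168.1.10:49200 93.184.216.34:443
"""

HIGH = range(1024, 65536)   # the post's "random high port" range


def parse(line):
    proto, src, dst = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return proto, sip, int(sport), dip, int(dport)


def classify(log_text, host, min_peers=3):
    """Apply the post's three heuristics to outbound flows from `host`.

    Returns {heuristic: [(remote_ip, remote_port), ...]}; an empty list means no match.
    min_peers is an assumed threshold so a single stray connection does not raise a finding.
    """
    findings = {"smb_445": [], "high_to_high": [], "udp_fixed_src": []}
    high_to_high, udp_by_sport = [], defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        proto, sip, sport, dip, dport = parse(line)
        if sip != host:
            continue
        if proto == "tcp" and dport == 445:
            findings["smb_445"].append((dip, dport))      # heuristic 1: port 445 to outside hosts
        elif proto == "tcp" and sport in HIGH and dport in HIGH:
            high_to_high.append((dip, dport))             # candidate for heuristic 2
        elif proto == "udp" and dport in HIGH:
            udp_by_sport[sport].append((dip, dport))      # candidate for heuristic 3
    # Heuristic 2 fires only on a spread of distinct remote hosts, not one P2P-like session.
    if len({dip for dip, _ in high_to_high}) >= min_peers:
        findings["high_to_high"] = high_to_high
    # Heuristic 3: one fixed UDP source port talking to many different random high ports.
    for flows in udp_by_sport.values():
        if len({dport for _, dport in flows}) >= min_peers:
            findings["udp_fixed_src"].extend(flows)
    return findings
```

Run `classify(SAMPLE_LOG, "192.168.1.10")` on a real export after normal P2P or gaming traffic has been ruled out, since both produce the same high-to-high shape.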
You've rebuilt the windows machines? So, now you can not at all be sure if they were part of a botnet or not.
Chances are they were, and you've done the right thing by rebuilding them.
I think the details about the router with its default password and no wireless security is a red herring - I've not heard of a botnet that tries to get into your network by guessing standard admin passwords for common wireless routers. More likely it was a drive-by download from a dodgy web page, or a trojan in some downloaded software that put the malware on the machines.
Specialist Mac support for creative pros, Melbourne
Please don't make unverified claims. I have seen this happen first-hand on several residential switches (5/8 port Linksys/Acer/whatever). It's how they can get away with crapping 8 ports on an underpowered processor with piddly amounts of memory.
There's basically 3 ways a switch can deal with ARP overload:
1. Ditch the least recently seen address (annoying and laggy but relatively clean)
2. Slow down, panic, and stop forwarding packets altogether (hello Linksys)
3. Ignore ARP entirely and revert to being a dumb hub, at least temporarily until everyone shuts up
You'd be surprised how many A+ asshats have daisy-chained those cheap switches to save a buck. I remember one guy who had a cage full of shitty old gear going into a bunch of $40 Aopen switches, because he figured it was cheaper to cram a few U's with those tiny 8-port toys than to drop real money on a bunch of FSM750s. His latency was pretty bad for 100mbit, but his brain was even slower so he cared not. Then one day he added one device too many and a true packet storm ensued, which caused his entire network to seize within minutes. One switch barfed, then another, and another... he had four or five of them per rack, times maybe ten racks. I tried to explain how retarded he was for trying to save maybe $1000 per rack, when each rack had at least 50k worth of gear, but they say ignorance is bliss.
-Billco, Fnarg.com
Sounds like Dad, if that's even his real name, knows more about computers than he is pretending to.
He is clearly torrenting, and your best course of action would be to report his nefarious actions to the authorities.
While we are on a topic of security:
Several months ago I started using Debian as my primary OS at home. I am very happy with it, but don't know much about how to keep it secure or how to tell if I had been compromised. Of course very basics are clear: I do not use root except in those instances of updates, etc. The consensus on this site is that if you run Linux then you are invincible, but I respectfully disagree. The system is only as secure as the competence of the user.
To cut the long story short:
- What do you normally do to make sure that your Linux system is clean? Is running apt-get upgrade regularly enough or is there more to it?
- What articles or books would you recommend to a newbie in this area? I am fully willing to RTFM as such, but please at least give me at least some direction on what to search for.
- Any other general tips, advice or wisdom you would be willing to share?
Thank you
It comes with a logo; looks like a window. :)
--- For a good time mail uce@ftc.gov
If you are going to fart around that much, you might as well build a new install CD with SP3 slipstreamed in and the most recent hotfixes set to run on install:
http://www.nliteos.com/guide/part1.html
I have built such a CD from the I386 folder on my hard drive (my laptop came with a recovery partition, not a CD) and successfully installed it into a virtual machine.
Nerd rage is the funniest rage.
... and now imagine I chose 'Plain text'
c:\>netstat -b
Your computer is fine.
c:\>
Sweet!
If the bogus netstat (and other utilities) are already part of the rootkit the skript ciddey downloaded, it doesn't cost the skript ciddey any more effort, and is even less likely to be noticed than strange output in netstat.
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
That's rather unfounded; it's not undefined behavior, and it's well understood. The simple fact is cheap switches have such a small CAM table available that they can be filled up even in normal operation. It doesn't take very many packets per second or very many kilobytes per second to keep the table filled up, just frames with unique MAC addresses.
Even large expensive switches can have their CAM tables filled up, and they do the same thing (but the admin has more controls to stop it).
When an Ethernet frame arrives that has a destination MAC address not in the table, the switch will send the frame out all ports except the source port.
In normal operation, every received Ethernet frame is inspected; if the source MAC address is not in the table, and there's room in the table, then it is added. If there is no place to store the new CAM entry, it's not stored, and the MAC address remains unknown.
Similarly, old entries in the table will get removed (usually after about 5 minutes, if no more frames have been received from that source).
When a switch receives a frame, and there is no CAM entry for the destination MAC address, the switch has to send every such frame received out all ports, because it doesn't know the right destination.
Ergo, if the CAM table has been flooded, the flood is sustained, AND the MAC address whose traffic you want to sniff is not in the table, then all other ports will receive the traffic they send.
It is true that it's dependent on how much memory the switch has.
There is another layer 2 attack called "ARP Injection" which is more reliable in this regard, especially when combined with CAM flooding.
However, ARP injection is easily detected by the security concerned just by watching system logs, and there are tools to easily detect it.
CAM flooding is harder, especially if the data sent in the Ethernet frame isn't a valid IP payload, they can be constructed in such a way that many ordinary packet sniffers will not detect the CAM flooding.
The security concerned use SNMPv3 managed switches that allow forwarding table monitoring and a network management station that can detect such incidents.
It's true devices can do those things, and yeah, you would certainly need to test before trying flooding as a solution. (1) and (3) are really the only proper choices.
(2) is definitely a defect in the device, that the manufacturer should fix. I equate it to a hard drive running out of disk space, and deciding to shut itself off, instead of reporting an error when you try to write past the end of the disk.
But I suppose he did say it was a cheap switch, and sometimes, you really do get what you pay for.
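A small model of the learning-switch behaviour the posts above describe (bounded CAM table, source learning, ageing, flood on unknown destination) together with the saturation check a monitoring station would alarm on. This is an added illustration, not code from the thread; the MAC labels, port numbers, capacity of 8 and 300-second age limit are constructed assumptions, and real switches differ in details such as hashing and port-security features.

```python
from collections import OrderedDict


class LearningSwitch:
    """Bounded CAM table: learn sources, forward to known ports, flood unknowns."""

    def __init__(self, ports, capacity, age_limit=300):
        self.ports = set(ports)
        self.capacity = capacity
        self.age_limit = age_limit  # seconds; the post cites roughly 5 minutes
        self.cam = OrderedDict()    # mac -> (port, last_seen)
        self.learn_failures = 0     # frames whose source could not be stored

    def forward(self, in_port, src, dst, now):
        """Return the set of egress ports for one frame."""
        for mac in [m for m, (_, seen) in self.cam.items() if now - seen > self.age_limit]:
            del self.cam[mac]                       # age out idle entries
        if src in self.cam or len(self.cam) < self.capacity:
            self.cam[src] = (in_port, now)          # learn or refresh the source
        else:
            self.learn_failures += 1                # table full: source stays unknown
        if dst in self.cam:
            return {self.cam[dst][0]}               # known destination: one port
        return self.ports - {in_port}               # unknown: flood all other ports

    def saturated(self):
        """What an NMS polling the forwarding table would alarm on."""
        return len(self.cam) >= self.capacity and self.learn_failures > 0


def demo():
    """Hosts A (port 1) and B (port 2); port 3 is where the extra traffic arrives. Constructed MACs."""
    sw = LearningSwitch(ports=[1, 2, 3, 4], capacity=8)
    sw.forward(1, "A", "B", now=0)                  # B unknown, flooded
    sw.forward(2, "B", "A", now=1)                  # A learned, unicast to port 1
    normal = sw.forward(1, "A", "B", now=2)         # both known: {2}
    ok_before = not sw.saturated()
    # Six frames with unique sources on port 3 fill the table to capacity.
    for i in range(6):
        sw.forward(3, f"F{i}", "X", now=10 + i)
    # 300 s later A and B age out; eight fresh sources on port 3 keep the table full.
    for i in range(8):
        sw.forward(3, f"F{i}", "X", now=310 + i)
    sw.forward(2, "B", "A", now=320)                # B cannot be re-learned: table is full
    flooded = sw.forward(1, "A", "B", now=321)      # B unknown again: {2, 3, 4}, port 3 included
    return {"normal": normal, "flooded": flooded,
            "saturated": sw.saturated(), "ok_before": ok_before}
```

The `saturated()` check is the defender's side of the post's point: a table pinned at capacity with learning failures is the signal to watch for on a managed switch, long before any host notices slowness.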
I've read this entire thread and learned that it's impossible to tell if your computer is part of a botnet.
--I'm so big, my sig has its own sig.
-- See?
Download and install Wireshark from http://www.wireshark.org/
Fire it up and watch everything on the NIC
---- "Logoff! That cookie shit makes me nervous!" - A. Soprano
There are some very inexpensive UPS-enabled power strips today. APC makes a bunch. Just pick one up and make sure only your hardware router/firewall and hubs (if you use them) are plugged into it. With that light of a load, they will run longer than a larger UPS hooked up to your monitor and tower PC. Let's face it, if the power is out more than 30 minutes today, most home UPSs will run out of battery power before the smaller one dedicated to the modem and router/firewall. At least that has been my experience.
I put larger UPS hardware next to my primary work tower and (servers + big screen TV) and put a smaller less expensive UPS for my routers, modem, hubs. In the last two years I lost power for longer than 30 minutes only once. It was a no brainer shutting down everything before the UPS battery was completely depleted.
I was able to watch a 42 inch TV for 20 minutes before I had to turn it off, because the power did not come back on. So it is a pretty big UPS for a home. At least I do not have to worry about brown outs any more. The lights blink, no worries.
I turned the larger one off about 10 - 15 minutes before the smaller one keeping the modems and router/firewall hardware up ran out of juice. (I had a firewall/router, dumb hub and cable modem on that one smaller UPS, no problems and nothing else.)