Slashdot Mirror


How Can I Tell If My Computer Is Part of a Botnet?

ashraya writes "My father (not too computer literate) has a desktop and a laptop both running Windows in his network back in Hyderabad, India. I set up a Linksys router for him to use with his broadband service. For some reason, he reset the config on the Linksys, and connected it up without wireless security, and also with the default admin password for some time. As you would expect, both of the Windows computers got 'slow,' and the desktop stopped connecting to the internet completely for some reason. As I logged in remotely to 'fix' things, I noticed on the Linksys' log that the laptop was making seemingly random connections to high-numbered ports on various IPs. I did an nslookup on the IPs to see that they were all either in Canada or US, with Comcast and other ISP addresses. Is that a sign that the computers were in a botnet? Are the other hosts part of the botnet too? (I have since rebuilt the Windows hosts, and these connections are not happening now. I have also secured the Linksys.)"

23 of 491 comments

  1. Well the only fool proof way... by ls671 · · Score: 5, Informative

    Well, the only foolproof way that I can envision is the following:

    1) Plug your father's computer into a HUB (not a switch, unless it has a special port for this usage)

    2) Plug the router into this HUB

    3) Plug a Linux machine into the HUB and use tcpdump to examine traffic.

    This is what security experts do.

    --
    Everything I write is lies, read between the lines.
    1. Re:Well the only fool proof way... by jspenguin1 · · Score: 5, Informative

      You can also use a host with two interfaces and set up bridging or routing with NAT. If you are running custom firmware you can do this straight on the router itself.

    2. Re:Well the only fool proof way... by ls671 · · Score: 5, Informative

      netstat could be modified not to report the botnet connections if you are owned, hence the foolproof solution.

      --
      Everything I write is lies, read between the lines.
    3. Re:Well the only fool proof way... by neowolf · · Score: 5, Informative

      The hard part nowadays (although maybe not a problem in India) is actually finding a HUB. It is very difficult to actually buy a hub anymore, and most "hubs" sold in the US anyway are actually low-end unmanaged switches, so you can't sniff traffic on them.

      In answer to the question though (I'm sure redundant at this point): YES, they are probably part of at least one bot-net, and are probably infected with all sorts of other nastiness. The best thing to do is re-secure the wireless router, and the all-too-often-recommended reformat and re-install of Windows. I wouldn't even try to salvage the current installs at this point.

    4. Re:Well the only fool proof way... by endikos · · Score: 5, Informative

      Or they use a "real" switch that has port mirroring, or a passive ethernet tap.

    5. Re:Well the only fool proof way... by iamhigh · · Score: 5, Funny

      Well the only fool proof way

      If that sentence doesn't end with "from orbit" and have "nuke it" in there somewhere it just isn't true!

      --
      No comprende? Let me type that a little slower for you...
    6. Re:Well the only fool proof way... by sofar · · Score: 5, Informative

      You don't need a HUB at all. Linux bridging allows you to use two ports on a system 'as a HUB', while still providing you with the ability to tcpdump a port on the bridge. You just add both interfaces to your bridge and stick the Linux bridge in between the real router and the infected machine. The only thing needed is a Linux system with 2 physical ethernet ports.

    7. Re:Well the only fool proof way... by Anonymous Coward · · Score: 5, Funny

      Did you know that both wireshark and tcpdump use libpcap? Wireshark has a pretty GUI, tcpdump is the command line version.

      Perhaps it would help if I explained that in video format.

      Captcha was "obvious", this is unnerving.

    8. Re:Well the only fool proof way... by Anonymous Coward · · Score: 5, Interesting

      I agree with your theory; however, in practice, a hacker clearly has several million low-hanging fruit running unpatched XP with antivirus that expired 60 days after the computer was purchased in 2006.

      The idea that a botnet is really going to worry about the fraction of a fraction of a percent that knows about netstat seems improbable, though obviously not impossible, which is why I agree with you in theory, but in practice netstat would probably answer his question when a hub and a Linux box are inconvenient. If someone has an example of a virus masking its connections through netstat I would both eat crow and be interested to hear it.

    9. Re:Well the only fool proof way... by jafiwam · · Score: 5, Interesting

      I don't have any links, but I personally cleaned a PC that had a trojan on it that used netstat hiding tricks. I found it accidentally by looking at files I couldn't delete in the temp folder (trojans often mess with the permissions to make clean-up less likely).

      The contents of the file were a text printout of the netstat command, re-created every fifteen or so seconds, MINUS the offending connections. Just by waiting and opening the file again I got new netstat info.

      Running the command showed the contents of the text file, not the actual output of netstat. I could see traffic going on using a packet sniffer elsewhere on the network, so I knew something was up.

      Eventually I just wiped and reinstalled anyway because it was faster than fighting it bit by bit.

      So, there are such things out there. Yeah, it doesn't make a whole lot of sense for them to spend much time on it, but a lot of that stuff is made from "kits" nowadays anyway, so it's not a big deal to enable the feature.

  2. Proof of Infection? Clean Reinstall by eldavojohn · · Score: 5, Informative

    As you would expect, both of the Windows computers got 'slow', and the desktop stopped connecting to the internet completely for some reason. As I logged in remotely to 'fix' things ...

    Quick question, how did you log into his desktop remotely if it "stopped connecting to the internet completely for some reason?"

    If all you did was reset the hosts file, it will be back sometime. Somewhere, probably in multiple places on that hard drive, is an executable waiting to be run. It's probably infected some inane-looking routine Windows system file that occasionally runs, and when that happens your hosts file will magically change again.

    I could recommend you do a netstat, but what's the point? Any botnet today would know how to elude that or run as part of a system routine. If the bot is serious enough, your best bet might be to save the data and just do a routine re-install. You know, on my parents' WinXP machine, I do that every time I'm home for Christmas. Then I patch it as far as I can over their 56k modem.

    Odds are high your dad's machine is still infected, and I would also suspect your machine as being potentially compromised if you connected using Windows Remote Desktop. Call me overly cautious, but I don't take chances with Windows.

    You can run all the programs you want (BotHunter, Symantec, AVG, Ad-Aware, etc.) but in the end there's no guarantee, although BotHunter's probably your best bet.

    The best thing to do is educate your dad. If he has a valid copy of Windows, spend time with him to show him how to go to IE and click Tools -> Update Windows then select all updates. Remind him periodically when you talk to him--especially if he does any banking or commerce online!

    --
    My work here is dung.
  3. Assume it is .. by Brigadier · · Score: 5, Interesting

    Overseeing a small office LAN, I've come to the conclusion that you will be infected whether you like it or not, regardless of how much you threaten users. I've resorted to using a drive image (Paragon) saved on a drive partition which saves the system in an uninfected state. As soon as a user goes 'uh oh' or complains of slowness I restore the image (keep in mind data is stored on a server which is backed up and scanned, on which no apps are allowed to run). I also run a combination of CCleaner, Spybot S&D and Windows Defender.

    In addition I check the network once a week for mail or ftp sockets ( evidence there is a bot net at work). So far this has been the easiest way to stay on top.

    1. Re:Assume it is .. by iron-kurton · · Score: 5, Insightful

      Just a quick question: how hard would it be to give your most malicious user an account named Administrator that was actually not an administrator?

      --
      Change is inevitable, except from a vending machine -- Robert C. Gallagher
    2. Re:Assume it is .. by QuantumRiff · · Score: 5, Interesting

      No! You do not put all your effort at one entry point. I have seen a company that was totally secure from the old "Code Red" virus because all the firewalls were updated, and public-facing servers were patched. The network guys blocked all the appropriate ports at the firewalls. Then a salesman came into the office from out at a client site, hopped on the network to check his email, and his laptop took out everyone.

      You need layers of defense, preferably from different vendors or makers.

      And really, this is Slashdot, why are you recommending Fortigate or ASA? You should be talking up Snort, or its commercial appliance version, Sourcefire.

      --
      What are we going to do tonight, Brain?
    3. Re:Assume it is .. by PsychoSlashDot · · Score: 5, Informative

      All great points, here are mine.

      1.) We are an architecture office which runs AutoCAD; the problem is this requires Power User group membership in order to run. (Also, on Windows, even without admin privs, malicious software can infect.)

      No, AutoCAD doesn't require Power User membership. What it requires is someone to spend a few minutes to adjust the system to allow it (and pretty much anything else) to run with User perms only. Do a Google search for Filemon and Regmon, formerly from SysInternals and now free Microsoft software. Run them (using RunAs, since these DO require admin rights) while your users have normal perms. Set them to only show you what ACAD.EXE does. When it craps out (and it will), search the logs for Access Denied. Manually add perms for Users Full Control to the folders and registry keys that it requires. This will take several passes, as the program will run better and better each time. Write down what you have to permit, so next time you install on a new machine you'll know what you need.

      Almost none of my hundreds of supported desktops allow users to have admin rights. The ones I'm not PERMITTED to spend the labour tend to get owned periodically. The non-admin systems don't. Really. Since Win2k's release I have yet to have even one system actually get infected. Light damage, yes. Infected, no.

      What... you think admins running Citrix or Terminal Servers just throw their hands up in the air and accept some lazy-ass vendor's word that their software NEEDS admin rights?

      --
      "Oh no... he found the .sig setting."
  4. If you suspect the router itself by Ilgaz · · Score: 5, Informative

    If I had that kind of suspicion, and if it was the router itself I was suspicious about, I would simply get the latest stable firmware for that particular model (be careful) and simply reinstall it over the router itself. It would be something like "format and install Windows"; I wouldn't really back up any settings in that case. Just make sure you know the ISP login and pwd. Make sure they work and they haven't been changed at any point, or you will end up speaking with Bangalore at 4 AM :)

    A simple, fast port scanner exists at http://www.grc.com/ (Shields Up!) which really works; ignore Mr. Gibson's weirdly named inventions like "nano scan" etc. What I know is, it works. Oh, also ignore its port 139 or "you aren't stealth" paranoia. 139 is a client port, and stealth would be good, but you won't really die if you have nothing served.

    For clients, don't reinvent the wheel. Nmap is there, free, and can run under Win32 if you need. http://nmap.org/download.html , some instructions exist for detecting current security threats, but I didn't really check since it is all OS X here; we have different issues than Win32.

  5. Re:Proof of Infection? Clean Reinstall by RetroGeek · · Score: 5, Informative

    Then I patch it as far as I can over their 56k modem.

    Get Autopatcher and update it from a CD BEFORE you connect it to anything.

    --
    - - - - - - - - - - -
    I am a programmer. I am paid to produce syntax not grammar. Deal with it.
  6. Re:See what is going on with NETSTAT by mkramer · · Score: 5, Funny

    This is windows. find == grep. Well, find < grep.

  7. Some Answers to the questions asked here... by ashraya · · Score: 5, Interesting

    A good many replies here - so I will answer a few questions that have been asked.

    1. For this time, I assumed the systems were owned, and they have now been rebuilt (Windows reinstalled).
    2. The Linksys is re-secured, but I hadn't thought of that being owned, so I have to now do a firmware upgrade on that. Thanks for the suggestion.
    3. Other suggestions are to confirm botnet or sniff traffic. I am in the UK, and I can only do so much remotely.
    4. One of the questions was how I managed to remote into the Windows hosts. No, I managed to remote into the Linksys, not the Windows hosts.
    5. The bizarre situation in the Windows host before it was rebuilt was that if we did (I told the commands over the phone for my dad to execute) ping or traceroute to a destination like www.google.co.in, it would work. It would resolve the right IP. However, with any of the browsers, as soon as access to a site was attempted, we would get a message "Connection Reset" or the browser's equivalent (Firefox, Chrome and IE tried). Has anyone seen that one before?
    6. Another question asked was if the Windows in question was legit. Yes, I bought him an OEM XP the last time I was there and installed it.

    Regards,
    Ashraya

  8. OS Check! by dandart · · Score: 5, Funny

    Q: How do I tell if my computer is part of a botnet?
    A: If it's got Windows on it, it is.

  9. Three things to look for. by sgt+scrub · · Score: 5, Informative

    If you are seeing netbios over tcp (port 445) traffic and he is not uploading/downloading files via the "My Network Places" interface he is most likely infected with a trojan.

    If you're seeing random high port to random high port traffic (ports 1024-65535 connecting to other ports 1024-65535) and he isn't doing P2P, then he most likely is infected, and the infection is trying to set up the machine as part of a bot net and trying to infect others.

    If you are seeing UDP traffic on a consistent port on his machine to random high ports (1024-65535) on the outside, his machine is an active server in a bot net.

    --
    Having to work for a living is the root of all evil.
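As an added example (not code from any poster in this thread), the Python script below applies sgt+scrub's three traffic patterns above to lines captured with tcpdump on the hub or Linux bridge that ls671 and sofar describe. It assumes `tcpdump -n` style output with IPv4 addresses; the sample capture, its addresses and the `min_udp_peers` threshold are constructed assumptions, not taken from the thread.

```python
import re
from collections import defaultdict

# Matches the "IP src.port > dst.port: ..." part of `tcpdump -n` output.
# Assumption: addresses are plain IPv4 with the port appended after a dot.
LINE_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (\S+)")

def parse(line):
    """Return (proto, src_ip, src_port, dst_ip, dst_port) or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    proto = "udp" if m.group(5).startswith("UDP") else "tcp"
    return proto, m.group(1), int(m.group(2)), m.group(3), int(m.group(4))

def classify(lines, host, min_udp_peers=3):
    """Flag the three patterns from the thread for traffic sent by `host`:
    TCP to port 445, TCP high port to high port, and UDP from one fixed
    source port to several random high ports.  Returns sorted tags."""
    findings = set()
    udp_peers = defaultdict(set)  # source port -> {(dst_ip, dst_port)}
    for line in lines:
        rec = parse(line)
        if rec is None or rec[1] != host:
            continue
        proto, _, sport, dip, dport = rec
        if proto == "tcp" and dport == 445:
            findings.add("smb-445-outbound")
        elif proto == "tcp" and sport >= 1024 and dport >= 1024:
            findings.add("high-to-high-tcp")
        elif proto == "udp" and dport >= 1024:
            udp_peers[sport].add((dip, dport))
    for sport, peers in udp_peers.items():
        if len(peers) >= min_udp_peers:  # threshold is an assumption
            findings.add("udp-fixed-src-%d-to-random-high" % sport)
    return sorted(findings)

# Constructed sample capture; 192.168.1.5 plays the suspect laptop.
SAMPLE = """\
12:00:01.000 IP 192.168.1.5.49321 > 203.0.113.7.445: Flags [S], length 0
12:00:01.100 IP 192.168.1.5.49322 > 198.51.100.9.80: Flags [S], length 0
12:00:02.000 IP 192.168.1.5.49323 > 203.0.113.20.6667: Flags [S], length 0
12:00:03.000 IP 192.168.1.5.53211 > 198.51.100.40.34567: UDP, length 60
12:00:03.100 IP 192.168.1.5.53211 > 198.51.100.41.40123: UDP, length 60
12:00:03.200 IP 192.168.1.5.53211 > 203.0.113.99.51234: UDP, length 60
12:00:04.000 IP 192.168.1.7.50000 > 198.51.100.9.443: Flags [S], length 0
""".splitlines()
```

Running `classify(SAMPLE, "192.168.1.5")` flags all three patterns for the suspect host, while the neighbour 192.168.1.7, which only talks to port 443, gets none; the rules are only as good as the "he isn't doing P2P / file sharing" caveat in the post above.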
  10. Re:See what is going on with NETSTAT by Zalbik · · Score: 5, Insightful

    The parent has find and grep confused, as far as I can tell.

    You have Windows and Linux confused, as far as I can tell.

  11. Re:Force a failover by billcopc · · Score: 5, Interesting

    Please don't make unverified claims. I have seen this happen first-hand on several residential switches (5/8 port Linksys/Acer/whatever). It's how they can get away with crapping 8 ports on an underpowered processor with piddly amounts of memory.

    There's basically 3 ways a switch can deal with ARP overload:

    1. Ditch the least recently seen address (annoying and laggy but relatively clean)
    2. Slow down, panic, and stop forwarding packets altogether (hello Linksys)
    3. Ignore ARP entirely and revert to being a dumb hub, at least temporarily until everyone shuts up

    You'd be surprised how many A+ asshats have daisy-chained those cheap switches to save a buck. I remember one guy who had a cage full of shitty old gear going into a bunch of $40 Aopen switches, because he figured it was cheaper to cram a few U's with those tiny 8-port toys than to drop real money on a bunch of FSM750s. His latency was pretty bad for 100mbit, but his brain was even slower so he cared not. Then one day he added one device too many and a true packet storm ensued, which caused his entire network to seize within minutes. One switch barfed, then another, and another... he had four or five of them per rack, times maybe ten racks. I tried to explain how retarded he was for trying to save maybe $1000 per rack, when each rack had at least 50k worth of gear, but they say ignorance is bliss.

    --
    -Billco, Fnarg.com