How do you detect a botnet? Impossible, right?
in [Anti-Virus]
|
From: RayLopez99 on 18 Feb 2010 18:31 On Feb 19, 1:20 am, ASCII <m...(a)privacy.net> wrote: > RayLopez99 wrote: > > >Either that or the viruses are too slick. For example, I've often > >thought (being a programmer myself) how easy it would be to create a > >button that looks like a "close X" at the upper right hand corner of > >the window, and when you click on it, it activates something. > > That would also intercept an [alt+F4] entry? > -- Well that's a slick workaround that escaped me. You're right in that software cannot (at the Windows level) easily effect the keyboard-- I've tried and it's not possible. Probably on purpose by MSFT as a security precaution. You can read keys depressed of course, but manipulating the keyboard so that ALT+F4 will do something other than close the window is nigh impossible, at least using the tools provided to you by Visual Studio IDE, and therefore for most programs written for Windows (Forms, WPF, Silverlight, ASP, etc). RL
From: FromTheRafters on 18 Feb 2010 19:43 "RayLopez99" <raylopez88(a)gmail.com> wrote in message news:f8f580d8-7bef-4411-ac0e-e30019cc0124(a)o30g2000yqb.googlegroups.com... On Feb 18, 10:57 pm, "FromTheRafters" <erra...(a)nomail.afraid.org> wrote: > *** > It is hard for an outstanding virus detection engine to stand out when > it is additionally expected to not only detect non-replicating malware > samples, but clean-up after the fact of infestation. Your choices of > protection should address you choices of behavior. Personally, I > wouldn't base my choice of AV on its clean-up capabilities - it's like > choosing a bodyguard based on his EMT skills. > > Instead, adhere to strict policies and you can restrict the window of > opportunity for most kinds of malware (trusted downloads only (most > trojans), frequent software updates (exploit based worms)) and your > on-access antivirus will probably never see anything viral to alert > on. > *** Either that or the viruses are too slick. For example, I've often thought (being a programmer myself) how easy it would be to create a button that looks like a "close X" at the upper right hand corner of the window, and when you click on it, it activates something. *** It's being done. Some scripted messagebox with a "Yes", "No", "Cancel" and an "X" in the corner - all of which act like "Yes". I've even heard of some that get a "Yes" from right clicking the task bar icon and choosing the "X" though I can't confirm this. Most times it is recommended to use TaskMan to end the process or application generating the messagebox. ***
From: RayLopez99 on 19 Feb 2010 12:55 On Feb 19, 12:38 pm, sfdavidka...(a)yahoo.com (David Kaye) wrote: > RayLopez99 <raylope...(a)gmail.com> wrote: > >So the question arises, if 'up to a quarter of all PCs are infected by > >botnets' (see Wiki above), [....] > > I think that's a wrong assumption. The only computers I see (besides the > occasional HD or video card replacement) are those with malware problems, and > I see very few bots. Mostly I see adware. > > Now I did have a situation a year ago where a mail server from a frozen food > company in the Midwest kept hitting my home router. It was a new router, so > best I could determine was that the DHCP address I got with the new router had > belonged to someone the bot was trying to hit. > > As to how to detect, you need a port scanner to look at your connections. > Also, Zone Alarm is an interesting firewall in that it will warn you about > each incoming or outgoing connection attempt that you haven't authorized. Very interesting. My definition of botnet: I assumed it was a server that inserted a virus into your computer (the client). So if you don't have the virus on your machine, you are not part of a botnet. The Wiki article of 25% is an exaggeration then, noted. RL
From: FromTheRafters on 19 Feb 2010 15:31 "RayLopez99" <raylopez88(a)gmail.com> wrote in message news:7688778b-0245-49d4-ab17-aebb92c2ddb9(a)15g2000yqi.googlegroups.com... On Feb 19, 12:38 pm, sfdavidka...(a)yahoo.com (David Kaye) wrote: > RayLopez99 <raylope...(a)gmail.com> wrote: > >So the question arises, if 'up to a quarter of all PCs are infected > >by > >botnets' (see Wiki above), [....] > > I think that's a wrong assumption. The only computers I see (besides > the > occasional HD or video card replacement) are those with malware > problems, and > I see very few bots. Mostly I see adware. *** That's probably because 88% of all PCs harbor adware. :oD (that 88% is just a wild guess BTW) *** Very interesting. My definition of botnet: I assumed it was a server that inserted a virus into your computer (the client). So if you don't have the virus on your machine, you are not part of a botnet. *** It is best not to use the term "virus" as the all encompassing term for malware, use the term malware instead. Usually, it is a "trojan" getting executed on the machine that gives you the "bot" that makes you a participant in the "botnet". A "trojan" is a non-replicating malware program in this sense. Often, in the lifecycle of a botnet, an exploit based "worm" will be used to help distribute the malware to new territories (Conficker) - in this sense, it is a virus (or worm) ... until it goes back to being just a bot (which is bad enough in itself). ***
From: David H. Lipman on 19 Feb 2010 17:16
From: "RayLopez99" <raylopez88(a)gmail.com> | Very interesting. My definition of botnet: I assumed it was a server | that inserted a virus into your computer (the client). So if you | don't have the virus on your machine, you are not part of a botnet. | The Wiki article of 25% is an exaggeration then, noted. | RL NO ! A botnet is a group of infected computers (via virus or trojan) that are controlled by a central operator(s) where the Command and Control (Aka; C&C or C2) tells the 'bots what to do and and how to act. There are botnets that perform spam. There are botnets that perform a DDoS on specified sites. Botnets in whole or in part can be bought, sold or leased. -- Dave http://www.claymania.com/removal-trojan-adware.html Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp |