From: FromTheRafters on 19 Feb 2010 17:33

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:hln2k302cmr(a)news3.newsguy.com...
> From: "RayLopez99" <raylopez88(a)gmail.com>
>
> | Very interesting. My definition of botnet: I assumed it was a server
> | that inserted a virus into your computer (the client). So if you
> | don't have the virus on your machine, you are not part of a botnet.
>
> | The Wiki article of 25% is an exaggeration then, noted.
>
> | RL
>
> NO !
>
> A botnet is a group of infected computers (via virus or trojan) that are controlled by a
> central operator(s) where the Command and Control (Aka; C&C or C2) tells the 'bots what to
> do and how to act.
>
> There are botnets that perform spam.
>
> There are botnets that perform a DDoS on specified sites.

Did you leave out folding protein math and looking for E.T. on purpose? :oD

Did Wiki?

From: RayLopez99 on 20 Feb 2010 19:42

On Feb 20, 12:33 am, "FromTheRafters" <erra...(a)nomail.afraid.org> wrote:
> "David H. Lipman" <DLipman~nosp...(a)Verizon.Net> wrote in
> > There are botnets that perform spam.
>
> > There are botnets that perform a DDoS on specified sites.
>
> Did you leave out folding protein math and looking for E.T. on purpose?
> :oD
>
> Did Wiki?

I think that's the key. Any client in a server is potentially a "botnet", broadly defined. So the Wiki stat is probably a 'high' number.

RL

From: FromTheRafters on 20 Feb 2010 20:23

"RayLopez99" <raylopez88(a)gmail.com> wrote in message news:e67c54de-2ada-40dc-a4c1-2185c7c707f3(a)upsg2000gro.googlegroups.com...
On Feb 20, 12:33 am, "FromTheRafters" <erra...(a)nomail.afraid.org> wrote:
> "David H. Lipman" <DLipman~nosp...(a)Verizon.Net> wrote in
> > There are botnets that perform spam.
>
> > There are botnets that perform a DDoS on specified sites.
>
> Did you leave out folding protein math and looking for E.T. on
> purpose?
> :oD
>
> Did Wiki?

I think that's the key. Any client in a server is potentially a "botnet", broadly defined. So the Wiki stat is probably a 'high' number.

*** I was only joking about wiki. Since the word "infected" was used, it is clear that they were writing about bots that run on stolen computing power. ***

From: David Kaye on 20 Feb 2010 21:09

"FromTheRafters" <erratic(a)nomail.afraid.org> wrote:
>I think that's the key. Any client in a server is potentially a
>"botnet", broadly defined. So the Wiki stat is probably a 'high'
>number.

But only if it is being controlled by a server. A good portscan or the warning messages from a firewall such as ZoneAlarm would show immediately whether a computer was acting as a bot or not.

Shut down any browsers, Outlook, etc., go away for 10 minutes. Run the portscan and see what dot-quad addresses are being accessed. Should only be your router and maybe Apple (if you've installed iTunes or QuickTime) and maybe Adobe if you have an Adobe product, etc. A good port scanner will resolve the addresses for you and tell you what your connections are looking at. If some dot-quads don't resolve to domain names or the domain name ends in .ch (China), .ru (Russia), .pl (Poland), etc., then you're in trouble. You likely have a bot.

As I said earlier, very few of my malware customers have these, which is why I dispute the 88% or 92% or whatever figures. I'm just not seeing many of them.

I suspect that most of this bot activity is taking place not on the majority of home computers but on computers people don't look at very often such as web servers, mail servers, etc.

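The idle-connection check described in the post above, as an added example (not part of the thread and not any poster's code): it parses `netstat -n` style output and sorts each remote peer by whether its address reverse-resolves and whether the name belongs to a vendor the user expects. The sample output, the reverse-DNS table and the names `triage`, `suspicious` and `expected_suffixes` are constructed for illustration.

```python
import re

# Constructed sample: `netstat -n` style output from an idle Windows PC.
# Public addresses are documentation ranges (RFC 5737), not real hosts.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.20:49712     192.168.1.1:80         ESTABLISHED
  TCP    192.168.1.20:49720     198.51.100.7:443       ESTABLISHED
  TCP    192.168.1.20:49731     203.0.113.45:6667      ESTABLISHED
  TCP    192.168.1.20:49733     203.0.113.99:8080      SYN_SENT
  TCP    127.0.0.1:5354         127.0.0.1:49690        ESTABLISHED
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
"""

# Constructed reverse-DNS answers so the example runs offline. On a live
# machine, pass a resolver built on socket.gethostbyaddr() instead.
SAMPLE_PTR = {
    "198.51.100.7": "updates.vendor.example",
    "203.0.113.99": "host99.isp.example",
}

ROW = re.compile(r"^\s*TCP\s+\S+\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+(\S+)\s*$")

def triage(netstat_text, resolve, expected_suffixes,
           local_prefixes=("127.", "192.168.")):
    """Label each remote TCP peer: local, expected, review or unresolved."""
    findings = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m or m.group(3) == "LISTENING":
            continue                    # header rows and listening sockets
        ip, port = m.group(1), int(m.group(2))
        name = resolve(ip)
        if ip.startswith(local_prefixes):
            verdict = "local"           # loopback or the router
        elif name is None:
            verdict = "unresolved"      # no reverse DNS: check this first
        elif name.endswith(tuple(expected_suffixes)):
            verdict = "expected"        # updater for software you installed
        else:
            verdict = "review"          # resolves, but not to a known vendor
        findings.append((ip, port, name, verdict))
    return findings

def suspicious(findings):
    """Peers that still need an explanation after the idle check."""
    return [f for f in findings if f[3] in ("unresolved", "review")]
```

Write each expected suffix with a leading dot (for example `.vendor.example`) so that a look-alike name ending in `vendor.example` without the dot boundary does not count as expected.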
From: RayLopez99 on 21 Feb 2010 06:57

On Feb 21, 4:09 am, sfdavidka...(a)yahoo.com (David Kaye) wrote:
> "FromTheRafters" <erra...(a)nomail.afraid.org> wrote:
> >I think that's the key. Any client in a server is potentially a
> >"botnet", broadly defined. So the Wiki stat is probably a 'high'
> >number.
>
> But only if it is being controlled by a server. A good portscan or the
> warning messages from a firewall such as ZoneAlarm would show immediately
> whether a computer was acting as a bot or not.
>
> Shut down any browsers, Outlook, etc., go away for 10 minutes. Run the
> portscan and see what dot-quad addresses are being accessed. Should only be
> your router and maybe Apple (if you've installed iTunes or QuickTime) and
> maybe Adobe if you have an Adobe product, etc. A good port scanner will
> resolve the addresses for you and tell you what your connections are looking
> at. If some dot-quads don't resolve to domain names or the domain name ends
> in .ch (China), .ru (Russia), .pl (Poland), etc., then you're in trouble. You
> likely have a bot.
>
> As I said earlier, very few of my malware customers have these, which is why I
> dispute the 88% or 92% or whatever figures. I'm just not seeing many of them.
>
> I suspect that most of this bot activity is taking place not on the majority
> of home computers but on computers people don't look at very often such as web
> servers, mail servers, etc.

Interesting, thanks. I am using Webroot, which has a firewall and virus engine (Sophos licensed) but I guess it doesn't have a port scan. However, if your clients are not 100% savvy (otherwise they would not need your expertise) then you can safely say that most of the time bots are not running on people's machines that run 'ordinary' virus/firewall commercial packages (I trust almost all of your clients are running some kind of such package, as it's nearly inconceivable that they are not).

So from these two facts we can deduce that bots are not as common as stated on Wiki--for "people occupied" PCs that are not running unattended as servers. So likely I don't have a bot either. I do have a firewall "Look-n-stop" and on occasion I check out the IP address on Whois. Today I notice a slightly suspicious looking entry: ppp-124-120-170-40.revip2.asian ??? What can this be? But it's probably nothing (I think).

RL