From: RayLopez99 on 21 Feb 2010 19:38

On Feb 21, 11:30 pm, sfdavidka...(a)yahoo.com (David Kaye) wrote:
> "Ant" <n...(a)home.today> wrote:
>
> >I don't agree. Servers are more likely to be better managed than end-
> >user machines. There are also many more home PCs than servers.
>
> But sysadmins tend not to personally use their mail and web servers very
> often. Sure, they'll login from time to time, but they're not going to be
> using them intensely with word processing, spreadsheets, web browsing, etc.,
> and thus are not likely to find slowdowns, suspicious disk activity, freaky
> behavior. But people who use home computers are going to find these things
> quickly.
>
> And again, I deal with new customers all the time who have malware infections
> and seldom do I see bots. These are random people who call me via one of my
> yellow pages ads. They call when they have problems. But well over 90% of
> them do not have bots on their systems.

This is interesting. A malware infection would be what, typically? Something like a program that tracks your internet surfing habits, but resides outside the browser so you cannot flush it clean?

Also what ZoneAlarm type port sniffing / firewall program do you recommend for an XP running on Pentium IV with 2 GB ram?

RL
From: David Kaye on 21 Feb 2010 20:00

RayLopez99 <raylopez88(a)gmail.com> wrote:
>This is interesting. A malware infection would be what, typically?
>Something like a program that tracks your internet surfing habits, but
>resides outside the browser so you cannot flush it clean?

Most of them have been adware, trying to get people to spend $$ to "disinfect" their computers. About 1/4 have been redirects where the browser or the DNS are redirected to fake search sites either for phishing or to gain click money. I really see very little bot or keylogger activity. Most of my customers are small entrepreneurs and consultants, many of them seniors. Your results may vary.
From: FromTheRafters on 21 Feb 2010 21:36

"David Kaye" <sfdavidkaye2(a)yahoo.com> wrote in message news:hls8me$plc$1(a)news.eternal-september.org...
> "Ant" <not(a)home.today> wrote:
>
>>I don't agree. Servers are more likely to be better managed than end-
>>user machines. There are also many more home PCs than servers.
>
> But sysadmins tend not to personally use their mail and web servers very
> often. Sure, they'll login from time to time, but they're not going to be
> using them intensely with word processing, spreadsheets, web browsing, etc.,
> and thus are not likely to find slowdowns, suspicious disk activity, freaky
> behavior. But people who use home computers are going to find these things
> quickly.
>
> And again, I deal with new customers all the time who have malware infections
> and seldom do I see bots. These are random people who call me via one of my
> yellow pages ads. They call when they have problems. But well over 90% of
> them do not have bots on their systems.

...but you can't say anything about the ones that you don't see. Bots might not cause any symptoms for the home user to see. They don't complain about strange behavior because there *is* no strange behavior. Think of a bot as an application running in the background mostly waiting for instructions, not like a worm gobbling up your resources to spread itself or adware getting 'in your face'.
From: Ant on 21 Feb 2010 23:02

"RayLopez99" wrote:
> On Feb 21, 8:34 pm, "Ant" wrote:
>> ppp-124-120-170-40.revip2.asianet.co.th
>>
>> The IP address (124.120.170.40) associated with that generically-named
>> host belongs to trueinternet.co.th, an ISP in Thailand. It's the kind
>> of name that gets assigned to home user IPs.

> Meaning what? Gets assigned legally? Or nefariously?

It means the connection is likely to be nefarious. Why is some unknown user connecting to you (or you connecting to them)? You wouldn't see a name like that for, say, a legitimate website in Thailand you had just visited. However, it could be you visited a site hosted on some user's home PC.

The prefix 'ppp' (point to point protocol, I believe) gives it away. That's the kind of name assigned to dialup users and certainly not regular hosting services. You know it's not your own because yours has this format:

athedsl-4482237.home.otenet.gr

and suggests you're a home user on (A)DSL, perhaps near Athens?

>> You should be highly suspicious of it. Find out what process owns the
>> connection.

> Too late--it did not show up when I rebooted. It's gone. Is it
> possible that bots only "spring to life" certain hours of the day or
> week?

Yes, that can happen.

> You're scaring me Ant. Do you recommend what product for scanning?

Hopefully, someone else can advise since I don't use any! How well do you know the registry? Autoruns from Sysinternals (now Microsoft) is useful to see what starts automatically.

My only defence is knowing my system inside-out; e.g. what drivers load and other programs run in a normal configuration, what files are supposed to be in the system directories and other places and what they look like internally, etc. Plus visually monitoring all connections while online (I'm only ever physically connected for very short periods). I'm also pretty familiar with malware, as most days I'm disassembling it.

> I am running XP pro on an old Pentium IV machine with a couple of Gigs
> RAM. It's old but works. I cannot upgrade to Vista / 7 on this
> machine.

Nothing wrong with that and no point installing a new OS on an older PC. I'm still running Win2k on my internet facing PC and only use XP for testing - it's on a faster machine but runs slower!

> So will some (old) version of Zone Alarm work? I heard bad
> things about Zone Alarm when it has a certain version that was akin to
> malware (hard to uninstall as I recall). Is Zone Alarm any good
> anymore? Or something else?

Isn't XP's built-in "firewall" any use here? I've not really looked at it. Of course, none of this packet filtering software is any good if you're already infected.
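The two checks Ant recommends above (find the process that owns the connection, then judge whether the remote host's reverse-DNS name looks like a home/dialup address) can be scripted. The following is an added example, not code from anyone in this thread: it parses `netstat -ano` style output into connection records keyed by PID and applies a residential-name heuristic to each peer. The netstat listing, the reverse-DNS table (apart from the one hostname quoted from the thread) and the hint-word list are constructed assumptions so that it runs offline.

```python
"""Triage unexplained connections: owning PID plus a reverse-DNS name check.

Added example, not from the thread. The netstat text and the rDNS answers
below are constructed sample data, so nothing here touches the network.
"""
import re
from typing import Dict, List, NamedTuple

# Constructed sample of `netstat -ano` output on Windows XP (not a real capture).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1054      124.120.170.40:6667    ESTABLISHED     1532
  TCP    192.168.1.10:1061      74.125.19.99:80        ESTABLISHED     1812
  TCP    192.168.1.10:1077      203.0.113.25:443       ESTABLISHED     1812
  UDP    192.168.1.10:1900      *:*                                    1040
"""

# Constructed reverse-DNS answers. The first name is the one quoted in the
# thread; the other two are made-up examples in the same style.
SAMPLE_RDNS: Dict[str, str] = {
    "124.120.170.40": "ppp-124-120-170-40.revip2.asianet.co.th",
    "74.125.19.99": "www.example.com",           # placeholder for a normal web host
    "203.0.113.25": "athedsl-4482237.home.otenet.gr",
}

# Words ISPs commonly put in residential rDNS names (assumed list, extend locally).
RESIDENTIAL_HINTS = ("ppp", "dsl", "adsl", "dial", "dialup", "cable", "dyn",
                     "dynamic", "pool", "cust", "home", "revip")


class Conn(NamedTuple):
    proto: str
    local: str
    remote_ip: str
    remote_port: str
    state: str
    pid: int


def parse_netstat(text: str) -> List[Conn]:
    """Turn `netstat -ano` lines into Conn records; skips the header and '*:*' peers."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        if proto == "TCP":
            state, pid = parts[3], int(parts[4])
        else:                      # UDP rows have no State column
            state, pid = "", int(parts[3])
        if foreign == "*:*":       # unbound listener, no peer to judge
            continue
        ip, _, port = foreign.rpartition(":")
        conns.append(Conn(proto, local, ip, port, state, pid))
    return conns


def looks_residential(hostname: str) -> bool:
    """Heuristic: access-technology words (ppp, dsl, cable...) in the name, or the
    peer's own IP octets embedded in the first label, as ISPs do for customer pools."""
    labels = hostname.lower().split(".")
    first = labels[0]
    has_hint = any(h in labels or first.startswith(h) for h in RESIDENTIAL_HINTS)
    has_octets = re.search(r"(\d{1,3}[-.]){3}\d{1,3}", hostname) is not None
    return has_hint or has_octets


def triage(netstat_text: str, rdns: Dict[str, str]) -> List[dict]:
    """One finding per connection: owning PID, rDNS name and a verdict to act on.
    A clean-looking name is only 'likely-ok'; rDNS can be set by whoever owns
    the address block, so the PID still deserves a look if it is unfamiliar."""
    findings = []
    for c in parse_netstat(netstat_text):
        name = rdns.get(c.remote_ip, "")
        if name and looks_residential(name):
            verdict = "SUSPICIOUS: peer looks like a home/dialup host; identify PID"
        elif not name:
            verdict = "UNKNOWN: no reverse DNS; identify PID"
        else:
            verdict = "likely-ok"
        findings.append({"pid": c.pid, "remote": f"{c.remote_ip}:{c.remote_port}",
                         "rdns": name, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_NETSTAT, SAMPLE_RDNS):
        print(f"PID {f['pid']:>5}  {f['remote']:<22} {f['rdns']:<42} {f['verdict']}")
```

On a live XP box you would feed it the real output of `netstat -ano`, look up each flagged PID with `tasklist /fi "PID eq 1532"` (substituting the reported PID), and then check that image in Autoruns as Ant suggests. The heuristic is deliberately loose: a miss is cheaper than ignoring a peer that turns out to be someone's home PC.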
From: David Kaye on 22 Feb 2010 01:04
"FromTheRafters" <erratic(a)nomail.afraid.org> wrote:
>Think of a bot as an application running in the background mostly
>waiting for instructions, not like a worm gobbling up your resources to
>spread itself or adware getting 'in your face'.

I know what a bot is, thank you very much.