From: RayLopez99 on
On Feb 22, 6:02 am, "Ant" <n...(a)home.today> wrote:
> "RayLopez99" wrote:
> > On Feb 21, 8:34 pm, "Ant" wrote:
> >> ppp-124-120-170-40.revip2.asianet.co.th
>
> >> The IP address (124.120.170.40) associated with that generically-named
> >> host belongs to trueinternet.co.th, an ISP in Thailand. It's the kind
> >> of name that gets assigned to home user IPs.
> > Meaning what?  Gets assigned legally?  Or nefariously?
>
> It means the connection is likely to be nefarious. Why is some unknown
> user connecting to you (or you connecting to them)? You wouldn't see a
> name like that for, say, a legitimate website in Thailand you had
> just visited. However, it could be you visited a site hosted on some
> user's home PC. The prefix 'ppp' (point to point protocol, I believe)
> gives it away. That's the kind of name assigned to dialup users and
> certainly not regular hosting services. You know it's not your own
> because yours has this format: athedsl-4482237.home.otenet.gr
> and suggests you're a home user on (A)DSL, perhaps near Athens?

Yes, that's right.


>
> >> You should be highly suspicious of it. Find out what process owns the
> >> connection.
> > Too late--it did not show up when I rebooted.  It's gone.  Is it
> > possible that bots only "spring to life" certain hours of the day or
> > week?
>
> Yes, that can happen.

But unlikely? Less than 5% or even 1%?

>
> > You're scaring me Ant.  Do you recommend what product for scanning?
>
> Hopefully, someone else can advise since I don't use any! How well do
> you know the registry? Autoruns from Sysinternals (now Microsoft) is
> useful to see what starts automatically. My only defence is knowing
> my system inside-out; e.g. what drivers load and other programs run in
> a normal configuration, what files are supposed to be in the system
> directories and other places and what they look like internally, etc.
> Plus visually monitoring all connections while online (I'm only ever
> physically connected for very short periods). I'm also pretty familiar
> with malware, as most days I'm disassembling it.

You're the man I need to talk to then! I code for fun, but using
Visual Studio .NET family of languages it's hard to get to the system
level, which I take it malware writers are working at.

Here's another one I 'found' today using LookNStop's firewall log on
my XP machine--either my machine is completely full of malware (and I
run Webroot antivirus and malware remover almost daily, full scan), or
this is another false positive: host-79-121-44-74.kabelnet.hu

Which Whois says is some website server in Hungary:
host-79-121-44-74.kabelnet.hu

Now I don't remember visiting any Hungarian website, but since Greece
is near Hungary, it's possible my DSL provider somehow links to them
maybe? Or something like that.

>
> > I
> > am running XP pro on an old Pentium IV machine with a couple of Gigs
> > RAM.  It's old but works.  I cannot upgrade to Vista / 7 on this
> > machine.
>
> Nothing wrong with that and no point installing a new OS on an older
> PC. I'm still running Win2k on my internet facing PC and only use XP
> for testing - it's on a faster machine but runs slower!

I hear you. Check out my flamebait in computer.os.linux.advocacy on
this theme (an old machine that runs fine on Win2k but I could not get
it to work in Linux--which is too resource heavy for it right now--
another example of 'if it ain't broke don't fix it', though in this
case it was an old PC I was going to trash anyway so no big loss).

>
> > So will some (old) version of Zone Alarm work?  I heard bad
> > things about Zone Alarm when it has a certain version that was akin to
> > malware (hard to uninstall as I recall).  Is Zone Alarm any good
> > anymore?  Or something else?
>
> Isn't XP's built-in "firewall" any use here? I've not really looked at
> it. Of course, none of this packet filtering software is any good if
> you're already infected.

But using the Thai and Hungary examples, how do you know if these
sites are innocent or not? Very complicated. I also see in this
thread the post by David Kaye that most malware is badly written, and
this seems to make sense to me as an amateur coder, so perhaps the
stuff caught by commercial anti-malware / AV products (and they catch
less than 50% according to the report I cited in this thread), they
are only catching the 'obvious' (badly written) malware / viruses?

The more I know about this topic the stupider I feel, LOL.

RL
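Ant's advice above is to find out what process owns a connection. On XP Professional the two built-in commands `netstat -ano` (the -o column is the owning PID) and `tasklist` give you the raw material; the script below, an added example that is not from this thread or from any product mentioned in it, joins them so every connection to a non-local address is listed with its process image. Both command outputs shown are constructed samples in the XP layout, and the process name `unknown_sample.exe` is a placeholder, not a real indicator.

```python
"""Join `netstat -ano` to `tasklist` so each remote connection shows its process.

Added example, not from the thread. Capture on the XP box with
    netstat -ano > netstat.txt
    tasklist > tasklist.txt
and pass the file contents to correlate(). The samples at the bottom are
constructed; the addresses are the ones discussed in the thread.
"""
import ipaddress
import re
from typing import Dict, List, NamedTuple, Tuple


class RemoteConn(NamedTuple):
    proto: str
    remote_ip: str
    remote_port: int
    state: str
    pid: int
    image: str


# Ranges that never count as "remote": RFC1918, loopback, link-local, unspecified.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]

# One tasklist row: image name, PID, session name, session number, memory.
TASKLIST_RE = re.compile(r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")


def parse_tasklist(text: str) -> Dict[int, str]:
    """PID -> image name from plain `tasklist` output (header rows are skipped)."""
    pids = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line)
        if m:
            pids[int(m["pid"])] = m["image"].strip()
    return pids


def is_remote(ip: str) -> bool:
    """True for a routable peer address; False for '*', 0.0.0.0, LAN, loopback."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in LOCAL_NETS)


def parse_netstat(text: str) -> List[Tuple[str, str, str, str, int]]:
    """(proto, local, foreign, state, pid) for each TCP/UDP row of `netstat -ano`."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP"):
            continue
        # UDP rows have no State column, so the PID is always the last field.
        state = f[3] if f[0] == "TCP" and len(f) == 5 else ""
        rows.append((f[0], f[1], f[2], state, int(f[-1])))
    return rows


def correlate(netstat_text: str, tasklist_text: str) -> List[RemoteConn]:
    """Every connection to a remote address, tagged with the owning image name."""
    images = parse_tasklist(tasklist_text)
    out = []
    for proto, _local, foreign, state, pid in parse_netstat(netstat_text):
        ip, _, port = foreign.rpartition(":")
        if not is_remote(ip):
            continue
        out.append(RemoteConn(proto, ip, int(port), state, pid, images.get(pid, "<unknown>")))
    return out


# Constructed sample output (XP layout); 192.0.2.10 is a documentation address.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       988
  TCP    192.168.1.10:1042      79.186.103.253:7788    ESTABLISHED     1660
  TCP    192.168.1.10:1050      192.0.2.10:80          ESTABLISHED     2312
  TCP    127.0.0.1:1025         127.0.0.1:1026         ESTABLISHED     1660
  UDP    0.0.0.0:445            *:*                                    4
"""

TASKLIST_SAMPLE = """\

Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         28 K
System                         4 Console                 0        236 K
svchost.exe                  988 Console                 0      4,892 K
unknown_sample.exe          1660 Console                 0      3,104 K
iexplore.exe                2312 Console                 0     31,220 K
"""

if __name__ == "__main__":
    for c in correlate(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"{c.proto} {c.remote_ip}:{c.remote_port} {c.state:<11} pid={c.pid} {c.image}")
```

An image name you do not recognise on an ESTABLISHED line to a foreign address is exactly the thing to chase; the firewall log alone never tells you the process, and a bot that sleeps for hours will only appear while it is awake, so run the capture several times.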

From: Ant on
"RayLopez99" wrote:

> On Feb 22, 6:02 am, "Ant" wrote:
>> "RayLopez99" wrote:
>>> Too late--it did not show up when I rebooted. It's gone. Is it
>>> possible that bots only "spring to life" certain hours of the day or
>>> week?
>>
>> Yes, that can happen.
>
> But unlikely? Less than 5% or even 1%?

Not unlikely and I would say it's common with bots. They don't so much
go by the time of day but a sleep period which may be anything from a
few minutes to several hours.

>> I'm also pretty familiar
>> with malware, as most days I'm disassembling it.
>
> You're the man I need to talk to then! I code for fun, but using
> Visual Studio .NET family of languages it's hard to get to the system
> level, which I take it malware writers are working at.

Yes, you don't see that many .NET executables. It's sometimes useful
for code obfuscation but they can't rely on users having the correct
run-time libraries installed. Language preferences tend to be C/C++ or
assembly and malware writers often like to use undocumented functions
at the lowest level exported from ntdll.dll.

> Here's another one I 'found' today using LookNStop's firewall log on
> my XP machine--either my machine is completely full of malware (and I
> run Webroot antivirus and malware remover almost daily, full scan), or
> this is another false positive: host-79-121-44-74.kabelnet.hu
>
> Which Whois says is some website server in Hungary:
> host-79-121-44-74.kabelnet.hu

Another end user. There's no services (e.g. web server) running on
that host unless it's using unconventional ports.

> Now I don't remember visiting any Hungarian website, but since Greece
> is near Hungary, it's possible my DSL provider somehow links to them
> maybe? Or something like that.

No, not your ISP. I thought you may be seeing these as active
connections with something like netstat but you're looking at firewall
logs. In that case, it may be just background noise or infected PCs
trying to make contact which the firewall blocked. The log should
indicate whether incoming or outgoing and if blocked or not.

> But using the Thai and Hungary examples, how do you know if these
> sites are innocent or not? Very complicated.

They're not "sites" as such but end-user PCs and, innocent or not,
if you didn't initiate the connection your machine should not
communicate with them. As long as they're incoming connection attempts
and your firewall is blocking them, you have nothing to worry about.

> I also see in this
> thread the post by David Kaye that most malware is badly written, and
> this seems to make sense to me as an amateur coder,

Most is written well enough to do damage and some is very well written
in that it efficiently does its job and can have experts puzzled for a
while. Certainly not what you would call amateur. Organised crime pays
good money for talented coders.

> so perhaps the
> stuff caught by commercial anti-malware / AV products (and they catch
> less than 50% according to the report I cited in this thread), they
> are only catching the 'obvious' (badly written) malware / viruses?

It's not to do with how good or bad the code is. A lot of malware is
wrapped in polymorphic packers or obfuscators so every sample (of the
same underlying executable) is different. It's impossible for
signature-based detection to keep up with this and, even with
heuristics, once AV products start to reliably detect it the authors
will modify the packing engine. They also submit samples to places
like Virus Total to check their work.
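Two points from this exchange lend themselves to a small script: Ant's reading of generically named hosts (the `ppp-`, `athedsl-` and `host-79-121-44-74` style names that ISPs assign to home users, often with the IP itself embedded in the name) and his rule that the log's direction and action columns decide whether an entry matters at all, since a blocked inbound attempt is noise while a connection your own machine initiated needs explaining. The following is an added example, not code from the thread or from Look 'n' Stop; the log line layout it parses is constructed (the firewall's real export format is not shown here), so `LOG_RE` needs adapting, and the token list in `END_USER_TOKENS` is an assumed heuristic.

```python
"""Triage a personal-firewall log by direction, action and peer name.

Added example, not code from the thread or from Look 'n' Stop. The log
line layout used here is constructed (the firewall's own export format is
not shown in the thread), so adapt LOG_RE to whatever your firewall
writes. The host names are the ones discussed in the thread.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Substrings ISPs commonly put in reverse-DNS names handed to residential
# or dynamic-IP customers. Heuristic, assumed list: extend it as you learn
# your own ISP's naming scheme.
END_USER_TOKENS = ("ppp", "dsl", "dial", "dyn", "cable", "pool", "cust", "neoplus")

# Four dotted or dashed numbers inside a name, e.g. ppp-124-120-170-40.
EMBEDDED_IP = re.compile(
    r"(?<!\d)(\d{1,3})[.-](\d{1,3})[.-](\d{1,3})[.-](\d{1,3})(?!\d)")


def embedded_octets(hostname: str) -> Optional[List[int]]:
    """Return the IPv4 octets encoded in the name, if all four are valid."""
    m = EMBEDDED_IP.search(hostname)
    if not m:
        return None
    octets = [int(x) for x in m.groups()]
    return octets if all(o <= 255 for o in octets) else None


def looks_like_end_user(hostname: str) -> bool:
    """True when the reverse-DNS name looks like a generic ISP customer name."""
    h = hostname.lower()
    return embedded_octets(h) is not None or any(t in h for t in END_USER_TOKENS)


def name_encodes_ip(hostname: str, ip: str) -> bool:
    """Does a generic name carry the peer's own IP (in either octet order)?"""
    octets = embedded_octets(hostname)
    if octets is None:
        return False
    ip_octets = [int(x) for x in ip.split(".")]
    return octets in (ip_octets, ip_octets[::-1])


@dataclass
class Finding:
    timestamp: str
    direction: str   # "IN" or "OUT"
    action: str      # "ALLOW" or "BLOCK"
    peer_ip: str
    peer_host: str
    severity: str    # "low", "medium" or "high"
    note: str


# Constructed layout: date time DIR ACTION PROTO src:port -> dst:port [peer host]
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<dir>IN|OUT) (?P<act>ALLOW|BLOCK) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?: (?P<host>\S+))?$")


def triage_line(line: str) -> Optional[Finding]:
    """Classify one log line; None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    direction, action = m["dir"], m["act"]
    peer_ip = m["dst"] if direction == "OUT" else m["src"]
    peer_host = m["host"] or peer_ip
    if direction == "IN" and action == "BLOCK":
        sev, note = "low", "blocked inbound probe: background noise unless it keeps repeating"
    elif direction == "IN":
        sev, note = "medium", "inbound connection accepted: which local service took it?"
    elif looks_like_end_user(peer_host):
        sev, note = "high", "outbound to a generically named end-user host: find the owning process"
    else:
        sev, note = "medium", "outbound to a named server: confirm which program needs it"
    return Finding(m["ts"], direction, action, peer_ip, peer_host, sev, note)


def triage(lines) -> List[Finding]:
    """Findings for every parseable line, in log order."""
    return [f for f in (triage_line(l) for l in lines) if f is not None]


# Constructed sample log (layout assumed; port 7788 is a made-up value and
# 192.0.2.10 is a documentation address).
SAMPLE_LOG = [
    "2010-02-24 10:15:02 OUT ALLOW TCP 192.168.1.10:1042 -> 79.186.103.253:7788 aedz253.neoplus.adsl.tpnet.pl",
    "2010-02-24 10:15:09 IN BLOCK TCP 124.120.170.40:4125 -> 192.168.1.10:445 ppp-124-120-170-40.revip2.asianet.co.th",
    "2010-02-24 10:16:30 IN BLOCK UDP 79.121.44.74:1026 -> 192.168.1.10:1026 host-79-121-44-74.kabelnet.hu",
    "2010-02-24 10:17:01 OUT ALLOW TCP 192.168.1.10:1050 -> 192.0.2.10:80 www.example.com",
    "not a log line at all",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:>6}] {f.direction:<3} {f.action:<5} {f.peer_host} ({f.peer_ip}): {f.note}")
```

The name heuristic is deliberately loose: it errs towards flagging a host, and the verdict only ever says "go and look", which is what Ant is telling Ray to do. `name_encodes_ip` is the extra check worth making: when the numbers in a name match the peer address, the name is almost certainly auto-generated for a customer block rather than chosen for a server.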


From: RayLopez99 on
On Feb 23, 10:44 pm, ASCII <m...(a)privacy.net> wrote:
> RayLopez99 wrote:
> >But using the Thai and Hungary examples, how do you know if these
> >sites are innocent or not?  Very complicated.
>
> Not really,
> with a properly secured browser,
> all sites are innocent
> ...or inoperative.

What is a properly secured browser? Does the latest Internet Explorer
with all the patches installed qualify?

RL
From: RayLopez99 on
On Feb 24, 8:45 am, "Ant" <n...(a)home.today> wrote:
> "RayLopez99" wrote:
> > On Feb 22, 6:02 am, "Ant" wrote:
> >> "RayLopez99" wrote:
> >>> Too late--it did not show up when I rebooted. It's gone. Is it
> >>> possible that bots only "spring to life" certain hours of the day or
> >>> week?
>
> >> Yes, that can happen.
>
> > But unlikely?  Less than 5% or even 1%?
>
> Not unlikely and I would say it's common with bots. They don't so much
> go by the time of day but a sleep period which may be anything from a
> few minutes to several hours.
>
> >> I'm also pretty familiar
> >> with malware, as most days I'm disassembling it.
>
> > You're the man I need to talk to then!  I code for fun, but using
> > Visual Studio .NET family of languages it's hard to get to the system
> > level, which I take it malware writers are working at.
>
> Yes, you don't see that many .NET executables. It's sometimes useful
> for code obfuscation but they can't rely on users having the correct
> run-time libraries installed. Language preferences tend to be C/C++ or
> assembly and malware writers often like to use undocumented functions
> at the lowest level exported from ntdll.dll.

Very interesting. Though the .NET code obfuscation engine is very
weak I hear, so I take it you mean obfuscate maybe people who write AV
software, who maybe don't expect a .NET virus.


>
> > Here's another one I 'found' today using LookNStop's firewall log on
> > my XP machine--either my machine is completely full of malware (and I
> > run Webroot antivirus and malware remover almost daily, full scan), or
> > this is another false positive:  host-79-121-44-74.kabelnet.hu
>
> > Which Whois says is some website server in Hungary:
> > host-79-121-44-74.kabelnet.hu
>
> Another end user. There's no services (e.g. web server) running on
> that host unless it's using unconventional ports.

Really? How in the world did you deduce that? From the majority of
these data entries (see below) being PC to Internet, I would hazard
this one was also PC to Internet. So why did my PC initiate this
communication to Hungary is the question?


>
> > Now I don't remember visiting any Hungarian website, but since Greece
> > is near Hungary, it's possible my DSL provider somehow links to them
> > maybe?  Or something like that.
>
> No, not your ISP. I thought you may be seeing these as active
> connections with something like netstat but you're looking at firewall
> logs. In that case, it may be just background noise or infected PCs
> trying to make contact which the firewall blocked. The log should
> indicate whether incoming or outgoing and if blocked or not.

YES, it works! I did click on "details" in my Firewall (Look 'n' See)
and indeed it shows direction. Yesterday's log is lost, but I found
another 'suspicious'??? or maybe not entry today, here:
aedz253.neoplus.adsl.tpnet.pl which maps to this Polish server:

DOMAIN: tpnet.pl registrant's handle: nsk80879
(CORPORATE) nameservers: dns2.man.lodz.pl. [212.51.192.5]
Polska/Poland +48.22 3808300


And it's 'outgoing', and even shows the "Ethernet" outgoing
destination address, and the incoming (which is my Ethernet Card ID I
guess), as well as the length 60, identification 491 and DF MF =
(0,0), Frag offset = 0 and "Time to Live" = 64, and I have no idea
what that means, but probably byte related. It even shows a fragment
of data in hexadecimal form. Pretty cool, but how do I know if this PC
to Internet data transfer was malware or not? I would venture to say
that many commercial programs probably have "regional" servers to
handle any data pings output from a user's PC, and since I'm in Europe
(Greece), it stands to reason maybe the nearest server is Poland. But
I don't know how you would know what program sent this data
fragment...maybe ZoneAlarm? Look 'n' Stop is a decent, cheap little
firewall insofar as I can tell, and does have a bunch of recommended
rules (about 22, including such obscure ones like: 'Stops UDP
broadcasts to *.*.*.255.')

Again the more I learn the dumber I feel. But thanks Ant...

>
> > But using the Thai and Hungary examples, how do you know if these
> > sites are innocent or not?  Very complicated.
>
> They're not "sites" as such but end-user PCs and, innocent or not,
> if you didn't initiate the connection your machine should not
> communicate with them. As long as they're incoming connection attempts
> and your firewall is blocking them, you have nothing to worry about.

But they're not incoming, see above.


> It's not to do with how good or bad the code is. A lot of malware is
> wrapped in polymorphic packers or obfuscators so every sample (of the
> same underlying executable) is different. It's impossible for
> signature-based detection to keep up with this and, even with
> heuristics, once AV products start to reliably detect it the authors
> will modify the packing engine. They also submit samples to places
> like Virus Total to check their work.

Virus Total I take it 'legitimizes' software, from what I can tell:
VirusTotal is a free virus and malware online scan service, so they
game the system. Very devious.

RL

From: Ant on
"RayLopez99" wrote:

> On Feb 24, 8:45 am, "Ant" wrote:
>> Yes, you don't see that many .NET executables. It's sometimes useful
>> for code obfuscation but they can't rely on users having the correct
>> run-time libraries installed. Language preferences tend to be C/C++ or
>> assembly and malware writers often like to use undocumented functions
>> at the lowest level exported from ntdll.dll.

> Very interesting. Though the .NET code obfuscation engine is very
> weak I hear, so I take it you mean obfuscate maybe people who write AV
> software, who maybe don't expect a .NET virus.

No, I mean code obfuscation. It doesn't matter how weak because
scanners don't unravel it on the fly. It can be difficult to determine
maliciousness of executables which rely on external interpreting
engines, like .NET assemblies and old style Visual Basic with its
various vbrunxxx DLLs. All these types of executables do is make a
single call to the installed MS runtime package which then interprets
and runs the code. They are not what I would call standard executables
with standard ready-to-run machine code and, good or bad, they all
look much the same to a scanner.

>> Another end user. There's no services (e.g. web server) running on
>> that host unless it's using unconventional ports.

> Really? How in the world did you deduce that?

Simple, just try to connect to a port you would expect a service to be
running on; e.g. 80 for HTTP (web server), 25 for SMTP (mail), 21 for
FTP and so on. If you get a response you know a server is up and
running, although it may not let you connect. You can do this with the
telnet program but it's quicker to use a port scanner. I checked only
the well-known ports but a service could be running on any one of
65535 possible ports.

> From the majority of
> these data entries (see below) being PC to Internet, I would hazard
> this one was also PC to Internet. So why did my PC initiate this
> communication to Hungary is the question?

Why, indeed. It's up to you to know what's running on your machine and
what it's doing.

>> The log should
>> indicate whether incoming or outgoing and if blocked or not.

> YES, it works! I did click on "details" in my Firewall (Look 'n' See)
> and indeed it shows direction. Yesterday's log is lost, but I found
> another 'suspicious'??? or maybe not entry today, here:
> aedz253.neoplus.adsl.tpnet.pl which maps to this Polish server:

The IP address of that host is 79.186.103.253 which is being used by
a customer of tpnet.pl, a Polish ISP responsible for that IP.

> And it's 'outgoing'

Bad news.

> [...] how do I know if this PC
> to Internet data transfer was malware or not?

You've got to ask yourself why your machine is connecting to random
users in Thailand, Hungary, Poland and who knows where else. I
strongly suggest you block them and investigate. Once you've found
the cause and cleaned up you'd better change all your passwords.
As I said before, check all registry and other startup points for
suspicious things that might be loading automatically.

> I would venture to say
> that many commercial programs probably have "regional" servers to
> handle any data pings output from a user's PC, and since I'm in Europe
> (Greece), it stands to reason maybe the nearest server is Poland.

Then you would expect to see recognisable host names, either belonging
to the company or known server farms and load balancers like Akamai,
not generic ones assigned to ordinary end users like you and me.

> But
> I don't know how you would know what program sent this data
> fragment...maybe ZoneAlarm? Look 'n' Stop is a decent, cheap little
> firewall insofar as I can tell, and does have a bunch of recommended
> rules (about 22, including such obscure ones like: 'Stops UDP
> broadcasts to *.*.*.255.')

Are you running more than one software firewall? That's a bad idea.
Can't you configure Zone Alarm to deny all outbound traffic and get
it to prompt you to allow on a case-by-case basis? That way you'll get
an idea of what is trying to call home if it gives a message like
"program x is trying to connect to host y, do you want to allow?".
I thought the built-in XP firewall could do this anyway.
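Ant's method for deciding whether a host is a server or just another end user is to try the well-known ports and see whether anything answers. The script below is an added example, not code from the thread, that does the same thing with a plain TCP connect and separates the three outcomes you get in practice: a completed handshake (something is listening), a refusal (port closed) and a timeout (usually a firewall dropping the packet, which is also what a home PC behind a router looks like). Use it on machines you are responsible for; `demo()` opens a listener on 127.0.0.1 so the whole thing runs offline. The `WELL_KNOWN` table and the port numbers it uses are the standard assignments, not something the thread states beyond 80, 25 and 21.

```python
"""Check whether a host answers on the well-known service ports.

Added example, not from the thread. A connect() that completes means a
service is listening (it may still refuse you afterwards); a refusal means
the port is closed; a timeout usually means a packet filter dropped the
attempt. demo() exercises it against a local listener so it runs offline.
"""
import socket
from typing import Dict, Iterable

# Standard assignments used as the default probe list.
WELL_KNOWN = {21: "ftp", 22: "ssh", 25: "smtp", 80: "http", 110: "pop3", 443: "https"}


def probe_port(host: str, port: int, timeout: float = 2.0) -> str:
    """Return 'open', 'closed' or 'filtered' for one TCP port on host."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except (socket.timeout, OSError):
            # Timeout or unreachable: a filter is dropping the attempt.
            return "filtered"


def check_services(host: str, ports: Iterable[int] = WELL_KNOWN,
                   timeout: float = 2.0) -> Dict[int, str]:
    """Probe each port in turn and map port -> verdict."""
    return {p: probe_port(host, p, timeout) for p in ports}


def start_local_listener() -> socket.socket:
    """Open a TCP listener on 127.0.0.1 (port chosen by the OS) for the demo.

    No accept() loop is needed: the kernel completes the handshake into the
    backlog, which is all the probe looks for.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv


def free_port() -> int:
    """Pick a loopback port nothing is listening on (bind, read, release)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind(("127.0.0.1", 0))
        return tmp.getsockname()[1]


def demo() -> Dict[int, str]:
    """One open and one closed loopback port, probed like a real host."""
    srv = start_local_listener()
    try:
        open_port = srv.getsockname()[1]
        return check_services("127.0.0.1", [open_port, free_port()], timeout=1.0)
    finally:
        srv.close()


if __name__ == "__main__":
    for port, verdict in demo().items():
        print(f"127.0.0.1:{port} {verdict}")
```

Run against your own box from a second machine, this tells you what you are actually exposing, which is the question behind Ant's remark that none of the packet filtering helps once you are already infected. Ant's caveat still stands: a service can sit on any of the 65535 ports, so a clean result on the well-known ones only says the host is not advertising the usual services.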