From: FromTheRafters on 24 Feb 2010 19:04

"RayLopez99" <raylopez88(a)gmail.com> wrote in message
news:16592792-4aab-4ce0-b2c6-8afafede4d78(a)b2g2000yqi.googlegroups.com...
On Feb 23, 10:44 pm, ASCII <m...(a)privacy.net> wrote:
> RayLopez99 wrote:
> >But using the Thai and Hungary examples, how do you know if these
> >sites are innocent or not? Very complicated.
>
> Not really,
> with a properly secured browser,
> all sites are innocent
> ...or inoperative.

What is a properly secured browser? Does the latest Internet Explorer with all the patches installed qualify?

On Vista and Windows 7 it might be more secure. Of course it depends on the configuration. Quite a bit of the "danger" comes from scripting support, so if you disallow scripting you are more secure. Better yet, a text only browser offers quite a bit of security, it is you that must draw the line between functionality and security.

From: FromTheRafters on 24 Feb 2010 19:52

"ASCII" <me2(a)privacy.net> wrote in message
news:4b85bf7c.857093(a)EDCBIC...
> FromTheRafters wrote:
>>What is a properly secured browser?
>
> I suppose that's dependent on the threat,
> but I feel comfortable with Opera in a sandbox.
>
> Opera v10.10 (didn't care for the beta v10.50)
> http://www.opera.com/download/
>
> Sandboxie v 3.44
> http://www.sandboxie.com/index.php?DownloadSandboxie

Good stuff there.

I was reminded of Norman when I mentioned text-only browsing.

http://beacon.chebucto.ca/Content-2006/norman.html

Funny how some people leave a lasting impression.

From: David H. Lipman on 25 Feb 2010 06:36

From: "FromTheRafters" <erratic(a)nomail.afraid.org>

| "ASCII" <me2(a)privacy.net> wrote in message
| news:4b85bf7c.857093(a)EDCBIC...
>> FromTheRafters wrote:
>>>What is a properly secured browser?

>> I suppose that's dependent on the threat,
>> but I feel comfortable with Opera in a sandbox.

>> Opera v10.10 (didn't care for the beta v10.50)
>> http://www.opera.com/download/

>> Sandboxie v 3.44
>> http://www.sandboxie.com/index.php?DownloadSandboxie

| Good stuff there.

| I was reminded of Norman when I mentioned text-only browsing.

| http://beacon.chebucto.ca/Content-2006/norman.html

| Funny how some people leave a lasting impression.

I forgot all about him! :-(

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

From: RayLopez99 on 25 Feb 2010 10:11

On Feb 25, 4:58 pm, Chih-Cherng Chin <mei...(a)cheapmail.byinter.net> wrote:
> I think it's kind of exaggerated. The most bots I have detected in one
> day was around 5400, and I have been tracking botnets since last June.
> Now I can only detect 3000-4000 bots daily. If a quarter of all PCs
> were part of botnets, I would do much better than that.
>
> --

Let's say (as is my case) you are noticing a suspicious burst of data from your PC to some server, but you have not caught any viruses using Webroot Antivirus with Spysweeper nor with Kaspersky. You also have a firewall (Look N See). You scan (full scan) every other day. One potential virus in the last five years. Running Windows XP Pro on a Pentium IV.

What's the 'most probable bad thing' that can happen? What I mean is this: say my PC is part of a botnet. So what? It does not have a keylogger on it, right? It is not able to open and read my Outlook emails (which are scanned by the AV program prior to sending). What's the 'most probable bad thing' that is happening?

I'm asking because Ant in this thread scared me--so I want to see 'so what'? Of course I'm sure if some super duper hacker is involved, he will drain all my bank accounts, but this anomalous activity has been going on for a while, and so far my bank accounts have not been hit.

RL

From: RayLopez99 on 25 Feb 2010 18:31

On Feb 25, 5:18 pm, RayLopez99 <raylope...(a)gmail.com> wrote:
> > >> The log should
> > >> indicate whether incoming or outgoing and if blocked or not.
> > > YES, it works! I did click on "details" in my Firewall (Look 'n' See)
> > > and indeed it shows direction. Yesterday's log is lost, but I found
> > > another 'suspicious'??? or maybe not entry today, here:
> > > aedz253.neoplus.adsl.tpnet.pl which maps to this Polish server:
>
> > The IP address of that host is 79.186.103.253 which is being used by
> > a customer of tpnet.pl, a Polish ISP responsible for that IP.
> >
> > And it's 'outgoing'
> >
> Bad news.
>

Update: I think, and I am checking with the firewall people at Look N Stop, that this is in fact an IP address that is being BLOCKED, not going through. It still raises the question of what program residing in my system would want to hook up with Poland, Thailand, etc. But if I have some bot in my system, it has not been detected by any antivirus program, and like I say it's being blocked from calling out anyway.

RL