Follow Slashdot stories on Twitter

 


Forgot your password?
Close
typodupeerror
×
Security

How Do I Determine If My PC is a Zombie? 90

Posted by Cliff from the shoot-for-the-head dept.
Captain Chad wonders: "With the recent news of a 1.5-million node botnet, as well as the AIM rootkit worm, I'm getting a bit concerned about whether my PC may be a zombie. I'm seeing a lot of internet activity, even when nothing is running, and I've checked the process explorer for obvious tasks to no avail. I apply patches as soon as they're released, and my antivirus/spyware programs report nothing. How do I determine if my PC is a zombie, and if it is, how would I de-infect it?"
On this same vein, college campuses are often prime breeding grounds for undead-boxen. bcrowell adds: "I'm a teacher at a community college where Windows is the only supported OS -- if you ask the school to put machine on your desk, you get a Windows box. Faculty who want to run MacOS or Linux have had to provide their own machines, and those who want to do PowerPoint presentations for their classes have been told that they have to buy their own laptops and bring them in.

Now Academic Computing has announced a new policy: any unauthorized use of the network, such as plugging in your own computer to a port, is prohibited, and will result in disciplinary action. There are supposedly plans to enforce this rule automatically with hardware and software. Great consternation has ensued in the faculty senate, and the manager who wrote the policy has explained that it is basically aimed at the problem of improperly maintained teachers' machines getting '0wned'. A little ironic, because the Windows boxes maintained by the computing folks keep getting infected by worms. Still, it's not an unreasonable concern; many teachers are clueless. In fact, I wouldn't pretend to know enough to keep a Windows machine secure on a public network, although I haven't had any problem with the FreeBSD box on my desk. Any suggestions on how to deal with this? Effective arguments to use? Good educational resources to point people to so they can learn how to keep their Windows boxes secure? Many of my colleagues seem to think that security mainly involves buying antivirus software."
This discussion has been archived. No new comments can be posted.

How Do I Determine If My PC is a Zombie? More

How Do I Determine If My PC is a Zombie?

Comments Filter:

  • Simple (Score:5, Funny)

    by mike_lynn ( 463952 ) on Monday October 31, 2005 @07:42PM (#13919380)
    Place a bowl full of brains in front of it and see if you get a response.

    Happy Halloween >:D

  • umm... (Score:2, Funny)

    by Anonymous Coward
    you are on the safe side unless the spam you get comes from your own IP.

  • What kind of internet Activity? (Score:4, Interesting)

    by satterth ( 464480 ) on Monday October 31, 2005 @07:49PM (#13919438) Homepage Journal
    Really... What kind of internet activity are you seeing? Are the lights blinking and you have no idea what is actually happening or are processes on your box accessing IRC servers accross the world without your knowledge?
    • What's up with the space after "vea" and before "ler.html"? Do you not want people able to copy the link when they're using lynx?

      Pretty low, if you ask me. Should we mod you troll?

      --LWM
      • Slashdot automatically inserts a space into long URLs.
      • You must be new around here :). Slashcode is notorious for killing links like that. I think it's part of the Lameness Filter that taco put in.
        • Not new around here, just haven't paid attention to it before, and I haven't seen much about the lameness filter.

          So, WTF?

          How is that supposed to prevent lameness?? I can't see the point of having spaces inserted into long urls - is the idea to break up any long string of text?

          --LWM
          • Here's the reason:

            xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

            Back in the old days, people would post shit like that and it would make the page really really wide. This, of course, made reading the comments impossible, so taco added code to break up lines like that. The link was clickable anyway, so who
            • Aaaaaaaaaaah; thanks! Now I see!
              The link was clickable anyway, so who cares?
              I like to copy/paste links from lynx to firefox - harder to do with the space in it :)

              I will accept it as my cross to bear! ;-)

              Again, thanks.

              --LWM

  • Use ethereal to check out your network traffic (Score:5, Insightful)

    by neillewis ( 137544 ) on Monday October 31, 2005 @07:49PM (#13919441)
    Hook up another box on a hub and check the network traffic. Obvious signs are connections to addresses that can be traced to irc servers or use of irc ports. The first time I found a bot nest, it scared me like Doom 3 never could. If this means nothing to you, get some expert interactive help.

    • That isn't to say that all traffic is bad traffic. Most of the time that traffic you're seeing isn't YOUR traffic. Its the traffic of all the other computers on the network talking with yours. This isn't a bad thing. Its typical of a large network. You'll have lots of computers talking to each other to let each other know when something changes. For instance, a new computer comes online and has to get an ip address. Usually it doesn't know where to get an ip address, so it sends out a broadcast to al

  • Rootkits My Son (Score:5, Informative)

    by Yocto Yotta ( 840665 ) * <catapults.music@ ... .com minus berry> on Monday October 31, 2005 @07:52PM (#13919470)
    Go here [sysinternals.com] and download Rootkit Revealer. If that doesn't find anything, and you've tried everything you said, you got some smart malicious rootkit-usin' virus that knows how to trick Revealer, or your system is the proto for some new form of evilness.

    • Re:Rootkits My Son (Score:3, Informative)

      by TFloore ( 27278 )
      If that doesn't find anything, and you've tried everything you said, you got some smart malicious rootkit-usin' virus that knows how to trick Revealer, or your system is the proto for some new form of evilness.

      Or you forgot that your antivirus software does network activity.

      I had that happen a couple weeks ago, I just happened to be watching my network activity light and it lit up when I wasn't doing anything. This bothered me, as you might expect.

      Took me a couple minnutes of poking around to figure out tha

  • Finally, my signature is on-topic (Score:3, Informative)

    by QuantumG ( 50515 ) <qg@biodome.org> on Monday October 31, 2005 @07:53PM (#13919486) Homepage Journal
    Grab a copy of my software [insomnia.org] and monitor your network usage. If you happen to find blatantly obvious spyware running on your machine, try some of the automatic spyware removal tools available. If you're still infected, the best course of action is a reinstall.
    • Great! Now I can check to see if anything wierd is happening on my Win2K boxes. It does work on Win2K, right?
    • Does it do something more than just netstat -a?

      By the way, that's the answer to the original question. netstat -a at a command prompt lists current connections and current listeners. Check the other computers (by googling or whoising them, not by visiting them) to see if they're evil.
      • Yeah, it actually updates the status of connections in realtime. Kinda like nettop, except it keeps closed connections in the list. You can also see incoming connection attempts, even if they fail.
      • Would not a rootkit, by definition, override what can be seen via "normal" system calls and netstat will report nothing of interest?
        • Heh, not like you need to do much overriding, the windows apis used by netstat are so pathetic they report connections open that are closed, or never even existed. TcpSafe uses WinPCap to capture live traffic and present it in a user friendly format. Although it is possible for a rootkit to directly attack this technique, they don't as they are intended to defeat userland programs, not installable network drivers.
        • A lot of the time, you're not looking for a true rootkit, but just phone-home malware, which assumes that once your identity/credit card/password has been stolen there's not much you can do about it anyway.
      • One step better, is using this command:
        sudo watch -n1 "netstat -nape --inet"


        This will truely update ever second indefinitely and will provide a bit more information.
        • One step better, is using this command:
          sudo watch -n1 "netstat -nape --inet"

          Heh! That will be fun to run on anything else but Linux.

          Especially on FreeBSD, which happens to have a watch(1) command but for quite a different purpose :-)

          Good idea though. Something similar can be done on the BSDs and on Solaris with:

          while true; do clear; netstat -aln -f inet; sleep 1; done
    • I was about to point out that the gent mentioned in the summary that he already has tried spy/ad-ware removal programs you promotion whore you, then I noticed that your the fellow I got into a nice discussion [slashdot.org] with about Jack Thompson. I didn't want to seem like an mildly vindictive ass, so I refrained.

      Oh . . . darn. Well, I like your app. Cheers.
      • I was just trying to make people understand his arguments before they dismiss him as a loon. The media portray him as a drooling madman when in fact his ideas are clearly thought out and logical, they're just based on things most of us disagree with (kids are damaged by violent games, the community has a responsibility to raise other people's kids, etc). Without understand his belief structure you can't understand his arguments. The thread you linked to is a perfect example. People say Thompson is crazy
    • I reinstalled... LINUX... and openbsd on the heavy router (its an OLD intel gaming machine turned router (450 mhz rig))

      Odd thing is, I also do it for anyone who complains about spyware to me. So far they know... I WILL NOT fix windows issues, but I will "reinstall"... they have to agree that they will ask ME to install software for them unless they get it from the CVS/packagemanager that is defaulted by their distribution... overall I've had little trouble, though they complain that certain things (windows

  • Netstat (Score:4, Informative)

    by BladeMelbourne ( 518866 ) on Monday October 31, 2005 @08:01PM (#13919549)
    If you are using Windows - run netstat at the command line.
    There are also some switches that can show more detailed information, some of them are undocumented I believe. Use Google if you need to find them.

    Using Ethereal is also an option - it can provide a lot more information but is more involved to use and interpret the results.
    • If a machine is compromised in the zombie/rootkit way, you cannot trust a single executable on the box.

      • Re:Netstat (Score:3, Interesting)

        by cbr2702 ( 750255 )
        If you only have acess to one computer, you could do something like boot knoppix, load the base operating system inside QEMU, then watch what it does.

  • Lazy admins (Score:3, Interesting)

    by sedyn ( 880034 ) on Monday October 31, 2005 @08:04PM (#13919574)
    Semi-off topic:
    If the admins can't even secure their own software, why should they think that those not in "the know" can.

    My advice, get written statements about the reasons for no external computers. If the internal computers continue to get infected after this policy is put in place, anonymously email the people in charge (the admins' bosses) reminding them of the reason for the "fix".

    As for getting infected, I agree with the other posters, and add that it's hard enough to keep a windows PC uninfected when just one careful person is on it. But once you start giving easily-infected PCs to people who aren't careful, the thing becomes a hive of filth.

  • Only trust the machine externally (Score:5, Informative)

    by MerlynEmrys67 ( 583469 ) on Monday October 31, 2005 @08:08PM (#13919594)
    Internal commands like task manager/netstat won't help at all if you have a decent rootkit - the kernel will just hide your processes from it.

    Start with an external packet sniffer - see what traffic the machine is sending out and on what ports. If you are seeing traffic that you don't understand - get help to determine what it is. You can start with a simple NAT gateway, and simply log the IP addresses/ports that your machine(s) are going too. If you see unidentified remote ports, well - you probably have a problem, if you see port 80 traffic to sites you don't know what they are - you have a problem, etc.

    How to clean up the mess. Well, your first step would be to simply reformat the hard drive. If you can't do that - good luck, remember you will need to start with a clean media boot (as in a CD boot to a Linux/BSD distro) and see what you can find. Remember with a rootkit present, your kernel can and DOES completely lie to you about what is going on internally.

    • This is mostly good advice.

      Except for reformatting your hard drive. You might make your original drive a slave drive though, and use a new clean hard drive as the master and reinstall your OS on that. A live cd distro (as suggested) might help in a short term solution too.
    • "...first step would be to simply reformat the hard drive. If you can't do that - good luck..."

      Ditto. I feel bad for people who balk at re-formatting their hard drive. They always ask me if there is an easier way. Unfortunately, reformatting is the easy way. Trying to clean out rootkits and nasty spy/adware requires a lot of knowledge, even with the excellent free tools available. (Thanks, sysinternals, lavasoft and safer-networking.org).

      • Yeah, see, the kind of people who say "just reinstall" are the same kind of people who keep backups. Normal people don't backup their files. Now, if computers came standard with a tape backup and easy software to use it people might actually think about what they need backed up and what they are willing to lose if there's a harddrive crash or they need to reformat.

  • Post your IP address (Score:3, Funny)

    by sydb ( 176695 ) <[michael] [at] [wd21.co.uk]> on Monday October 31, 2005 @08:13PM (#13919628)
    And Slashdot will tell you.
  • I saw various things on the recently downloaded files list when I got home. I asked him about it, he said he tried to download some things, but that he never ran them because he couldnt find out where they downloaded to.
    Now I have paranoia.

  • In everyday terms - (Score:5, Interesting)

    by bscott ( 460706 ) on Monday October 31, 2005 @10:12PM (#13920319)
    I see a lot of people offering some moderatly technical advice, but perhaps a simpler answer to the question is - there's no one easy, foolproof, turnkey way to reliably determine whether your Windows machine is infected.

    There are too many different types of malware around - virii, spyware, rootkits, trojans, and so on - each of which has new twists coming up almost daily. No single development team or company can keep up, and there are too many out there trying for there even to be a dominant player (and if there were, malware would promptly be rewritten to undermine the anti-malware utility in question...).

    You will either need to learn how to use some of the tools others in this thread mention (it's not as hard as it may seem at first - try running them on a system you can be confident is clean, and become familiar with what "safe" traffic looks like, then try yours), or be prepared to pay hefty $ for expert help, or switch to another OS.

    FWIW, I've run un-patched Windows2k for years without trouble, largely because I use a hardware NAT (firewall) and avoid Outlook. Even so, I am careful to avoid clicking on the wrong things online, and I am working towards moving to Linux ASAP.
    • FWIW, I've run un-patched Windows2k for years without trouble, largely because I use a hardware NAT (firewall) and avoid Outlook. Even so, I am careful to avoid clicking on the wrong things online

      That works well, actually. I've run Windows XP Home for a few years without SP2 nor anti-virus nor personal firewall, and it hasn't slowed to a halt nor given any signs of abnormal activity. The trick? Don't download disreputable software, use Firefox (or Mozilla), and stay behind a firewall/NAT. And run Windows Fi
      • I had a lot of problem with Zone Alarm flashing my screen whenever I ran a DirectX app. I switched to Kerio and have been reasonably pleased with it. Although it's not quite right on my XP laptop, but then again, the laptop has other problems.... I put it on there simply to see what apps were phoning home. For instance, Toshiba laptops do every time you log in if they are on the net and look for updates. Oddly, in 3 years my laptop never found a Toshiba update.

  • Dealing with Stupid, Lazy, or Malicious IT (Score:5, Interesting)

    by Noksagt ( 69097 ) on Monday October 31, 2005 @10:15PM (#13920337) Homepage
    There are a number of ways to get around arbitrary rules. Either overtly or covertly.
    if you ask the school to put machine on your desk, you get a Windows box. Faculty who want to run ... Linux have had to provide their own machines
    You can ask for permission to dual-boot. Or, if you already have permission to install your own software, you can do it covertly. I would not advise wiping the Windows partition--you can boot into it when IT starts snooping around & also some might have a problem with you removing licensed software. Failing this, run from a LiveCD/USB key. Or run coLinux or run it under QEMU, VMWare, or similar.
    Great consternation has ensued in the faculty senate
    Cause greater consternation & bring it over IT's heads. Bring it to the President of the school or the trustees. An army of pissed off faculty will beat a lazy IT head any day.
    Any suggestions on how to deal with this?
    In addition to the above, you can probably ask for a special exception & say you are willing to take the blame if your FreeBSD box gets rooted. Once you show minimum competency & need, as well as the willingness to put your ass on the line instead of theirs, IT will probably cave.
    Effective arguments to use?
    The most effective argument is you can't otherwise do your job. Show that you need FreeBSD. Another good argument is obviously to point out the past infections of campus-maintained machines. Tell them you'll firewall your machine from the University network, both to protect you from it & it from you.
    • I would like to add another "covert" Linux installation method.
      One thing you can do is put a large hidden file, call it something like "swap.sys" or something of that nature. Boot Linux from an attached device (usb / cdrom), then use losetup to loopback mount that file, and run your normal linux install from there. This will take a bit of advanced knowledge to set up since you'd probably have to install your distro to another drive and copy it over, then set up the initial ram disk image on your boot devi

    • In addition to the above, you can probably ask for a special exception & say you are willing to take the blame if your FreeBSD box gets rooted.

      It would also be a good idea to demonstrate that you have the financial resources to cover the loss if the system gets compromised as a result of your non-standard box creating a security flaw. For the benefit of the uninitiated/wishful thinkers, that liability is $EXPERT_HOURLY_RATE * $HOURS_TO_REINSTALL_ENTIRE_NETWORK + $COST_TO_ORGANISATION_OF_TIME_LOST_DO

      • that liability is $EXPERT_HOURLY_RATE * $HOURS_TO_REINSTALL_ENTIRE_NETWORK + $COST_TO_ORGANISATION_OF_TIME_LOST_DOING_SO, because once you're compromised, nothing less is safe.internal attacks, as well as external ones. Indeed, targetted malicious attacks are more likely to come from within the firewall & usually do the most damage. One rooted box should never be capable of making it so you have to reinstall the entire network.

        If you aren't prepared/able to underwrite such a sum, you have no business

        • that liability is $EXPERT_HOURLY_RATE * $HOURS_TO_REINSTALL_ENTIRE_NETWORK + $COST_TO_ORGANISATION_OF_TIME_LOST_DOING_SO, because once you're compromised, nothing less is safe.

          Competent network admins should be able to protect against internal attacks, as well as external ones. Indeed, targetted malicious attacks are more likely to come from within the firewall & usually do the most damage. One rooted box should never be capable of making it so you have to reinstall the entire network.

          If you aren't pr

  • lookup your subnet at dshield (Score:5, Informative)

    by j1m+5n0w ( 749199 ) on Tuesday November 01, 2005 @01:02AM (#13921175) Homepage Journal

    www.shield.org maintains a database of sources of malicious network traffic. Many organizations submit firewall logs to dshield, so they have a pretty good global view of who the bad apples are on the network. For anyone who administers network connected machines, it's a good idea to periodically look up [dshield.org] your IP(s) or subnet(s), and see if anyone has generated any complaints about any of your own boxes.

    Caveat: This will probably only identify the most aggregious zombies, and only the ones that are doing things that firewalls can identify as malicious. Just because your IPs don't show up on dshield, doesn't mean they aren't zombies.

    Mynetwatchman is a similar service, there may be others as well.

  • how my college does it (Score:3, Interesting)

    by Goeland86 ( 741690 ) <`goeland86' `at' `gmail.com'> on Tuesday November 01, 2005 @01:43AM (#13921352) Homepage
    here at Lewis & Clark (http://www.lclark.edu/ [lclark.edu] they use a client for any windows based machine to authenticate. Any other OS is required to authentify using a webpage to which you are redirected automatically when opening any webpage.
    The client ensures you have all mandatory updates installed to connect, otherwise the access is discontinued. Saves lots of trouble, and my friends on OSX and me on gentoo have no problems whatsoever.
    Might want to suggest your IT department to take a look at it... And even contact our IT department, they're pretty open about helping other schools keep their networks clean.
    Hope that tidbit of info helped.

    Oh, before I forget, the client used to be called "SmartEnforcer", and now it's a Cisco client... don't remember the name since I don't use it.
    • It may be some type of 802.1x client. The system is pretty easy to get running w/ Cisco. I haven't had the chance to work w/ other equipment. Many linux distors and XP come w/ native clients. If no client is available, the first time a web page is requested, on a given port, the network device intercepts it and displays the login page.

      Works well if your users are using webapps. Not so good if they're using 3270 emulation or the like.

  • I know nothing about Kernels, the internal workings of all OS's, etc, however it occured to me that your kernel has to just be a file or collection of files...

    Why couldn't you get the md5 or sha1 hash of that file (or group of files), and then periodicaly recheck the files and compare the two. Of course you would probably have to redo the "initial" hashing after any official update (or does your kernel not change all that often? Like I said I have no idea about most of this).

    That's all i've really thought o
    • You mean Tripwire? Or maybe a poor man's tripwire [geocities.com]?
    • Why couldn't you get the md5 or sha1 hash of that file (or group of files), and then periodicaly recheck the files and compare the two?
      Because you've got a rootkit installed, which hides itself and reports the old kernel files to anything that tries to view them except through the rootkit.

      --LWM

  • this command (Score:4, Funny)

    by clambake ( 37702 ) on Tuesday November 01, 2005 @04:05AM (#13921800) Homepage
    Type "emerge rkhunter". If that works, chances are, you're ok.

  • Go over their heads (Score:3, Insightful)

    by dreamer-of-rules ( 794070 ) on Tuesday November 01, 2005 @06:08AM (#13922151)
    The IT group has to answer to the needs of their users, not the other way around. Granted, they are trying to keep out viruses and lawsuits, but they still need to address your needs.

    It sounds like their heads have swelled too much, so talk to their boss, or their bosses boss. Explain that your work is better with this tool, and that it is unreasonable to ban your tool given the known lack of risks. This is not a garage-built closed-source piece-of-shareware; but a globally used, open source, well-inspected and maintained tool. Remember the talking points: ZERO viruses (macs), not running as Administrator, updates are applied regularly and consistently.. (well, there's better Persuader lists out there.)

    I've been in IT for the last 10 years, and we are there specifically to help the users do their job. Sometimes it's to disable all email attachments, and sometimes it's setting up a Windows 98 machine for a critical job.

    You may need to compromise.. a probabation peroid of increased firewall monitoring, maybe a "I'm responsible" contract to cover their butts. Thing is.. if their argument comes down to "Because we said so", then they are enforcing a personal agenda, and have ceased being effective at their primary responsibilities.

    (Falling asleep at this point, so my ramblings will go unedited..) Hope this helps.

  • I've seen many responses, including webpages which may be helpful, or other programs which may be up to date. Personally, I prefer netstat. It's not "user friendly", but it's always up to date. If you're smart enough to keep your computer updated, you're smart enough to start recognizing stuff and feeding Google what you don't understand.

    netstat -a
    Active Internet connections
    Proto Recv-Q Send-Q Local Address Foreign Address (state)
    tcp4 0 0 192.168.2.156.52756 www.example.com.http ESTABLISHED

  • Now Academic Computing has announced a new policy: any unauthorized use of the network, such as plugging in your own computer to a port, is prohibited, and will result in disciplinary action.

    What community college is that? Better yet, what is their IP address range, or their domain name (so I can add them to my email blacklist)? Given their backwards policy on security, I would be safer by refusing anything from there.

  • If I remember right there is a Linux security software called Tripwire that records a hash for critical files in the system and when one of them changes it notifies you.

    Does such a thing exist for windows?
  • Use Dug Song's arpspoof, on a BSD or Linux box, to analyze the traffic comming from the suspect. Make sure you have packet forwarding enabled on the box running arpspoof. For FreeBSD, just check that "gateway_enable="YES"" is in your /etc/rc.conf file. Now run arpspoof -t [suspect box's ip address] [gateway router ip address]. Now the suspect box will think that your Linux/BSD box's MAC address is the MAC address of the gateway router. So if you run tcpdump, you'll see all the packets that the suspect
  • You can always use RootkitRevealer [sysinternals.com]. I have not tried this myself, but it looks like a good tool. I was also poking around looking for rootkit information when I found this.

    You may also want to check out this interesting story from Mark Russinovich, Sony Music CDs installing DRM rootkit [sysinternals.com].

Slashdot Top Deals

Get hold of portable property. -- Charles Dickens, "Great Expectations"

Close