How Can I Tell If My Computer Is Part of a Botnet?

ashraya writes "My father (not too computer literate) has a desktop and a laptop both running Windows in his network back in Hyderabad, India. I set up a Linksys router for him to use with his broadband service. For some reason, he reset the config on the Linksys, and connected it up without wireless security, and also with the default admin password for some time. As you would expect, both of the Windows computers got 'slow,' and the desktop stopped connecting to the internet completely for some reason. As I logged in remotely to 'fix' things, I noticed on the Linksys' log that the laptop was making seemingly random connections to high-numbered ports on various IPs. I did an nslookup on the IPs to see that they were all either in Canada or US, with Comcast and other ISP addresses. Is that a sign that the computers were in a botnet? Are the other hosts part of the botnet too? (I have since rebuilt the Windows hosts, and these connections are not happening now. I have also secured the Linksys.)"
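The pattern the submitter saw in the Linksys log (one LAN host reaching many different external IPs on high-numbered ports) can be checked mechanically. This is an added example, not part of the original post; it parses a constructed log format (a real Linksys line is laid out differently, so the regex is an assumption), groups outbound connections per LAN host and flags hosts with many high-port peers, plus hosts speaking SMTP directly to several servers, which later comments in the thread point to as a spam-bot indicator.

```python
"""Flag LAN hosts whose outbound connections, as seen in a home router's log,
look like bot traffic: many distinct peers on high ports, or direct SMTP fan-out."""
import re
from collections import defaultdict

# Regex for the constructed log format used below (assumed, not Linksys's own).
LINE_RE = re.compile(r"src=(\S+)\s+dst=(\S+)\s+dpt=(\d+)")

# Constructed sample log; addresses are from the RFC 5737 documentation ranges.
# .101 behaves like the laptop in the question, .102 is ordinary web browsing.
SAMPLE_LOG = """\
Aug 06 17:02:11 OUTBOUND src=192.168.1.101 dst=203.0.113.7 dpt=51234
Aug 06 17:02:14 OUTBOUND src=192.168.1.101 dst=198.51.100.19 dpt=60211
Aug 06 17:02:19 OUTBOUND src=192.168.1.101 dst=203.0.113.140 dpt=49152
Aug 06 17:02:25 OUTBOUND src=192.168.1.101 dst=198.51.100.3 dpt=55001
Aug 06 17:02:31 OUTBOUND src=192.168.1.101 dst=192.0.2.77 dpt=62010
Aug 06 17:02:40 OUTBOUND src=192.168.1.101 dst=192.0.2.5 dpt=25
Aug 06 17:02:41 OUTBOUND src=192.168.1.101 dst=198.51.100.12 dpt=25
Aug 06 17:02:42 OUTBOUND src=192.168.1.101 dst=203.0.113.9 dpt=25
Aug 06 17:03:02 OUTBOUND src=192.168.1.102 dst=192.0.2.100 dpt=80
Aug 06 17:03:05 OUTBOUND src=192.168.1.102 dst=192.0.2.100 dpt=443
Aug 06 17:03:06 OUTBOUND src=192.168.1.102 dst=192.0.2.53 dpt=53
"""


def parse_connections(log_text):
    """Return {src_host: [(dst_ip, dst_port), ...]} for every matching line."""
    conns = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            conns[m.group(1)].append((m.group(2), int(m.group(3))))
    return conns


def analyze(log_text, min_distinct=5, high_port=1024, smtp_min=3):
    """Score each LAN host and return its stats plus the indicators it tripped."""
    report = {}
    for host, pairs in parse_connections(log_text).items():
        dsts = {ip for ip, _ in pairs}
        high = [p for _, p in pairs if p >= high_port]
        smtp_dsts = {ip for ip, p in pairs if p == 25}
        flags = []
        # Many distinct peers, mostly on high ephemeral ports: peer-style bot
        # traffic rather than the handful of servers a browser talks to.
        if len(dsts) >= min_distinct and len(high) / len(pairs) >= 0.5:
            flags.append("many-high-port-peers")
        # A home PC has no business talking SMTP to several mail servers itself.
        if len(smtp_dsts) >= smtp_min:
            flags.append("direct-smtp-fanout")
        report[host] = {
            "connections": len(pairs),
            "distinct_dsts": len(dsts),
            "high_port_ratio": len(high) / len(pairs),
            "smtp_dsts": len(smtp_dsts),
            "flags": flags,
        }
    return report


if __name__ == "__main__":
    for host, stats in sorted(analyze(SAMPLE_LOG).items()):
        verdict = ", ".join(stats["flags"]) or "nothing unusual"
        print(f"{host}: {stats['distinct_dsts']} peers, "
              f"{stats['high_port_ratio']:.0%} high ports -> {verdict}")
```

The thresholds are starting points; tune them against a week of the router's normal logs before trusting an alert.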
  • Assume it is .. (Score:5, Interesting)

    by Brigadier ( 12956 ) on Thursday August 06, 2009 @05:06PM (#28978849)

    Overseeing a small office LAN, I've come to the conclusion that you will be infected whether you like it or not, regardless of how much you threaten users. I've resorted to using a drive image (Paragon) saved on a drive partition, which saves the system in an uninfected state. As soon as a user goes 'uh ooh' or complains of slowness I restore the image (keep in mind data is stored on a server which is backed up and scanned, and on which no apps are allowed to run). I also run a combination of CCleaner, Spybot S&D and Windows Defender.

    In addition I check the network once a week for mail or FTP sockets (evidence there is a botnet at work). So far this has been the easiest way to stay on top.

  • by ls671 ( 1122017 ) * on Thursday August 06, 2009 @05:14PM (#28978947) Homepage

    Agreed, I do it from my Linux router which I assume is not owned.

    It is nevertheless better to reserve a machine on your network for just this usage. Nothing installed on it but tcpdump and similar tools. You should even disconnect that machine from the network when not in use. Again, that's what security expert firms do.

    The important point is to be confident that what you are looking at is not coming from something that is already owned. Many rootkits modify netstat, tcpdump and the like... ;-)

  • by realmolo ( 574068 ) on Thursday August 06, 2009 @05:19PM (#28979027)

    You're doing it wrong.

    You need an IDS/IPS system like a Fortigate or ASA that scans all incoming/outgoing packets for viruses/spyware/whatever, and blocks them before they get to the computer (as well as performing standard firewall duties like NAT and traffic filtering). You need Websense Express (or something similar) to block access to malicious websites (and inappropriate websites, which are often malicious anyway). You need to take away the Local Administrator rights from every user on the network, and use Group Policy to a) lock down Internet Explorer, b) prevent them from installing any software and c) prevent them from making any system changes.

    This is all easy to do. Why aren't you doing it? For a small office, it wouldn't even be expensive.

  • by whoever57 ( 658626 ) on Thursday August 06, 2009 @05:19PM (#28979045) Journal

    In addition I check the network once a week for mail or FTP sockets (evidence there is a botnet at work). So far this has been the easiest way to stay on top.

    I would also block outgoing port 25 and then ask the users what SMTP servers they use and whitelist those.

    Getting the users to run as a non-privileged user will make clean-up much easier. Set their normal login to be a low-privilege user (and add network configuration so they can configure wireless networks), then give them their own administrator login (another user with admin rights) and show them how to login as their normal username and use "run-as". That way they can do everything they would like with a much lower risk of an infection that can't be handled.

  • by Anonymous Coward on Thursday August 06, 2009 @05:36PM (#28979249)

    I agree with your theory; however, in practice, a hacker clearly has several million low-hanging fruits running unpatched XP with antivirus which expired 60 days after the computer was purchased in 2006.

    The idea that a botnet is really going to worry about the fraction of a fraction of a percent that knows about netstat seems improbable, though obviously not impossible, which is why I agree with you in theory, but in practice netstat would probably answer his question when a hub and a Linux box are inconvenient. If someone has an example of a virus masking its connections through netstat I would both eat crow and be interested to hear it.

  • by Brigadier ( 12956 ) on Thursday August 06, 2009 @05:44PM (#28979333)

    All great points, here are mine.

    1.) We are an architecture office which runs AutoCAD; the problem is this requires Power User group membership in order to run. (Also, on Windows, malicious software can infect even without admin privs.)

    2.) Unfortunately any expense is an expense (the economy doesn't help). This is why you will note all my network software is freeware.

    3.) My most malicious user is the owner of the company, who insists on having admin privs (he equates user authority to company hierarchy). So he constantly does stuff like installing GoToMyPC, and leaves his system up and logged in.

    Unfortunately I don't live in your well-funded and taken-seriously IT world.

  • by bpfinn ( 557273 ) on Thursday August 06, 2009 @05:46PM (#28979367)
    You could also get a network tap. I've had my eye on the Teeny Tap [netoptics.com] for a while.
  • by ashraya ( 632661 ) on Thursday August 06, 2009 @05:51PM (#28979419)
    A good many replies here - so I will answer a few questions that have been asked.

    1. For this time, I assumed the systems were owned, and they have now been rebuilt (Windows reinstalled).
    2. The Linksys is re-secured - but I hadn't thought of that being owned - so I have to now do a firmware upgrade on that. Thanks for the suggestion.
    3. Other suggestions are to confirm botnet or sniff traffic - I am in the UK, and I can only do so much remotely.
    4. One of the questions was how I managed to remote into the Windows hosts - No, I managed to remote into the Linksys, not the Windows hosts.
    5. The bizarre situation in the Windows host before it was rebuilt was that if we did (I told the commands over the phone for my dad to execute) ping or traceroute to a destination like www.google.co.in, it would work. It would resolve the right IP. However, with any of the browsers, as soon as access to a site was attempted, we would get a message "Connection Reset" or the browser's equivalent (Firefox, Chrome and IE tried). Has anyone seen that one before?
    6. Another question asked was if the Windows in question was legit - Yes, I bought him an OEM XP the last time I was there and installed it.

    Regards,
    Ashraya
  • by JohnnyComeLately ( 725958 ) on Thursday August 06, 2009 @05:52PM (#28979433) Homepage Journal
    I remember from my Sun Solaris 8 network or sys admin class that they said the system will automatically configure itself as a gateway between two network cards. When my son gets old enough to start surfing on his own, it's what I intend to do. I've got an old Solaris 8 machine on an Ultra 10. I can put it out in the garage (next to the cable modem) and have it be a physical hop between the cable modem and Dual Band WiFi router.
  • by peragrin ( 659227 ) on Thursday August 06, 2009 @06:00PM (#28979521)

    For a small office running Windows the end users HAVE to run as admin, as most Windows apps require it. My HP printer drivers, and a couple of other apps, require me to be fully logged in as an admin or they don't work, basically preventing me from doing most of my work.

    I know this as I tried it, as I don't believe I should run as admin. Since Windows and MSFT don't force developers to code to security standards, including their own, running as a non-admin in a real-world environment is impossible. Oh, and just to really make you scratch your head, one of those mission-critical apps crashes on install because it loads the Win16 subsystem for running.

    It gets updated 3-4 times a year but it still requires Win16 components. MSFT has enabled that, in 2009, Win16 parts are still required. If MSFT would let go of old and outdated parts like the rest of the OS world, shit like that wouldn't happen.

  • by QuantumRiff ( 120817 ) on Thursday August 06, 2009 @06:10PM (#28979647)
    No! You do not put all your effort at one entry point. I have seen a company that was totally secure from the old "Code Red" virus because all the firewalls were updated, and public-facing servers were patched. The network guys blocked all the appropriate ports at the firewalls. Then a salesman came into the office from out at a client site, hopped on the network to check his email, and his laptop took out everyone.

    You need layers of defense, preferably from different vendors or makers.

    And really, this is Slashdot, why are you recommending Fortigate or ASA? You should be talking up Snort, or its commercial appliance version, Sourcefire.
  • You've rebuilt the Windows machines? So, now you can not at all be sure if they were part of a botnet or not.
    Chances are they were, and you've done the right thing by rebuilding them.

    I think the details about the router with its default password and no wireless security are a red herring - I've not heard of a botnet that tries to get into your network by guessing standard admin passwords for common wireless routers. More likely it was a drive-by download from a dodgy web page, or a trojan in some downloaded software, that put the malware on the machines.

  • by jafiwam ( 310805 ) on Thursday August 06, 2009 @06:18PM (#28979721) Homepage Journal
    I don't have any links, but I personally cleaned a PC that had a trojan on it that used netstat hiding tricks. I found it accidentally by looking at files I couldn't delete in the temp folder (trojans often mess with the permissions to make clean-up less likely).

    The contents of the file were a text printout of the netstat command, re-created every fifteen or so seconds, MINUS the offending connections. Just by waiting and opening the file again I got new netstat info.

    Running the command showed the contents of the text file, not the actual output of netstat. I could see traffic going on using a packet sniffer elsewhere on the network, so I knew something was up.

    Eventually just wiped and reinstalled anyway because it was faster than fighting it bit by bit.

    So, there are such things out there. Yeah, it doesn't make a whole lot of sense for them to spend much time on it, but a lot of that stuff is made from "kits" nowadays anyway, so it's not a big deal to enable the feature.
  • by Artifakt ( 700173 ) on Thursday August 06, 2009 @06:27PM (#28979827)

    I'd assume you want to limit that to a virus actually spreading in the wild and manipulating netstat where it's running on an otherwise properly working Windows box. I'm pretty confident there have been cases where a laboratory proof-of-concept manipulation of netstat, nmap, or others has been accomplished. The real question is, have any of these shown up on an actual machine in the wild, whether that machine was running a botnet or showing some other compromise, i.e. just being infected via a rootkit? For netstat, ideally, let's see an exploit that is transmitted by other methods than physically being in the same room as the PC, and infecting a machine that was behind a router and until then had both a local, wired network and internet access that worked.

    Something that can only spread to machines that are directly connected to a particular brand of cable modem and only when that device is running old firmware, or only via an improperly set up wireless connection, or where the hacker has to first gain unaccompanied physical access, isn't really much of a netstat bug, even if it affects netstat once those other conditions are first met. It's sort of like complaining that it's possible to pry a safety deposit box open with a simple crowbar, if you can just first get unaccompanied access to the vault where those boxes are kept. The real question becomes, can you get the other, preliminary conditions, or not?

  • Re:Force a failover (Score:5, Interesting)

    by billcopc ( 196330 ) <vrillco@yahoo.com> on Thursday August 06, 2009 @06:29PM (#28979843) Homepage

    Please don't make unverified claims. I have seen this happen first-hand on several residential switches (5/8 port Linksys/Acer/whatever). It's how they can get away with crapping 8 ports on an underpowered processor with piddly amounts of memory.

    There are basically 3 ways a switch can deal with ARP overload:

    1. Ditch the least recently seen address (annoying and laggy but relatively clean)
    2. Slow down, panic, and stop forwarding packets altogether (hello Linksys)
    3. Ignore ARP entirely and revert to being a dumb hub, at least temporarily until everyone shuts up

    You'd be surprised how many A+ asshats have daisy-chained those cheap switches to save a buck. I remember one guy who had a cage full of shitty old gear going into a bunch of $40 Aopen switches, because he figured it was cheaper to cram a few U's with those tiny 8-port toys than to drop real money on a bunch of FSM750s. His latency was pretty bad for 100mbit, but his brain was even slower so he cared not. Then one day he added one device too many and a true packet storm ensued, which caused his entire network to seize within minutes. One switch barfed, then another, and another... he had four or five of them per rack, times maybe ten racks. I tried to explain how retarded he was for trying to save maybe $1000 per rack, when each rack had at least 50k worth of gear, but they say ignorance is bliss.

  • Securing Linux Box? (Score:4, Interesting)

    by Lotana ( 842533 ) on Thursday August 06, 2009 @06:43PM (#28979979)

    While we are on a topic of security:

    Several months ago I started using Debian as my primary OS at home. I am very happy with it, but don't know much about how to keep it secure or how to tell if I had been compromised. Of course very basics are clear: I do not use root except in those instances of updates, etc. The consensus on this site is that if you run Linux then you are invincible, but I respectfully disagree. The system is only as secure as the competence of the user.

    To cut the long story short:

    - What do you normally do to make sure that your Linux system is clean? Is running apt-get upgrade regularly enough or is there more to it?

    - What articles or books would you recommend to a newbie in this area? I am fully willing to RTFM as such, but please at least give me at least some direction on what to search for.

    - Any other general tips, advice or wisdom would you be willing to share?

    Thank you

  • Re:Force a failover (Score:2, Interesting)

    by mysidia ( 191772 ) on Thursday August 06, 2009 @07:24PM (#28980439)

    That's rather unfounded; it's not undefined behavior, and it's well understood. The simple fact is cheap switches have such a small CAM table available that they can be filled up even in normal operation. It doesn't take very many packets per second or very many kilobytes per second to keep the table filled up, just frames with unique MAC addresses.

    Even large expensive switches can have their CAM tables filled up, and they do the same thing (but the admin has more controls to stop it).

    When an Ethernet frame arrives that has a destination MAC address not in the table, the switch will send the frame out all ports except the source port.

    In normal operation, every received Ethernet frame is inspected; if the source MAC address is not in the table, and there's room in the table, then it is added. If there is no place to store the new CAM entry, it's not stored, and the MAC address remains unknown.

    Similarly, old entries in the table will get removed (usually after about 5 minutes, if no more frames have been received from that source).

    When a switch receives a frame, and there is no CAM entry for the destination MAC addresses, the switch has to send every frame received out all ports, because it doesn't know the right destination.

    Ergo, if the CAM table has been flooded, the flood is sustained, AND the MAC address whose traffic you want to sniff is not in the table, then all other ports will receive the traffic they send.

    It is true that it's dependent on how much memory the switch has.

    There is another layer 2 attack called "ARP Injection" which is more reliable in this regard, especially when combined with CAM flooding.

    However, ARP injection is easily detected by the security concerned just by watching system logs, and there are tools to easily detect it.

    CAM flooding is harder, especially if the data sent in the Ethernet frame isn't a valid IP payload; the frames can be constructed in such a way that many ordinary packet sniffers will not detect the CAM flooding.

    The security concerned use SNMPv3 managed switches that allow forwarding table monitoring and a network management station that can detect such incidents.
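The learning, aging and flooding behaviour the comment above describes can be made concrete with a small model of a switch's forwarding table. This is an added illustration, not any vendor's firmware or code from the thread: the table size, aging time and MAC addresses are made up, and the `occupancy()` figure is the kind of value a management station polling the switch's forwarding table over SNMP would watch for the incidents the comment mentions.

```python
"""Toy model of a switch's MAC forwarding (CAM) table: a known source is learned
only while there is room, idle entries age out, frames to an unknown destination
are flooded out every other port. Sizes and timings are made up for the demo."""


class Switch:
    def __init__(self, ports, capacity, age_limit=300):
        self.ports = ports
        self.capacity = capacity      # how many MAC entries the table can hold
        self.age_limit = age_limit    # seconds an idle entry survives
        self.table = {}               # mac -> (port, last_seen)
        self.flooded = 0              # frames sent out all ports (monitoring counter)
        self.unicast = 0              # frames sent out exactly one port

    def _age_out(self, now):
        for mac in [m for m, (_, seen) in self.table.items()
                    if now - seen > self.age_limit]:
            del self.table[mac]

    def receive(self, in_port, src, dst, now):
        """Process one frame and return the list of egress ports."""
        self._age_out(now)
        # Learning: refresh a known source, or add a new one only if there is room.
        if src in self.table or len(self.table) < self.capacity:
            self.table[src] = (in_port, now)
        # Forwarding: known destination goes out one port, anything else floods.
        if dst in self.table:
            self.unicast += 1
            return [self.table[dst][0]]
        self.flooded += 1
        return [p for p in self.ports if p != in_port]

    def occupancy(self):
        """Fraction of the table in use, the figure an NMS would alarm on."""
        return len(self.table) / self.capacity


def demo():
    """Walk through normal operation, a full table, and recovery after aging."""
    sw = Switch(ports=[1, 2, 3, 4], capacity=8)
    a, b, c = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"
    # Normal operation: after one exchange both hosts are learned and
    # the next frame from A to B goes out port 2 only.
    sw.receive(1, a, b, now=0)            # B unknown yet -> flooded
    sw.receive(2, b, a, now=1)            # A known -> unicast to port 1
    normal = sw.receive(1, a, b, now=2)   # B known -> unicast to port 2
    # Table pressure: six more unique sources on port 3 use up the remaining slots.
    for i in range(6):
        sw.receive(3, f"02:00:00:00:ff:{i:02x}", b, now=3 + i)
    occupancy_full = sw.occupancy()
    # C appears on port 4 while the table is full: it cannot be learned, so
    # A's reply to C floods, and port 3 sees traffic that was never meant for it.
    sw.receive(4, c, a, now=10)
    reply_ports_full = sw.receive(1, a, c, now=11)
    # Much later the idle entries have aged out, C gets learned, and the
    # same reply from A is unicast to port 4 again.
    sw.receive(4, c, a, now=400)
    after_aging = sw.receive(1, a, c, now=401)
    return {"normal": normal, "occupancy_when_full": occupancy_full,
            "reply_ports_while_full": reply_ports_full,
            "after_aging": after_aging, "flooded_frames": sw.flooded}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```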

  • by budgenator ( 254554 ) on Thursday August 06, 2009 @08:23PM (#28980971) Journal

    Yes it does seem possible and you might even get away with it in real life, but the idea of running a 48VDC pair that also uses a 100VAC ring signal right beside your Ethernet pairs is scary. Also, every time the telephone rings it would induce a hellacious amount of electrical noise into the data pairs; it would probably shut down any data packets on the network and possibly blow out your Ethernet cards. If another technician was fanning the wires and happened to puncture his skin with them, the jolt from the 48VDC would probably make you number ten thousand dirty rotten SOB; a 100VAC ring signal would definitely make you number ten thousand dirty rotten SOB. Telephone and Ethernet really don't play well together.

  • The takeaway... (Score:5, Interesting)

    by Chysn ( 898420 ) on Thursday August 06, 2009 @09:08PM (#28981367)
    I've read this entire thread and learned that it's impossible to tell if your computer is part of a botnet.
  • by xianthax ( 963773 ) on Thursday August 06, 2009 @10:01PM (#28981737)

    Not really...

    PoE uses the two spare pairs to provide 48VDC.

    PoE+ uses the spare pairs and induces a DC offset onto the differential signal pairs, a la "phantom power".

    In either case the specified current is much higher than a phone line can provide.

    Doubtful the AC ring would have any effect; the frequency is far too low and current is extremely limited, and the differential nature of Ethernet's signaling would cancel out noise of this type anyway.

    However, the analog phone line most likely would pick up some rather obnoxious noise from the Ethernet lines. The carrier frequencies are clearly well above the audio spectrum, but you could likely hear packet bursts, like setting your cell phone next to a speaker.

  • by cboslin ( 1532787 ) on Friday August 07, 2009 @03:49AM (#28983417) Homepage

    There are some very inexpensive UPS-enabled power strips today. APC makes a bunch. Just pick one up and make sure only your hardware router/firewall and hubs (if you use them) are plugged into it. With that light a load, they will run longer than a larger UPS hooked up to your monitor and tower PC. Let's face it, if the power is out more than 30 minutes today, most home UPSs will run out of battery power before the smaller one dedicated to the modem and router/firewall. At least that has been my experience.

    I put larger UPS hardware next to my primary work tower and (servers + big screen TV) and put a smaller less expensive UPS for my routers, modem, hubs. In the last two years I lost power for longer than 30 minutes only once. It was a no brainer shutting down everything before the UPS battery was completely depleted.

    I was able to watch a 42 inch TV for 20 minutes before I had to turn it off, because the power did not come back on. So it is a pretty big UPS for a home. At least I do not have to worry about brown outs any more. The lights blink, no worries.

    I turned the larger one off about 10 - 15 minutes before the smaller one keeping the modems and router/firewall hardware up ran out of juice. (I had a firewall/router, dumb hub and cable modem on that one smaller UPS, no problems and nothing else.)

  • by Anonymous Coward on Friday August 07, 2009 @04:55AM (#28983693)

    Sorry, but this sounds like BS.

    Not only have you not provided any info on what trojan it was, what the files were, or where the files were, but why would it bother writing it to a file? It would be much more trivial to simply exclude output in netstat for the specific process ID of the trojan. Writing the netstat output to a file, erasing the entries, then modifying/replacing the netstat command to read from a file is nonsensical; at worst you'd just do it all in memory, at best you'd just do as I mentioned - skip all that BS and just do a netstat output excluding data from the required PID(s).

    The parent is right, there are really no mainstream threats in the field right now that do this. You get features like this in Linux rootkits and that sort of thing, but run-of-the-mill Windows trojans? No, it doesn't happen. Even if by some chance you did encounter this extremely nonsensically developed trojan, then it's still not something mainstream and will hence only be affecting an absolutely negligible minority of users.

    Credentials: I've spent the last 7 years manually examining, reverse engineering and clearing viruses, trojans and rootkits from Windows, Linux and Mac machines for a well known AV firm.

  • by Lord Bitman ( 95493 ) on Friday August 07, 2009 @06:25AM (#28984125)

    Indeed. I don't know why security companies don't aggressively push this kind of product for home use - sounds like a win-win for them: sell the consumer an expensive physical box /and/ charge them for monthly firmware updates. Special bonus: an external box would actually /work/ (and with the aid of a USB connection, it could boot into its own environment to do scans). Just for fun, you could throw in a "real" firewall.

    So then you'd provide:
      - Network monitoring for statistical "suspicious packet" analysis
      - Completely detached scanning which doesn't just nicely ask an infected system whether it's infected or not
      - Hardware firewall
      - A solution which potentially /works/, rather than one which is guaranteed not to

    Yet everything I've ever seen pushed to home users has been a software-only package, or just a firewall. When will I be able to tell my mom to "go buy a Norton ActuallyWorX box and plug it between your computer and router"?

  • by geminidomino ( 614729 ) * on Friday August 07, 2009 @07:55AM (#28984587) Journal

    Yah, 'cause there's no way I could just be recommending it as a favour to the guy who asked the question. Way to catch me out dude.

    +1 no-flies-on-you

    Considering that others have already pointed out that it's a "firewall" you run as software on the computer you're trying to protect (tl;dr version: snake oil), no, we're all quite certain you weren't doing him any favors.

  • by Anonymous Coward on Friday August 07, 2009 @09:18AM (#28985179)

    Ethernet was NOT designed to work with/as a "passive hub". Sure, crossover cables work great, but as someone who tried splitting things up like you suggest as a 10-year-old without money to buy a hub, I can tell you for a fact that it doesn't work. NICs (or at least all the NICs I had at the time) would start freaking out that they got their own traffic back on their receive pins.

  • by Anonymous Coward on Friday August 07, 2009 @09:21AM (#28985201)

    Aside from the fact that PSTN is meant to be in a whole, unbroken link, this could possibly work, maybe. If you didn't mind blowing cards. A lot of cards. PoE is not necessarily supported by a *large* amount of endpoints on the market.

    Mixing 5VDC and 48VDC, plus the ring signal (which, btw, is insanely noisy from every provider I've ever seen)...

    Contrary to this particular *idea*, DO NOT PLUG A TELEPHONE INTO A SWITCH/HUB/ROUTER/COMPUTERS' ETHERNET. ESPECIALLY NOT YOUR MAIN FEED FROM THE POP!
