
How do you detect a botnet? Impossible, right?


RayLopez99

Feb 18, 2010, 7:44:26 AM
http://en.wikipedia.org/wiki/Botnet

So the question arises, if 'up to a quarter of all PCs are infected by
botnets' (see Wiki above), and presumably most of these PCs have anti-
virus software, how do you detect a botnet residing on your PC?
Assume you do a thorough (full) scan of your HD using commercially
available antivirus software like Kaspersky or Webroot Antivirus.

Followup: if Bank of America's FTP servers have Zeus key logging
software on it (as says another article), does that mean when I log
onto BAC's servers to check my online bank account, that this
keylogging software is checking my password? I guess the answer is
yes.

RL

FromTheRafters

Feb 18, 2010, 8:02:19 AM
"RayLopez99" <raylo...@gmail.com> wrote in message
news:cfc2b9ca-e3cd-4e38...@k41g2000yqm.googlegroups.com...

> http://en.wikipedia.org/wiki/Botnet
>
> So the question arises, if 'up to a quarter of all PCs are infected by
> botnets' (see Wiki above), and presumably most of these PCs have anti-
> virus software, how do you detect a botnet residing on your PC?

Antimalware applications and rootkit detectors.

> Assume you do a thorough (full) scan of your HD using commercially
> available antivirus software like Kaspersky or Webroot Antivirus.

Most antivirus applications are incorporating rootkit detection and some
coverage of general malware into their capabilities. Still, I would
suggest using several antimalware (cleanup) tools and maybe even one
with active protection.

> Followup: if Bank of America's FTP servers have Zeus key logging
> software on it (as says another article), does that mean when I log
> onto BAC's servers to check my online bank account, that this
> keylogging software is checking my password? I guess the answer is
> yes.

Keyloggers log keystrokes. If *they* have a keylogger, it is *their*
keystrokes that are being logged. The implication is that *their* system
can be further compromised by use of the information gathered.

Then consider that *their* system is the one enforcing the password
based restriction policy.


Virus Guy

Feb 18, 2010, 8:25:22 AM
RayLopez99 wrote:

> So the question arises, if 'up to a quarter of all PCs are
> infected by botnets' and presumably most of these PCs have anti-

> virus software, how do you detect a botnet residing on your PC?

You remove the hard drive from a suspect PC and attach it as a slaved or
second drive to a known good / trusted PC equipped with various
on-demand malware scanning software, and you scan the slaved drive. As
a slave, if it has rootkit or viral/trojan files on it, they won't be
active and will essentially be sitting "naked" out in the open for the
anti-malware software to see.

Nomen Nescio

Feb 18, 2010, 10:10:20 AM

From: FromTheRafters...

>
> Keyloggers log keystrokes. If *they* have a keylogger, it is *their*
> keystrokes that are being logged. The implication is that *their* system
> can be further compromised by use of the information gathered.
>
> Then consider that *their* system is the one enforcing the password
> based restriction policy.

Key loggers are a plague in New Zealand.

ZEMANA Antilogger has saved my arse 3 times this year.


Ant

Feb 18, 2010, 1:25:08 PM
"RayLopez99" wrote:

> http://en.wikipedia.org/wiki/Botnet
>
> So the question arises, if 'up to a quarter of all PCs are infected by
> botnets' (see Wiki above), and presumably most of these PCs have anti-
> virus software, how do you detect a botnet residing on your PC?

Look for processes that shouldn't be running (you do know what
services, etc. are normally running and why?), look for files and
directories that shouldn't be there (you do know what your directory
structures looks like and why?), examine network traffic for anomalies
(you do observe what your computer is making connections to and
understand the reasons why?), check the registry load/launch points
for unwanted items (you are familiar with the registry and how it's
configured for your system?) and so on.

> Assume you do a thorough (full) scan of your HD using commercially
> available antivirus software like Kaspersky or Webroot Antivirus.

New malware variants appear every day which are mostly not detected
until the AV vendors catch up. Once a machine is infected, malicious
software can hide itself from anti-malware applications or disable
them.

> Followup: if Bank of America's FTP servers have Zeus key logging
> software on it (as says another article),

Which article?

> does that mean when I log
> onto BAC's servers to check my online bank account, that this
> keylogging software is checking my password? I guess the answer is
> yes.

Zeus (zbot) trojans target user PCs, not bank servers. And, yes, if
you are infected with one, any online transactions with whatever bank
or any other online service are completely unsafe.

Recent zbots create these files, where %System% on current versions of
Windows is usually C:\Windows\System32

%System%\lowsec\local.ds
%System%\lowsec\user.ds
%System%\sdra64.exe

They will be hidden if the Trojan is active and attempting to create
the lowsec subdirectory (if it's not already visible) will confirm the
infection with a message that the directory already exists.
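The file and hidden-directory check Ant describes above, as an added example that is not code from the original post. It builds the three indicator paths from %System% (falling back to a temp directory on a non-Windows analysis box, an assumption made so it runs anywhere) and implements the "mkdir says it already exists" probe: if the directory API denies lowsec exists but creating it fails with "already exists", something is hiding it. The filesystem calls are parameters so the hidden case can be exercised without a live rootkit; when the directory is genuinely absent the probe creates and immediately removes it.

```python
"""Probe for the zbot file indicators listed in the thread, including the
"create it and see if Windows says it already exists" trick for a directory
that an active Trojan hides from directory listings.

Added example, not from the thread. Run it as an administrator on the
suspect machine; on a non-Windows box it falls back to a scratch directory.
"""
import os
import tempfile

# File names quoted in the thread; %System% is normally C:\Windows\System32.
ZBOT_RELATIVE_PATHS = (
    os.path.join("lowsec", "local.ds"),
    os.path.join("lowsec", "user.ds"),
    "sdra64.exe",
)


def system_dir():
    """%System% on Windows; elsewhere a temp dir (assumption so it runs anywhere)."""
    root = os.environ.get("SystemRoot")
    if root:
        return os.path.join(root, "System32")
    return tempfile.gettempdir()


def zbot_indicators(base):
    """Absolute paths of the zbot artefacts under the given %System%."""
    return [os.path.join(base, rel) for rel in ZBOT_RELATIVE_PATHS]


def probe_directory(path, isdir=os.path.isdir, mkdir=os.mkdir, rmdir=os.rmdir):
    """Classify a directory as 'visible', 'absent', 'hidden' or 'unknown'.

    'hidden' is the interesting case: the listing API says the directory is
    not there, yet creating it fails with "already exists". That is the
    symptom described for an active zbot hiding its lowsec directory.
    The filesystem calls are injectable so the hidden case can be tested
    without a rootkit.
    """
    if isdir(path):
        return "visible"
    try:
        mkdir(path)
    except FileExistsError:
        return "hidden"
    except OSError:
        return "unknown"  # e.g. permission denied: no conclusion either way
    # The probe created it, so remove it again.
    rmdir(path)
    return "absent"


def scan(base=None):
    """Return {path: status} for the file indicators plus the lowsec probe."""
    base = base or system_dir()
    report = {}
    for path in zbot_indicators(base):
        report[path] = "present" if os.path.exists(path) else "absent"
    lowsec = os.path.join(base, "lowsec")
    report[lowsec] = probe_directory(lowsec)
    return report


if __name__ == "__main__":
    for path, status in scan().items():
        print(f"{status:8s} {path}")
```

A "present" file or a "hidden" directory is a strong sign; an all-clear is weaker, since, as Ant notes in the same post, an active infection can also hide from or disable the tool doing the looking.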


Bad Boy Charlie

Feb 18, 2010, 1:40:05 PM

Good reply Ant especially the obvious innuendo that all users should
know what processes and apps are normally running and to be aware of
apps and processes you don't recognize. I do just that and have for
some time. I can say that Task Manager/Processes is our friend....good
answer.

Even though many of us (especially those of us on Usenet) have some
measure of technical savvy I long for the day when PCs can be run as
innocently as the kitchen toaster for everyone's ease of use and so they
can get more work or play done without needing to be a cyber cop on
patrol of their own PC.

RayLopez99

Feb 18, 2010, 1:55:54 PM
On Feb 18, 3:02 pm, "FromTheRafters" <erra...@nomail.afraid.org>
wrote:
> "RayLopez99" <raylope...@gmail.com> wrote in message

>
> news:cfc2b9ca-e3cd-4e38...@k41g2000yqm.googlegroups.com...
>
> >http://en.wikipedia.org/wiki/Botnet
>
> > So the question arises, if 'up to a quarter of all PCs are infected by
> > botnets' (see Wiki above), and presumably most of these PCs have anti-
> > virus software, how do you detect a botnet residing on your PC?
>
> Antimalware applications and rootkit detectors.
>
> > Assume you do a thorough (full) scan of your HD using commercially
> > available antivirus software like Kaspersky or Webroot Antivirus.
>
> Most antivirus applications are incorporating rootkit detection and some
> coverage of general malware into their capabilities. Still, I would
> suggest using several antimalware (cleanup) tools and maybe even one
> with active protection.
>

OK thanks. I am using Webroot and I also use Kaspersky for my other
PC. According to a report ( http://www.av-comparatives.org/images/stories/test/ondret/avc_report22.pdf
) they score fairly OK (slightly below average or average, with 30-50%
coverage, which sounds lousy but apparently that's about par).


> > Followup:  if Bank of America's FTP servers have Zeus key logging
> > software on it (as says another article), does that mean when I log
> > onto BAC's servers to check my online bank account, that this
> > keylogging software is checking my password?  I guess the answer is
> > yes.
>
> Keyloggers log keystrokes. If *they* have a keylogger, it is *their*
> keystrokes that are being logged. The implication is that *their* system
> can be further compromised by use of the information gathered.
>
> Then consider that *their* system is the one enforcing the password
> based restriction policy.

Good point--I never thought of that. So their keystrokes, not mine,
are at issue.

RL

RayLopez99

Feb 18, 2010, 1:57:51 PM

OK, sounds reasonable. But what if you don't have a clean PC? I
assume that commercial antivirus s/w with some root kit detectors must
have a way of finding these malware, but then again (see my reply
above) their success rate is at best less than 50%, so their technique
is not foolproof.

RL

Ant

Feb 18, 2010, 3:48:35 PM
"Bad Boy Charlie" wrote:

> On Thu, 18 Feb 2010 18:25:08 -0000, "Ant" wrote:
>>"RayLopez99" wrote:
>>> Followup: if Bank of America's FTP servers have Zeus key logging
>>> software on it (as says another article),
>>
>>Which article?

So who's claiming BoA servers are compromised?

> Good reply Ant especially the obvious innuendo that all users should
> know what processes and apps are normally running and to be aware of
> apps and processes you don't recognize.

If they don't understand the system, then better to get a competent
technician to sort it out.

> I do just that and have for
> some time. I can say that Task Manager/Processes is our friend....good
> answer.

It's a start but won't necessarily indicate infected legitimate
processes (code injection) or show malicious drivers (rootkits) at
work.

> Even though many of us (especially those of us on Usenet) have some
> measure of technical savvy I long for the day when PCs can be run as
> innocently as the kitchen toaster for everyone's ease of use and so they
> can get more work or play done without needing to be a cyber cop on
> patrol of their own PC.

I can't see that ever happening. As long as people are free to run any
code they wish on their systems there's always a risk. A PC is not
just another appliance or entertainment centre, much as companies like
Microsoft would like the general public to think so. The more complex
and sophisticated these devices get the more opportunities arise for
exploitation. Take cell phones, for example; they have an operating
system, all sorts of code widgets that can run on them and have been
subject to attack.


FromTheRafters

Feb 18, 2010, 3:57:56 PM
"RayLopez99" <raylo...@gmail.com> wrote in message
news:5a1db053-534c-47ca...@f29g2000yqa.googlegroups.com...

OK thanks. I am using Webroot and I also use Kaspersky for my other
PC. According to a report (
http://www.av-comparatives.org/images/stories/test/ondret/avc_report22.pdf
) they score fairly OK (slightly below average or average, with 30-50%
coverage, which sounds lousy but apparently that's about par).

***
It is hard for an outstanding virus detection engine to stand out when
it is additionally expected to not only detect non-replicating malware
samples, but clean-up after the fact of infestation. Your choices of
protection should address your choices of behavior. Personally, I
wouldn't base my choice of AV on its clean-up capabilities - it's like
choosing a bodyguard based on his EMT skills.

Instead, adhere to strict policies and you can restrict the window of
opportunity for most kinds of malware (trusted downloads only (most
trojans), frequent software updates (exploit based worms)) and your
on-access antivirus will probably never see anything viral to alert on.
***

> > Followup: if Bank of America's FTP servers have Zeus key logging
> > software on it (as says another article), does that mean when I log
> > onto BAC's servers to check my online bank account, that this
> > keylogging software is checking my password? I guess the answer is
> > yes.
>
> Keyloggers log keystrokes. If *they* have a keylogger, it is *their*
> keystrokes that are being logged. The implication is that *their*
> system
> can be further compromised by use of the information gathered.
>
> Then consider that *their* system is the one enforcing the password
> based restriction policy.

Good point--I never thought of that. So their keystrokes, not mine,
are at issue.

***
Yes, if the keyloggers are indeed on their system.

Some keyloggers (maybe even this one) can also log keys struck on the
OSK (On Screen Keyboard Start - Run - osk to see what I mean) so even a
server without a keyboard attached can have an operational keylogger.

Can you point me to the story about B o' A's keyloggers?
***


David H. Lipman

Feb 18, 2010, 5:22:14 PM
From: "RayLopez99" <raylo...@gmail.com>

| http://en.wikipedia.org/wiki/Botnet

| RL

BotHunter by SRI funded by US Army RDECOM

http://www.bothunter.net/

Is a good answer to the post's question...
How do you detect a botnet ?

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


RayLopez99

Feb 18, 2010, 6:07:55 PM
On Feb 18, 10:48 pm, "Ant" <n...@home.today> wrote:
> "Bad Boy Charlie" wrote:
> > On Thu, 18 Feb 2010 18:25:08 -0000, "Ant" wrote:
> >>"RayLopez99" wrote:
> >>> Followup:  if Bank of America's FTP servers have Zeus key logging
> >>> software on it (as says another article),
>
> >>Which article?
>
> So who's claiming BoA servers are compromised?

An article on the web, referencing Zeus, which has made the news
recently due to some corporate networks being hacked.

>
> > Good reply Ant especially the obvious innuendo that all users should
> > know what processes and apps are normally running and to be aware of
> > apps and processes you don't recognize.
>
> If they don't understand the system, then better to get a competent
> technician to sort it out.

OK, but I am not in a position to hire you, as I'm not a Fortune 500
company. I do have a decent understanding of PCs, and have built
quite a few from scratch and program as well. But to assume that a
commercial program is less competent in catching viruses than I is a
bit of a stretch and hubris. I will stay with Kaspersky and hope for
the best.

RL

RayLopez99

Feb 18, 2010, 6:11:02 PM
On Feb 18, 10:57 pm, "FromTheRafters" <erra...@nomail.afraid.org>
wrote:

> ***
> It is hard for an outstanding virus detection engine to stand out when
> it is additionally expected to not only detect non-replicating malware
> samples, but clean-up after the fact of infestation. Your choices of
> protection should address your choices of behavior. Personally, I
> wouldn't base my choice of AV on its clean-up capabilities - it's like
> choosing a bodyguard based on his EMT skills.
>
> Instead, adhere to strict policies and you can restrict the window of
> opportunity for most kinds of malware (trusted downloads only (most
> trojans), frequent software updates (exploit based worms)) and your
> on-access antivirus will probably never see anything viral to alert on.
> ***

Either that or the viruses are too slick. For example, I've often
thought (being a programmer myself) how easy it would be to create a
button that looks like a "close X" at the upper right hand corner of
the window, and when you click on it, it activates something.

> Can you point me to the story about B o' A's keyloggers?
>

It was a web article, I think UK, and it did not name sources.
Apparently (said the article) corporations like in the recent Zeus
mass attack are reluctant to publicize their security breaches.

RL


RayLopez99

Feb 18, 2010, 6:31:25 PM
On Feb 19, 1:20 am, ASCII <m...@privacy.net> wrote:

> RayLopez99 wrote:
>
> >Either that or the viruses are too slick.  For example, I've often
> >thought (being a programmer myself) how easy it would be to create a
> >button that looks like a "close X" at the upper right hand corner of
> >the window, and when you click on it, it activates something.
>
> That would also intercept an [alt+F4] entry?
> --


Well that's a slick workaround that escaped me. You're right in that
software cannot (at the Windows level) easily affect the keyboard--
I've tried and it's not possible. Probably on purpose by MSFT as a
security precaution. You can read keys depressed of course, but
manipulating the keyboard so that ALT+F4 will do something other than
close the window is nigh impossible, at least using the tools provided
to you by Visual Studio IDE, and therefore for most programs written
for Windows (Forms, WPF, Silverlight, ASP, etc).

RL

FromTheRafters

Feb 18, 2010, 7:43:39 PM
"RayLopez99" <raylo...@gmail.com> wrote in message
news:f8f580d8-7bef-4411...@o30g2000yqb.googlegroups.com...

On Feb 18, 10:57 pm, "FromTheRafters" <erra...@nomail.afraid.org>
wrote:
> ***
> It is hard for an outstanding virus detection engine to stand out when
> it is additionally expected to not only detect non-replicating malware
> samples, but clean-up after the fact of infestation. Your choices of
> protection should address your choices of behavior. Personally, I
> wouldn't base my choice of AV on its clean-up capabilities - it's like
> choosing a bodyguard based on his EMT skills.
>
> Instead, adhere to strict policies and you can restrict the window of
> opportunity for most kinds of malware (trusted downloads only (most
> trojans), frequent software updates (exploit based worms)) and your
> on-access antivirus will probably never see anything viral to alert
> on.
> ***

Either that or the viruses are too slick. For example, I've often
thought (being a programmer myself) how easy it would be to create a
button that looks like a "close X" at the upper right hand corner of
the window, and when you click on it, it activates something.

***
It's being done. Some scripted messagebox with a "Yes", "No", "Cancel"
and an "X" in the corner - all of which act like "Yes". I've even heard
of some that get a "Yes" from right clicking the task bar icon and
choosing the "X" though I can't confirm this. Most times it is
recommended to use TaskMan to end the process or application generating
the messagebox.
***


David Kaye

Feb 19, 2010, 5:38:37 AM
RayLopez99 <raylo...@gmail.com> wrote:

>So the question arises, if 'up to a quarter of all PCs are infected by

>botnets' (see Wiki above), [....]

I think that's a wrong assumption. The only computers I see (besides the
occasional HD or video card replacement) are those with malware problems, and
I see very few bots. Mostly I see adware.

Now I did have a situation a year ago where a mail server from a frozen food
company in the Midwest kept hitting my home router. It was a new router, so
best I could determine was that the DHCP address I got with the new router had
belonged to someone the bot was trying to hit.

As to how to detect, you need a port scanner to look at your connections.
Also, Zone Alarm is an interesting firewall in that it will warn you about
each incoming or outgoing connection attempt that you haven't authorized.

RayLopez99

Feb 19, 2010, 12:55:54 PM
On Feb 19, 12:38 pm, sfdavidka...@yahoo.com (David Kaye) wrote:

Very interesting. My definition of botnet: I assumed it was a server
that inserted a virus into your computer (the client). So if you
don't have the virus on your machine, you are not part of a botnet.

The Wiki article of 25% is an exaggeration then, noted.

RL

FromTheRafters

Feb 19, 2010, 3:31:34 PM
"RayLopez99" <raylo...@gmail.com> wrote in message
news:7688778b-0245-49d4...@15g2000yqi.googlegroups.com...

On Feb 19, 12:38 pm, sfdavidka...@yahoo.com (David Kaye) wrote:
> RayLopez99 <raylope...@gmail.com> wrote:
> >So the question arises, if 'up to a quarter of all PCs are infected
> >by
> >botnets' (see Wiki above), [....]
>
> I think that's a wrong assumption. The only computers I see (besides
> the
> occasional HD or video card replacement) are those with malware
> problems, and
> I see very few bots. Mostly I see adware.

***
That's probably because 88% of all PCs harbor adware. :oD

(that 88% is just a wild guess BTW)
***

Very interesting. My definition of botnet: I assumed it was a server
that inserted a virus into your computer (the client). So if you
don't have the virus on your machine, you are not part of a botnet.

***
It is best not to use the term "virus" as the all encompassing term for
malware, use the term malware instead.

Usually, it is a "trojan" getting executed on the machine that gives you
the "bot" that makes you a participant in the "botnet". A "trojan" is a
non-replicating malware program in this sense. Often, in the lifecycle
of a botnet, an exploit based "worm" will be used to help distribute the
malware to new territories (Conficker) - in this sense, it is a virus
(or worm) ... until it goes back to being just a bot (which is bad
enough in itself).
***


David H. Lipman

Feb 19, 2010, 5:16:35 PM
From: "RayLopez99" <raylo...@gmail.com>


| Very interesting. My definition of botnet: I assumed it was a server
| that inserted a virus into your computer (the client). So if you
| don't have the virus on your machine, you are not part of a botnet.

| The Wiki article of 25% is an exaggeration then, noted.

| RL

NO !

A botnet is a group of infected computers (via virus or trojan) that are controlled by a
central operator(s) where the Command and Control (Aka; C&C or C2) tells the 'bots what to
do and how to act.

There are botnets that perform spam.

There are botnets that perform a DDoS on specified sites.

Botnets in whole or in part can be bought, sold or leased.

FromTheRafters

Feb 19, 2010, 5:33:19 PM
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:hln2k...@news3.newsguy.com...

> From: "RayLopez99" <raylo...@gmail.com>
>
>
> | Very interesting. My definition of botnet: I assumed it was a
> server
> | that inserted a virus into your computer (the client). So if you
> | don't have the virus on your machine, you are not part of a botnet.
>
> | The Wiki article of 25% is an exaggeration then, noted.
>
> | RL
>
> NO !
>
> A botnet is a group of infected computers (via virus or trojan) that
> are controlled by a
> central operator(s) where the Command and Control (Aka; C&C or C2)
> tells the 'bots what to
> do and how to act.
>
> There are botnets that perform spam.
>
> There are botnets that perform a DDoS on specified sites.

Did you leave out folding protein math and looking for E.T. on purpose?
:oD

Did Wiki?


RayLopez99

Feb 20, 2010, 7:42:25 PM
On Feb 20, 12:33 am, "FromTheRafters" <erra...@nomail.afraid.org>
wrote:
> "David H. Lipman" <DLipman~nosp...@Verizon.Net> wrote in

> > There are botnets that perform spam.
>
> > There are botnets that perform a DDoS on specified sites.
>
> Did you leave out folding protein math and looking for E.T. on purpose?
> :oD
>
> Did Wiki?

I think that's the key. Any client in a server is potentially a
"botnet", broadly defined. So the Wiki stat is probably a 'high'
number.

RL

FromTheRafters

Feb 20, 2010, 8:23:49 PM

"RayLopez99" <raylo...@gmail.com> wrote in message
news:e67c54de-2ada-40dc...@upsg2000gro.googlegroups.com...

***
I was only joking about wiki. Since the word "infected" was used, it is
clear that they were writing about bots that run on stolen computing
power.
***


David Kaye

Feb 20, 2010, 9:09:30 PM
"FromTheRafters" <err...@nomail.afraid.org> wrote:

>I think that's the key. Any client in a server is potentially a
>"botnet", broadly defined. So the Wiki stat is probably a 'high'
>number.

But only if it is being controlled by a server. A good portscan or the
warning messages from a firewall such as ZoneAlarm would show immediately
whether a computer was acting as a bot or not.

Shut down any browsers, Outlook, etc., go away for 10 minutes. Run the
portscan and see what dot-quad addresses are being accessed. Should only be
your router and maybe Apple (if you've installed iTunes or QuickTime) and
maybe Adobe if you have an Adobe product, etc. A good port scanner will
resolve the addresses for you and tell you what your connections are looking
at. If some dot-quads don't resolve to domain names or the domain name ends
in .ch (China), .ru (Russia), .pl (Poland), etc., then you're in trouble. You
likely have a bot.

As I said earlier, very few of my malware customers have these, which is why I
dispute the 88% or 92% or whatever figures. I'm just not seeing many of them.

I suspect that most of this bot activity is taking place not on the majority
of home computers but on computers people don't look at very often such as web
servers, mail servers, etc.


RayLopez99

Feb 21, 2010, 6:57:14 AM
On Feb 21, 4:09 am, sfdavidka...@yahoo.com (David Kaye) wrote:

Interesting, thanks. I am using Webroot, which has a firewall and
virus engine (Sophos licensed) but I guess it doesn't have a port
scan. However, if your clients are not 100% savvy (otherwise they
would not need your expertise) then you can safely say that most of
the time bots are not running on people's machines that run 'ordinary'
virus/firewall commercial packages (I trust almost all of your clients
are running some kind of such package, as it's nearly inconceivable
that they are not). So from these two facts we can deduce that bots
are not as common as stated on Wiki--for "people occupied" PCs that
are not running unattended as servers. So likely I don't have a bot
either. I do have a firewall "Look-n-stop" and on occasion I check
out the IP address on Whois.

Today I notice a slightly suspicious looking entry:
ppp-124-120-170-40.revip2.asian ??? What can this be?

But it's probably nothing (I think).

RL

Ant

Feb 21, 2010, 1:34:17 PM
"RayLopez99" wrote:

> On Feb 21, 4:09 am, (David Kaye) wrote:
>> I suspect that most of this bot activity is taking place not on the majority
>> of home computers but on computers people don't look at very often such as web
>> servers, mail servers, etc.

I don't agree. Servers are more likely to be better managed than end-
user machines. There are also many more home PCs than servers.

> Today I notice a slightly suspicious looking entry:
> ppp-124-120-170-40.revip2.asian ??? What can this be?

You truncated the name, which is:
ppp-124-120-170-40.revip2.asianet.co.th

The IP address (124.120.170.40) associated with that generically-named
host belongs to trueinternet.co.th, an ISP in Thailand. It's the kind
of name that gets assigned to home user IPs.

You should be highly suspicious of it. Find out what process owns the
connection.


John Mason Jr

Feb 21, 2010, 1:37:09 PM


You say portscan, but it sounds more like the output from something like
netstat, or tcpview.

But once the machine is compromised you can't trust the output of any
installed program, without making sure the program or configuration
hasn't been altered.

I do agree folks should understand the normal behavior of their machine
so they can spot abnormalities.

The stats can be difficult to generate, since only the owners that
notice a problem do something about it, and the data is proprietary for
many companies.

John


David Kaye

Feb 21, 2010, 4:25:44 PM
ASCII <m...@privacy.net> wrote:

>Not to quibble but [ch] is the Confoederatio Helvetica or Switzerland,
>whereas China is [cn]

I'm sorry, I meant .cn not .ch.

David Kaye

Feb 21, 2010, 4:30:54 PM
"Ant" <n...@home.today> wrote:

>I don't agree. Servers are more likely to be better managed than end-
>user machines. There are also many more home PCs than servers.

But sysadmins tend not to personally use their mail and web servers very
often. Sure, they'll login from time to time, but they're not going to be
using them intensely with word processing, spreadsheets, web browsing, etc.,
and thus are not likely to find slowdowns, suspicious disk activity, freaky
behavior. But people who use home computers are going to find these things
quickly.

And again, I deal with new customers all the time who have malware infections
and seldom do I see bots. These are random people who call me via one of my
yellow pages ads. They call when they have problems. But well over 90% of
them do not have bots on their systems.

RayLopez99

Feb 21, 2010, 7:36:16 PM

Meaning what? Gets assigned legally? Or nefariously?

>
> You should be highly suspicious of it. Find out what process owns the
> connection.

Too late--it did not show up when I rebooted. It's gone. Is it
possible that bots only "spring to life" certain hours of the day or
week?

You're scaring me Ant. Do you recommend what product for scanning? I
am running XP pro on an old Pentium IV machine with a couple of Gigs
RAM. It's old but works. I cannot upgrade to Vista / 7 on this
machine. So will some (old) version of ZOne Alarm work? I heard bad
things about Zone Alarm when it has a certain version that was akin to
malware (hard to uninstall as I recall). Is Zone Alarm any good
anymore? Or something else?

Thanks,

RL

RayLopez99

Feb 21, 2010, 7:38:48 PM

This is interesting. A malware infection would be what, typically?
Something like a program that tracks your internet surfing habits, but
resides outside the browser so you cannot flush it clean?

Also what ZoneAlarm type port sniffing / firewall program do you
recommend for an XP running on Pentium IV with 2 GB ram?

RL

David Kaye

Feb 21, 2010, 8:00:01 PM
RayLopez99 <raylo...@gmail.com> wrote:

>This is interesting. A malware infection would be what, typically?
>Something like a program that tracks your internet surfing habits, but
>resides outside the browser so you cannot flush it clean?

Most of them have been adware, trying to get people to spend $$ to "disinfect"
their computers. About 1/4 have been redirects where the browser or the DNS
are redirected to fake search sites either for phishing or to gain click
money.

I really see very little bot or keylogger activity. Most of my customers are
small entrepreneurs and consultants, many of them seniors. Your results may
vary.

FromTheRafters

Feb 21, 2010, 9:36:48 PM
"David Kaye" <sfdavi...@yahoo.com> wrote in message
news:hls8me$plc$1...@news.eternal-september.org...

...but you can't say anything about the ones that you don't see. Bots
might not cause any symptoms for the home user to see. They don't
complain about strange behavior because there *is* no strange behavior.
Think of a bot as an application running in the background mostly
waiting for instructions, not like a worm gobbling up your resources to
spread itself or adware getting 'in your face'.


Ant

Feb 21, 2010, 11:02:33 PM
"RayLopez99" wrote:

> On Feb 21, 8:34 pm, "Ant" wrote:
>> ppp-124-120-170-40.revip2.asianet.co.th
>>
>> The IP address (124.120.170.40) associated with that generically-named
>> host belongs to trueinternet.co.th, an ISP in Thailand. It's the kind
>> of name that gets assigned to home user IPs.

> Meaning what? Gets assigned legally? Or nefariously?

It means the connection is likely to be nefarious. Why is some unknown
user connecting to you (or you connecting to them)? You wouldn't see a
name like that for a say, a legitimate website in Thailand you had
just visited. However, it could be you visited a site hosted on some
user's home PC. The prefix 'ppp' (point to point protocol, I believe)
gives it away. That's the kind of name assigned to dialup users and
certainly not regular hosting services. You know it's not your own
because yours has this format: athedsl-4482237.home.otenet.gr
and suggests you're a home user on (A)DSL, perhaps near Athens?

>> You should be highly suspicious of it. Find out what process owns the
>> connection.

> Too late--it did not show up when I rebooted. It's gone. Is it
> possible that bots only "spring to life" certain hours of the day or
> week?

Yes, that can happen.

> You're scaring me Ant. Do you recommend what product for scanning?

Hopefully, someone else can advise since I don't use any! How well do
you know the registry? Autoruns from Sysinternals (now Microsoft) is
useful to see what starts automatically. My only defence is knowing
my system inside-out; e.g. what drivers load and other programs run in
a normal configuration, what files are supposed to be in the system
directories and other places and what they look like internally, etc.
Plus visually monitoring all connections while online (I'm only ever
physically connected for very short periods). I'm also pretty familiar
with malware, as most days I'm disassembling it.

> I
> am running XP pro on an old Pentium IV machine with a couple of Gigs
> RAM. It's old but works. I cannot upgrade to Vista / 7 on this
> machine.

Nothing wrong with that and no point installing a new OS on an older
PC. I'm still running Win2k on my internet facing PC and only use XP
for testing - it's on a faster machine but runs slower!

> So will some (old) version of Zone Alarm work? I heard bad
> things about Zone Alarm when it has a certain version that was akin to
> malware (hard to uninstall as I recall). Is Zone Alarm any good
> anymore? Or something else?

Isn't XP's built-in "firewall" any use here? I've not really looked at
it. Of course, none of this packet filtering software is any good if
you're already infected.


David Kaye

Feb 22, 2010, 1:04:01 AM2/22/10
"FromTheRafters" <err...@nomail.afraid.org> wrote:

>Think of a bot as an application running in the background mostly
>waiting for instructions, not like a worm gobbling up your resources to
>spread itself or adware getting 'in your face'.

I know what a bot is, thank you very much.

FromTheRafters

Feb 22, 2010, 7:25:54 AM2/22/10
"David Kaye" <sfdavi...@yahoo.com> wrote in message
news:hlt6og$3us$2...@news.eternal-september.org...

Then what makes you think they would manifest themselves as "slowdowns,
suspicious disk activity, freaky behavior."? You could be hosting a bot
without *any* user noticeable symptoms.


David H. Lipman

Feb 22, 2010, 4:16:15 PM2/22/10
From: "FromTheRafters" <err...@nomail.afraid.org>

Often the ONLY indication is "beaconing" to a foreign host.

FromTheRafters

Feb 22, 2010, 9:33:09 PM2/22/10
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:hlus7...@news3.newsguy.com...

> From: "FromTheRafters" <err...@nomail.afraid.org>
>
> | "David Kaye" <sfdavi...@yahoo.com> wrote in message
> | news:hlt6og$3us$2...@news.eternal-september.org...
>>> "FromTheRafters" <err...@nomail.afraid.org> wrote:
>
>>>>Think of a bot as an application running in the background mostly
>>>>waiting for instructions, not like a worm gobbling up your resources
>>>>to
>>>>spread itself or adware getting 'in your face'.
>
>>> I know what a bot is, thank you very much.
>
> | Then what makes you think they would manifest themselves as
> "slowdowns,
> | suspicious disk activity,
> | freaky behavior."? You could be hosting a bot without *any* user
> | noticeable symptoms.
>
>
>
> Often the ONLY indication is "beaconing" to a foreign host.

Something not at all obvious to the casual observer. Bots share that
trait with the slow polymorphic virus - if you don't draw attention to
yourself, it is a clear advantage in stickiness - hiding yourself (and
your activities), even more so.


David H. Lipman

Feb 22, 2010, 9:46:23 PM2/22/10
From: "FromTheRafters" <err...@nomail.afraid.org>


Yes and in this case the rate of beaconing can further limit detection.

David Kaye

Feb 23, 2010, 5:27:43 AM2/23/10
"FromTheRafters" <err...@nomail.afraid.org> wrote:

>Then what makes you think they would manifest themselves as "slowdowns,
>suspicious disk activity, freaky behavior."? You could be hosting a bot
>without *any* user noticeable symptoms.

Could, but most of this malware is written so badly that it's usually evident.
I used to write software for a living. 20% of the time was spent writing
software and 80% was spent debugging. It's hard to write good code that will
work well on all flavors of Windows with all kinds of hardware. Malware
writers generally want to get it written and out the door; debugging is the
least of their concerns. If it runs on 1% of the infected computers they're
happy.

RayLopez99

Feb 23, 2010, 12:37:20 PM2/23/10
On Feb 22, 6:02 am, "Ant" <n...@home.today> wrote:
> "RayLopez99" wrote:
> > On Feb 21, 8:34 pm, "Ant" wrote:
> >> ppp-124-120-170-40.revip2.asianet.co.th
>
> >> The IP address (124.120.170.40) associated with that generically-named
> >> host belongs to trueinternet.co.th, an ISP in Thailand. It's the kind
> >> of name that gets assigned to home user IPs.
> > Meaning what?  Gets assigned legally?  Or nefariously?
>
> It means the connection is likely to be nefarious. Why is some unknown
> user connecting to you (or you connecting to them)? You wouldn't see a
> name like that for, say, a legitimate website in Thailand you had
> just visited. However, it could be you visited a site hosted on some
> user's home PC. The prefix 'ppp' (point to point protocol, I believe)
> gives it away. That's the kind of name assigned to dialup users and
> certainly not regular hosting services. You know it's not your own
> because yours has this format: athedsl-4482237.home.otenet.gr
> and suggests you're a home user on (A)DSL, perhaps near Athens?

Yes, that's right.


>
> >> You should be highly suspicious of it. Find out what process owns the
> >> connection.
> > Too late--it did not show up when I rebooted.  It's gone.  Is it
> > possible that bots only "spring to life" certain hours of the day or
> > week?
>
> Yes, that can happen.

But unlikely? Less than 5% or even 1%?

>
> > You're scaring me Ant.  Do you recommend what product for scanning?
>
> Hopefully, someone else can advise since I don't use any! How well do
> you know the registry? Autoruns from Sysinternals (now Microsoft) is
> useful to see what starts automatically. My only defence is knowing
> my system inside-out; e.g. what drivers load and other programs run in
> a normal configuration, what files are supposed to be in the system
> directories and other places and what they look like internally, etc.
> Plus visually monitoring all connections while online (I'm only ever
> physically connected for very short periods). I'm also pretty familiar
> with malware, as most days I'm disassembling it.

You're the man I need to talk to then! I code for fun, but using the
Visual Studio .NET family of languages it's hard to get to the system
level, which I take it malware writers are working at.

Here's another one I 'found' today using LookNStop's firewall log on
my XP machine--either my machine is completely full of malware (and I
run Webroot antivirus and malware remover almost daily, full scan), or
this is another false positive: host-79-121-44-74.kabelnet.hu

Which Whois says is some website server in Hungary:
host-79-121-44-74.kabelnet.hu

Now I don't remember visiting any Hungarian website, but since Greece
is near Hungary, it's possible my DSL provider somehow links to them
maybe? Or something like that.

>
> > I
> > am running XP pro on an old Pentium IV machine with a couple of Gigs
> > RAM.  It's old but works.  I cannot upgrade to Vista / 7 on this
> > machine.
>
> Nothing wrong with that and no point installing a new OS on an older
> PC. I'm still running Win2k on my internet facing PC and only use XP
> for testing - it's on a faster machine but runs slower!

I hear you. Check out my flamebait in computer.os.linux.advocacy on
this theme (an old machine that runs fine on Win2k but I could not get
it to work in Linux--which is too resource heavy for it right now--
another example of 'if it ain't broke don't fix it', though in this
case it was an old PC I was going to trash anyway so no big loss).

>
> > So will some (old) version of Zone Alarm work?  I heard bad
> > things about Zone Alarm when it has a certain version that was akin to
> > malware (hard to uninstall as I recall).  Is Zone Alarm any good
> > anymore?  Or something else?
>
> Isn't XP's built-in "firewall" any use here? I've not really looked at
> it. Of course, none of this packet filtering software is any good if
> you're already infected.

But using the Thai and Hungary examples, how do you know if these
sites are innocent or not? Very complicated. I also see in this
thread the post by David Kaye that most malware is badly written, and
this seems to make sense to me as an amateur coder, so perhaps the
stuff caught by commercial anti-malware / AV products (and they catch
less than 50% according to the report I cited in this thread), they
are only catching the 'obvious' (badly written) malware / viruses?

The more I know about this topic the stupider I feel, LOL.

RL


Ant

Feb 24, 2010, 1:45:55 AM2/24/10
"RayLopez99" wrote:

> On Feb 22, 6:02 am, "Ant" wrote:


>> "RayLopez99" wrote:
>>> Too late--it did not show up when I rebooted. It's gone. Is it
>>> possible that bots only "spring to life" certain hours of the day or
>>> week?
>>
>> Yes, that can happen.
>
> But unlikely? Less than 5% or even 1%?

Not unlikely and I would say it's common with bots. They don't so much
go by the time of day but a sleep period which may be anything from a
few minutes to several hours.

>> I'm also pretty familiar
>> with malware, as most days I'm disassembling it.
>
> You're the man I need to talk to then! I code for fun, but using
> Visual Studio .NET family of languages it's hard to get to the system
> level, which I take it malware writers are working at.

Yes, you don't see that many .NET executables. It's sometimes useful
for code obfuscation but they can't rely on users having the correct
run-time libraries installed. Language preferences tend to be C/C++ or
assembly and malware writers often like to use undocumented functions
at the lowest level exported from ntdll.dll.

> Here's another one I 'found' today using LookNStop's firewall log on
> my XP machine--either my machine is completely full of malware (and I
> run Webroot antivirus and malware remover almost daily, full scan), or
> this is another false positive: host-79-121-44-74.kabelnet.hu
>
> Which Whois says is some website server in Hungary:
> host-79-121-44-74.kabelnet.hu

Another end user. There are no services (e.g. web server) running on
that host unless it's using unconventional ports.

> Now I don't remember visiting any Hungarian website, but since Greece
> is near Hungary, it's possible my DSL provider somehow links to them
> maybe? Or something like that.

No, not your ISP. I thought you may be seeing these as active
connections with something like netstat but you're looking at firewall
logs. In that case, it may be just background noise or infected PCs
trying to make contact which the firewall blocked. The log should
indicate whether incoming or outgoing and if blocked or not.

> But using the Thai and Hungary examples, how do you know if these
> sites are innocent or not? Very complicated.

They're not "sites" as such but end-user PCs and, innocent or not,
if you didn't initiate the connection your machine should not
communicate with them. As long as they're incoming connection attempts
and your firewall is blocking them, you have nothing to worry about.

> I also see in this
> thread the post by David Kaye that most malware is badly written, and
> this seems to make sense to me as an amateur coder,

Most is written well enough to do damage and some is very well written
in that it efficiently does its job and can have experts puzzled for a
while. Certainly not what you would call amateur. Organised crime pays
good money for talented coders.

> so perhaps the
> stuff caught by commercial anti-malware / AV products (and they catch
> less than 50% according to the report I cited in this thread), they
> are only catching the 'obvious' (badly written) malware / viruses?

It's not to do with how good or bad the code is. A lot of malware is
wrapped in polymorphic packers or obfuscators so every sample (of the
same underlying executable) is different. It's impossible for
signature-based detection to keep up with this and, even with
heuristics, once AV products start to reliably detect it the authors
will modify the packing engine. They also submit samples to places
like Virus Total to check their work.


RayLopez99

Feb 24, 2010, 6:38:07 AM2/24/10
On Feb 23, 10:44 pm, ASCII <m...@privacy.net> wrote:

> RayLopez99 wrote:
> >But using the Thai and Hungary examples, how do you know if these
> >sites are innocent or not?  Very complicated.
>
> Not really,
> with a properly secured browser,
> all sites are innocent
> ...or inoperative.

What is a properly secured browser? Does the latest Internet Explorer
with all the patches installed qualify?

RL

RayLopez99

Feb 24, 2010, 6:57:41 AM2/24/10
On Feb 24, 8:45 am, "Ant" <n...@home.today> wrote:
> "RayLopez99" wrote:
> > On Feb 22, 6:02 am, "Ant" wrote:
> >> "RayLopez99" wrote:
> >>> Too late--it did not show up when I rebooted. It's gone. Is it
> >>> possible that bots only "spring to life" certain hours of the day or
> >>> week?
>
> >> Yes, that can happen.
>
> > But unlikely?  Less than 5% or even 1%?
>
> Not unlikely and I would say it's common with bots. They don't so much
> go by the time of day but a sleep period which may be anything from a
> few minutes to several hours.
>
> >> I'm also pretty familiar
> >> with malware, as most days I'm disassembling it.
>
> > You're the man I need to talk to then!  I code for fun, but using
> > Visual Studio .NET family of languages it's hard to get to the system
> > level, which I take it malware writers are working at.
>
> Yes, you don't see that many .NET executables. It's sometimes useful
> for code obfuscation but they can't rely on users having the correct
> run-time libraries installed. Language preferences tend to be C/C++ or
> assembly and malware writers often like to use undocumented functions
> at the lowest level exported from ntdll.dll.

Very interesting. Though the .NET code obfuscation engine is very
weak I hear, so I take it you mean obfuscate maybe people who write AV
software, who maybe don't expect a .NET virus.


>
> > Here's another one I 'found' today using LookNStop's firewall log on
> > my XP machine--either my machine is completely full of malware (and I
> > run Webroot antivirus and malware remover almost daily, full scan), or
> > this is another false positive:  host-79-121-44-74.kabelnet.hu
>
> > Which Whois says is some website server in Hungary:
> > host-79-121-44-74.kabelnet.hu
>
> Another end user. There are no services (e.g. web server) running on
> that host unless it's using unconventional ports.

Really? How in the world did you deduce that? From the majority of
these data entries (see below) being PC to Internet, I would hazard
this one was also PC to Internet). So why did my PC initiate this
communication to Hungary is the question?


>
> > Now I don't remember visiting any Hungarian website, but since Greece
> > is near Hungary, it's possible my DSL provider somehow links to them
> > maybe?  Or something like that.
>
> No, not your ISP. I thought you may be seeing these as active
> connections with something like netstat but you're looking at firewall
> logs. In that case, it may be just background noise or infected PCs
> trying to make contact which the firewall blocked. The log should
> indicate whether incoming or outgoing and if blocked or not.

YES, it works! I did click on "details" in my Firewall (Look 'n' See)
and indeed it shows direction. Yesterday's log is lost, but I found
another 'suspicious'??? or maybe not entry today, here:
aedz253.neoplus.adsl.tpnet.pl which maps to this Polish server:

DOMAIN: tpnet.pl registrant's handle: nsk80879
(CORPORATE) nameservers: dns2.man.lodz.pl. [212.51.192.5]
Polska/Poland +48.22 3808300


And it's 'outgoing', and even shows the "Ethernet" outgoing
destination address, and the incoming (which is my Ethernet Card ID I
guess), as well as the length 60, identification 491 and DF MF =
(0,0), Frag offset = 0 and "Time to Live" = 64, and I have no idea
what that means, but probably byte related. It even shows a fragment
of data in hexadecimal form. Pretty cool, but how do I know if this PC
to Internet data transfer was malware or not? I would venture to say
that many commercial programs probably have "regional" servers to
handle any data pings output from a user's PC, and since I'm in Europe
(Greece), it stands to reason maybe the nearest server is Poland. But
I don't know how you would know what program sent this data
fragment...maybe ZoneAlarm? Look 'n' Stop is a decent, cheap little
firewall insofar as I can tell, and does have a bunch of recommended
rules (about 22, including such obscure ones like: 'Stops UDP
broadcasts to *.*.*.255.')

Again the more I learn the dumber I feel. But thanks Ant...

>
> > But using the Thai and Hungary examples, how do you know if these
> > sites are innocent or not?  Very complicated.
>
> They're not "sites" as such but end-user PCs and, innocent or not,
> if you didn't initiate the connection your machine should not
> communicate with them. As long as they're incoming connection attempts
> and your firewall is blocking them, you have nothing to worry about.

But they're not incoming, see above.


> It's not to do with how good or bad the code is. A lot of malware is
> wrapped in polymorphic packers or obfuscators so every sample (of the
> same underlying executable) is different. It's impossible for
> signature-based detection to keep up with this and, even with
> heuristics, once AV products start to reliably detect it the authors
> will modify the packing engine. They also submit samples to places
> like Virus Total to check their work.

Virus Total I take it 'legitimizes' software, from what I can tell:
VirusTotal is a free virus and malware online scan service, so they
game the system. Very devious.

RL


Ant

Feb 24, 2010, 3:10:09 PM2/24/10
"RayLopez99" wrote:

> On Feb 24, 8:45 am, "Ant" wrote:
>> Yes, you don't see that many .NET executables. It's sometimes useful
>> for code obfuscation but they can't rely on users having the correct
>> run-time libraries installed. Language preferences tend to be C/C++ or
>> assembly and malware writers often like to use undocumented functions
>> at the lowest level exported from ntdll.dll.

> Very interesting. Though the .NET code obfuscation engine is very
> weak I hear, so I take it you mean obfuscate maybe people who write AV
> software, who maybe don't expect a .NET virus.

No, I mean code obfuscation. It doesn't matter how weak because
scanners don't unravel it on the fly. It can be difficult to determine
maliciousness of executables which rely on external interpreting
engines, like .NET assemblies and old style Visual Basic with its
various vbrunxxx DLLs. All these types of executables do is make a
single call to the installed MS runtime package which then interprets
and runs the code. They are not what I would call standard executables
with standard ready-to-run machine code and, good or bad, they all
look much the same to a scanner.

>> Another end user. There's no services (e.g. web server) running on
>> that host unless it's using unconventional ports.

> Really? How in the world did you deduce that?

Simple, just try to connect to a port you would expect a service to be
running on; e.g. 80 for HTTP (web server), 25 for SMTP (mail), 21 for
FTP and so on. If you get a response you know a server is up and
running, although it may not let you connect. You can do this with the
telnet program but it's quicker to use a port scanner. I checked only
the well-known ports but a service could be running on any one of
65535 possible ports.

> From the majority of
> these data entries (see below) being PC to Internet, I would hazard
> this one was also PC to Internet). So why did my PC initiate this
> communication to Hungary is the question?

Why, indeed. It's up to you to know what's running on your machine and
what it's doing.

>> The log should
>> indicate whether incoming or outgoing and if blocked or not.

> YES, it works! I did click on "details" in my Firewall (Look 'n' See)
> and indeed it shows direction. Yesterday's log is lost, but I found
> another 'suspicious'??? or maybe not entry today, here:
> aedz253.neoplus.adsl.tpnet.pl which maps to this Polish server:

The IP address of that host is 79.186.103.253 which is being used by
a customer of tpnet.pl, a Polish ISP responsible for that IP.

> And it's 'outgoing'

Bad news.

> [...] how do I know if this PC


> to Internet data transfer was malware or not?

You've got to ask yourself why your machine is connecting to random
users in Thailand, Hungary, Poland and who knows where else. I
strongly suggest you block them and investigate. Once you've found
the cause and cleaned up you'd better change all your passwords.
As I said before, check all registry and other startup points for
suspicious things that might be loading automatically.

> I would venture to say
> that many commercial programs probably have "regional" servers to
> handle any data pings output from a user's PC, and since I'm in Europe
> (Greece), it stands to reason maybe the nearest server is Poland.

Then you would expect to see recognisable host names, either belonging
to the company or known server farms and load balancers like Akamai,
not generic ones assigned to ordinary end users like you and me.

> But
> I don't know how you would know what program sent this data
> fragment...maybe ZoneAlarm? Look 'n' Stop is a decent, cheap little
> firewall insofar as I can tell, and does have a bunch of recommended
> rules (about 22, including such obscure ones like: 'Stops UDP
> broadcasts to *.*.*.255.')

Are you running more than one software firewall? That's a bad idea.
Can't you configure Zone Alarm to deny all outbound traffic and get
it to prompt you to allow on a case-by-case basis? That way you'll get
an idea of what is trying to call home if it gives a message like
"program x is trying to connect to host y, do you want to allow?".
I thought the built-in XP firewall could do this anyway.
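
Turning the reasoning in this post (direction and blocked/allowed in the log, generic end-user host names versus recognisable infrastructure) and the earlier points about sleep periods and beaconing into a log triage script, as an added example that is not code from the thread or from any firewall product. The log line format, the timestamps, the ports and the 203.0.113.10 address are constructed assumptions; the host names are the ones quoted in the thread.

```python
# Added example: triage of personal-firewall log lines for bot-like traffic.
# Assumed (constructed) log format, one entry per line:
#   <ISO-8601 timestamp> <IN|OUT> <ALLOWED|BLOCKED> <remote_ip> <port> <reverse_dns>
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Reverse-DNS names handed to ordinary end-user lines, like the thread's
# examples, usually embed the IP address or an access-technology label.
EMBEDDED_IP_RE = re.compile(r"(?<!\d)\d{1,3}[-.]\d{1,3}[-.]\d{1,3}[-.]\d{1,3}(?!\d)")
ACCESS_LABELS = {"ppp", "adsl", "dsl", "dialup", "dyn", "dynamic", "cable",
                 "pool", "dhcp", "home", "user", "cust", "customer"}
# CDN hosts also embed IPs in their names; treat them as recognisable
# infrastructure rather than end users (illustrative list, extend as needed).
KNOWN_INFRA_SUFFIXES = ("akamaitechnologies.com",)

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<dir>IN|OUT)\s+(?P<action>ALLOWED|BLOCKED)\s+"
    r"(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<port>\d+)\s+(?P<host>\S+)$")


def is_enduser_hostname(name: str) -> bool:
    """Heuristic: does this reverse-DNS name look like a home/end-user line?"""
    name = name.lower().rstrip(".")
    if name.endswith(KNOWN_INFRA_SUFFIXES):
        return False
    labels = name.split(".")
    if any(label in ACCESS_LABELS for label in labels[1:]):
        return True            # e.g. aedz253.neoplus.adsl.tpnet.pl
    if EMBEDDED_IP_RE.search(labels[0]):
        return True            # e.g. host-79-121-44-74.kabelnet.hu
    # first label is a word plus a long customer number, e.g. athedsl-4482237
    return re.fullmatch(r"[a-z]+-?\d{4,}", labels[0]) is not None


def parse_log(lines):
    """Parse log lines into dicts; lines not matching the assumed format are skipped."""
    entries = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            e["port"] = int(e["port"])
            entries.append(e)
    return entries


def classify(entry) -> str:
    """Rate one entry the way the thread reasons about it."""
    if not is_enduser_hostname(entry["host"]):
        return "ok"
    if entry["dir"] == "IN":
        # inbound attempts from random home PCs are background noise if blocked
        return "noise" if entry["action"] == "BLOCKED" else "high"
    # outbound to an end-user host: some program on this PC initiated it,
    # so even a blocked attempt deserves investigation
    return "high" if entry["action"] == "ALLOWED" else "medium"


def find_beacons(entries, min_hits=3, max_jitter=0.2):
    """Return {host: mean gap in seconds} for outbound hosts contacted on a
    regular sleep-period cadence (relative spread of the gaps is small)."""
    by_host = defaultdict(list)
    for e in entries:
        if e["dir"] == "OUT":
            by_host[e["host"]].append(e["ts"])
    beacons = {}
    for host, stamps in by_host.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[host] = round(avg)
    return beacons


# Constructed sample log: host names are the ones discussed in the thread;
# timestamps, ports and the example.com address are made up for illustration.
SAMPLE_LOG = """\
2010-02-24T09:00:00 OUT ALLOWED 203.0.113.10 80 www.example.com
2010-02-24T09:00:07 OUT ALLOWED 79.186.103.253 8080 aedz253.neoplus.adsl.tpnet.pl
2010-02-24T09:14:31 IN BLOCKED 124.120.170.40 8080 ppp-124-120-170-40.revip2.asianet.co.th
2010-02-24T09:30:05 OUT ALLOWED 79.186.103.253 8080 aedz253.neoplus.adsl.tpnet.pl
2010-02-24T09:45:12 OUT BLOCKED 79.121.44.74 8080 host-79-121-44-74.kabelnet.hu
2010-02-24T10:00:09 OUT ALLOWED 79.186.103.253 8080 aedz253.neoplus.adsl.tpnet.pl
2010-02-24T10:30:02 OUT ALLOWED 79.186.103.253 8080 aedz253.neoplus.adsl.tpnet.pl
"""

if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG.splitlines())
    for e in parsed:
        print(e["ts"].isoformat(), e["dir"], e["action"], e["host"], "->", classify(e))
    for host, secs in find_beacons(parsed).items():
        print(f"regular outbound contact with {host} about every {secs} s")
```

A real firewall's export needs its own LOG_RE; the host-name heuristic and the cadence check do not depend on the format.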


FromTheRafters

Feb 24, 2010, 7:04:53 PM2/24/10

"RayLopez99" <raylo...@gmail.com> wrote in message
news:16592792-4aab-4ce0...@b2g2000yqi.googlegroups.com...

On Vista and Windows 7 it might be more secure. Of course it depends on
the configuration.

Quite a bit if the "danger" comes from scripting support, so if you
disallow scripting you are more secure. Better yet, a text only browser
offers quite a bit of security, it is you that must draw the line
between functionality and security.


FromTheRafters

Feb 24, 2010, 7:52:06 PM2/24/10
"ASCII" <m...@privacy.net> wrote in message
news:4b85bf7c.857093@EDCBIC...

> FromTheRafters wrote:
>>What is a properly secured browser?
>
> I suppose that's dependent on the threat,
> but I feel comfortable with Opera in a sandbox.
>
> Opera v10.10 (didn't care for the beta v10.50)
> http://www.opera.com/download/
>
> Sandboxie v 3.44
> http://www.sandboxie.com/index.php?DownloadSandboxie

Good stuff there.

I was reminded of Norman when I mentioned text-only browsing.
http://beacon.chebucto.ca/Content-2006/norman.html

Funny how some people leave a lasting impression.



David H. Lipman

Feb 25, 2010, 6:36:42 AM2/25/10
From: "FromTheRafters" <err...@nomail.afraid.org>

| Good stuff there.

I forgot all about him! :-(

Chih-Cherng Chin

Feb 25, 2010, 9:58:53 AM2/25/10
On 2010-02-18, RayLopez99 <raylo...@gmail.com> wrote:
> So the question arises, if 'up to a quarter of all PCs are infected by
> botnets' (see Wiki above), and presumably most of these PCs have anti-
[snip]

I think it's kind of exaggerated. The most bots I have detected in one
day was around 5400, and I have been tracking botnets since last June.
Now I can only detect 3000-4000 bots daily. If a quarter of all PCs
were part of botnets, I would do much better than that.

--
Chih-Cherng Chin
Botnet Detection with Greylisting
http://botnet-tracker.blogspot.com/search/label/greylisting

RayLopez99

Feb 25, 2010, 10:01:50 AM2/25/10
> I tend to have my doubts about IE,
> whereas my Opera seems a bit more secure,
> at least I have a warmer fuzzier feeling about it.

I have Opera too (right now this is an Opera post), but I've surfed
porn sites with IE, and so far (I think) no viruses got past the
commercial AV program (Webroot in my case). That's the ultimate
compliment (no viruses from a free porn site!)

RL

RayLopez99

Feb 25, 2010, 10:11:42 AM2/25/10
On Feb 25, 4:58 pm, Chih-Cherng Chin <mei...@cheapmail.byinter.net> wrote:

> I think it's kind of exaggerated.  The most bots I have detected in one
> day was around 5400, and I have been tracking botnets since last June.
> Now I can only detect 3000-4000 bots daily.  If a quarter of all PCs
> were part of botnets, I would do much better than that.
>
> --

Let's say (as is my case) you are noticing suspicious bursts of data
from your PC to some server, but you have not caught any viruses using
Webroot Antivirus with Spysweeper nor with Kaspersky. You also have a
firewall (Look N See). You scan (full scan) every other day. One
potential virus in the last five years. Running Windows XP Pro on a
Pentium IV.

What's the 'most probable bad thing' that can happen?

What I mean is this: say my PC is part of a botnet. So what? It
does not have a keylogger on it, right? It is not able to open and
read my Outlook emails (which are scanned by the AV program prior to
sending).

What's the 'most probable bad thing' that is happening? I'm asking
because Ant in this thread scared me--so I want to see 'so what'? Of
course I'm sure if some super duper hacker is involved, he will drain
all my bank accounts, but this anomalous activity has been going on
for a while, and so far my bank accounts have not been hit.

RL

RayLopez99

Feb 25, 2010, 10:18:28 AM2/25/10
On Feb 24, 10:10 pm, "Ant" <n...@home.today> wrote:
>
> No, I mean code obfuscation. It doesn't matter how weak because
> scanners don't unravel it on the fly.

OK, understood.


>
> > Another end user. There are no services (e.g. web server) running on
> >> that host unless it's using unconventional ports.
> > Really?  How in the world did you deduce that?
>
> Simple, just try to connect to a port you would expect a service to be
> running on; e.g. 80 for HTTP (web server), 25 for SMTP (mail), 21 for
> FTP and so on. If you get a response you know a server is up and
> running, although it may not let you connect. You can do this with the
> telnet program but it's quicker to use a port scanner. I checked only
> the well-known ports but a service could be running on any one of
> 65535 possible ports.

OK, got it.


>
> > From the majority of
> > these data entries (see below) being PC to Internet, I would hazard
> > this one was also PC to Internet).  So why did my PC initiate this
> > communication to Hungary is the question?
>
> Why, indeed. It's up to you to know what's running on your machine and
> what it's doing.

So I block it? (and how would I block it if it only pops up once in a
while? Look 'n' See, my firewall, only allows you to block
*programs*, like Office Word, not IP addresses (at least from what I
can tell)


>
> >> The log should
> >> indicate whether incoming or outgoing and if blocked or not.
> > YES, it works!  I did click on "details" in my Firewall (Look 'n' See)
> > and indeed it shows direction.  Yesterday's log is lost, but I found
> > another 'suspicious'??? or maybe not entry today, here:
> > aedz253.neoplus.adsl.tpnet.pl  which maps to this Polish server:
>
> The IP address of that host is 79.186.103.253 which is being used by
> a customer of tpnet.pl, a Polish ISP responsible for that IP.
>
> > And it's 'outgoing'
>
> Bad news.
>

Why? I need more data. How often does this happen to others? Any
logs out there I can inspect?


> > [...] how do I know if this PC
> > to Internet data transfer was malware or not?
>
> You've got to ask yourself why your machine is connecting to random
> users in Thailand, Hungary, Poland and who knows where else. I
> strongly suggest you block them and investigate. Once you've found
> the cause and cleaned up you'd better change all your passwords.
> As I said before, check all registry and other startup points for
> suspicious things that might be loading automatically.

No, I beg to differ. Why change passwords? You are assuming a bot is
also a keyboard logger? Are you playing "worst case"? It appears
so. Let's change the topic to "most probable cause", not "worst
case". I've not had any security breaches in my bank accounts, email,
etc. So let's say this is a bot--so what? Perhaps my machine is
being used as a 'rerouter' or 'router' to distribute messages
elsewhere--is that the 'most probable' case?--but I tend to think it's
improbable my bank accounts are being compromised--not impossible, but
improbable.


>
> > I would venture to say
> > that many commercial programs probably have "regional" servers to
> > handle any data pings output from a user's PC, and since I'm in Europe
> > (Greece), it stands to reason maybe the nearest server is Poland.
>
> Then you would expect to see recognisable host names, either belonging
> to the company or known server farms and load balancers like Akamai,
> not generic ones assigned to ordinary end users like you and me.

Right--that's why I need to inspect a log. How often does ordinary
activity (and I include occasional free porn surfing as such!)
generate such 'end user' FTP type domain names? That's the question.


>
> > But
> > I don't know how you would know what program sent this data
> > fragment...maybe ZoneAlarm?  Look 'n' Stop is a decent, cheap little
> > firewall insofar as I can tell, and does have a bunch of recommended
> > rules (about 22, including such obscure ones like: 'Stops UDP
> > broadcasts to *.*.*.255.')
>
> Are you running more than one software firewall? That's a bad idea.

I don't think so. XP and Look 'n' Stop.

> Can't you configure Zone Alarm to deny all outbound traffic and get
> it to prompt you to allow on a case-by-case basis? That way you'll get
> an idea of what is trying to call home if it gives a message like
> "program x is trying to connect to host y, do you want to allow?".
> I thought the built-in XP firewall could do this anyway.

So you recommend Zone Alarm? Any experience with it? Remember I'm
running XP, not Vista or 7.

Thanks in advance.

RL

RayLopez99

Feb 25, 2010, 6:31:32 PM2/25/10
On Feb 25, 5:18 pm, RayLopez99 <raylope...@gmail.com> wrote:

> > >> The log should
> > >> indicate whether incoming or outgoing and if blocked or not.
> > > YES, it works!  I did click on "details" in my Firewall (Look 'n' See)
> > > and indeed it shows direction.  Yesterday's log is lost, but I found
> > > another 'suspicious'??? or maybe not entry today, here:
> > > aedz253.neoplus.adsl.tpnet.pl  which maps to this Polish server:
>
> > The IP address of that host is 79.186.103.253 which is being used by
> > a customer of tpnet.pl, a Polish ISP responsible for that IP.
>
> > > And it's 'outgoing'
>
> > Bad news.
>

Update: I think, and I am checking with the firewall people at Look N
Stop, that this is in fact an IP address that is being BLOCKED, not
going through. It still raises the question of what program residing
in my system would want to hook up with Poland, Thailand, etc. But if
I have some bot in my system, it has not been detected by any
antivirus program, and like I say it's being blocked from calling out
anyway.

RL

Ant

Feb 25, 2010, 7:33:31 PM2/25/10
"RayLopez99" wrote:

> On Feb 24, 10:10 pm, "Ant" wrote:
>> Why, indeed. It's up to you to know what's running on your machine and
>> what it's doing.

> So I block it? (and how would I block it if it only pops up once in a
> while? Look 'n' See, my firewall, only allows you to block
> *programs*, like Office Word, not IP addresses (at least from what I
> can tell)

Sounds like you need a better firewall. You should be able to specify
only your browser and any other programs you know need to connect as
'allowed' and block everything else by default.

>> Bad news.

> Why? I need more data. How often does this happen to others? Any
> logs out there I can inspect?

It's bad news because you have outgoing connections to non-websites
and you don't know why or what program is doing it. The only relevant
logs are yours. Don't they show which program initiated the connection
and on which ports?

> No, I beg to differ. Why change passwords? You are assuming a bot is
> also a keyboard logger?

Any malware on your computer can get passwords from protected storage,
it doesn't need to log key presses.

> Are you playing "worse case"? In appears so.

No, a common case is data stealing.

> Let's change the topic to "most probable cause", not "worse
> case". I've not had any security breaches in my bank accounts, email,
> etc. So let's say this is a bot--so what? Perhaps my machine is
> being used as a 'rerouter' or 'router' to distribute messages
> elsewhere--is that the 'most probable' case?

All equally probable. A bot will do whatever its controller tells it
to do. This can include infecting your machine with more malware,
sending spam, participating in DDoS and information theft.

> --but I tend to think it's
> improbable my bank accounts are being compromised--not impossible, but
> improbable.

Perhaps you've just been lucky so far.

>> Then you would expect to see recognisable host names, either belonging
>> to the company or known server farms and load balancers like Akamai,
>> not generic ones assigned to ordinary end users like you and me.

> Right--that's why I need to inspect a log. How often does ordinary
> activity (and I include occasional free porn surfing as such!)
> generate such 'end user' FTP type domain names? That's the question.

Surfing for porn is a pretty dangerous activity without tight
security. I hope you are completely up-to-date with OS, Java and
browser patches, including any for PDF, Flash, Quicktime, etc. plugins
you may be using.

I don't know what you mean by "FTP type domain names". These are hosts
you should not be sending traffic to under normal conditions. However,
so as not to scare you too much, it could be they are just end-users
receiving affiliate clicks from the sites you visit. But - so you
don't relax too much, such clicks would normally be collated by a
click-tracking centre on a standard web server. You really should
investigate more. Check the log times and note if you were actually
browsing when the traffic was sent.

> So you recommend Zone Alarm? Any experience with it?

I know nothing about it. When you said: "I don't know how you would
know what program sent this data fragment...maybe ZoneAlarm?" it gave
the impression you were using it.


RayLopez99

Feb 26, 2010, 1:41:15 AM
On Feb 26, 2:33 am, "Ant" <n...@home.today> wrote:
> "RayLopez99" wrote:
> > On Feb 24, 10:10 pm, "Ant" wrote:
> >> Why, indeed. It's up to you to know what's running on your machine and
> >> what it's doing.
> > So I block it? (and how would I block it if it only pops up once in a
> > while?  Look 'n' See, my firewall, only allows you to block
> > *programs*, like Office Word, not IP addresses (at least from what I
> > can tell)
>
> Sounds like you need a better firewall. You should be able to specify
> only your browser and any other programs you know need to connect as
> 'allowed' and block everything else by default.

I think in fact that's what's happening w/ Look 'N Stop, which I
learned today is rules based not what they call (forget the acronym -
[it's HIPS], see: http://www.wilderssecurity.com/showthread.php?t=265295)
security certificate based.

> > No, I beg to differ.  Why change passwords?  You are assuming a bot is
> > also a keyboard logger?
>
> Any malware on your computer can get passwords from protected storage,
> it doesn't need to log key presses.

That's interesting. Sounds like MSFT should plug that hole.

>
> > Are you playing "worse case"?  In appears so.
>
> No, a common case is data stealing.

OK

>
> > Let's change the topic to "most probable cause", not "worse
> > case".  I've not had any security breaches in my bank accounts, email,
> > etc.  So let's say this is a bot--so what?  Perhaps my machine is
> > being used as a 'rerouter' or 'router' to distribute messages
> > elsewhere--is that the 'most probable' case?
>
> All equally probable. A bot will do whatever its controller tells it
> to do. This can include infecting your machine with more malware,
> sending spam, participating in DDoS and information theft.

OK


>
> >> Then you would expect to see recognisable host names, either belonging
> >> to the company or known server farms and load balancers like Akamai,
> >> not generic ones assigned to ordinary end users like you and me.
> > Right--that's why I need to inspect a log.  How often does ordinary
> > activity (and I include occasional free porn surfing as such!)
> > generate such 'end user' FTP type domain names?  That's the question.
>
> Surfing for porn is a pretty dangerous activity without tight
> security. I hope you are completely up-to-date with OS, Java and
> browser patches, including any for PDF, Flash, Quicktime, etc. plugins
> you may be using.

Yes, I figured that.

>
> I don't know what you mean by "FTP type domain names". These are hosts
> you should not be sending traffic to under normal conditions. However,
> so as not to scare you too much, it could be they are just end-users
> receiving affiliate clicks from the sites you visit. But - so you
> don't relax too much, such clicks would normally be collated by a
> click-tracking centre on a standard web server. You really should
> investigate more. Check the log times and note if you were actually
> browsing when the traffic was sent.

OK.

>
> > So you recommend Zone Alarm?  Any experience with it?
>
> I know nothing about it. When you said: "I don't know how you would
> know what program sent this data fragment...maybe ZoneAlarm?" it gave
> the impression you were using it.

No, I am using the "rules based" Look N Stop, which is very
lightweight and fast. Sorry, I mean if ZoneAlarm tracks programs, and
I think the answer is "yes", because ZoneAlarm, unlike L'n'S, is not
'rules based' as much as application based (from what I can read
between the lines at the L'n'S website, here:
http://www.wilderssecurity.com/showthread.php?t=265295 ). While
ZoneAlarm has a learn feature, it heavily relies on a series of rules
as to what to do.

Also, L'n'S, my firewall, is blocking these weird Polish, Thai, etc
outbound connections I'm pretty sure, but I'm curious what programs
are asking it to do so. It could be the "affiliate clicks from the
sites I visited", possibly those devious free porn sites. Or some
malware residing deep in the bowels of my hard drive? Hard to tell.

RL

RayLopez99

Feb 26, 2010, 3:52:08 AM
On Feb 21, 8:34 pm, "Ant" <n...@home.today> wrote:

>
> You should be highly suspicious of it. Find out what process owns the
> connection.

OK, I got more info. I checked my Webroot AV log, and found an old
virus "in quarantine" (not yet deleted, but apparently inert, since
the Sophos engine that Webroot uses is known to produce a lot of false
positives). See below.

Now my question is: is it possible for a "rootkit-masked registry" to
get installed, attempt to dial out info, and get blocked by your
firewall? That might explain some weird stuff, but, on the other
hand, if it's in 'quarantine' (inert), it should not be doing that.

So my hypothesis is that your suggestion that a site I visited
(probably porn) attempted to route my presence at that site (simply
for marketing purposes, nothing nefarious) via the browser(?), to
another web server--that explains perhaps the Polish and southern
Russia and Thai ports that are/were attempted to be accessed
(unsuccessfully, since the firewall blocked them).


RL

the virus under 'quarantine' is here:

Profile - Potentially rootkit-masked registry
Name Potentially rootkit-masked registry
Unique Code EH8URCFZ
Type System Monitor
Severity Critical
Description Potentially rootkit-masked registry is a monitoring
program that secretly tracks all activities of computer users.

Characteristics Potentially rootkit-masked registry may monitor and
capture your computer activity, including recording all keystrokes,
e-mails, chat room dialogue, instant message dialogue, Web sites
visited, usernames, passwords, and programs run. This program may be
capable of taking screen shots of your desktop at scheduled intervals,
storing the information on your computer in an encrypted log file for
later retrieval. These log files may be e-mailed to a pre-defined
e-mail address. This program can run in the background, hiding its
presence.

Method of Infection Potentially rootkit-masked registry may be
installed via other threats, such as music downloads and Trojan
downloaders.

Consequences This system monitor may allow an unauthorized, third
party to view potentially sensitive information, such as passwords,
e-mail, and chat room conversation. Additional Comments: It is
recommended that you change all of your passwords after removing this
program. If you bank online, you might consider changing your credit
card and bank account numbers. You should also monitor your credit
card and bank statements carefully over the next several months for
signs of fraudulent activity.

George Orwell

Feb 26, 2010, 8:12:23 AM
"ASCII" <m...@privacy.net> wrote in message news:4b8559bd.4175609@EDCBIC...

> at least I have a warmer fuzzier feeling about it.
That's only because you pissed your pants again.

The sender address of this message is not related to a real person
but to a fake address of an anonymous system. For more info:
https://www.mixmaster.it

Nomen Nescio

Feb 26, 2010, 9:38:15 AM
"ASCII" <m...@privacy.net> wrote in message news:4b85bf7c.857093@EDCBIC...

> but I feel comfortable with Opera in a sandbox.
You'd feel comfortable with a nigger's cock in your arse.

RayLopez99

Feb 27, 2010, 5:05:00 AM
On Feb 21, 8:34 pm, "Ant" <n...@home.today> wrote:

>
> The IP address (124.120.170.40) associated with that generically-named
> host belongs to trueinternet.co.th, an ISP in Thailand. It's the kind
> of name that gets assigned to home user IPs.
>

> You should be highly suspicious of it. Find out what process owns the
> connection.

I think I detect a pattern (I am researching it now). These kinds of
funny addresses seem to appear when I'm connected to the internet by
firing up a browser. So, like you suggested in another post, it could
be something "innocent" like a request to the browser to ping this
remote site (for marketing purposes). But how they would get a
browser to ping is not clear to me, but it's a programming detail
that's probably possible.

Of course the simpler explanation is that there is an undetectable
virus (that escaped my antivirus program) that is alive in my system
and attempts to 'dial out', but is blocked by the firewall. Why it
springs up at certain times is of course simply due to the way it is
programmed, to act irregularly.

All of this is new to me--I always assumed that with firewalls you can
set them up and forget them, I did not realize you have to monitor
them--a lot of work. There should be a better way (set up and
forget).

RL

Ant

Feb 27, 2010, 8:52:17 AM
"RayLopez99" wrote:

>> Sounds like you need a better firewall. You should be able to specify
>> only your browser and any other programs you know need to connect as
>> 'allowed' and block everything else by default.

> I think in fact that's what's happening w/ Look 'N Stop, which I
> learned today is rules based not what they call (forget the acronym -
> [it's HIPS], see: http://www.wilderssecurity.com/showthread.php?t=265295)
> security certificate based.

Ok, from the comments I've read, Look 'N Stop appears to be quite good
after all.

> Also, L'n'S, my firewall, is blocking these weird Polish, Thai, etc
> outbound connections I'm pretty sure, but I'm curious what programs
> are asking it to do so. It could be the "affiliate clicks from the
> sites I visited", possibly those devious free porn sites. Or some
> malware residing deep in the bowels of my hard drive? Hard to tell.

My feeling is that you have some unwanted executable on your PC.


Ant

Feb 27, 2010, 8:53:48 AM
"RayLopez99" wrote:

> I think I detect a pattern (I am researching it now). These kind of
> funny addresses seem to appear when I'm connected to the internet by
> firing up a browser.

Perhaps it's a BHO (Browser Helper OBject). Sysinternals' AutoRuns
will show those.

> So, like you suggested in another post, it could
> be something "innocent" like a request to the browser to ping this
> remote site (for marketing purposes). But how they would get a
> browser to ping is not clear to me, but it's a programming detail
> that's probably possible.

It could be a normal HTTP request via script or an HTML element which
pointed to the host. The link in the page source might look something
like this:
http://123.456.789.255:33137/stat.php?id=xyz

That's an invalid IP address, by the way, but the port (33137) is
unconventional and would be the reason why testing for a web server
on that host (at the usual port 80) would fail.
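
To check whether a page you visited is what pointed the browser at such a host, you can scan the page source for the kind of link described above. The following is an added example, not code from the thread or from any product mentioned in it; the HTML is constructed around the tracker URL quoted above, and every other URL and host in it is made up (documentation addresses and example.com names). It flags any element whose URL names a literal IP address, a malformed one (an octet above 255, as in the quoted URL), or a port other than the scheme's default.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page source. Only the first URL is the one quoted in the thread;
# the rest are made-up examples on documentation addresses / example.com.
SAMPLE_HTML = """<html><body>
<img src="http://123.456.789.255:33137/stat.php?id=xyz" width="1" height="1">
<script src="https://cdn.example.com/lib.js"></script>
<img src="http://203.0.113.9/pixel.gif">
<a href="http://www.example.com:8080/promo">promo</a>
<iframe src="//198.51.100.7:31337/frame.html"></iframe>
<link rel="stylesheet" href="/style.css">
</body></html>"""

URL_ATTRS = {"src", "href", "action", "data", "poster"}  # attributes that make the browser fetch
DEFAULT_PORTS = {"http": 80, "https": 443}


class RefCollector(HTMLParser):
    """Collect every (tag, attribute, url) that would trigger a request."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.refs.append((tag, name, value))


def classify(url, page_scheme="http"):
    """Reasons a URL deserves a second look; [] for normal or relative links."""
    if url.startswith("//"):                 # scheme-relative: inherits the page's scheme
        url = page_scheme + ":" + url
    p = urlparse(url)
    if p.scheme not in DEFAULT_PORTS or not p.hostname:
        return []                            # relative link: same host as the page
    reasons = []
    try:
        ipaddress.ip_address(p.hostname)
        reasons.append("literal IP address instead of a hostname")
    except ValueError:
        # Not a valid address; four all-digit labels means a malformed one (octet > 255).
        if all(part.isdigit() for part in p.hostname.split(".")):
            reasons.append("malformed IP address (octet out of range)")
    try:
        port = p.port                        # raises ValueError on a non-numeric port
    except ValueError:
        port = None
        reasons.append("unparseable port")
    if port is not None and port != DEFAULT_PORTS[p.scheme]:
        reasons.append("non-standard port %d" % port)
    return reasons


def scan(html, page_scheme="http"):
    """Return (tag, attribute, url, reasons) for every flagged reference."""
    collector = RefCollector()
    collector.feed(html)
    out = []
    for tag, attr, url in collector.refs:
        reasons = classify(url, page_scheme)
        if reasons:
            out.append((tag, attr, url, reasons))
    return out


if __name__ == "__main__":
    for tag, attr, url, reasons in scan(SAMPLE_HTML):
        print("<%s %s=%s>: %s" % (tag, attr, url, "; ".join(reasons)))
```

Save the page with "view source" and run the script over it; a 1x1 image or an iframe pointing at a bare IP on an odd port is the usual shape of a tracking or affiliate hit, and the script also shows which element carried it.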


Ant

Feb 27, 2010, 10:19:34 AM
"Ant" wrote:

>> So, like you suggested in another post, it could
>> be something "innocent" like a request to the browser to ping this
>> remote site (for marketing purposes). But how they would get a
>> browser to ping is not clear to me, but it's a programming detail
>> that's probably possible.
>
> It could be a normal HTTP request via script or an HTML element which
> pointed to the host. The link in the page source might look something
> like this:
> http://123.456.789.255:33137/stat.php?id=xyz
>
> That's an invalid IP address, by the way, but the port (33137) is
> unconventional and would be the reason why testing for a web server
> on that host (at the usual port 80) would fail.

On second thoughts, that would register as incoming traffic so I may
be mistaken about the possibility of affiliate clicks generating
unexpected outgoing packets.

Anyway, I see you've found the likely culprit - Skype. Their protocol
is proprietary so you would have to trust their motives for making
these connections. Since you're blocking them and, presumably Skype
still works, all should be well.


RayLopez99

Feb 27, 2010, 1:56:58 PM
On Feb 27, 5:19 pm, "Ant" <n...@home.today> wrote:

> Anyway, I see you've found the likely culprit - Skype. Their protocol
> is proprietary so you would have to trust their motives for making
> these connections. Since you're blocking them and, presumably Skype
> still works, all should be well.

Yes, that's the only thing I could think of other than undetected/
undetectable malware, and BHOs (which you say will generate a
download UDP, so there should be some symmetry in IP addresses, which
there is not in my log). BTW this stuff seems to happen around 7:30
pm and when I fire up the machine, but not in the account that does
not have Skype (the Admin account), so that further fingers Skype as
the culprit. Since Skype works despite the blocked UDPs, like you
say, it's not a big deal but I will continue to monitor it.

Thanks Ant you have been a big help. Without you I never would have
even thought about the firewall...

Now back to my programming project (doing an ASP.NET project now
involving a web service).

RL

RayLopez99

Feb 27, 2010, 5:20:06 PM
On Feb 27, 5:19 pm, "Ant" <n...@home.today> wrote:

> Anyway, I see you've found the likely culprit - Skype. Their protocol
> is proprietary so you would have to trust their motives for making
> these connections. Since you're blocking them and, presumably Skype
> still works, all should be well.

On Feb 27, 2:26 pm, RayLopez99 <raylope...@gmail.com> wrote:

>
> Anybody else notice this in their firewall? It's just a working
> hypothesis at this point.


Yes, confirmed. Took a time out and loaded and unloaded Skype, and
sure enough, within seconds, you start getting pinged (and UDP packets
get requested to be uploaded from your PC to ports all over the
world), from all over the world, including Brazil (I'm posting from
Greece), Hungary, Korea, Russia and central asian countries / regions
I've never heard of (start with a K, not Kazakhstan either).

Skype is the "virus"!

My firewall blocks all such requests of course.

RL
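
A worked example of the log triage Ant recommends earlier in the thread (find the program and destination port behind each outbound entry, check whether you were actually browsing at the time, be suspicious of generic home-user reverse-DNS names) and of the pattern RL ends up confirming (a burst of blocked UDP to addresses all over the world within seconds of Skype starting). This is an added example, not code from the thread or from any firewall vendor. The log layout is hypothetical: Look 'n' Stop's real format is never shown, and a "program" column is assumed even though RL says his firewall does not record one. All log lines are constructed; the Polish hostname and the Thai IP are the ones quoted in the thread, every other address is from documentation ranges, and the allow-list (firefox.exe) and program names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log in a hypothetical layout (Look 'n' Stop's real one is not shown):
#   date time dir proto src -> dst reverse-dns-name program action   ("-" = not recorded)
SAMPLE_LOG = """\
2010-02-25 19:30:58 OUT TCP 192.168.1.10:1043 -> 198.51.100.7:80 edge7.cdn.example.com firefox.exe ALLOWED
2010-02-25 19:31:02 OUT UDP 192.168.1.10:61234 -> 79.186.103.253:33137 aedz253.neoplus.adsl.tpnet.pl skype.exe BLOCKED
2010-02-25 19:31:03 OUT UDP 192.168.1.10:61234 -> 124.120.170.40:20416 host-124-120-170-40.dyn.example.net skype.exe BLOCKED
2010-02-25 19:31:05 OUT UDP 192.168.1.10:61234 -> 203.0.113.9:38852 203-0-113-9.pool.example.net skype.exe BLOCKED
2010-02-25 19:40:17 IN UDP 79.186.103.253:33137 -> 192.168.1.10:61234 aedz253.neoplus.adsl.tpnet.pl - BLOCKED
2010-02-25 19:45:00 OUT TCP 192.168.1.10:1050 -> 198.51.100.20:443 www.example.com firefox.exe ALLOWED
2010-02-25 23:15:44 OUT TCP 192.168.1.10:1101 -> 203.0.113.77:8080 - unknown.exe BLOCKED
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) +(?P<dir>IN|OUT) +(?P<proto>TCP|UDP) +"
    r"(?P<src>[\d.]+):(?P<sport>\d+) +-> +(?P<dst>[\d.]+):(?P<dport>\d+) +"
    r"(?P<host>\S+) +(?P<prog>\S+) +(?P<action>ALLOWED|BLOCKED)$")

ALLOWED_PROGRAMS = {"firefox.exe"}  # assumed allow-list: only the browser may talk out
STANDARD_PORTS = {21, 25, 53, 80, 110, 143, 443, 993, 995}  # what a browser/mail client uses
# Substrings ISPs typically put in reverse-DNS names of home-user address pools.
GENERIC_MARKERS = ("adsl", "dsl", "dyn", "pool", "ppp", "cable", "dhcp", "dialup", "cust")


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("unrecognised log line: %r" % line)
    e = m.groupdict()
    e["when"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
    e["dport"] = int(e["dport"])
    return e


def looks_like_end_user_host(hostname, ip):
    """No reverse DNS, an ISP-style generic name, or a name that just embeds
    the IP (host-124-120-170-40...) all point at an ordinary end-user box."""
    if hostname == "-":
        return True
    h = hostname.lower()
    if any(marker in h for marker in GENERIC_MARKERS):
        return True
    octets_in_name = sum(1 for o in ip.split(".") if re.search(r"(?<!\d)%s(?!\d)" % o, h))
    return octets_in_name >= 3


def browser_active(when, events, allowed, slack=timedelta(minutes=2)):
    """Was an allowed program sending traffic within +/- slack of `when`?
    If not, the entry cannot be a tracker or affiliate hit from a page."""
    return any(e["dir"] == "OUT" and e["prog"] in allowed and abs(e["when"] - when) <= slack
               for e in events)


def triage(log_text, allowed=ALLOWED_PROGRAMS):
    """Return every outbound entry that has at least one suspicious property."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    findings = []
    for e in events:
        if e["dir"] != "OUT":
            continue
        reasons = []
        if e["prog"] not in allowed:
            reasons.append("program not on allow-list")
        if looks_like_end_user_host(e["host"], e["dst"]):
            reasons.append("generic or absent reverse DNS")
        if e["dport"] not in STANDARD_PORTS:
            reasons.append("non-standard destination port")
        if reasons:
            findings.append({"ts": e["ts"], "when": e["when"], "prog": e["prog"], "host": e["host"],
                             "dst": "%s:%d" % (e["dst"], e["dport"]), "action": e["action"],
                             "reasons": reasons, "browser_active": browser_active(e["when"], events, allowed)})
    return findings


def bursts_by_program(findings, window=timedelta(seconds=30)):
    """Cluster flagged entries per program into bursts (gap <= window): many
    destinations within seconds of a program starting is that program's own doing."""
    by_prog = defaultdict(list)
    for f in findings:
        by_prog[f["prog"]].append(f["when"])
    result = {}
    for prog, times in by_prog.items():
        times.sort()
        bursts, current = [], [times[0]]
        for t in times[1:]:
            if t - current[-1] <= window:
                current.append(t)
            else:
                bursts.append(current)
                current = [t]
        bursts.append(current)
        result[prog] = [(b[0].isoformat(" "), b[-1].isoformat(" "), len(b)) for b in bursts]
    return result


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f["ts"], f["prog"], f["dst"], f["action"], f["browser_active"], "; ".join(f["reasons"]))
    print(bursts_by_program(found))
```

On the constructed log the three skype.exe entries form one burst a few seconds after the browser was active, which is the Skype peer-discovery pattern RL observed; the lone unknown.exe entry at 23:15 has no browsing anywhere near it, no reverse DNS and a non-standard port, and is the kind of entry that cannot be explained away by a page you visited and should be run down to the owning process.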
