I read with interest about a group of researchers who have managed to (at least temporarily) disable one of the bigger botnets online. I frequently get junk emails from legitimate email addresses that I’m pretty certain are generated by one of the botnets, which often makes me wonder just how many of the people I’m connected to are inadvertently contributing to the problem. Botnets are a little trickier than viruses in that they mostly aren’t going after anything specific on your computer. They are largely focused on building an army of zombie computers to make distributed attacks elsewhere. This means your computer could easily get infected and you wouldn’t know it because your daily usage won’t be impacted directly.
This is not to say you should be complacent about a botnet infection. In fact you should do what you can to prevent and/or remove a botnet infection because there’s a real possibility someone could use the data on your computer. Many botnets look for things like FTP passwords, so that they can upload code to your web hosting account. By already having code on your computer, a botnet infection could easily start monitoring your credit card numbers and other personal data too.
The other thing being part of a botnet does is contribute to a great deal of malicious behavior. Botnets are routinely used to interrupt service at large websites and steal customer data (possibly including yours) from big companies.
Having antivirus software is no guarantee that you’ll stay botnet free. Avoid free offers inside Facebook and anything that sounds too good to be true. There aren’t enough iPads in the world to fill all the promises of free ones I’ve seen go by on Facebook. It’s a good idea to use some specific checks to make sure you aren’t infected. In this case, the Koobface botnet reportedly has over 20,000 bogus Facebook accounts, along with half a million Gmail accounts.
Malwarebytes is one of the tools you can use to make sure you’re protected. While Malwarebytes is certainly not a botnet panacea, it will provide some protection from adding your computer to the zombie hordes.
Even if you think your safe, take the time to check out your computer. You’ll be doing the global web community a favor. A free scan from some great software never hurt anyone.
7 responses to “Are you infected by a botnet?”
I don’t know if this is much different than anyone else, but my continuing defense against botnets and other viruses is to NEVER click on a link in an email if I don’t know the sender – and know the reason for the link. Also have a copy of Task Manager or Process Explorer running so I can monitor the CPU usage in the Systray. If you don’t know why your CPU usage is high, find out! Of course, I have both a software and a hardware (router) firewall, along with a pretty solid antivirus/antispyware application I keep updated and maintain my subscription.
I’ve been involved with this thing long enough to know nothing is absolute, but I also put the effort into knowing what’s going on pretty much all the time.
My defence against botniks? Use Linux.
Linux is not immune to botnet infections. Most of the compromised servers in botnets run Linux.
I use netstat from a command prompt to see if there is any unexpected activity:
NETSTAT -a -f -n -o
The switches are:
-a Displays all connections and listening ports
-e Displays Eithernet statistics
-f Displays fully qualified domain names for foreign addresses
-n Displays address and port numbers in numerical form
-o Displays the owning process id (PID) associated with each connection
Normally I see only expected local network connections.
Some connections to look out for:
A large number of connections to Internet Relay Chat (IRC) Port 6667 may indicate a trojan.
Other ports to watch include Port 25 (e-mail or spam relay)
and Port 1080 (often used for proxy servers such as Socks,which manages connections between clients and servers)
If the DNS (Domain Name Server) settings point to servers in the 85.255.X.X range,
which are UkrTeleGroup’s IP addresses, your machine is infected with the DNS Changer family of malware.
The Conficker worm has a history of using port 445.
But, it is legitimately used in Vista for Shared printers and file sharing.
Frank Camp
Great advice Frank! Netstat might be a little scary for novice users, but absolutely one of the more revealing tools about where network traffic is going.
This looks like a thinly disguised advertisement for Malware, and outfit I have otherwise not heard of. The best advise is of course: go linux.
What happens on servers is largely irrelevant to this discussion. A particular botnet uses a particular technique, so it affects mostly computers of a particular type. The recently dismantled 15 million (!) botnet used W32.toxbot worm, so it affects by definition windows computers. No home user with Linux could have been recruited for this network.