
Checking for bots


50 replies to this topic

#1 Hitokkiri (Members, 43 posts)

Posted 14 January 2015 - 05:41 PM

Hello,

For a long time I have suspected that there is something on my computer that makes my connection slowly get saturated,

and that someone is spying on what I'm doing, with a bot.

So I have been on the Malware section, and it seems I am clean now.

But I was wondering.

How do you guys search for bots that could be on your machine, making you part of a big botnet?

How can I check all my connections, even the hidden ones, to see if there is someone unauthorized?

I see svchost with a lot of connections around there.

How can we feel the anomalies "of the Force", meaning the net, to detect if there is a bot communicating with its botmaster?

How can I check it all?

Thanks for answering

Edit: Topic moved from Networking to the more appropriate forum.~ Animal


#2 Didier Stevens (BC Advisor, 2,707 posts)

Posted 15 January 2015 - 05:13 AM

Are you technical?


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#3 Hitokkiri (Topic Starter, Members, 43 posts)

Posted 15 January 2015 - 09:34 AM

Hello,

Thanks for answering.

No, I'm not a PC technician, but I am my own technician.

I started to use a PC at 7/8 years old, with a 486. The games I played were ALL on MS-DOS. The best version of Windows was 95.

So I'm not a technician, but I'm some kind of "advanced user"; I used this ***** when I was a kid.

I used to stream games all day on the internet; my connection is with the "best ISP provider of Argentina", with 12 MB.

I manage to stream with 0.00% lag, ALL FINE, NO LAG, 0.00% dropped frames. Then I go to Facebook and post "hey guys I'm streaming full HD no lag", and then suddenly I have dropped frames, my "Open free broadcast" starts "to work badly", my internet connection starts "to work badly". I talk with the ISP and they say that from their side it is ALL OK, that it must be my computer.

I did download TCPView and watched netstat -ano, but I see svchost with a lot of connections there.

I don't have your knowledge, but I understand something.

Thanks for answering



#4 Didier Stevens (BC Advisor, 2,707 posts)

Posted 16 January 2015 - 11:33 AM

TCPView is a good first step. Make sure that name resolution is enabled in the Options menu.

Review all the Remote Addresses for ESTABLISHED connections.

If the Remote Address is an IP address (TCPView was not able to resolve its name), go to the website http://ip2location.com/demo to identify who owns this IP address.




#5 Hitokkiri (Topic Starter, Members, 43 posts)

Posted 16 January 2015 - 03:44 PM

Hello,

Thanks for answering.

Trust me, I did, a lot of times, but there is always something I can understand.

An image will explain more than 1,000 words of mine. (You can click on them and they will redirect you to a place where they show bigger and in good quality; I uploaded them on SubeFotos.com.)

[screenshot cffc4b81c11aeb96401322fb7bf6b0e5o.jpg]

[screenshot 2aae8c321b2e3605cac1571c69723f8fo.jpg]

[screenshot ece1e9e499bd6be31ac1ccc7a64af001o.jpg]

[screenshot 13c1f1337214a6127b59a04721a76bcfo.jpg]

So, my questions!!!!!!!!!!!!!!!!!!!

1) Why is there a process, more specifically "System" PID:4, with "Local port" netbios-ns (I DISABLED NETBIOS WHEN I INSTALLED THIS OS, the NetBIOS/tcp service is DISABLED), whose Sent Packets and Sent Bytes keep moving? I mean, right now it is Sent Packets: 85, Sent Bytes: 4,300, Rcvd Packets: 3, Rcvd Bytes: 150.

I mean, why is the System process of my OS sending and receiving bytes through a connection where I can't see its Remote Address or Remote Port, and SOMETHING IS HAPPENING THERE! Bytes come and go and no remote address or port shows. That's why I was thinking about HIM hiding his connections with some rootkit, or HIM hiding his connections through the Windows system processes, like svchost.exe or system.exe.

How possible is it for someone to use Metasploit to exploit your OS, then take control of some process like svchost.exe or system.exe, using them to make his connections to spy or communicate through his program/bots?

Please look at the screens and tell me what you think about the ones I selected in RED!

Thank you very much for your time!

Edited by Hitokkiri, 16 January 2015 - 04:01 PM.


#6 Didier Stevens (BC Advisor, 2,707 posts)

Posted 16 January 2015 - 04:41 PM

No, that is normal for PID 4; I've seen them on all Windows machines I ran TCPView on.

I don't know exactly what these UDP entries are, but it is not a sign of malicious activity.




#7 Didier Stevens (BC Advisor, 2,707 posts)

Posted 16 January 2015 - 04:47 PM

I think I just realized what they are: since the remote address and port is *, they must be UDP broadcast packets. That's normal.




#8 Hitokkiri (Topic Starter, Members, 43 posts)

Posted 16 January 2015 - 04:50 PM

Hello,

I use Open free broadcast for casting games, and with a good internet connection I started to have lag where before I didn't, but it's fine.

It all seems to be "normal" or should be there; I suppose there is nothing else I can do,

or there is no problem to look at.

Isn't there another more powerful program than TCPView to see the connections?

Thanks


Edited by Hitokkiri, 16 January 2015 - 05:38 PM.


#9 Didier Stevens (BC Advisor, 2,707 posts)

Posted 16 January 2015 - 05:40 PM

I'm not saying everything is normal, or abnormal, I just didn't analyze all the entries in your screenshots. I answered your question about the UDP connections (in particular PID 4).

 

If you want to analyze the TCP connections, first make your life easier and stop all processes that you know and trust, and that have connections. For example, I saw Skype in your screenshots.

So stop these processes, and then analyze what TCP connections are left. If you see a remote IP address you wonder about, analyze it with the link I gave you earlier.




#10 Hitokkiri (Topic Starter, Members, 43 posts)

Posted 16 January 2015 - 06:05 PM

Hello,

This is it. I closed "all" and then watched it.

[screenshot cf7bbab5ab26dba5434d17b5666bf20do.jpg]

The only weird connection I see is Amazon, like 2 or 3 times, but not established.

Ireland, Dublin City, really? wtf?

[screenshot d1744f1252098bbada4524ac3140db92o.jpg]

[screenshot 65a135520d2a1271ec38ff93b7555649o.jpg]

The others seem to be normal: Microsoft Corporation, Google, Kaspersky and Twitter :S

I was wondering:

Is there any method, is there any way, for someone to hide the status of a connection from "Established" to "*", for example?

I mean, are there some programs or methods to hide the established status of a connection?

Thanks for answering; you all are very kind and professional, I really appreciate it!



#11 Didier Stevens (BC Advisor, 2,707 posts)

Posted 16 January 2015 - 06:38 PM

No, don't look at the entries marked with TIME_WAIT, these are closed TCP connections and their entry will disappear after some time. That's how the TCP stack works.

For TCP, look only at LISTENING (those are open ports) and ESTABLISHED (those are active connections).

 

Yes, there are ways to hide connections. A rootkit for example can hide all traces of a connection, so that it even doesn't appear in the list.

One way I know to try to detect these connections is to work with a network tap: you install this device on the network cable, and it captures all traffic.


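A worked version of the triage described in this reply and in the earlier ones (review the remote addresses of ESTABLISHED connections, ignore TIME_WAIT, set aside the UDP entries whose remote shows as *, and close the programs you already trust first). This is an added example, not code from the thread or from Didier Stevens. It parses the text of a Windows `netstat -ano` listing instead of reading TCPView's window, since netstat prints the same state column; the sample listing, its PIDs and its addresses are constructed, and the table of loopback/private ranges is the example's own assumption.

```python
"""Triage a Windows `netstat -ano` listing the way the thread suggests:
drop TIME_WAIT, keep LISTENING (open ports) and ESTABLISHED (active
connections), set UDP wildcard entries aside, skip processes you already
trust, and flag established connections to non-local addresses so their
owner can be looked up. Added example; the netstat text is constructed."""
import ipaddress
import re

# Constructed sample of `netstat -ano` output. Every address and PID is made up.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:49700     203.0.113.25:443       ESTABLISHED     2412
  TCP    192.168.1.10:49701     198.51.100.7:80        TIME_WAIT       0
  TCP    192.168.1.10:49702     192.168.1.1:53         ESTABLISHED     1204
  TCP    127.0.0.1:49800        127.0.0.1:49801        ESTABLISHED     3344
  UDP    0.0.0.0:137            *:*                                    4
  UDP    192.168.1.10:5353      *:*                                    1204
"""

# One netstat row: proto, local, remote, optional state (absent for UDP), pid.
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)

# Loopback, RFC 1918 and link-local ranges (assumption of this example), listed
# explicitly so the result does not depend on which special-purpose ranges the
# ipaddress module happens to treat as "private".
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def parse_netstat(text):
    """Return one dict per connection row; banner and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            row = m.groupdict()
            row["pid"] = int(row["pid"])
            rows.append(row)
    return rows


def split_endpoint(endpoint):
    """'host:port' -> (host, port); IPv6 hosts are printed as '[::1]:port'."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def remote_scope(host):
    """'none' for wildcards, 'local' for loopback/private/link-local, else 'external'."""
    if host in ("*", "0.0.0.0", "::"):
        return "none"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "external"  # a hostname (netstat run without -n): still worth a look
    return "local" if any(ip in net for net in LOCAL_NETS) else "external"


def triage(text, trusted_pids=()):
    """Bucket the rows by the thread's rules and flag what deserves a lookup."""
    listening, established, udp, flagged = [], [], [], []
    for row in parse_netstat(text):
        if row["pid"] in trusted_pids:
            continue  # e.g. the chat client or browser you would close anyway
        if row["proto"] == "UDP":
            udp.append(row)  # remote shows as *:*; broadcast/multicast is normal here
        elif row["state"] == "LISTENING":
            listening.append(row)
        elif row["state"] == "ESTABLISHED":
            established.append(row)
            host, port = split_endpoint(row["remote"])
            if remote_scope(host) == "external":
                flagged.append((row["pid"], host, port))
        # TIME_WAIT and the other transient TCP states are ignored on purpose
    return {"listening": listening, "established": established,
            "udp": udp, "flagged": flagged}


if __name__ == "__main__":
    result = triage(SAMPLE_NETSTAT)
    for pid, host, port in result["flagged"]:
        print(f"PID {pid}: established to {host}:{port} -> look up who owns {host}")
```

On the sample data this flags one connection (PID 2412 to 203.0.113.25:443) and leaves the loopback and LAN connections, the TIME_WAIT row and the two UDP rows out of the "look this up" list; passing the PIDs of programs you have identified as `trusted_pids` shrinks the list further, which is the same effect as closing them before taking the listing. Note that, as the reply says, a rootkit can hide entries from netstat and TCPView alike, so an empty flagged list is evidence from the host's own view only.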


#12 Hitokkiri (Topic Starter, Members, 43 posts)

Posted 16 January 2015 - 07:20 PM

I love you =)

Thanks for always listening to me.

So one way to "prove" whether I'm right or wrong is to check for rootkits, no?

Because I ran some rootkit detectors many times when I suspected something, but some are "false positives", they say, and I can never prove it.

I'm not too good at using a network tap, but HEY! It is now an option I have that I didn't know about before; that's why I need your knowledge on this matter =)!

I can show you OLD screenshots of me running rkhunter from a portable DVD of Ubuntu on my suspect machine infected with Windows.

RKHUNTER

[screenshot 177df4571732475b86e6faf5ced341d5o.jpg]

[screenshot db1d40d0f4532f2da5cc2ab6edd5c779o.jpg]

[screenshot 697e495db5c3dd503890b7cdd03e7059o.jpg]

[screenshot 3e4b4396dee5c6cbe4251b39b793f507o.jpg]

CHKhunter

[screenshot 47f9bb72d42255ab18ebdbb94f78a479o.jpg]

[screenshot dda1e3c61a1bbd79492a30666c301ae3o.jpg]

[screenshot 8715a52aed9f8f961c3786d72d48e065o.jpg]

My theory ALWAYS was: this person is using a rootkit to hide his connection and unwanted programs like a bot; this person hides the unauthorized connections with rootkits, and uses a bot to automate his work: send data, logs, run a desktop viewer, run a plug-in for the browser to watch my browser or check its history!

What do you think, my friend?

How can we be certain there are no hidden connections?

I receive any advice, I take any advice from you; no matter how small it could be, it helps me, as you do!

Thank you very much, I really appreciate your help.

Checking for hidden ports = skipped. REALLY WTF?


Edited by Hitokkiri, 16 January 2015 - 07:21 PM.


#13 Didier Stevens (BC Advisor, 2,707 posts)

Posted 17 January 2015 - 07:37 AM

But in your first post you say that your computer has been checked and is clean.




#14 Hitokkiri (Topic Starter, Members, 43 posts)

Posted 17 January 2015 - 01:58 PM

Hello,

Yes, I said so. You know, I have been tracking this "malware", this "anomaly", in the diverse OSes I had.

1° I had some games from the company where these guys that are doing this belong; they are a game publisher, so I had their launchers installed on my machine. When I tried to access some webpage, like Twitch.tv, I got a 404 error; when I tried to open Facebook, sometimes I got a 404 error. So I said "WTF MAN", I checked, and in Configuration > LAN CONFIGURATION > connect via this proxy server > there was some proxy connection.

So they were making me connect my browser via their proxy and nobody asked me for that, and they did that to me and they were blocking webpages that are free for me, like Twitch.

And when I unchecked "connect via proxy server", it connected again, so I FORMAT.

2° I have formatted the machine and for NO REASON DID I INSTALL THEIR GAMES, meaning I formatted and did not download their launchers or anything from them; I just check their website from time to time.

So with the cookies, I suppose, they got my info again, and they proceeded to access my machine in other ways: Metasploit > running a desktop viewer > running a browser viewer, and hiding all that with a rootkit.

When I suspected this, I decided to move myself to a portable DVD of Ubuntu, and not install it, just run from the DVD.

So I said: my OS is on a DVD that is not R+, so they can't rewrite it; from this position I will try to examine my machine and the Windows I have "infected".

In 2 days, Linux started to act REALLY badly, I mean:

When I hit "grep -r IP" to find all the words with "IP", there was a BIG BIG BIG BIG BIG list, A LOT of files with the word IP.

2 days after I did this, I hit "grep -r IP" and only 2 lines showed to me; we went from a lot of files and a lot of information in files with the word "IP" to just 2 lines.

[screenshot fc63d29009a277205e34625160c465dao.jpg]

So I suspected some bot in the MBR.

My mind process was the next >>>>>>>>>

1° I have downloaded their files, it was my fault, that's why they gained access; I'm gonna format the machine.

2° Hey, I have formatted, I did not download anything, and I feel something weird on my Windows; I'm gonna check it from a portable DVD of Ubuntu.

3° Hey, this is weird, my OS is on a DVD, but the first 2 times I ran it, it worked in "X" way; 2 days later, this portable DVD is working in "Z" way with easy commands like grep. Why is this happening?

How is it possible for him to change something if I'm running my OS from a portable DVD?

4° OK, he is able to change things from Linux because he is running an MBR bot on me; the bot is not on Windows, it is in the MBR of the hard disk. Every time I turn on the machine it goes from hard disk to MBR, so that's why he can take over 2 different OSes and I can not remove him.

5° I will change this bleep hard drive because I'm done, and I will install a new one.

So after formatting that new hard drive 2 times, I'm here. I was suspecting I had got infected again, so I decided to format the machine and, 1 day after, answer the malware response team, so I practically gave them a clean OS to look at, with few files to look at, to make the work "easier", so they told me I'm clean.

But I have been through all this, and I was not very good at explaining my situation.

It seems that I'm clean, but I did not insist that he look for rootkits exhaustively; I think it is a good idea to try to check for some rootkits and focus on finding the rootkits first, if they exist, to find all the rest.

Thanks for answering

I mean, these Linux screens are old, but for me they could be proof of some malware, or maybe someone with more knowledge could see there the "error" or the "virus". I still have that HD.


Edited by Hitokkiri, 17 January 2015 - 02:03 PM.


#15 Didier Stevens (BC Advisor, 2,707 posts)

Posted 18 January 2015 - 05:11 AM

I have not seen malware samples that can infect Windows and Linux via the MBR. It is technically possible, maybe there is a proof of concept, but I've not seen this in the wild.

And if you boot via a Live CD, the MBR code does not get executed. Hence an infected MBR can not infect the OS running from your Live CD.






