Detecting Zombies? - Networking



Thread: Detecting Zombies?

  1. Detecting Zombies?

    I am the only person who uses Linux on the desktop at my place of work.
    Naturally, everyone else has XP except for a couple with new machines and
    Vista. At any given time half of them are running like they were 286's
    from all the malware that they are infested with. So they reload the OS,
    over and over.

    I have long since stopped working on problem windows machines for clueless
    users and have given up on trying to convince anyone that there is a far
    better platform to surf from. If someone has a genuine interest in Linux
    I will gladly help, but they must make the first move.

    So, back to the virus/trojan/zombie problem. How does a person, who is
    not a career network administrator, determine if their XP is zombied?
    Years ago, I used to play with network protocols and stuff, but haven't
    needed it for years. But the average user is never going to learn Snort
    or the like. If the problem were on a Linux box, netstat might give an
    indication, but with current browsers there are so many connections coming
    and going all the time it isn't as simple as just looking at a snapshot of
    the current connections.

    With Windows what would you use? Bear in mind that there is no network
    admin here. (Not me! - not my work assignment - besides, I am temporary
    anyhow). Probably, there is no answer for non-techies.

    Dan

  2. Re: Detecting Zombies?

    DanB wrote:
    > I am the only person who uses Linux on the desktop at my place of work.
    > So, back to the virus/trojan/zombie problem. How does a person, who is
    > not a career network administrator, determine if their XP is zombied?


    Probably the best way is on the XP machine itself by antivirus software,
    and a personal firewall that only allows outgoing traffic from trusted
    applications.

    You might also be able to use some sort of traffic analysis, but a
    zombie could make its communications look like HTML, so I would not
    trust this.

    I always place a firewall between the Microsoft Windows based computers
    and the rest of the network, so that any damage is limited to the Microsoft
    Windows machines.

    --
    Mark Hobley,
    393 Quinton Road West,
    Quinton, BIRMINGHAM.
    B32 1QE.

  3. Re: Detecting Zombies?

    DanB wrote:

    > I am the only person who uses Linux on the desktop at my place of work.
    > Naturally, everyone else has XP except for a couple with new machines and
    > Vista. At any given time half of them are running like they were 286's
    > from all the malware that they are infested with. So they reload the OS,
    > over and over.
    >
    > I have long since stopped working on problem windows machines for clueless
    > users and have given up on trying to convince anyone that there is a far
    > better platform to surf from. If someone has a genuine interest in Linux
    > I will gladly help, but they must make the first move.
    >
    > So, back to the virus/trojan/zombie problem. How does a person, who is
    > not a career network administrator, determine if their XP is zombied?
    > Years ago, I used to play with network protocols and stuff, but haven't
    > needed it for years. But the average user is never going to learn Snort
    > or the like. If the problem were on a Linux box, netstat might give an
    > indication, but with current browsers there are so many connections coming
    > and going all the time it isn't as simple as just looking at a snapshot of
    > the current connections.
    >
    > With Windows what would you use? Bear in mind that there is no network
    > admin here. (Not me! - not my work assignment - besides, I am temporary
    > anyhow). Probably, there is no answer for non-techies.
    >
    > Dan



    Inside a dos box, enter netstat -a to list all the connections.
    It should be about ten lines if idling.

    install privoxy (free and open source - google for it) and direct all your
    web traffic through that - it will log all outgoing standard http urls for
    the user to see himself when his machine is accessing remote sites
    even when WINDUMMY isn't doing anything.



  4. Re: Detecting Zombies?

    > Inside a dos box, enter netstat -a to list all the connections.
    > It should be about ten lines if idling.
    >
    > install privoxy (free and open source - google for it) and direct all your
    > web traffic through that - it will log all outgoing standard http urls for
    > the user to see himself when his machine is accessing remote sites
    > even when WINDUMMY isn't doing anything.


    You mean a dos box in Windows? It never occurred to me that netstat would
    run on windows, if that is what you mean. Thought it was an old Unix
    utility.

    If so that may be great. Thinking about the problem, I wonder if the
    easiest way would be to boot windows, connect to the network but not start
    a browser or do anything on the network. Then run netstat.

    If a bunch of traffic shows up that is not ISP generated, then I assume
    that means they are hosed.

    What do you think?

    Thanx
    Dan

  5. Re: Detecting Zombies?

    On Thu, 04 Sep 2008 21:51:32 -0500, DanB wrote:

    >> Inside a dos box, enter netstat -a to list all the connections. If
    >> It should be about ten lines if idling.
    >>
    >> install privoxy (free and open source - google for it) and direct all
    >> your web traffic through that - it will log all outgoing standard http
    >> urls for the user to see himself when his machine is accessing remote
    >> sites even when WINDUMMY isn't doing anything.

    >
    > You mean a dos box in Windows? It never occurred to me that netstat
    > would run on windows, if that is what you mean. Thought it was an old
    > Unix utility.
    >



    Well, Windows has stolen/reused quite some things from BSD.

    try ... netstat /aonb
    it'll give port number (n)
    all of them (a)
    pid (o)
    and look for their process name (b)
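
Dan's idle-baseline idea (post 4) combined with goarilla's `netstat /aonb` flags, as an added example that is not from any poster: take one snapshot with nothing running, take another later, and report foreign endpoints that were not in the baseline together with the owning PID and executable. The two snapshots, the process name `winupdate32.exe` and all addresses are constructed; as John Oliver notes further down, a rootkitted host can still lie to netstat, so treat this as a first check, not proof of a clean machine.

```python
import re

# Constructed samples of Windows `netstat -aonb` output (not real captures).
# With -b the owning executable is printed in brackets on the line after each entry.
BASELINE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
 [System]
  UDP    0.0.0.0:123            *:*                                    1020
 [svchost.exe]
"""

LATER = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
 [System]
  TCP    192.168.1.23:49201     203.0.113.5:6667       ESTABLISHED     1844
 [winupdate32.exe]
  TCP    192.168.1.23:49202     198.51.100.9:25        SYN_SENT        1844
 [winupdate32.exe]
  UDP    0.0.0.0:123            *:*                                    1020
 [svchost.exe]
"""

ENTRY = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\w+)\s+)?(\d+)\s*$")
OWNER = re.compile(r"^\s*\[(.+)\]\s*$")
# Foreign addresses that are not real remote peers (wildcards, loopback).
LOCAL_PREFIXES = ("0.0.0.0", "*:", "127.", "[::")


def parse_netstat(text):
    """Return (proto, local, foreign, state, pid, exe) tuples; UDP has no state."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            entries.append([proto, local, foreign, state or "", int(pid), ""])
            continue
        m = OWNER.match(line)
        if m and entries:
            entries[-1][5] = m.group(1)   # -b prints the owner after the entry
    return [tuple(e) for e in entries]


def new_foreign_endpoints(baseline_text, later_text):
    """Foreign endpoints in the later snapshot that the idle baseline never showed."""
    known = {e[2] for e in parse_netstat(baseline_text)}
    findings = []
    for _proto, _local, foreign, state, pid, exe in parse_netstat(later_text):
        if foreign.startswith(LOCAL_PREFIXES) or foreign in known:
            continue
        findings.append((foreign, state, pid, exe))
    return findings
```

Run against the two snapshots it reports both connections owned by PID 1844, including the outbound attempt to port 25 that the later post about blocking SMTP at the gateway would also catch.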

  6. Re: Detecting Zombies?

    On 05 Sep 2008 15:55:01 GMT, goarilla wrote:

    ....
    >well windows has stolen/reused quite some things from BSD


    BSD license allows commercial reuse, so it's not theft

    Grant.
    --
    Cats, no less liquid than their shadows, offer no angles to the wind.

  7. Re: Detecting Zombies?

    On Thu, 04 Sep 2008 18:59:08 GMT, 7 wrote:
    > Inside a dos box, enter netstat -a to list all the connections.
    > It should be about ten lines if idling.


    You cannot trust anything a potentially-compromised host will tell you.
    Utilities like netstat will probably be replaced with copies that will
    not display the malicious traffic.

    --
    * John Oliver http://www.john-oliver.net/ *

  8. Re: Detecting Zombies?

    On Thu, 04 Sep 2008 10:28:43 -0500, DanB wrote:
    > With Windows what would you use? Bear in mind that there is no network
    > admin here. (Not me! - not my work assignment - besides, I am temporary
    > anyhow). Probably, there is no answer for non-techies.


    There isn't.

    Something like tripwire or cfengine would alert on or correct
    overwritten system files. A firewall would help reduce infestations.
    Having users run as regular users, and not Administrator, would help.
    But all of that requires some kind of admin. If this company is too
    cheap to pay someone, or get a consultant, IIWY I'd stop worrying about
    it. You don't get extra time added to the end of your life to make up
    for time wasted on pointless exercises.

    --
    * John Oliver http://www.john-oliver.net/ *

  9. Re: Detecting Zombies?

    Hello,

    Grant wrote:
    > On 05 Sep 2008 15:55:01 GMT, goarilla wrote:
    >
    >>well windows has stolen/reused quite some things from BSD

    >
    > BSD license allows commercial reuse, so it's not theft


    The GPL allows commercial reuse too, but would not allow this. It has
    nothing to do with commercial reuse but reuse in proprietary software,
    whether it is commercial or not.

  10. Re: Detecting Zombies?

    DanB wrote:

    > I am the only person who uses Linux on the desktop at my place of work.
    > Naturally, everyone else has XP except for a couple with new machines and
    > Vista. At any given time half of them are running like they were 286's
    > from all the malware that they are infested with. So they reload the OS,
    > over and over.
    >

    What are they doing with their machines? If they do anything work related,
    it won't be reliable, and the competitors may even get their reports before
    the boss has read them.

    > I have long since stopped working on problem windows machines for clueless
    > users and have given up on trying to convince anyone that there is a far
    > better platform to surf from. If someone has a genuine interest in Linux
    > I will gladly help, but they must make the first move.
    >

    Surfing infected sites is not the main goal of computer usage at work. Well,
    sh*t may happen anytime, but it looks like productivity has already gone
    downhill and the shop will soon be a thing of the past.
    You may happily use your linux computer to look for alternative jobs.

    > So, back to the virus/trojan/zombie problem. How does a person, who is
    > not a career network administrator, determine if their XP is zombied?


    They don't at work. Actually, they don't run their boxen as admin, and they
    only surf over a proxy (with the usual squidguard or privoxy). And, they do
    not waste time reinstalling "their" computers.

    .....
    > With Windows what would you use? Bear in mind that there is no network
    > admin here. (Not me! - not my work assignment - besides, I am temporary
    > anyhow). Probably, there is no answer for non-techies.
    >

    Be glad you are temporary. Netstat works on windows boxen as well, but once
    a machine is a rootkitten, it may lie to you.

    --
    vista policy violation: Microsoft optical mouse found penguin patterns
    on mousepad. Partition scan in progress to remove offending
    incompatible products. Reactivate MS software.
    Linux 2.6.24. [LinuxCounter#295241,ICQ#4918962]

  11. Re: Detecting Zombies?

    John Oliver wrote:
    > On Thu, 04 Sep 2008 18:59:08 GMT, 7 wrote:
    >> Inside a dos box, enter netstat -a to list all the connections.
    >> It should be about ten lines if idling.

    >
    > You cannot trust anything a potentially-compromised host will tell you.
    > Utilities like netstat will probably be replaced with copies that will
    > not display the malicious traffic.
    >


    You're giving the malware authors (or their potential "users") too much
    credit. Malware will often use basic hiding mechanisms, such as hiding
    its files in explorer or the process from task manager, but there is
    little point doing anything more sophisticated on a windows machine. It
    would be a great deal of work making a windows version of netstat that
    didn't show your malware (on open source OS's it's easy - download the
    source, add a couple of lines of filter, re-compile), and virtually no
    victim is going to think of using it. Any admin will normally use
    something like Spybot Search and Destroy, or some other popular malware
    finder - not netstat.

  12. Re: Detecting Zombies?

    DanB wrote:
    > I am the only person who uses Linux on the desktop at my place of work.
    > Naturally, everyone else has XP except for a couple with new machines and
    > Vista. At any given time half of them are running like they were 286's
    > from all the malware that they are infested with. So they reload the OS,
    > over and over.
    >
    > I have long since stopped working on problem windows machines for clueless
    > users and have given up on trying to convince anyone that there is a far
    > better platform to surf from. If someone has a genuine interest in Linux
    > I will gladly help, but they must make the first move.
    >
    > So, back to the virus/trojan/zombie problem. How does a person, who is
    > not a career network administrator, determine if their XP is zombied?
    > Years ago, I used to play with network protocols and stuff, but haven't
    > needed it for years. But the average user is never going to learn Snort
    > or the like. If the problem were on a Linux box, netstat might give an
    > indication, but with current browsers there are so many connections coming
    > and going all the time it isn't as simple as just looking at a snapshot of
    > the current connections.
    >
    > With Windows what would you use? Bear in mind that there is no network
    > admin here. (Not me! - not my work assignment - besides, I am temporary
    > anyhow). Probably, there is no answer for non-techies.
    >
    > Dan


    Set up the network's Internet gateway/firewall to block all outgoing
    SMTP traffic that is not from the company mail server to the ISP's mail
    server, and to alert some competent person on other attempts to send
    SMTP traffic. That will quickly block the effects of most zombie
    software, and let you know what's happening.
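
The egress rule described in the post above, as an added example that is not the poster's own: the gateway logs every outbound attempt to TCP port 25, and this script reads those log lines and reports the attempts the policy forbids (anything not from the company mail server to the ISP's relay), grouped by internal host so the "competent person" can see which machine to look at. The mail-server and relay addresses, the iptables rules shown in the comment and the log lines are all constructed.

```python
import re
from collections import defaultdict

MAIL_SERVER = "192.168.1.5"     # assumed address of the company mail server
ISP_RELAY = "198.51.100.25"     # assumed address of the ISP's mail relay

# Assumed gateway rules the log lines below would come from (iptables syntax):
#   iptables -A FORWARD -p tcp --dport 25 -j LOG --log-prefix "SMTP-OUT: "
#   iptables -A FORWARD -p tcp --dport 25 -s 192.168.1.5 -d 198.51.100.25 -j ACCEPT
#   iptables -A FORWARD -p tcp --dport 25 -j DROP
# Constructed kernel log lines in iptables LOG format (not a real capture).
LOG_LINES = """\
Sep  5 09:01:12 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.5 DST=198.51.100.25 PROTO=TCP SPT=40211 DPT=25 SYN
Sep  5 09:02:40 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.77 PROTO=TCP SPT=49202 DPT=25 SYN
Sep  5 09:02:41 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.78 PROTO=TCP SPT=49203 DPT=25 SYN
Sep  5 09:03:05 gw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.5 DST=203.0.113.90 PROTO=TCP SPT=40212 DPT=25 SYN
Sep  5 09:04:00 gw kernel: WEB-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.10 PROTO=TCP SPT=49204 DPT=80 SYN
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def parse_log_line(line):
    """Extract the KEY=VALUE fields of an iptables LOG line into a dict."""
    return dict(FIELD.findall(line))


def smtp_policy_violations(text):
    """Map each internal source host to the destinations it tried to reach on
    TCP/25 in violation of the policy: only MAIL_SERVER -> ISP_RELAY is allowed."""
    violations = defaultdict(list)
    for line in text.splitlines():
        f = parse_log_line(line)
        if f.get("PROTO") != "TCP" or f.get("DPT") != "25":
            continue                       # not SMTP, nothing to judge
        if f.get("SRC") == MAIL_SERVER and f.get("DST") == ISP_RELAY:
            continue                       # the one permitted path
        violations[f["SRC"]].append(f["DST"])
    return dict(violations)


if __name__ == "__main__":
    for host, dsts in smtp_policy_violations(LOG_LINES).items():
        print(f"ALERT: {host} attempted direct SMTP to {len(dsts)} host(s): {', '.join(dsts)}")
```

Note that the mail server itself is flagged when it talks to anything other than the ISP relay, which is exactly what the post asks for; a workstation spraying port 25 at several destinations is the classic spam-zombie signature the rule is meant to expose.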

  13. Re: Detecting Zombies?

    > Set up the network's Internet gateway/firewall to block all outgoing
    > SMTP traffic that is not from the company mail server to the ISP's mail
    > server, and to alert some competent person on other attempts to send
    > SMTP traffic. That will quickly block the effects of most zombie
    > software, and let you know what's happening.


    Actually, I have done that. In fact, it is the only computer thing I have
    done there. My career was computers from the mainframe days in 1968 to
    a few years ago when I retired. Now I only work at different jobs that I
    enjoy, and this one happens to have nothing to do with any type of system
    admin or computers of any kind other than using one on occasion.

    But, when I saw that this company (a fairly new startup with not a whole
    lot of capital) didn't even have a firewall, I offered to set one up using
    an old machine. I loaded Smoothwall on it and turned off everything
    except port 80, so now at least they have a firewall. I have refused their
    offer for system services.

    Someday (If they make it) they will have a real system admin (not me!),
    but for now it is like the average icon clicker's machine all over the
    world. That is to say, no matter how current the virus checker, the
    machines will be polluted just hours after seeing the Internet for the
    first time.

    Dan
