187
Comments

Join the conversation!

Follow via:
RSS
Email Alert
0 Votes
+ -
Contributr
That's how many spam email messages 10 botnets kick out each and every day. Learn some surprising facts, like being the biggest botnet doesn't mean it supplies the most spam.
How come, if those 10 botnets are so easy to identify, that I cannot find a simple utility to check if a PC is part of such a botnet.
Something easy to install on a stick, and that I can take anywhere with me, to friends, relations and family...
So many $$ invested in counting, reporting, providing spam stopping solutions (to the amount that regular email is not getting through anymore) and nothing to really combat the botnet.....
...but then I suppose the anti-spam solution providers wouldn't make any money pushing their products.
Contributr
Will detect most of the botnet code. I have found that MBAM works about the best. A few botnets are rootkits, then I would suggest GMER.

http://www.malwarebytes.org/mbam.php

http://www.gmer.net/
Check out this link: http://free.antivirus.com/rubotted/

TrendMicro offers this free of charge. I found this on Google in less than a minute.

Enjoy!
RUBotted
mudpuppy1 Updated - 3rd Mar 2010
Unfortunately, according to the system requirements, it doesn't run on x64 or Windows 7 (or Server 2008/R2). Hopefully they will fix that.
Contributr
MBAM does
Michael Kassner 3rd Mar 2010
It is by far my favorite malware scanner. Highest success rate.

It is one of the few applications I recommend (no affiliation) that people purchase as that includes automatic scanning.
MBAM
mudpuppy1 3rd Mar 2010
I agree. I use it on all my systems at home. I haven't yet, but I plan to purchase it.
Contributr
Is that the bad guys know it as well. I have had to change the loader name and executable file a few times now to get it to work.

I am working on a USB drive OS/MBAM combination, that I can update on a clean machine and then move the drive to the problem computer. Not there yet.
The malware writers definitely know it and program for it.
I just finished cleaning a client's PC which had been infected with Vundo (among others). It allowed me to install MBAM (after I changed the install file name), but somehow managed to block the install from writing the MBAM exe to the MBAM folder. Got around that by burning a CD from a clean system with the entire MBAM folder and telling the infected system to go find the exe there when the desktop icon couldn't find it.
It took half a dozen runs to clean the PC, but appears to have worked.
Contributr
I am trying to setup a flash drive with an OS and MBAM. I'd like to update MBAM on a clean computer and then scan the suspect computer via the flash drive.
I believe Neon turned me on to this...

http://www.pendrivelinux.com/create-a-xubuntu-9-10-flash-drive-using-windows/

I don't know about pendrive?
Actually
JayInJersey 4th Mar 2010
Actually it does allow the write of MBAM.exe but deletes it shortly after.

I was in a situation where I didn't have any copies of the newest version and had to clean this machine... I was able to move the mbam.exe from the directory right after the installer created it there, then move it back to the directory after the install. Apparently it only deletes it while the installer is running.


Now I keep a copy of the new versions on a keychain drive just to avoid this.
Contributr
MBAM on key
Michael Kassner Updated - 4th Mar 2010
Could you please go into more detail about your technique? Do you replace MBAM.exe on the key often? What about the signature file?

I am trying to put something like this together, but have not had the time to research it properly yet.
Worthless
agonzales@... 3rd Mar 2010
RUBotted is about the most worthless rootkit scanner I have ever used. It never found a single root kit from computers that I know had one. I was able to remove using gmer (free) or hitman (30 day trial, ~$30 to buy).
searching for it returns a host of links to movies, a role-playing game, and news stories about hired killers. Also about a scam:

http://www.fbi.gov/page2/jan07/threat_scam011507.htm
Thanks, J.
Ocie3 5th Mar 2010
It looks like an abbreviated form of an AV utility without any "signatures". There is no mention in the description as to whether it can find any rootkits.
Ever tried Prevx?...
JCitizen Updated - 6th Mar 2010
If the claims are correct, it can not only find root-kits, but create an input/output bubble around the browser to foil key-logging and video capture! I recommend reading the technical specs on PDF for download.

I had been desperately looking for something like that, but I thought Prevx was some old outdated AV from the Windows '98 days. It seems like I heard of it way back when!

It must have its own kernel, because it works at a very low level in the OS layer. I've been fairly impressed with it so far, but I haven't tested the anti-key-logging ability yet. I don't know a safe source to do that. It blocks a lot of bad downloads, so that is probably why I haven't been hit yet.

With XP and limited defenses, Snoopfree Privacy Shield would yield key-logging activity pretty quickly, and block key-logging and video hooking at that layer, but it is obsolete for kernel type root-kits.

I like the cloud based aspect of it, and the scans are lightning fast! However I will never use the removal feature, as it is not recommended by forum members everywhere. The heuristic engine seems to work phenomenally.

The cool thing is, it works with all the other safeguards I have on my honeypot! I have the paid version, but I should have waited as they are giving it away free on Facebook!! The screen-shots show the anti-spyware options enabled for that offer!!
This is the most useless piece of software I have ever seen. Not only does it not do what it is designed to do, it plants itself into your system like a virus. INSTALL AT YOUR OWN RISK. CONSIDER YOURSELF WARNED.

This program installs hidden TMPASSTHRUMP devices that use the NDIS API, to every type of network adapter on your system (including virtual adapters, i.e. VPN). It then forces Windows to use these hidden devices instead of the original. So, if you forcefully remove RUBotted (the only way you can), then it WILL leave these devices behind. If you remove the hidden service using cmd line, you just lost all network connectivity. You then need to manually remove these devices methodically using BOTH the registry, removing system files, and the Device Manager. Otherwise, it will just reinstall itself using Windows PnP the next time you reboot.

Do yourself a favor and STAY AWAY.
TrendMicro
KBell@... 3rd Mar 2010
Is this the same TrendMicro that doesn't work and play well with others? I removed a ton of malware from a client's PC and told him to go buy some AV software ASAP! He bought Trend and it removed both MBAM & Spybot S&D to make way for itself. Can't we all just get along?
A GOOD AV will get along with anything. These do:

NOD32
NIS2010
AVAST
Avira
Contributr
I would like to know more details about the removal. If you don't mind.
6 months ago
seanferd 6th Mar 2010
I helped my ex-boss update his Trend Micro whatsit, and when it was done demanding software be uninstalled, I was surprised there was an operating system left. Constant restarts of the installer, and system reboots.

Had to be in the top ten most annoying installs I've ever encountered.
Office Scan?...
JCitizen 6th Mar 2010
Just curious. We used to use it, and found it lacking; but our perimeter defense, AD policy, server configuration, white/black listing, and user education made up for it.
No
seanferd 6th Mar 2010
One of whatever home user suites they sell. Probably "Internet Security".
Botnets are identified (partly) by the spam they produce. That doesn't mean that the piece of software can be identified just as easily.
Contributr
Can be loaded by so many different methods and loader malware. That is another real problem. Waledac has been found on several different droppers including Conficker.
Contributr
I was surprised by the dominance of South Korea and the Gheg botnet.
heavily with the fact that they have so many pirated copies of Windows. Of course, free open source is being peddled by the government, but I have my doubts as to popularity with this move yet.

Perhaps with the other botnets?
Contributr
That pirated copies can download the critical updates. So it is the users that are making the choice to not update.
that put the most compromised users in China and India, but that was a few years ago.

The Chinese want to shut down bot-nets because the resistance movements also use them to communicate.

The Iranian government is finding this out too! HA!
Contributr
The most difficult part of my research was determining what stats to believe. I have not encountered India in any of my research, so that surprised me.

Truth be told, we in the US have consistently been first or second in number of compromised computers.
Without a doubt...
JCitizen Updated - 5th Mar 2010
You are right about the stats. However, common sense tells me with the two fastest growing economies in the world, there would be a vast population of new clueless users in those two countries.

I would think the new Indian user would be better prepared than the average Chinese user, as the Indian people are not treated by their government as much like mushrooms as the unfortunate people in the PRC are.
but from what I've read over the years, people who buy pirated software are ordinarily advised:

(1) that the software will never need updating or "patching" to correct flaws, or, if it is updated, then a copy can be bought more cheaply from the pirate; and/or

(2) that updating or "patching" the software will introduce "problems" that might make it impossible to run the software (which is unfortunately sometimes true even for legitimate installations).

So, even if the pirated software is an OS, and some specific deficits can be patched "safely", people who use pirated software (which they may or may not know is pirated) often lack the knowledge that they need to do that and they don't bother.

They depend upon the pirates.
and would also bolster my claims. Michael does point out that the stats he sees are not verifiable, and I must admit, this is true also.

But common sense tells me that with the two fastest growing economies in the world, those two countries are going to be big targets, and have even more clueless users than the Americas, Europe, and even the former Soviet Union.
If there is a way to track back some of these zombies to an ISP and the ISP fails to deactivate the account, can't the ISP's IPs be blacklisted in the router table of the ISP's bandwidth provider?
Contributr
I am a bit confused by your comment.
Not being as educated in the ways of the net, my solution may be simplistic.

By example, a piece of spam reached me today with the following info in the header:

"Received: (qmail 22985 invoked by uid 399); 4 Mar 2010 09:16:46 -0500
Received: from mail.paysderennes.fr (HELO serveur.GIP.local) (217.167.22.6)"

Now, my mail server has no way of knowing if that IP is forged, but assuming that the router that sent this mail on to me is in fact at that IP, why can't (or won't) the owner of that IP make an effort to stop whatever machine is sending this crap?
Contributr
1. The address could be spoofed.

2. The public IP is that of the network most likely, so the actual bot machine would not be known.

3. Most owners of compromised computers are not aware of the problem.

4. Some botnets are set up to use the e-mail server that the person owning the bot-infected computer uses.
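The header quoted a few posts up and the four points in the reply above it make a concrete point about what a receiving mail server can and cannot learn from Received lines: only the hop that our own server stamped records an address it actually observed (the TCP peer), and everything below that hop is text the sender wrote. The following is an added example, not code from this thread or from any participant. It is a small Python parser that unfolds the headers, pulls the "from" name, HELO name and IP out of each Received hop, and treats the first hop stamped by our own mail system as the trust boundary. The number of stamps our own system prepends (own_stamps) is an assumption the operator supplies; in the quoted qmail header it is two, the local delivery stamp and the SMTP reception stamp. The sample message reuses the two quoted lines and adds constructed lower hops to stand in for what a bot could forge.

```python
import re
from ipaddress import ip_address

# Constructed sample message. The first two Received lines are the ones
# quoted in the thread; the hops below them are made up to represent
# header lines a bot-infected sender could have written itself.
SAMPLE_HEADERS = """\
Received: (qmail 22985 invoked by uid 399); 4 Mar 2010 09:16:46 -0500
Received: from mail.paysderennes.fr (HELO serveur.GIP.local) (217.167.22.6)
Received: from relay.example.org (relay.example.org [203.0.113.9])
\tby serveur.GIP.local with ESMTP; 4 Mar 2010 14:10:02 +0000
Received: from [192.168.1.57] (helo=desktop)
\tby relay.example.org; 4 Mar 2010 14:09:59 +0000
From: someone@example.com
Subject: constructed sample
"""

IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
FROM = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
HELO = re.compile(r"helo[=\s]+([^\s)]+)", re.IGNORECASE)


def unfold(raw):
    """Join RFC 822 continuation lines (leading whitespace) onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def parse_received(raw):
    """Return one dict per Received header, top (newest) first."""
    hops = []
    for line in unfold(raw):
        name, _, value = line.partition(":")
        if name.strip().lower() != "received":
            continue
        value = value.strip()
        m_from, m_helo, m_ip = FROM.match(value), HELO.search(value), IPV4.search(value)
        hops.append({
            "from": m_from.group(1) if m_from else None,   # name our MTA recorded, or None for a local stamp
            "helo": m_helo.group(1) if m_helo else None,   # name the peer claimed in HELO/EHLO
            "ip": m_ip.group(1) if m_ip else None,
            "raw": value,
        })
    return hops


def first_external_hop(hops, own_stamps):
    """First hop stamped by our own MTA that names a connecting peer."""
    for i, hop in enumerate(hops[:own_stamps]):
        if hop["ip"]:
            return i, hop
    return None, None


def assess(raw, own_stamps):
    """Classify each hop as observed (ours) or merely claimed (below the boundary)."""
    hops = parse_received(raw)
    idx, boundary = first_external_hop(hops, own_stamps)
    if boundary is None:
        return {"observed_ip": None, "hops": hops,
                "findings": ["no peer address stamped by our own server"]}
    findings = [f"hop {idx}: peer {boundary['ip']} was observed by our server, not claimed"]
    if boundary["helo"] and boundary["from"] and boundary["helo"].lower() != boundary["from"].lower():
        findings.append(f"hop {idx}: HELO {boundary['helo']!r} differs from recorded name {boundary['from']!r}")
    if boundary["helo"] and boundary["helo"].lower().endswith(".local"):
        # An internal-only HELO suffix is consistent with the public IP being a NAT gateway
        # rather than the infected machine itself (point 2 in the reply above).
        findings.append(f"hop {idx}: internal HELO suffix, {boundary['ip']} is likely a NAT gateway")
    for j, hop in enumerate(hops[own_stamps:], start=own_stamps):
        findings.append(f"hop {j}: below the boundary, {hop['ip'] or hop['from']} is sender-written text")
        if hop["ip"] and ip_address(hop["ip"]).is_private:
            findings.append(f"hop {j}: private address {hop['ip']} is not usable for an abuse report")
    return {"observed_ip": boundary["ip"], "hops": hops, "findings": findings}


if __name__ == "__main__":
    for line in assess(SAMPLE_HEADERS, own_stamps=2)["findings"]:
        print(line)
```

Running it reports 217.167.22.6 as the only address worth an abuse report, flags the mismatch between the HELO name and the recorded host name, notes that the .local HELO suggests a gateway rather than the bot itself, and marks the two constructed hops beneath the boundary as unverifiable. If own_stamps is set to 1 the parser finds no observed peer at all, because qmail's local delivery stamp carries no address, which is why the operator-supplied count matters.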
ISPs are generally...
JCitizen Updated - 3rd Mar 2010
not interested in the legal consequences of such activity. I must admit, though, my syslog records a greatly reduced amount of overall "background radiation", as they are wont to call it.

Perhaps my mailing of offending IPs to them, convinced them to educate the public, and do better blocking in the servers/gateways.
Bot flowchart
EVW 3rd Mar 2010
I'm a little fuzzy as to the inner working of the bots in general. Here's a simplistic run down as I see it now. Then again, I can be quite the dunderhead.
1) Initially a server is set up to send out spam for some product by one or a few enterprising individuals.
2) Someone clicks on an ad to order a product.
3) Zing! They're infected and start sending out more spam which is monitored by the C&C machine. This process continues until there are 10,000s of thousands of members (however, members usually refer to people who sign up voluntarily for something or other.)
4) Question. What happens to the original product ordered? Does it get shipped? Is it just a ruse to get the machine infected? Or both?
I doubt most people get infected with any purchase. Usually infection involves downloading a file. The file is usually something free that looks good. After you download it and go to use it, that is when your computer gets infected. Once infected someone else can control your PC and make it send out spam.
There were a few truckloads of perfectly resealed Windows XP disks a few years back. Every one was pre-infected with malware and on its way to being injected back into the legitimate supply chain for retail shelf sales. If that's what was caught, how much wasn't?

Years ago, network hardware was also discovered. I believe it was Cisco boxes that were leaving out a factory side door; nothing stopping the criminals from adding "value" into the hardware in that case either.

By definition, the crapware included with pre-built machine purchases easily falls into the malware category. Installed without the previous permission of the owner and doing things the owner may not agree with. There was a time when dial-home code was blatantly considered malware; the code is still here and "dial-home by default" makes it worse with always-on network connections.

Microsoft Windows 98 harvested user data and delivered it directly back to their databases until the behavior was discovered by a researcher. Microsoft got a lot of heat over that and had to change Windows Update's methods as a result.

A requirement of Lenovo's ThinkVantage "value add" software is Message Center, which has now been made a required dependency for ThinkVantage System Update. Message Center's purpose is to spam users with popups. You may not be able to imagine the confusion when my users start getting popups asking them to buy new batteries or larger hard drives.

Lest we leave out DRM and similar badly implemented things that lock the owner out of their own property and treat them like a criminal by default (guilty until proven less guilty).

I think it was barely two years ago that batches of flash drives were discovered to have had malware injected at the production factory. Criminals actually got a modified firmware onto the production line so every unit that came out of there was pre-infected before being packaged for retail shelves.

I'm sure there is a long list of examples I'm unaware of but those are some of the cases where infection has happened long before consumer purchase let alone downloading.
There have been more than a few "drive by" attacks that require no interaction from the user at all. They get the attack code onto a legitimate site or well designed duplicate and your system is infected just by you viewing the site. This same approach is even older in email; why have the user click on a link when you can send them an html email with attack code in it.
Very true..
JCitizen 3rd Mar 2010
You've probably seen me write about my buddy who was slammed by a flash ad. He was only sitting there on a legit site reading the specs for some software!

We took a sledgehammer to that drive!
Contributr
Botnet code can be delivered and installed just like any other malware. You might be interested in this link. I describe the different types of malware and what they do:

http://blogs.techrepublic.com.com/10things/?p=881

This next link is a good paper on the economics of spam:

http://cc.uoregon.edu/cnews/summer2003/spameconomics.html

In many cases it is not wanting to sell something, but a way to get the victim's identification and financial information. That's why rogueware is doing so well.
I'm kind of in an odd situation, I work for an antispam company and am working on a charity project to prevent counterfeit drugs.

Those Viagra ads? One of my colleagues on the charity work mentioned a stat, not sure where the source was, but roughly 80% of internet marketed Viagra is counterfeit. Viagra, Cialis etc. are by far the most counterfeited drugs in the developed world, whereas in the 3rd world sadly it is things like anti-malaria (the WHO estimates of the 1M deaths due to malaria in 2008, 200k of them were because the medications that the people were taking were fake), TB and antibiotics.

In short, scammers will sell you what you are likely to buy. In the developed world that is "lifestyle" drugs, male enhancement, weight loss, heart meds etc.; in the 3rd world it is drugs that are necessary for immediate survival. Since if you have regular access to the internet you are relatively well off, the spam tends towards the "lifestyle" drugs that are most heavily used in the developed world.