Botnet detection

Has your computer become slow and unresponsive? Do you suddenly find the internet slow and unusable? Chances are you have been infected with a botnet worm and your PC has been turned into a ‘zombie’ and is being remotely controlled over the internet by a hacker or botmaster.

What is a botnet

Botnets are large groups of computers that have been infected by a network worm. These are like viruses only with fewer noticeable effects, and are often designed to serve a purpose, which is in most cases to perform large network attacks against other computers, or to commit fraud by harvesting data from the infected PC’s (zombies). Often network attacks are used in an attempt to extort money from victims, often businesses operating large websites such as Poker websites. Harvesting of data such as credit card information or personal details of the victims themselves to sell on to the black market for around $10 a pop. This is why botnet detection is important, and if you feel your PC may have become infected you should read on!

Botnet detection and removal

Firstly we need to take a baseline reading of your PC activity, to confirm you are most likely infected with a network worm. The first step is to download a user friendly TCPView tool by Sysinternals/Microsoft. This shows what programs are running on your computer and if they are connecting out to the internet. A quick Google search will allow you to find and install TCPView. Take a look below at the screen shot.

What to look for in Tcpview (Click to Enlarge):

Botnet detection

1) Lots of green connections being constantly established. This means the worm is scanning or attacking other websites. In this example you can see the victim has had his internet explorer infected (iexplore.exe) and it is scanning websites. You can tell this as there are lots of iexplore.exe processes open and many green established connections.

2) High port numbers often indicate a hijacked or rogue executable file is running on the system. In this example you can see the iexplore is running on a high local port ‘59698’. This is probably the controlling port, and allows the botmaster to control the botnet. Although in this example you see all the remote ports as http (80) that is not always the case. Port 80 is the www port, which websites operate over, and it could be the botmaster is being controlled via a website. A lot of the time botnets connect up to higher remote ports also, these are common port numbers to watch out for:

6667, 7000, 3267, 5555, 4367

If you see remote connections to these ports and you are not chatting to someone on Internet Relay Chat (IRC) we would highly advise running the tool RUBOTTED by Trendmicro to aid in botnet detection and removal.

After you have run this tool, be sure to check TCPView again after a fresh reboot, and check the level of active connections leaving your computer. If you still have further problems, we recommend doing a free online virus scan that ESET provide.

Staying clean after botnet detection and removal

1) Maintain your Anti Virus by renewing your annual subscription, and ensure it is updated automatically every day. Ensure your PC is kept up2date with Windows/Mac/Linux system updates and security patches for the software running on it.

2) Avoid BAD websites, don’t click on popup adverts, just cross them off, or if need be kill the process.

3) If you are comfortable with controlling what applications have access to the internet install a free firewall such as the one Comodo provide.