[Dshield] Possible Bot?

Duong, Henry M. (SHB) HDUONG at shb.com
Mon May 12 15:00:04 GMT 2008


Try Trend's RUBotted.

http://www.trendsecure.com/portal/en-US/tools/security_tools/rubotted 

And use a couple of standalone anti-malware tools to scan, e.g. CureIt,
ClamAV, AdAware, Comodo, etc.

Use Process Explorer to see what is opening up.  This should give you a
good insight into what is open or opening during the flood.  This way it
can point you in the right direction as to what is causing the flood.

Wireshark for a sniff of the traffic is good as well.

Definitely take it off the network.  

If the above doesn't work, post again, as there are more ways to skin a
rat, but the above are good starting points.

Cheers.

-----Original Message-----
From: Tony Raboza [mailto:tonyraboza at gmail.com] 
Sent: Saturday, May 10, 2008 9:48 AM
To: list at lists.dshield.org
Subject: [Dshield] Possible Bot?

Hi,

I saw on our MRTG graph and monitoring tool that a PC on our LAN is
sending out large ICMP traffic to a public IP address.  Upon checking on
our Internet gateway, I saw this (output of tcpdump - I purposely
changed the IP addresses):

18:00:02.788023 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): ICMP echo request, id 4, seq 59931, length 1480
18:00:02.788030 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): icmp
18:00:02.798828 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): ICMP echo request, id 4, seq 60187, length 1480
18:00:02.798841 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): icmp
18:00:02.809534 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): ICMP echo request, id 4, seq 60443, length 1480
18:00:02.809546 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): icmp
18:00:02.820274 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): ICMP echo request, id 4, seq 60699, length 1480
18:00:02.820286 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): icmp
18:00:02.831246 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): ICMP echo request, id 4, seq 60955, length 1480


Actually, this happened with this PC before - I had our helpdesk check
it (it's on a remote site) for viruses/worms, but according to them
nothing turned up.

I'm thinking this might be a sign that this PC is part of a botnet?
How can I be certain?  And what kind of botnet/worm exhibits the behavior
above?

Thank you very much.



Sincerely,
Tony
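A detection sketch prompted by the capture quoted above (added here as an example, not from either poster): it parses tcpdump's ICMP echo-request lines, tolerating the hand-added address labels, and flags a source that is sending both fast and oversized. The sample lines are constructed from the quoted excerpt; the rate and size thresholds are assumptions, not from the thread.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the tcpdump excerpt quoted in the thread (same
# addresses, sizes and seq numbers); the bare "icmp" line is skipped by the parser.
SAMPLE = """\
18:00:02.788023 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): ICMP echo request, id 4, seq 59931, length 1480
18:00:02.788030 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): icmp
18:00:02.798828 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): ICMP echo request, id 4, seq 60187, length 1480
18:00:02.809534 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): ICMP echo request, id 4, seq 60443, length 1480
18:00:02.820274 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): ICMP echo request, id 4, seq 60699, length 1480
18:00:02.831246 IP 1.2.3.4 (LANIP) > 4.5.6.7 (PUBLIC IP): ICMP echo request, id 4, seq 60955, length 1480
"""

# tcpdump's default text form; the optional "(...)" tolerates the poster's hand-added labels.
ECHO_RE = re.compile(
    r"^(\d{2}):(\d{2}):(\d{2})\.(\d{6}) IP (\S+?)(?: \([^)]*\))? > (\S+?)(?: \([^)]*\))?: "
    r"ICMP echo request, id (\d+), seq (\d+), length (\d+)")

def parse_echo_requests(text):
    # One record per ICMP echo request line; anything else (fragments, other protocols) is ignored.
    recs = []
    for line in text.splitlines():
        m = ECHO_RE.match(line)
        if not m:
            continue
        hh, mm, ss, us, src, dst, icmp_id, seq, length = m.groups()
        ts = int(hh) * 3600 + int(mm) * 60 + int(ss) + int(us) / 1e6  # seconds since midnight
        recs.append({"ts": ts, "src": src, "dst": dst, "id": int(icmp_id),
                     "seq": int(seq), "length": int(length)})
    return recs

def summarize(recs):
    # Per (src, dst) flow: packet count, packets/s, mean length and the set of seq strides seen.
    flows = defaultdict(list)
    for r in recs:
        flows[(r["src"], r["dst"])].append(r)
    out = {}
    for key, pkts in flows.items():
        pkts.sort(key=lambda r: r["ts"])
        span = pkts[-1]["ts"] - pkts[0]["ts"]
        out[key] = {"count": len(pkts), "avg_len": sum(r["length"] for r in pkts) / len(pkts),
                    "pps": (len(pkts) - 1) / span if span > 0 else 0.0,
                    "seq_strides": {b["seq"] - a["seq"] for a, b in zip(pkts, pkts[1:])}}
    return out

def flag_floods(summary, pps_threshold=50, min_len=1000):
    # Assumed thresholds: a stock ping sends about 1 packet/s of 64 bytes, so both are generous.
    return [k for k, s in summary.items()
            if s["pps"] >= pps_threshold and s["avg_len"] >= min_len]
```

On the quoted lines this reports roughly 92 echo requests per second of 1480 bytes each, far from anything a stock ping does. The constant seq stride of 256 is also worth noting: standard ping increments seq by 1, and a stride of 256 is consistent with a 16-bit counter written in little-endian host order without byte-swapping.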

