Eliminating The Right Botnets

Hello readers,

Are all botnets bad? Not necessarily: the same architecture, many automated agents taking orders from a central controller, underlies plenty of beneficial systems that do everything from indexing the web to counter-attacking and other tasks. But bad botnets certainly exist, and getting rid of them is challenging work. A malicious botnet consists of the bots (compromised machines), the command-and-control servers that relay instructions to them, and the operator behind those servers; the instructions most often point the bots at a target for a denial-of-service attack, and potentially other kinds of attacks.

Realistically, "bad" botnets collect information much as beneficial ones do, but what they gather is different: open ports, vulnerable services, credentials and other data observed on the system they have infected. This matters especially when routers are the targets, because a compromised router can redirect or intercept the traffic of every host behind it (DNS hijacking, man-in-the-middle), which is a whole class of new threats in itself.

Bots are usually delivered by a dropper script or a malware download, but they can be planted on anything from routers to game servers, and they are normally built so that the owner of the compromised system never notices them.

 

Detecting Bot Nodes

On a local system, for example a Windows machine, spotting a bot among the running processes is trickier than it sounds: bots tend to run under innocuous or system-like names. A port scan of the host may reveal an unexpected listening port, but it will not show the outbound command-and-control connections, and a single odd port rarely alerts anyone. Windows-oriented tools that can detect or remove a bot node include:

 

On a Linux System

Our beloved Python can be part of the solution as well as part of the problem: there are many ways to build a botnet in Python. Libraries and modules such as fabric, pexpect (and its pxssh module), pyHook and pythoncom turn up regularly in botnet tutorials, of which there are dozens online. Removing those libraries from a host buys little; knowing how to keep a target system from being infected in the first place is far more useful.

It starts with preventing privilege escalation and credential theft. chattr +i can make /etc/shadow and /etc/passwd immutable, so that even a process running as root cannot modify them without first clearing the attribute (clear it before legitimate password changes, and remember that an attacker who already has root can clear it too, so treat it as a speed bump rather than a wall). Next comes SSH key hygiene: audit every authorized_keys file, for root and for every user, remove any key you cannot account for, and rotate the rest. This stops the bulk of opportunistic infections, but if the system is already infected you need to go a bit further.

Building a Working Port Scanner That Detects Suspicious Activity

On Linux this is fairly straightforward and requires little beyond the terminal, though a light editor such as geany helps when writing the script. (Note that pescanner, despite its name, is a static analyser for Windows PE executables rather than a port scanner; its documentation walks through a handful of steps.) You can skip writing a scanner entirely if you are handy with netstat (or ss on distributions that no longer ship netstat) and can judge which connections, if any, actually look suspicious: unfamiliar process names, outbound connections to odd ports, and binaries running out of /tmp or hidden directories are the usual tells.

It helps to know how to close a socket when it is in use!

How to close a socket while it’s running a process:

Lifted from Stack Exchange for illustration purposes.
Locate the process:

netstat -np

(ss -tunp gives the same information on systems that no longer ship netstat.) You get one line per connection: protocol, local ip:port, remote ip:port, state, and pid/program name. The pid/program column is only filled in for processes you own unless you run as root.
Locate the socket's file descriptor in the process:

lsof -n -p $pid

You get one line per open file: command, pid, user, file descriptor (FD), type, and, for sockets, the connection string.

Find the FD whose connection string matches the connection you saw in netstat. The number in the FD column (the 5 in 5u, for example) is the descriptor.

Now attach to the process:

gdb -p $pid

Attaching needs ptrace rights: run gdb as root, or as the process owner with kernel.yama.ptrace_scope set to 0. Now close the socket:

call (int)close($fileDescriptor)

// no ; is needed at the end. The (int) cast is required on recent gdb when the target has no debug symbols; without it gdb refuses with "'close' has unknown return type".
Then detach and exit:

detach
quit

And the socket is closed. The process itself keeps running, so a persistent bot will usually try to reconnect; this buys time to investigate rather than removing the bot.
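An added example, not the original post's code nor the Stack Exchange answer it draws on, that automates the first step of the procedure above: it reads netstat -tnp output, flags the connections that deserve a second look, and wraps the lsof and gdb steps in two small functions. The netstat lines are constructed sample data, and the heuristics (the port list and the hidden-directory and temp-directory checks) are assumptions to tune for your own hosts.

```shell
#!/bin/sh
# Added example, not the original post's code: triage `netstat -tnp` output
# and close a hostile socket in place.  The port list and path checks are
# assumptions (hypothetical heuristics), not a detection standard.

# Read `netstat -tnp` (or `ss -tnp`, same column layout) on stdin and print
#   "<pid> <program> -> <remote ip:port> : <reasons>"
# for every connection that trips one of the heuristics.
flag_suspicious() {
    awk '
        BEGIN {
            # ports habitually used by commodity IRC C2 and reverse shells
            n = split("6667 6697 4444 1337 31337", p, " ")
            for (i = 1; i <= n; i++) bad_port[p[i]] = 1
        }
        $1 !~ /^(tcp|udp)/ { next }                  # skip header lines
        {
            # "pid/program name" may contain spaces (e.g. "812/sshd: alice")
            pp = $7
            for (i = 8; i <= NF; i++) pp = pp " " $i
            slash = index(pp, "/")
            if (slash == 0) { pid = "?"; prog = "? (rerun as root to see the owner)" }
            else { pid = substr(pp, 1, slash - 1); prog = substr(pp, slash + 1) }
            rport = $5; sub(/.*:/, "", rport)

            reasons = ""
            if (rport in bad_port)
                reasons = reasons "remote port " rport " is a common C2 port; "
            if (prog ~ "(^|/)\\.[^/]")
                reasons = reasons "program lives in a hidden directory; "
            if (prog ~ "^/(tmp|var/tmp|dev/shm)/")
                reasons = reasons "program runs from a world-writable temp dir; "
            if (reasons != "")
                printf "%s %s -> %s : %s\n", pid, prog, $5, reasons
        }'
}

# List the Internet sockets of a process; the FD column (e.g. "5u") is what
# close_socket needs.  Requires lsof and rights to inspect the process.
socket_fds() {
    lsof -a -n -P -p "$1" -i
}

# Close file descriptor $2 inside process $1 without killing it.  gdb must be
# allowed to ptrace the target: run as root, or as the owner with
# kernel.yama.ptrace_scope=0.  The (int) cast is needed on current gdb when
# the target has no debug symbols.
close_socket() {
    gdb -p "$1" -batch -ex "call (int)close($2)"
}

# --- constructed sample netstat -tnp output (not captured from a real host) --
SAMPLE_NETSTAT=$(cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED 812/sshd: alice
tcp        0      0 10.0.0.5:44120          198.51.100.7:6667       ESTABLISHED 2210/.x/kworker
tcp        0      0 10.0.0.5:38812          203.0.113.4:443         ESTABLISHED 1503/firefox
tcp        0      0 10.0.0.5:51002          192.0.2.25:4444         ESTABLISHED 2311/python
tcp        0      0 10.0.0.5:51440          203.0.113.80:80         ESTABLISHED -
EOF
)

echo "Connections worth a second look:"
printf '%s\n' "$SAMPLE_NETSTAT" | flag_suspicious
```

On a live host, replace the sample with `netstat -tnp | flag_suspicious` (as root, so the pid column is populated), confirm the flagged process by hand, then `socket_fds PID` to read the descriptor and `close_socket PID FD` to cut the connection. Closing the socket does not remove the bot; treat it as a stopgap while you collect evidence.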

After this point you can remove the SSH key the intruder used. That key is a line in an authorized_keys file on the victim (~/.ssh/authorized_keys for the affected user, or /root/.ssh/authorized_keys); delete the line you cannot account for, and check every user's file, not only the one you noticed. Note that

ssh-keygen -R hostname

does something different: it deletes a host's entry from the client's known_hosts file. That is the right thing to do on your own machines once the compromised host's keys have been regenerated, but it does not revoke an intruder's key on the victim.

Then generate new keys: ssh-keygen -t ed25519 for user keys, and for the host keys, delete the old /etc/ssh/ssh_host_* files and run ssh-keygen -A to regenerate them. There are several key types and other ways to generate and validate them, so adapt this to your environment.
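An added example, not the original post's code, that covers both the key audit recommended under prevention above and the key removal step here: it checks an authorized_keys file against an allowlist of approved key blobs, reports every other key with its line number, and can rewrite the file without them. The allowlist format (one base64 blob per line) is an assumption for this example, and the sample keys are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example, not the original post's code: audit an authorized_keys file
# against an allowlist of approved key blobs and drop anything else.
# Assumption (hypothetical format): the allowlist holds one approved base64
# key blob per line, populated from your own key inventory.

# Print "<line> <type> <comment>" for every key in $1 whose blob is not in $2.
# Entries with a leading options field (command="...",no-pty, ...) are handled
# by locating the first token that looks like a key type.
audit_authorized_keys() {
    awk -v allow="$2" '
        BEGIN {
            while ((getline l < allow) > 0) if (l != "") ok[l] = 1
            close(allow)
        }
        /^[ \t]*(#|$)/ { next }                   # comments and blank lines
        {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(ssh-|ecdsa-|sk-)/) break
            if (i > NF) { printf "%d MALFORMED %s\n", NR, $0; next }
            type = $i; blob = $(i + 1); comment = $(i + 2)
            if (comment == "") comment = "(no comment)"
            if (!(blob in ok)) printf "%d %s %s\n", NR, type, comment
        }' "$1"
}

# Number of unapproved keys in $1 (allowlist $2).
count_unapproved_keys() {
    audit_authorized_keys "$1" "$2" | awk 'END { print NR }'
}

# Rewrite $1 without the unapproved lines, keeping a copy at $1.bak.
remove_unapproved_keys() {
    cp "$1" "$1.bak"
    audit_authorized_keys "$1" "$2" | awk '{ print $1 }' > "$1.drop"
    awk -v drop="$1.drop" '
        BEGIN { while ((getline l < drop) > 0) skip[l] = 1; close(drop) }
        !(NR in skip)' "$1.bak" > "$1"
    rm -f "$1.drop"
}

# --- constructed sample data (placeholder blobs, not real keys) -------------
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/authorized_keys" <<'EOF'
# constructed sample authorized_keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERADMINKEY0000000000000000 admin@workstation
command="/usr/bin/rrsync /backup",no-pty ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDERBACKUP backup@nas
ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDERUNKNOWN1
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERIMPLANT root@kali
EOF
cat > "$SAMPLE_DIR/approved_keys" <<'EOF'
AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERADMINKEY0000000000000000
AAAAB3NzaC1yc2EPLACEHOLDERBACKUP
EOF

echo "Unapproved keys in $SAMPLE_DIR/authorized_keys:"
audit_authorized_keys "$SAMPLE_DIR/authorized_keys" "$SAMPLE_DIR/approved_keys"
```

Run the audit first and read the report; only call `remove_unapproved_keys` once you are sure the allowlist is complete, since a missing entry would lock out a legitimate user. Run it against /root/.ssh/authorized_keys and every home directory, not just the account you noticed.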

With any luck you will find the whole process easy enough to follow; if not, you need a developer.


410 thoughts on “Eliminating The Right Botnets”

  1. Hello there! Do you use Twitter? I’d like to follow you if that would be okay. I’m undoubtedly enjoying your blog and look forward to new updates.

  2. Heya! I’m at work browsing your blog from my new iphone! Just wanted to say I love reading through your blog and look forward to all your posts! Keep up the fantastic work!

  3. I was curious if you ever considered changing the layout of your website? It's very well written; I love what you've got to say. But maybe you could add a little more in the way of content so people could connect with it better. You've got an awful lot of text for only having one or two pictures. Maybe you could space it out better?

  4. Hey! Do you know if they make any plugins to protect against hackers? I’m kinda paranoid about losing everything I’ve worked hard on. Any tips?

  5. Sweet blog! I found it while surfing around on Yahoo News. Do you have any suggestions on how to get listed in Yahoo News? I’ve been trying for a while but I never seem to get there! Many thanks

  6. Do you mind if I quote a couple of your posts as long as I provide credit and sources back to your blog? My blog is in the very same area of interest as yours and my users would certainly benefit from some of the information you present here. Please let me know if this ok with you. Regards!

  7. Do you mind if I quote a couple of your articles as long as I provide credit and sources back to your website? My blog site is in the very same area of interest as yours and my users would certainly benefit from a lot of the information you provide here. Please let me know if this alright with you. Thank you!

  8. Howdy! Quick question that’s completely off topic. Do you know how to make your site mobile friendly? My web site looks weird when browsing from my iphone4. I’m trying to find a template or plugin that might be able to correct this problem. If you have any recommendations, please share. Thank you!

  9. Wow that was odd. I just wrote an incredibly long comment but after I clicked submit my comment didn’t show up. Grrrr… well I’m not writing all that over again. Anyway, just wanted to say excellent blog!

  10. Currently it appears like WordPress is the best blogging platform out there right now. (from what I’ve read) Is that what you’re using on your blog?
