Eliminating The Right Botnets

Hello readers,

Are all botnets bad? Certainly not: there are countless beneficial botnets that do everything from indexing to counter-attacking and other work. But there are certainly bad botnets, and getting rid of them is challenging work. Most botnets consist of handlers, compromised machines, and a command center that passes instructions along to the target systems for a denial-of-service attack, and potentially other kinds of attacks.

Realistically, “bad” botnets can index information much like beneficial botnets do, but the information they collect is more likely to be vulnerabilities, open ports, or even the different kinds of data flowing through the ports of the system they are infecting. This is critical to consider when routers are targeted, because at least in some instances rerouting traffic poses a variety of new threats altogether.

Botnets are often distributed via script, but can be attached to anything from routers to game servers, and are most often something the compromised system’s user would never detect.

Detecting Bot Nodes

On a local system, for example a Windows system, noticing a bot among the running processes can be trickier than it sounds. A port scan might detect unusual traffic, but not enough to alert the user. Windows-oriented tools that can detect or eliminate a bot node include:

On a Linux System

Our beloved Python may be the solution as well as the potential problem… It turns out that there are a whole bunch of ways to build a botnet in Python. Libraries and modules like fabric, pexpect, pxssh, pyhook, and pythoncom are commonly used in botnet construction, and there are dozens of tutorials online. Eliminating libraries on the host system probably isn’t as useful as knowing how to prevent the infection on a target system.

It starts with preventing privilege escalation: using tools like chattr to lock the /etc/shadow file and the other password files, then moving on to SSH key validation and/or removal of invalid keys. This would be adequate to prevent 80+% of possible infections, but if the system is already infected you need to go a bit further.
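The SSH key validation step above is the one most people skip, because reading authorized_keys by eye does not tell you which keys you actually issued. The following is an added example (not code from this post) that audits an authorized_keys file against an allowlist of SHA256 fingerprints, computed the same way `ssh-keygen -lf` prints them; the sample file, its base64 blobs and the allowlist are constructed placeholders, not real keys.

```python
"""Audit an authorized_keys file against an allowlist of key fingerprints."""
import base64
import hashlib

# Key-type tokens OpenSSH accepts in authorized_keys (the common ones).
KEY_TYPES = (
    "ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com",
    "sk-ecdsa-sha2-nistp256@openssh.com",
)


def fingerprint(blob_b64):
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints: base64 of the
    SHA-256 digest of the decoded key blob, with the '=' padding stripped."""
    raw = base64.b64decode(blob_b64)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Return one dict per key line. Option prefixes such as
    from="10.0.0.5",no-pty are tolerated by scanning for the key-type token."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        entry = {"line": lineno, "type": None, "fingerprint": None,
                 "comment": "", "options": "", "malformed": False}
        if idx is None or idx + 1 >= len(tokens):
            entry["malformed"] = True  # no key type, or type with no blob
            entries.append(entry)
            continue
        entry["options"] = " ".join(tokens[:idx])
        entry["type"] = tokens[idx]
        try:
            entry["fingerprint"] = fingerprint(tokens[idx + 1])
        except ValueError:  # binascii.Error is a ValueError subclass
            entry["malformed"] = True
        entry["comment"] = " ".join(tokens[idx + 2:])
        entries.append(entry)
    return entries


def audit(text, allowlist):
    """Entries that are malformed or whose fingerprint is not on the
    allowlist; an empty list means every key is accounted for."""
    return [e for e in parse_authorized_keys(text)
            if e["malformed"] or e["fingerprint"] not in allowlist]


# Constructed sample: the blobs are base64 placeholders, not real keys.
GOOD_BLOB = base64.b64encode(b"constructed placeholder, not a real key 1").decode()
ROGUE_BLOB = base64.b64encode(b"constructed placeholder, not a real key 2").decode()
SAMPLE_AUTHORIZED_KEYS = (
    "# constructed ~/.ssh/authorized_keys\n"
    f"ssh-ed25519 {GOOD_BLOB} alice@laptop\n"
    f'from="10.0.0.5",no-pty ssh-rsa {ROGUE_BLOB} backup\n'
    "ssh-rsa\n"  # truncated line, reported as malformed
)
# Fingerprints of the keys you issued yourself (constructed here).
ALLOWLIST = {fingerprint(GOOD_BLOB)}

if __name__ == "__main__":
    for e in audit(SAMPLE_AUTHORIZED_KEYS, ALLOWLIST):
        print(f"line {e['line']}: unexpected key {e['fingerprint']} "
              f"({e['type']}, comment {e['comment']!r}, options {e['options']!r})")
```

To use it on a real host, read the file's text instead of the sample and build the allowlist from the fingerprints `ssh-keygen -lf` prints for the public keys you issued; anything the audit returns is a key you did not place there, or a line you should look at by hand.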

Building a Working Port Scanner That Detects Suspicious Activity

On Linux this is fairly straightforward and requires very little aside from the terminal, though a simple editor like Geany can help. A basic implementation of pescanner involves little more than the 8-12 steps in its documentation. But you can avoid this entire process if you are handy with netstat and can figure out which (if any) activity actually looks suspicious.
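Deciding which netstat lines "look suspicious" is easier when the rules are written down. As an added example (not from the post or from pescanner), the script below parses the text of `netstat -np` and flags established connections held by a process you do not expect to talk to the network, by a script interpreter, or to a remote port on a watch list; the netstat output and the expected-program set are constructed for the example and must be tailored to the host being checked.

```python
"""Triage `netstat -np` output: flag connections worth a second look."""

# Programs expected to hold network connections on this host (constructed).
EXPECTED_PROGRAMS = {"sshd", "firefox", "chrome", "systemd-resolve",
                     "dhclient", "ntpd"}
# Interpreters a bot script typically runs under.
SCRIPT_INTERPRETERS = {"python", "python2", "python3", "perl", "bash",
                       "sh", "ruby", "node"}
# Remote ports worth a second look when reached from a workstation.
WATCHED_REMOTE_PORTS = {6667, 6697, 4444, 1337}


def parse_netstat(text):
    """Parse the TCP/UDP section of Linux net-tools `netstat -np` output."""
    conns = []
    for line in text.splitlines():
        if line.startswith("Active UNIX"):
            break  # UNIX-domain sockets follow; not relevant here
        tokens = line.split()
        if len(tokens) < 6 or not tokens[0].startswith(("tcp", "udp")):
            continue  # banner and header lines
        proto, local, foreign = tokens[0], tokens[3], tokens[4]
        state = tokens[5] if len(tokens) >= 7 else ""  # udp lines carry no state
        pid, _, prog = tokens[-1].partition("/")  # "-" when not visible
        rip, _, rport = foreign.rpartition(":")
        conns.append({"proto": proto, "local": local, "remote_ip": rip,
                      "remote_port": int(rport) if rport.isdigit() else None,
                      "state": state, "pid": pid, "prog": prog})
    return conns


def triage(conns):
    """Return the connections that trip at least one rule, with reasons."""
    findings = []
    for c in conns:
        reasons = []
        if c["pid"] == "-":
            reasons.append("owning process not visible (re-run as root)")
        if c["state"] == "ESTABLISHED":
            if c["prog"] in SCRIPT_INTERPRETERS:
                reasons.append(f"script interpreter {c['prog']} holds a connection")
            if c["prog"] not in EXPECTED_PROGRAMS:
                reasons.append(f"program {c['prog'] or '?'} not on the expected list")
        if c["remote_port"] in WATCHED_REMOTE_PORTS:
            reasons.append(f"remote port {c['remote_port']} is on the watch list")
        if reasons:
            findings.append(dict(c, reasons=reasons))
    return findings


# Constructed sample output; addresses are documentation ranges.
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.10:52344      93.184.216.34:443       ESTABLISHED 1234/firefox
tcp        0      0 192.168.1.10:41022      203.0.113.7:6667        ESTABLISHED 2222/python3
tcp        0      0 192.168.1.10:22         192.168.1.50:58120      ESTABLISHED 810/sshd
tcp        0      0 192.168.1.10:39912      198.51.100.9:8080       ESTABLISHED -
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1000/dhclient
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node   PID/Program name     Path
unix  3      [ ]         STREAM     CONNECTED     21480    810/sshd             /run/sshd.sock
"""

if __name__ == "__main__":
    for f in triage(parse_netstat(SAMPLE_NETSTAT)):
        print(f"{f['pid']}/{f['prog'] or '?'} -> {f['remote_ip']}:{f['remote_port']}")
        for r in f["reasons"]:
            print("   -", r)
```

On a live machine, feed it `subprocess.run(["netstat", "-np"], capture_output=True, text=True).stdout`; the rules are deliberately simple allowlists, so the expected-program set is the part that needs care, not the parser.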

It helps to know how to close a socket when it is in use!

How to close a socket while it’s running a process:

Lifted from Stack Exchange for illustration purposes.
Locate the process:

netstat -np

You get a source/destination ip:port, port-state, pid/process-name map.
Locate the socket’s file descriptor in the process:

lsof -np $pid

You get a list: process name, pid, user, file descriptor, … a connection string.

Locate the matching file descriptor number for the connection.

Now attach to the process:

gdb -p $pid

Now close the socket:

call close($fileDescriptor)

(does not need a ; at the end)

Then detach:

quit

And the socket is closed.
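The manual step that trips people up is matching the lsof line to the right file descriptor number. As an added example (not from the post or the Stack Exchange answer), the script below does that mapping from the same kernel data lsof reads, /proc/net/tcp and /proc/<pid>/fd, and then builds the batch-mode gdb command equivalent to the interactive steps above. The /proc/net/tcp text and the fd link table are constructed samples (captured-style, little-endian host); `read_fd_links` is the only part that touches the live system and is not exercised by the sample.

```python
"""Map a TCP connection to the file descriptor holding it, then build the
gdb command that closes that descriptor inside the owning process."""
import os
import socket
import struct


def hex_to_addr(field):
    """Decode a /proc/net/tcp address field such as 0100007F:0016.
    The IPv4 part is printed in host order (reversed bytes on little-endian
    hosts, which this example assumes); the port is plain hex."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<L", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def connection_inodes(proc_net_tcp, remote_ip, remote_port):
    """Socket inode numbers of entries whose remote endpoint matches."""
    inodes = set()
    for line in proc_net_tcp.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 10:
            continue
        if hex_to_addr(fields[2]) == (remote_ip, remote_port):
            inodes.add(int(fields[9]))  # column 10 is the inode
    return inodes


def read_fd_links(pid):
    """Live helper (Linux only): {fd: readlink target} for /proc/<pid>/fd.
    Sockets appear as 'socket:[<inode>]', which is how lsof matches them."""
    fd_dir = f"/proc/{pid}/fd"
    return {int(name): os.readlink(os.path.join(fd_dir, name))
            for name in os.listdir(fd_dir)}


def find_socket_fd(proc_net_tcp, fd_links, remote_ip, remote_port):
    """The fd whose link target names the matching connection's inode, or
    None when this process does not own that socket."""
    wanted = {f"socket:[{i}]"
              for i in connection_inodes(proc_net_tcp, remote_ip, remote_port)}
    for fd, target in sorted(fd_links.items()):
        if target in wanted:
            return fd
    return None


def gdb_close_argv(pid, fd):
    """Batch-mode form of the interactive gdb steps. The (int) cast matters:
    without libc debug symbols gdb refuses to call close() because it does
    not know the return type. Attaching needs ptrace permission (root, or a
    permissive kernel.yama.ptrace_scope)."""
    return ["gdb", "-p", str(pid), "-batch",
            "-ex", f"call (int)close({fd})", "-ex", "detach"]


# Constructed /proc/net/tcp excerpt: 192.168.1.10 connected to
# 203.0.113.7:6667 (inode 48231) and to 93.184.216.34:443 (inode 48102).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0A01A8C0:A03E 077100CB:1A0B 01 00000000:00000000 00:00000000 00000000  1000        0 48231 1 0000000000000000 20 4 30 10 -1
   1: 0A01A8C0:CC78 22D8B85D:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 48102 1 0000000000000000 20 4 30 10 -1
"""
# Constructed stand-in for read_fd_links(2222): the process owns inode 48231.
SAMPLE_FD_LINKS = {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0",
                   3: "socket:[48231]", 4: "anon_inode:[eventpoll]"}

if __name__ == "__main__":
    fd = find_socket_fd(SAMPLE_PROC_NET_TCP, SAMPLE_FD_LINKS, "203.0.113.7", 6667)
    print("fd:", fd)
    print(" ".join(gdb_close_argv(2222, fd)))
```

Closing the descriptor this way only tears down the connection; the process is still running and may reconnect, so it is a way to stop the traffic while you decide what to kill and what to preserve for analysis, not a cleanup on its own.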

After this point you can eliminate the SSH key used.

ssh-keygen -R hostname

You can generate new SSH keys and the instructions are here. There are different kinds of SSH keys, though, and other ways to generate them, validate them, and so on.

With any luck you’ll find the whole process easy enough to follow, or you need a developer.
