If you are diagnosing a single machine, there are several steps you can take to discover a possible bot infection.On the other hand, if you are investigating an entire network, you can uncover a slew of infected drones or a c&c itself.

Host based detection strategies

Finding a bot on a single machine can often point to botnet involvement. One can look for the following symptoms:

  • AntiVirus detection of an infection. Do NOT rely on this solely however. Many infections will simply not be detected.
  • Rootkit detection packages
  • Modification of the windows hosts file
  • Random unexplained popups are likely an adware infection, however it can also be a primative form of botnet related clickfraud activity.
  • Machine slowness. This can be a lot of things, however in many situations it is massive spyware infections. Whether it is botnet related or not is another story. If your once fast machine is now struggling to respond, consider looking under the hood with a adware/spyware scanner.
  • Check the machine's default DNS resolution servers. Are they what you would expect to see (a company's or ISP's DNS servers, or that of your internal LAN's router?) If not, malware may be redirecting DNS requests to a shady source. For extra precaution, you may want to investigate the DNS traffic on the network itself with a trusted clean host.

↑ Contents

Network based detection strategies

If one is monitoring a network as a whole, the following can reveal botnet issues.

  • Since IRC is not as commonly used amongst the general public, seeing any IRC traffic, across typical IRC ports, may be a worthwhile subject of investigation, especially when such patterns simply don't belong on your network.
    • IRC traffic usually manifests itself in cleartext, so sensors can be built to sniff particular IRC commands or other protocol keywords on a network gateway. Emerging Threats provides excellent IRC signatures you can put to use.
    • Look for the most commonly used default irc port: 6667. The full port range specified by the RFC: 6660-6669,7000. Also, since many IRC services can utilize ident, port 113 can also serve as a (less common) detection parameter. In general however, many botnet administrators will use non-standard IRC ports. If you have a firewall serving your organization, take a look at outbound connection attempts on any suspicious ports.
  • If you have access to a list of known botnet command and control (c&c) servers, you can simply look for outbound connection attempts to these services and/or ranges.
    • Emerging Threats provides signatures for c&c detection designed for the snort IDS; they may serve you well. Making use of an appropriately tuned IDS is a wise strategy to take in this regard.
  • If a large quantity of machines in your direct control are making the same DNS requests, or accessing the same server at once, you can rest assured you likely have a problem on your hands.
    • Similarly, check your DNS caches. Many c&c mechanisms will make use of a DNS domain that the herder can easily change if he needs to relocate his c&c infrastructure.
  • Malware detection on your network:
    • Installing a malware-based honeypot in your internal network will allow you to detect malware propagations from infected machines you may have control over. If your network is penetrated, so too eventually shall an appropriately placed honeypot.
    • Keep an eye on the ports of any typically vulnerable or exploited service. If you see a lot of traffic on 135,139,445 (windows file sharing), you may have a malware propagation scheme attempting to spread its payloads.
    • Portscan traffic is an obvious symptom of any infection. Again, use a proper IDS signature to find these, and then investigate the machine.
  • Keep an eye out for a massive amount of SMTP outbound traffic. Such patterns, especially coming from machines that are not supposed to be SMTP servers, will likely point to a malware spam bot that has implanted itself in your organization. e.g. SpamThru
  • Does your organization make use of an HTTP proxy? If so, malware processes may reveal themselves by requesting http data external to the proxy, and you may catch binary download attempts in your firewall logs if you monitor outbound port 80.

↑ Contents

<< Botnets | Knowledge Base | Honeypots >>