
One of the computers that I manage (in the family, not business) has a weird set of files in its boot: bash.exe, curl.exe, uname.exe, sed.exe, rm.exe, tail.exe, cut.exe, awk.exe, cat.exe, chmod.exe, ls.exe, grep.exe and so on.

I know for a fact that no family member has installed anything unusual like Cygwin on this computer -- it's a plain consumer PC with Win7 + Skype + Firefox. That's why these entries worry me. As far as I can tell, this computer looks compromised.

  • I've checked the list of installed programs (in the Control Panel) and there's nothing unusual there. The machine is practically a "laptop for grandma" so I'm absolutely certain that no user installed anything special. If anything, this comes from "outside" somehow.
  • I installed McAfee and did a full scan -- nothing came up.
  • I've yet to try tools like CCleaner but perhaps that will reveal something.

How can I confirm whether this computer is compromised, and how can I clean it?

If it's not a botnet, what is it then?

I know a complete reinstall would be best, and I am preparing to do so. But I want to take this situation as a learning opportunity.

6 Answers


To identify the presence of a botnet infection, close any running programs that send requests (browser, game, Skype, etc.) and use Wireshark to check for any abnormal traffic.

For a personal computer check-up, you can try HijackThis or DDS. Get a log from either one of them and analyze it for any suspicious programs (you can Google the filename of the program and the path that it SHOULD be at).

A website that you may use to perform a check-up on a file is systemlookup.com. Just select filename in the search bar and type the filename of the file that you want to search for.

You may also check the CLSID (which can be found in HijackThis's logs) of the file to verify its validity by selecting CLSID in the search bar of systemlookup, copy-pasting the CLSID into the search bar and searching for it.

NOTE: The two programs above are not virus removal tools but check-up tools.

You can take the initiative to remove the potential malware yourself, but do it at your own risk, and only if you are very sure that it is malware (through many inspections of the file).

However, if you do not have the knowledge or you require any help removing the malware, you can seek assistance at bleepingcomputer. If you do need help at bleepingcomputer, please read this before posting.

wcypierre

Any competent virus or malware will take care to inactivate most antivirus software which could be installed on the machine and may detect the presence of the malware. To make a better test, plug the hard disk into another (clean) system, which will run the antivirus.

This is a bit risky so you might want to add a virtual machine layer: boot a Linux system from a CD-R or DVD (a "live system" which does not install on the disk), then take a byte-to-byte copy of the whole potentially infected disk, as a big file. On another system, build a virtual machine and mount the infected disk as a "disk image" (not the primary boot disk for the VM, but an extra disk). Then, run the analysis tools in the VM. It is best to shut off the external network capabilities of the VM, in order to contain any infection (if your VM manager is VirtualBox, use internal networking).

As for a complete format & reinstall, well, you are right, this is an unavoidable requirement.

Thomas Pornin
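The imaging step in the answer above, worked through as an added shell example (not the answer author's code): copy a suspect disk byte for byte from a live Linux system, prove the copy is exact by hash, and attach the image read-only for analysis. It assumes GNU coreutils and util-linux on the live system; the device path, partition number and mount point are placeholders, and the stand-alone demo uses a constructed 8 MiB file in place of a real disk.

```shell
#!/bin/sh
# Added example, not from the answer above. Image a suspect disk from a live
# Linux system, verify the copy, and attach it read-only.
# Assumptions: GNU coreutils (dd, sha256sum) and util-linux (losetup, mount).

# Compare SHA-256 digests of source and image; succeeds only when identical.
verify_image() {
    src_sum=$(sha256sum "$1" | cut -d' ' -f1)
    img_sum=$(sha256sum "$2" | cut -d' ' -f1)
    [ "$src_sum" = "$img_sum" ]
}

# Copy every byte of SRC into IMG, verify it, and store the digest beside the
# image in "sha256sum -c" format so it can be re-checked before each session.
# No conv=noerror here: if dd hits an unreadable sector it stops and the
# function fails, rather than silently producing a misaligned image.
image_and_verify() {
    src="$1"
    img="$2"
    dd if="$src" of="$img" bs=4M 2>/dev/null || return 1
    verify_image "$src" "$img" || return 1
    sha256sum "$img" > "$img.sha256"
}

# Attach an image read-only (needs root). --partscan exposes the partitions
# as /dev/loopNp1, /dev/loopNp2, ...; ro,noexec,nodev keeps the mounted
# volume non-writable and non-executable. PART is a placeholder: the Windows
# 7 system volume is commonly, but not always, the second partition.
attach_readonly() {
    img="$1"
    mnt="$2"
    part="${3:-2}"
    loopdev=$(losetup --find --show --read-only --partscan "$img") || return 1
    mkdir -p "$mnt"
    mount -o ro,noexec,nodev "${loopdev}p${part}" "$mnt"
}

# Stand-alone demo on a constructed 8 MiB "disk" file instead of a device.
demo() {
    tmp=$(mktemp -d)
    dd if=/dev/urandom of="$tmp/disk.bin" bs=1M count=8 2>/dev/null
    if image_and_verify "$tmp/disk.bin" "$tmp/disk.img"; then
        echo "image verified: $(cat "$tmp/disk.img.sha256")"
    else
        echo "image does NOT match source" >&2
    fi
    rm -rf "$tmp"
}
demo
```

On a real disk the call is `image_and_verify /dev/sdX /mnt/usb/disk.img` followed by `attach_readonly /mnt/usb/disk.img /mnt/evidence` on the analysis system. If dd stops with a read error, use GNU ddrescue for the copy instead: it records the unreadable ranges and keeps the rest of the image aligned. Running `sha256sum -c disk.img.sha256` before each analysis session confirms the evidence has not been altered.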

CCleaner won't really give you any information on a possible infection, but what it does do is make it quick and simple to clear out temp folders and files where viruses/malware etc typically hide.

Based on the nature of the files you've found, this seems to be much more than a "typical" virus, but I'll share some tips on places to look/things to check.

  • Check your services for anything unusual. (services.msc)
  • Check the event viewer logs for any unusual activity. (eventvwr.exe)
  • Check the startup tab in msconfig for any programs that shouldn't be there.
  • Check all processes running in task manager and reconcile each one. Google searches come in handy here.
  • Check the task scheduler (Taskschd.msc) for any unusual tasks.
  • Run "netstat -ABN" (case sensitive) or use a program like Cports to see what the machine is connecting to.
  • Check your browsers for any suspicious add-ons/extensions. In IE go to Internet Options > Programs tab > Manage add-ons > make sure to change the filter to show all add-ons, not just the currently loaded ones.
k1DBLITZ

I doubt that any antivirus will install in this condition. Try to run a security scan using online tools like http://security.symantec.com

Novice User
  • Not my downvote, but both McAfee and MS antivirus were installed without showing any errors. Neither found anything so either the machine is clean or the infection is successfully hiding from the scanners. – Torben Gundtofte-Bruun Jan 15 '13 at 19:52
  • Installed and on-demand scanners might not give the same results. Malware can easily corrupt the installed scanners' binaries. – Novice User Jan 15 '13 at 19:54
  • You can test your AV with the EICAR Standard Anti-Virus Test File http://en.wikipedia.org/wiki/EICAR_test_file. Just paste the EICAR test string in a text file and scan it with your AV; it must detect it. – Ali Ahmad Jan 15 '13 at 20:27

For bot detection you can use BotHunter; it is a specialized tool that can perform network traffic analytics to detect bot-like network behavior. Secondly, from a learning perspective, they also provide scan samples of about 70 well-known bots, i.e. Agobot2, Gobot, etc.

Ali Ahmad

Either monitoring the network activity for connections to unexpected locations (at a hardware level, not on the system itself) or booting from a live USB or live CD and running a virus scan is the best bet.

Personally, unless I could identify a particular threat, I'd be hesitant to nuke it from orbit, since those files could all easily be a legitimate part of a program.

It also might help to do a Google search for the MD5 of one of the utility executables to see if you can identify the particular source.

AJ Henderson
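The hash lookup suggested in the answer above, combined with the offline analysis Thomas Pornin's answer describes, as an added shell example that is not the answer's own code: inventory every PE executable under a directory (for instance the Windows volume of an image attached read-only), emit the MD5 and SHA-256 that a search engine or a sample database can be queried with, and pull out the Unix-utility names from the question so they are examined first. It assumes GNU coreutils; the files in the demo are constructed stubs carrying only a fake "MZ" header, not real executables.

```shell
#!/bin/sh
# Added example, not from the answer above. Hash inventory of PE executables
# in a directory tree, for looking up their origin. Assumes GNU coreutils.

# Real PE/COFF executables start with the two-byte "MZ" DOS header, whatever
# their extension, so the check is on content rather than on the file name.
is_pe() {
    [ "$(head -c 2 "$1" 2>/dev/null)" = "MZ" ]
}

# Print a tab-separated table: md5, sha256, size, modification time, path.
inventory_executables() {
    dir="$1"
    printf 'md5\tsha256\tbytes\tmtime\tpath\n'
    find "$dir" -type f | sort | while IFS= read -r f; do
        is_pe "$f" || continue
        md5=$(md5sum "$f" | cut -d' ' -f1)
        sha=$(sha256sum "$f" | cut -d' ' -f1)
        size=$(stat -c %s "$f")
        mtime=$(stat -c %y "$f" | cut -d. -f1)
        printf '%s\t%s\t%s\t%s\t%s\n' "$md5" "$sha" "$size" "$mtime" "$f"
    done
}

# Read the inventory on stdin and print the paths whose names match the Unix
# utilities listed in the question, so those are checked first.
flag_unix_names() {
    awk -F'\t' 'NR > 1 {
        n = $5; sub(/.*\//, "", n); n = tolower(n)
        if (n ~ /^(bash|sh|curl|wget|uname|sed|rm|tail|cut|awk|cat|chmod|ls|grep)\.exe$/)
            print $5
    }'
}

# Stand-alone demo on constructed files (only the "MZ" header is real).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/boot"
    printf 'MZ\220\0\3\0\0\0' > "$tmp/boot/bash.exe"   # constructed stub
    printf 'MZ' > "$tmp/boot/notepad.exe"                # constructed stub
    printf 'just text' > "$tmp/boot/readme.txt"          # not a PE file
    inventory_executables "$tmp/boot" | tee "$tmp/inventory.tsv"
    echo "--- names worth looking at first:"
    flag_unix_names < "$tmp/inventory.tsv"
    rm -rf "$tmp"
}
demo
```

Run it against the mounted evidence volume with `inventory_executables /mnt/evidence/Windows > inventory.tsv` and keep the table with the image. A hash that matches a published build of Cygwin or a similar Unix-tools package identifies the source; a file that matches nothing deserves a closer look but is not by itself proof of infection.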