This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi, some scriptkiddy is bragging about having my PC in his botnet. I don't really know what to do or even if I'm really in his botnet, so I'd like to check that point first.

Is it possible to detect a botnet via wireshark? If yes, how would I know I'm infected?

Thanks in advance fellows...

asked 19 Dec '12, 07:31

QAI's gravatar image

QAI
0113
accept rate: 0%


Wouldn't it be better to detect a bot infection with a malware scanner?

I suggest to use one of the boot cd images mentioned in the following article

http://www.techmixer.com/free-bootable-antivirus-rescue-cds-download-list/

If none of those tools finds anything, then

  • you have no infection
  • or your script kiddie is a genius (99,99% are not!) and developed something that is yet unknown by the AV vendors. However, how clever would it be to brag about that botnet in public ?? ;-)

Regards
Kurt

permanent link

answered 19 Dec '12, 08:19

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

Thank you, I will try some of these discs now :)

Well, this kiddy was bragging via PM in a Forum, also stating the "honour" of beeing on of his few zombies. It's an annoying kid, but since I have no knowledge about networking, I get a bit nervous about such things^^

(19 Dec '12, 08:24) QAI

also stating the "honour" of beeing on of his few zombies

first scan your PC. If you don't find anything, demand a proof ;-) Just in case: BACKUP, BACKUP, BACKUP !!!

(19 Dec '12, 08:26) Kurt Knochner ♦

No virus found, now waiting for response to my proof demanding :)

Thank you Kurt!

(19 Dec '12, 12:05) QAI
1

Just in case: Run dumpcap with a ringbuffer to capture the whole traffic from your machine.

Get the interface number

dumpcap -D -M

Run dumpcap

dumpcap -ni xxx -w bot_traffic.pcap -b filesize 200000 -b files 40

Replace xxx with the interface number of step one. This will generate a max. of 8 Gbyte data. Make sure there is enough free space on disk.

As soon as you think there is something suspicious going on, stop dumpcap and note the exact time (incl. seconds). Then you can open the capture files with Wireshark and look for possible botnet traffic (around the time you stopped dumpcap). Unfortunately I can't tell you what to look for, as different bots use different communication methods.

BTW: To figure out if something suspicious is going on, you can run a network monitor tool that shows all connections from your system to the internet.

http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx
http://www.nirsoft.net/utils/cports.html

Hint: If a supplied answer resolves your question can you please "accept" it by clicking the checkmark icon next to it. This highlights good answers for the benefit of subsequent users with the same or similar questions.

(19 Dec '12, 12:26) Kurt Knochner ♦

Thanks a lot again, the scriptkiddy admitted he just wanted some attention. Network also shows nothing out of the usual, if I don't do something myself everything idles completely :)

(20 Dec '12, 11:17) QAI

Apparently one of those 99.99% ;-)

(20 Dec '12, 12:46) Kurt Knochner ♦
showing 5 of 6 show 1 more comments
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×8
×4
×3

question asked: 19 Dec '12, 07:31

question was seen: 6,175 times

last updated: 20 Dec '12, 12:48

p​o​w​e​r​e​d by O​S​Q​A