BotNets and Your IT Servers. Who is really in control?
BotNets are using your computer to commit crimes.
Take a few minutes and read this article before you continue with this post.
If you are new to XtremeComputer.Com you might not know about the special applications that monitor connection types and botnet activity.
XtremeComputer.Com is a single website amongst millions of websites online today and we do get our share of Botnet activity.
We are not in the Botnet Network but we see the Botnets attempt to do their crimes against the networks we monitor and protect.
Actually we get more than our share: over 59,000 blocked attempts in the last 3 months shows there is a major problem.
Almost all attempts are made from home computers infected with malware.
In the last 2 weeks our own computers have had malware installation attempts made that none of the major Antivirus software has detected.
How we detect Malware installations is very different from what normal users at home would have.
We have computers set up to allow the malware to be installed, which lets us gather the botnet traffic information and block the networks with our online API (Application Program Interface) and our local firewalls.
As we continue to gather information we update our firewalls which we share with our clients and customers.
Knowing where the Malware comes from is your first and best defense against being infected.
We report on average 10 computers each day that are running botnet malware.
The bottom line is: if thousands or millions of computers can be infected and go undetected from within major corporations, do you think your home computer is safe?
Next time you login to your online bank ask yourself this one question.
"Can I see what other connections are coming from my computer?"
If you can't see every connection from your computer, you need to have us or a qualified network defense technician help you discover just how many connections you have and where they are going before you continue with your banking online.
It's not a joke anymore and it doesn't happen to the "Other Guy": everyone, even the best of technicians, is at risk today.
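The question above, "can I see what other connections are coming from my computer?", can be answered from a plain `netstat -ano` listing. The script below is an added example, not XtremeComputer's monitoring tool: it parses such a listing, keeps established connections whose remote port is outside an assumed set of normal service ports, and groups them by owning PID so each can be matched to a program; the listing it reads is constructed sample data.

```python
# Added example (not XtremeComputer's tool): parse a "netstat -ano" style
# listing and flag established connections to unexpected remote ports,
# grouped by owning PID.  The listing below is constructed sample data.
import re
from collections import defaultdict

# Assumption: remote ports a home PC or small server normally talks to.
EXPECTED_REMOTE_PORTS = {25, 53, 80, 110, 143, 443, 465, 587, 993, 995}

SAMPLE_NETSTAT = """\
Proto  Local Address          Foreign Address        State           PID
TCP    192.168.1.20:49321     203.0.113.10:443       ESTABLISHED     1844
TCP    192.168.1.20:49330     198.51.100.7:6667      ESTABLISHED     3120
TCP    192.168.1.20:49331     198.51.100.7:6667      ESTABLISHED     3120
TCP    192.168.1.20:49340     198.51.100.9:2525      ESTABLISHED     3120
TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
TCP    192.168.1.20:49350     203.0.113.44:8080      TIME_WAIT       0
"""

LINE_RE = re.compile(r"^(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)$")

def parse_netstat(text):
    """One dict per connection line; the header and UDP lines (no State) skip."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        proto, laddr, lport, raddr, rport, state, pid = m.groups()
        conns.append({"proto": proto, "local": laddr, "lport": int(lport),
                      "remote": raddr, "rport": int(rport),
                      "state": state, "pid": int(pid)})
    return conns

def suspicious_connections(conns, expected=EXPECTED_REMOTE_PORTS):
    """Established connections whose remote port is outside the expected set."""
    return [c for c in conns
            if c["state"] == "ESTABLISHED" and c["rport"] not in expected]

def by_process(conns):
    """Flagged remote endpoints grouped by PID, so each PID can be looked up
    with tasklist / Task Manager and the owning program identified."""
    groups = defaultdict(set)
    for c in suspicious_connections(conns):
        groups[c["pid"]].add(f'{c["remote"]}:{c["rport"]}')
    return {pid: sorted(eps) for pid, eps in groups.items()}
```

On a real machine, feed it the output of `netstat -ano` and adjust `EXPECTED_REMOTE_PORTS` to what that machine is supposed to talk to; a PID holding several connections to the same odd port is exactly the kind of thing the post says to look for.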
The Technician Side of the Story:
I cannot speak for all technicians that run IIS, Email, App, File servers but I can speak for myself and that I have no problems doing.
Because of the issues with BotNets years ago and unchecked spam coming in from just about every SMTP server in the world via proxy or direct hack, I had to create additional scripts to identify patterns.
My first email server that allowed me to program up some serious script monitoring was made by Software601.com, but it has since discontinued the project. You might still find forum posts with XCTech or something like that talking about it.
The issue today is how we report between IT admins. There is really no set reporting of:
"Sir, I think your SMTP server is hacked. Why? Because it attempted a connection on a non-standard port to my SMTP server and had a payload of a virus."
I could send you my server logs, firewall logs, or even the payload if I was trapping that day. But that's time from me that you're most likely not going to pay for or even post about.
The other day I was reviewing some old trap sessions and found a log of who I contacted regarding a mass virus attack on IIS servers. Out of 120 emails and 25 phone calls I had 3 humans reply. One was from the US Forestry Department in Washington State, one a local business and one some intern at Microsoft. I was only reporting virus-infected servers that day and spent more than 10 hours of my time. I was paid because I picked up local companies that had been hacked by the virus, and they knew it wasn't me when I showed them where to look and Microsoft's article that was published 19 days before the virus was activated.
Last year I monitored Pharmaceutical Spam, it was interesting to see how many large corporations, hospitals, and universities were all in the loop. Most likely they didn't even know it. So when I send a note to abuse and I hear nothing back and still see spam coming from your internal servers I can only post a warning in hopes someone responsible at your location would find it from searching.
That's not a very effective method; my database removes anything older than 6 months, and if the botnet is still active the only way I would know is if it returned to one of my servers asking me to join the BotNet. (Sounds like a joke, but Botnets are always recruiting open or exploited servers.)
I have had a few IT admins send how they report rogue applications but if I had to fill out a form at hosting sites or at coder sites I once again see lost time and nothing in return for it. It's for this reason I believe the IT community just turns their heads.
Now, if there was a standard API set up to report live traffic that could cross-reference activity, then we might be talking something good. I know they have a few up for other server types, but IIS is one that just doesn't seem to have its bases covered in this respect.
When you have a solution I'm all ears!