
I suspect a new variant of the Rustock botnet is invisible to many anti-virus programs...

I tried on 28/03/10: Malwarebytes, ESET NOD32, online BitDefender, online Trend Micro, HijackThis logs normal... none of them found any virus files... all is OK, they said.... OK, BUT...

When I use Wireshark to see what happens on the network when the PC starts up... it sends encrypted mails, makes DNS MX queries, and downloads something from a mysterious "forum"...

My only hope now to find this xxx is to use GMER... I hope it finds something (I'll try maybe next week...).

For now the only thing I see is a system32/processes.exe (Microsoft process) which opens/closes rapidly and uses TCP ports 1035-1040 to send encrypted mails...

I think it's a hidden service which cheats anti-virus software... GMER may help...

I found these links with the same captures... and I think it's the Rustock botnet...

http://lists.emergingthreats.net/pipermail...ary/005837.html

http://malwarelab.tistory.com/83

http://superuser.com/questions/88788/how-d...ed-by-wireshark

Here are links which talk about the Rustock botnet...

http://www.m86security.com/labs/i/Rustock-...trace.1243~.asp

http://securitythreat.info/online-security...rustock-botnet/

So I post this only to say.... BE CAREFUL AND DON'T TRUST YOUR MANY ANTI-VIRUS PROGRAMS "BLINDLY".... in this case... they all say "all is fine, brother!"!

For now I'm going to always recommend the use of Wireshark or another packet sniffing program to make SURE you have no virus... and I hope to find this xxxx botnet...

Have nice days :rolleyes:


Oops, sorry, the process involved is system32/services.exe and not processes.exe... anyway a legitimate Microsoft process...

Of course I have .pcap files... but I think they won't be helpful... this virus may know billions of IP addresses to contact... and my captures are quite the same as those on the "superuser.com" link....

I can send them by email to an admin if it can help detection of this thing... but I don't think it will help much...

If you see a referer like this in a TCP stream...

POST /download.php?file=66dd7fe9e8b101980ed55b170532fc24 HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://muza-flowers.biz/
Content-Type: application/x-www-form-urlencoded
Content-Encoding: gzip
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: muza-flowers.biz
Content-Length: 182
Connection: Keep-Alive
Cache-Control: no-cache
......

If you see DNS MX queries... and SMTP TCP 25 grey encrypted streams... and if of course you are not sending emails... surely something is going wrong... (and the best is watching at startup of the PC)...

My next move is to use GMER; maybe I'll find something.... For now I have nothing to send... all is fine on this PC.... :rolleyes: it just sends encrypted mails without my consent....

Have nice days...

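The three behaviours the two posts above describe (MX lookups coming from a workstation, a fan-out of TCP/25 connections from a host that is not a mail server, and a POST to download.php with a gzip-encoded request body and a 32-hex-character file parameter) can be turned into a small offline check that looks at behaviour rather than file signatures. The following is an added example written for this page; it is not code from the poster, from Malwarebytes, or from any of the linked write-ups. It runs over constructed flow records in a made-up tuple shape (timestamp, source IP, destination IP, protocol, destination port, detail) rather than over a real .pcap, and the empty mail-server allowlist and the SMTP peer threshold of three are assumptions you would tune for your own network.

```python
import re
from collections import defaultdict

# Hosts allowed to do MX lookups and speak SMTP outbound (real mail servers).
# Assumption for this example: none, i.e. a network of plain workstations.
MAIL_SERVERS = frozenset()

# Request line seen in the thread: POST /download.php?file=<32 hex chars>.
DOWNLOAD_RE = re.compile(r"^POST /download\.php\?file=[0-9a-f]{32} HTTP/1\.[01]", re.I)

# Constructed sample records, not a real capture:
# (timestamp, src_ip, dst_ip, proto, dst_port, detail) where detail is
# "<qtype> <name>" for DNS, the raw request head for HTTP, None otherwise.
SAMPLE_FLOWS = [
    (0.0, "192.168.1.10", "192.168.1.1", "udp", 53, "MX gmail.com"),
    (0.1, "192.168.1.10", "192.168.1.1", "udp", 53, "MX yahoo.com"),
    (0.2, "192.168.1.10", "192.168.1.1", "udp", 53, "A muza-flowers.biz"),
    (0.5, "192.168.1.10", "203.0.113.5", "tcp", 25, None),
    (0.6, "192.168.1.10", "198.51.100.7", "tcp", 25, None),
    (0.7, "192.168.1.10", "203.0.113.9", "tcp", 25, None),
    (1.0, "192.168.1.10", "203.0.113.20", "tcp", 80,
     "POST /download.php?file=66dd7fe9e8b101980ed55b170532fc24 HTTP/1.1\r\n"
     "Referer: http://muza-flowers.biz/\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\n"
     "Content-Encoding: gzip\r\n"
     "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n"
     "Host: muza-flowers.biz\r\n"),
    # A second, clean workstation: an ordinary A lookup and a plain GET.
    (5.0, "192.168.1.20", "192.168.1.1", "udp", 53, "A www.example.com"),
    (5.1, "192.168.1.20", "203.0.113.50", "tcp", 80,
     "GET / HTTP/1.1\r\nHost: www.example.com\r\n"),
]


def parse_headers(request_head):
    """Split a raw HTTP request head into (request_line, {lower_name: value})."""
    lines = request_head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def analyze(flows, mail_servers=MAIL_SERVERS, smtp_peer_threshold=3):
    """Return (src_ip, rule, evidence) tuples for the patterns in the thread."""
    alerts = []
    smtp_peers = defaultdict(set)
    for _ts, src, dst, proto, dport, detail in flows:
        if proto == "udp" and dport == 53:
            # Workstations have no business resolving MX records; a spam engine does.
            if detail and detail.startswith("MX ") and src not in mail_servers:
                alerts.append((src, "dns-mx-from-workstation", detail))
        elif proto == "tcp" and dport == 25:
            # Count distinct tcp/25 peers per host; a bulk mailer fans out widely.
            if src not in mail_servers:
                smtp_peers[src].add(dst)
        elif proto == "tcp" and dport == 80 and detail:
            request_line, headers = parse_headers(detail)
            # Browsers do not gzip-encode request bodies; the POST in the thread did.
            if request_line.startswith("POST ") and headers.get("content-encoding", "").lower() == "gzip":
                alerts.append((src, "http-post-gzip-request-body", request_line))
            if DOWNLOAD_RE.match(request_line):
                alerts.append((src, "http-post-download-php-hash", headers.get("host", "?")))
    for src, peers in smtp_peers.items():
        if len(peers) >= smtp_peer_threshold:
            alerts.append((src, "smtp-fanout-from-workstation",
                           f"{len(peers)} distinct tcp/25 peers"))
    return alerts


def suspicious_hosts(flows, **kwargs):
    """Sorted list of source IPs that triggered at least one rule."""
    return sorted({src for src, _rule, _evidence in analyze(flows, **kwargs)})


if __name__ == "__main__":
    for src, rule, evidence in analyze(SAMPLE_FLOWS):
        print(f"{src:15} {rule:30} {evidence}")
```

On the sample records only 192.168.1.10 is flagged, by all four rules; the clean workstation triggers nothing. To apply this to a real capture you would first export flows from Wireshark or tshark into that tuple shape; the rules themselves only need to know who resolves MX records, who opens many tcp/25 sessions at boot, and what the outbound POSTs look like, which is the kind of evidence the thread's scanners never looked at.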

Hello maba, welcome to Malwarebytes.org

As we don't work on malware removal or diagnostics in the general forums and you may have an infection, please follow these directions to get help -

Please print out, read and follow the directions here, skipping any steps you are unable to complete. Then post a NEW topic here.

One of the expert helpers there will give you one-on-one assistance when one becomes available.

After posting your new post make sure under options that you select Track this topic and choose one of the Email options so that you're alerted when someone has replied to your post.

Alternatively, as a paying customer, you can contact the help desk at support@malwarebytes.org

This topic is now closed to further replies.