My brother recently asked me how to tell if your computer was part of a botnet. Now, I'm not a real Windows jock any more, so I don't know how much help I can be:
I'm not really up on the mechanics of telling if your computer is
compromised from the inside.
I can tell you, though, that it may not be
practical to even try.
The problem is that if your computer has been compromised, the
attacker can install components that change the behavior of tools
running inside the computer. There are specific toolkits, "rootkits",
that target antivirus and other security software to hide the presence
of the compromising code, even modifying the running security
applications so they don't see the files that the malware is hiding in.
If you run a security scan and don't see anything, you still can't be sure.
The best way to tell if your computer is part of a botnet is from
outside your computer. What I used to do, before virtual machines, was
run an external firewall router. Since the firewall isn't inside the
computer's trust boundary, it's not going to be compromised by the
malware. You can look through your logs on the firewall to see
connections to unexpected sites or connections when you're not actually
using the computer. These days, you can run Windows in a virtual
machine, and get the same result more cheaply.
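As an added illustration of the log review described above (example code, not from the original post), here is a small script that applies the two checks mentioned, connections during hours when nobody is using the machine and connections to destinations you don't recognize, to firewall log lines. The line format, the idle-hours window, the list of expected destinations and the sample log are all assumptions constructed for the example.

```python
"""Flag suspicious outbound connections in a home firewall log.

Added example, not from the original post. The log line format, the
idle-hours window and the expected destinations are assumptions; the
sample log lines are constructed."""
import re
from datetime import datetime

# Assumed line format: "<ISO timestamp> OUT <src>:<port> -> <dst>:<port> <proto>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) OUT (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>TCP|UDP)$"
)

# Destinations the owner knows about (constructed: an update server, a DNS resolver).
EXPECTED_DESTINATIONS = {"192.0.2.10", "192.0.2.53"}
# Hours when nobody is at the keyboard (assumption: 01:00 to 06:00).
IDLE_START, IDLE_END = 1, 6


def parse_line(line):
    """Parse one log line into a dict, or return None if it doesn't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["dport"] = int(rec["dport"])
    return rec


def suspicious_reasons(rec):
    """Return the list of checks this connection trips (empty if none)."""
    reasons = []
    if IDLE_START <= rec["ts"].hour < IDLE_END:
        reasons.append("connection while machine should be idle")
    if rec["dst"] not in EXPECTED_DESTINATIONS:
        reasons.append("unexpected destination %s" % rec["dst"])
    return reasons


def find_suspicious(lines):
    """Return (record, reasons) for every parsable line that trips a check."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None and suspicious_reasons(rec):
            hits.append((rec, suspicious_reasons(rec)))
    return hits


# Constructed sample: two normal daytime connections, one at 03:15 to an
# unknown host, one daytime connection to another unknown host.
SAMPLE_LOG = """\
2009-03-14T14:02:11 OUT 192.168.1.5:51234 -> 192.0.2.10:443 TCP
2009-03-14T14:03:40 OUT 192.168.1.5:51235 -> 192.0.2.53:53 UDP
2009-03-14T03:15:02 OUT 192.168.1.5:51901 -> 198.51.100.77:6667 TCP
2009-03-14T15:10:00 OUT 192.168.1.5:51402 -> 203.0.113.9:8080 TCP
""".splitlines()

if __name__ == "__main__":
    for rec, reasons in find_suspicious(SAMPLE_LOG):
        print(rec["ts"], rec["dst"], rec["dport"], "; ".join(reasons))
```

Only the two connections to hosts outside the expected set are reported, the 03:15 one with both reasons attached.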
But really, for most people, you still can't be sure. The bot could be
dormant and generating no traffic. It could be that you're just not
familiar with reading log files.
So the best thing to do if you even suspect your computer
might be infected is to back up all the data (you're keeping backups,
right?) and reinstall from scratch, reinstalling any applications from
the original media. Again, if you're running Windows in a virtual
machine, you can roll back to the original snapshot. Even if you're not
infected, this cleans up cruft and dander and leaves your computer
feeling years younger with a lovely silky complexion.
I used to do that every year or so, when I was using Windows at home
for more than the occasional videogame. Just because it ended up making
my computer faster. Apart from the external backup drive, I kept two
drives inside the system and switched which one was primary. The
process: unhook the "current" drive, and install Windows over again on
the "old", reformatting the drive in the install process. Now the "old"
drive is "current", and the current is "old". Hook up the "old" drive
long enough to copy the data off it (just the data, no applications),
then disconnect it, leaving it powered off until next time. If you put
your ear up against it, maybe you can hear the botnet screaming to be
let out...