
How to know if you're part of someone else's botnet?

brownninja97

So I noticed on my network meter gadget that I was uploading something, taking around 100 kbps, which never happens on its own. I was thinking that I had been hacked, and then I thought it's some other rubbish. Anyway, how can I identify being part of someone else's botnet, and how do I stop it?

cpu: intel i5 4670k @ 4.5ghz Ram: G skill ares 2x4gb 2166mhz cl10 Gpu: GTX 680 liquid cooled cpu cooler: Raijintek ereboss Mobo: gigabyte z87x ud5h psu: cm gx650 bronze Case: Zalman Z9 plus


Listen if you care.

Cpu: intel i7 4770k @ 4.2ghz Ram: G skill  ripjaws 2x4gb Gpu: nvidia gtx 970 cpu cooler: akasa venom voodoo Mobo: G1.Sniper Z6 Psu: XFX proseries 650w Case: Zalman H1


Have you done an antivirus scan?

Setup Video -----------Peasant Crushing Specs----------- 4K Benchmarks


-CPU- i7 3930k @4.8GHz 1.4v -Mobo- Asus Rampage IV Extreme -GPUs- 2x GTX Titan Hydrocopper SLI -RAM- 32GB (8x4GB) Corsair Vengeance 1600MHz -Storage- 500GB Samsung 840 SSD | 2TB WD Green HDD


-Monitors- 3x BenQ XL2420T | 1x Dell U2713HM -Mouse- Steelseries Rival -Keyboard- Corsair K70 Cherry MX Brown -Headphones- Audio Techinca ATH-M50 -Microphone- RØDE NT1-A



I did one overnight, on schedule. Didn't find anything. Unless McAfee can't keep up.



If you are using Windows 8, you should be able to determine which application/process is using the bandwidth through the advanced view in the built-in task manager ("Processes" tab).

If not, there are probably other tools available to check this.

If you are 100% sure that you are part of a botnet, it would be best to just back up the files you need and do a clean install of your OS.

To me it sounds very unlikely, given the slow upload speed it is doing (except if it's the cap of your line, which I doubt). From what I know, botnets usually make you upload hundreds of gigabytes.


Windows 7, and a clean install isn't really an option. I'm not 100% sure it's a botnet. It could be anything sending information for an update.




If you are part of a botnet, it's really pretty much the only way to get rid of it, especially if your anti virus isn't detecting anything.

Start by going through your list of running processes and Google the ones you don't know. Kill the processes you think are unnecessary, one by one, and find out which one exactly is causing it.


Can you guys recommend a program to detect what processes are uploading stuff? I can only tell what is uploaded overall.



There is a program called Wireshark. It lets you see what packets are being sent and received by your NIC (ports, IPs, content of the packet); not sure if it shows what application uses the network.

Something wrong with your connection ?

Run the damn cable :)



Sorry man, but you are ill-informed on botnets. The botnet itself uploads hundreds of gigabytes of data at a time to a single target, and that in turn slows the target down, but a botnet consists of up to thousands of infected computers doing constant uploads so small they're nearly undetectable by the people infected with the botnet (not the target, but the thousands of computers unwillingly uploading to the target).

https://en.wikipedia.org/wiki/Botnet

It depends on what the botnet controller's goal is, though. The biggest ones are used for DDoS attacks.


CPU: R5 1600 @ 4.2 GHz; GPU: Asus STRIX & Gigabyte g1 GTX 1070 SLI; RAM: 16 GB Corsair vengeance 3200 MHz ; Mobo: Asrock Taichi x470; SSD: 512 gb Samsung 950 Pro Storage: 5x Seagate 2TB drives; 1x 2TB WD PurplePSU: 700 Watt Huntkey; Peripherals: Acer S277HK 4K Monitor; Logitech G502 gaming mouse; Corsair K95 Mechanical keyboard; 5.1 Logitech x530 sound system

 01000010 01101001 01101110 01100001 01110010 01111001 00100000 01100100 01101111 01100101 01110011 01101110 00100111 01110100 00100000 01101101 01100001 01101011 01100101 00100000 01111001 01101111 01110101 00100000 01110000 01110010 01101111 00101110

 

 

 



He'll just have to be clever and be sure nothing like Twitter, IRC, Skype or whatever is running, because botnets tend to hide themselves behind these masks.




Okay, hundreds might be a slight exaggeration, but I think it's very likely to see a substantial increase in traffic when you are taking part in a DDoS attack.

Actually it doesn't upload gigabytes of traffic to the target; it just makes a new request and immediately closes it, all the time, giving the server so many requests that it gets overloaded and eventually crashes. This potentially results in gigabytes of traffic being generated on both sides. That's actually what I was trying to make clear :D .



I think we're having some sort of translation problem here. Yes, it doesn't send a lot of data at a time; it just opens and closes a packet request, you are correct, which actually means that for you to send a request to a website, or to send this post for that matter, takes about the same amount of bandwidth. What a DDoS excels in is producing these openings and closings of packets on a wide scale, which in turn causes gigabytes of data requests to a server, overloading it. The client that is part of the web chain of botnets doesn't feel a thing, though, since it's like he is sending a message over the internet, hardly touching your bandwidth. So no, it is not a generation of gigabytes of data on both sides but a generation of gigabytes on the server and bytes to kilobytes to MAYBE megabytes of data for the single botnet link. Of course that does accumulate over time and turns into gigabytes of data, but by the time you hit a gigabyte of data sent to the server, the server would have received hundreds of gigabytes if not already well over a terabyte of data. Usually it stops before you would hit a gigabyte of data sent to the server, though.

You kind of contradict yourself, though, since you said "To me it sounds very unlikely, given the slow upload speed it is doing (except if it's the cap of your line, which I doubt). From what I know, botnets usually make you upload hundreds of gigabytes." Even if you meant it would be less, the less data sent over at a time (the less bandwidth it uses), the bigger the botnet he is connected to could be, since they don't want to get spotted and take the minimal performance from each computer infected by the botnet.

By the way, did you notice we're born on the same day? o.O



You could run netstat -b from an elevated command prompt and get a list of executables that are communicating / listening.


Just run Malwarebytes and REMOVE McAfee, & netstat -b. Most botnets today are sh*t and hidden poorly.

"There's no test like production!"


If you go into Performance Monitor -> Network, you can see which processes are sending data.

15" MBP TB

AMD 5800X | Gigabyte Aorus Master | EVGA 2060 KO Ultra | Define 7 || Blade Server: Intel 3570k | GD65 | Corsair C70 | 13TB
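The netstat -b and Performance Monitor suggestions above amount to one procedure: find which process owns the outbound connections, then confirm the upload rate. The following PowerShell script is an added example, not code posted in the thread. It targets the poster's Windows 7 box, where Get-NetTCPConnection does not exist, so it parses "netstat -ano" output and resolves PIDs through WMI instead; it is written for the PowerShell 2.0 that ships with Windows 7. The netstat text, the process names and paths, and the documentation-range IP addresses at the bottom are constructed sample data so the attribution step runs offline; the Measure-UploadRate function needs a real interface and is only invoked in the commented lines.

```powershell
# Added example, not from the thread. Attributes outbound TCP connections to the
# owning process on Windows 7 by parsing "netstat -ano" and resolving PIDs with WMI.
# Run from an elevated PowerShell prompt so every process's executable path is visible.

function ConvertFrom-NetstatOutput {
    param([string[]]$Lines)
    # One TCP row of "netstat -ano":  TCP  192.168.1.10:49312  203.0.113.45:443  ESTABLISHED  2468
    # IPv6 rows ( TCP  [::1]:49160  [::1]:445  ESTABLISHED  4 ) match the same pattern.
    $rx = '^\s*TCP\s+(?<laddr>\S+):(?<lport>\d+)\s+(?<raddr>\S+):(?<rport>\d+)\s+(?<state>\S+)\s+(?<pid>\d+)\s*$'
    foreach ($line in $Lines) {
        if ($line -match $rx) {
            New-Object PSObject -Property @{
                LocalAddress  = $Matches['laddr']
                LocalPort     = [int]$Matches['lport']
                RemoteAddress = $Matches['raddr'].Trim('[', ']')
                RemotePort    = [int]$Matches['rport']
                State         = $Matches['state']
                ProcessId     = [int]$Matches['pid']
            }
        }
    }
}

function Test-LocalAddress {
    param([string]$Address)
    # Loopback, unspecified, RFC 1918, link-local and IPv6 local ranges never leave
    # the LAN, so connections to them cannot be the mystery upload.
    return ($Address -eq '127.0.0.1' -or $Address -eq '::1' -or
            $Address -eq '0.0.0.0' -or $Address -eq '::' -or
            $Address -like '10.*' -or $Address -like '192.168.*' -or
            $Address -like '169.254.*' -or $Address -like 'fe80:*' -or
            $Address -match '^172\.(1[6-9]|2\d|3[01])\.')
}

function Get-ExternalConnectionsByProcess {
    param(
        [string[]]$NetstatLines = (& netstat.exe -ano),
        [hashtable]$ProcessTable = $null   # PID -> object with Name and ExecutablePath
    )
    if ($ProcessTable -eq $null) {
        $ProcessTable = @{}
        # WMI exposes ExecutablePath without the access errors Get-Process can raise
        Get-WmiObject Win32_Process | ForEach-Object { $ProcessTable[[int]$_.ProcessId] = $_ }
    }
    ConvertFrom-NetstatOutput -Lines $NetstatLines |
        Where-Object { $_.State -eq 'ESTABLISHED' -and -not (Test-LocalAddress $_.RemoteAddress) } |
        Group-Object ProcessId |
        ForEach-Object {
            $procId  = [int]$_.Name
            $proc    = $ProcessTable[$procId]
            $remotes = $_.Group | ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" } | Sort-Object -Unique
            New-Object PSObject -Property @{
                ProcessId   = $procId
                Name        = $(if ($proc) { $proc.Name } else { '<not running>' })
                Path        = $(if ($proc) { $proc.ExecutablePath } else { $null })
                Connections = $_.Count
                Remotes     = ($remotes -join ', ')
            }
        } | Sort-Object Connections -Descending
}

function Measure-UploadRate {
    param([int]$Samples = 10)
    # Samples the per-interface "Bytes Sent/sec" counter once a second and reports
    # average and peak in kbit/s, to check the figure the network gadget shows.
    $sets = Get-Counter -Counter '\Network Interface(*)\Bytes Sent/sec' -SampleInterval 1 -MaxSamples $Samples
    $sets | ForEach-Object { $_.CounterSamples } |
        Group-Object InstanceName |
        ForEach-Object {
            $stats = ($_.Group | ForEach-Object { $_.CookedValue * 8 / 1000 }) | Measure-Object -Average -Maximum
            New-Object PSObject -Property @{
                Interface = $_.Name
                AvgKbps   = [math]::Round($stats.Average, 1)
                PeakKbps  = [math]::Round($stats.Maximum, 1)
            }
        }
}

# --- Offline demonstration on constructed input (not a real capture) ---
$sampleNetstat = @'
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       700
  TCP    192.168.1.10:49210     192.168.1.1:445        ESTABLISHED     4
  TCP    192.168.1.10:49312     203.0.113.45:443       ESTABLISHED     2468
  TCP    192.168.1.10:49313     203.0.113.45:443       ESTABLISHED     2468
  TCP    192.168.1.10:49500     198.51.100.7:6667      ESTABLISHED     3120
  TCP    192.168.1.10:49501     198.51.100.7:6667      ESTABLISHED     3120
  TCP    127.0.0.1:5354         127.0.0.1:49200        ESTABLISHED     1580
  TCP    [::1]:49160            [::1]:445              ESTABLISHED     4
  UDP    0.0.0.0:123            *:*                                    1012
'@ -split "`r?`n"

# Constructed process table standing in for Get-WmiObject Win32_Process
$sampleProcs = @{
    2468 = New-Object PSObject -Property @{ Name = 'chrome.exe';  ExecutablePath = 'C:\Program Files\Google\Chrome\Application\chrome.exe' }
    3120 = New-Object PSObject -Property @{ Name = 'updater.exe'; ExecutablePath = 'C:\Users\Public\updater.exe' }
}

Get-ExternalConnectionsByProcess -NetstatLines $sampleNetstat -ProcessTable $sampleProcs |
    Format-Table ProcessId, Name, Connections, Remotes, Path -AutoSize

# Live use on the affected machine (elevated):
#   Get-ExternalConnectionsByProcess | Format-Table ProcessId, Name, Connections, Remotes, Path -AutoSize
#   Measure-UploadRate -Samples 30
```

On the constructed input the LAN and loopback rows drop out and two processes remain: chrome.exe holding two HTTPS connections, and updater.exe, running from a user-writable directory, holding two connections to port 6667. Neither result proves anything by itself; the point is that the executable path and the remote endpoints are what you look up next, and that a snapshot taken while the gadget shows the upload is worth more than one taken at random. Run Measure-UploadRate alongside to see whether the sent rate matches the 100 kbps the gadget reported and whether it is steady or bursty.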

