Hi malware fighters,
There is an amazing army of zombied computers (malicious bots) out on the Net to do evil. See what is going around now here: http://www.cyber-ta.org/releases/malware-analysis/public/
or here: http://www.cyber-ta.org/releases/malware-analysis/public/2007-11-19-public/
and look inside the information:
e.g.
11/19-00:05:16.584648 [] [1:2466:7] E2[rb] NETBIOS SMB-DS IPC$ unicode share access [] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 88.29.10.4:2924 → 192.168.1.30:445
11/19-00:05:18.087855 [] [1:99913:2] E2[rb] SHELLCODE x86 0x90 unicode NOOP [] [Classification: Executable code was detected] [Priority: 1] {TCP} 88.29.10.4:2924 → 192.168.1.30:445
11/19-00:05:18.117846 [] [1:2000032:99] E2[rb] BLEEDING-EDGE EXPLOIT LSA exploit [] [Classification: Misc activity] [Priority: 3] {TCP} 88.29.10.4:2924 → 192.168.1.30:445
11/19-00:05:18.117846 [] [1:2000033:5] E2[rb] BLEEDING-EDGE EXPLOIT MS04011 Lsasrv.dll RPC exploit (WinXP) [] [Classification: Misc activity] [Priority: 3] {TCP} 88.29.10.4:2924 → 192.168.1.30:445
11/19-00:05:18.117846 [] [1:99913:2] E2[rb] SHELLCODE x86 0x90 unicode NOOP [] [Classification: Executable code was detected] [Priority: 1] {TCP} 88.29.10.4:2924 → 192.168.1.30:445
11/19-00:05:18.137205 [] [1:2000032:6] E2[rb] BLEEDING-EDGE EXPLOIT LSA exploit [] [Classification: Misc activity] [Priority: 3] {TCP} 88.29.10.4:2924 → 192.168.1.30:445
11/19-00:05:18.137205 [] [1:2000032:99] E2[rb] BLEEDING-EDGE EXPLOIT LSA exploit [] [Classification: Misc activity] [Priority: 3] {TCP} 88.29.10.4:2924 → 192.168.1.30:445
11/19-00:05:19.125848 [] [1:3000000:99] E3[rb] BotHunter HTTP-based .exe Upload on backdoor port [] [Classification: Misc activity] [Priority: 3] {TCP} 88.29.10.4:80 → 192.168.1.30:1031
11/19-00:05:19.147591 [] [1:2001683:3] E3[rb] BLEEDING-EDGE Malware Windows executable sent from remote host [] [Priority: 0] {TCP} 88.29.10.4:80 → 192.168.1.30:1031
11/19-00:05:19.147591 [] [1:5001684:99] E3[rb] BotHunter Malware Windows executable (PE) sent from remote host [] [Priority: 0] {TCP} 88.29.10.4:80 → 192.168.1.30:1031
A corporate bot does not spam; the bot owner makes sure it does not use too much bandwidth on your (or is it rather “his”/“their”) machine. You probably do not notice your Windows machine is no longer your machine anymore, but herded from afar, until you get the spam report from your local ISP. The bot-herder has already hardened you as a zombie against other competing bots. Now, are there ways to detect if you are already incorporated? It is not that easy. Read this: http://searchsecurity.techtarget.com/expert/KnowledgebaseAnswer/0,289625,sid14_gci1278377,00.html
polonus
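The alert lines quoted above are BotHunter's Snort-style output, and what makes them useful is the `E2`/`E3` stage label in front of each message: BotHunter's dialog model (Gu et al., 2007) tags inbound exploit evidence as E2, egg (binary) download as E3, C&C traffic as E4 and outbound scanning as E5, and declares a host infected when several stages line up against the same local machine. The following script is an added example, not code from polonus's post or from the BotHunter project: it parses lines in that format, groups them by the local host they concern and applies a simplified version of BotHunter's two-condition rule (E2 plus any outbound stage, or two distinct outbound stages). The sample alerts are constructed in the shape of the post's excerpt (the second host, `192.168.1.44`, and the `10.0.0.9` source are made up), and the monitored network `192.168.0.0/16` is an assumption.

```python
import ipaddress
import re
from collections import defaultdict

# BotHunter dialog stages (Gu et al., 2007). The post's excerpt shows E2 and E3.
STAGE_NAMES = {
    "E1": "inbound scan",
    "E2": "inbound exploit",
    "E3": "egg download",
    "E4": "C&C communication",
    "E5": "outbound scan / propagation",
}

# Assumption: the monitored (victim-side) network is 192.168.0.0/16.
LOCAL_NET = ipaddress.ip_network("192.168.0.0/16")

# One BotHunter/Snort alert line. The arrow may be "->" or the "→" seen in the
# post's copy of the log; the Classification field is optional (see the
# "Windows executable sent from remote host" lines, which have none).
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<stage>E\d)\[(?P<tag>\w+)\]\s+(?P<msg>.+?)\s+\[\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?:->|→)\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample input in the format of the post's excerpt.
SAMPLE_ALERTS = """\
11/19-00:05:16.584648 [] [1:2466:7] E2[rb] NETBIOS SMB-DS IPC$ unicode share access [] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 88.29.10.4:2924 -> 192.168.1.30:445
11/19-00:05:18.087855 [] [1:99913:2] E2[rb] SHELLCODE x86 0x90 unicode NOOP [] [Classification: Executable code was detected] [Priority: 1] {TCP} 88.29.10.4:2924 → 192.168.1.30:445
11/19-00:05:19.125848 [] [1:3000000:99] E3[rb] BotHunter HTTP-based .exe Upload on backdoor port [] [Classification: Misc activity] [Priority: 3] {TCP} 88.29.10.4:80 -> 192.168.1.30:1031
11/19-00:05:19.147591 [] [1:2001683:3] E3[rb] BLEEDING-EDGE Malware Windows executable sent from remote host [] [Priority: 0] {TCP} 88.29.10.4:80 -> 192.168.1.30:1031
11/19-00:07:02.000000 [] [1:2466:7] E2[rb] NETBIOS SMB-DS IPC$ unicode share access [] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 10.0.0.9:3011 -> 192.168.1.44:445
this line is not an alert and must be reported as unparsed
"""


def parse_alert(line):
    """Parse one alert line into a dict, or return None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    for key in ("prio", "sport", "dport"):
        alert[key] = int(alert[key])
    return alert


def local_host(alert):
    """Return whichever endpoint lies in the monitored network (the victim side)."""
    for key in ("src", "dst"):
        if ipaddress.ip_address(alert[key]) in LOCAL_NET:
            return alert[key]
    return None


def correlate(lines):
    """Group parsed alerts by local host and by dialog stage."""
    per_host = defaultdict(lambda: defaultdict(list))
    unparsed = []
    for line in lines:
        if not line.strip():
            continue
        alert = parse_alert(line)
        if alert is None:
            unparsed.append(line)
            continue
        host = local_host(alert)
        if host is not None:
            per_host[host][alert["stage"]].append(alert)
    return per_host, unparsed


def infection_verdict(stages):
    """Simplified BotHunter rule: infected if E2 is seen together with any
    outbound stage (E3-E5), or if two distinct outbound stages are seen."""
    outbound = {s for s in stages if s in ("E3", "E4", "E5")}
    if "E2" in stages and outbound:
        return True
    return len(outbound) >= 2


def report(lines):
    """Per-host summary: stages observed, first timestamp, and the verdict."""
    per_host, unparsed = correlate(lines)
    verdicts = {}
    for host, stages in per_host.items():
        verdicts[host] = {
            "stages": sorted(stages),
            "first_seen": min(a["ts"] for alerts in stages.values() for a in alerts),
            "infected": infection_verdict(stages),
        }
    return verdicts, unparsed


if __name__ == "__main__":
    verdicts, unparsed = report(SAMPLE_ALERTS.splitlines())
    for host, v in sorted(verdicts.items()):
        names = ", ".join(f"{s} ({STAGE_NAMES[s]})" for s in v["stages"])
        print(f"{host}: first seen {v['first_seen']}; {names}; infected={v['infected']}")
    print(f"{len(unparsed)} line(s) could not be parsed")
```

Run against the sample, `192.168.1.30` shows both the E2 exploit chain and the E3 download and is flagged, while `192.168.1.44` shows only an inbound exploit attempt and is not; a single E2 alert is exactly the kind of noise the post warns about, which is why the rule demands corroboration from a later stage. The unparsed-line count is there so a silently broken regex (a rule set that changes its message format, for instance) cannot make the report look clean.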