What are best practice forensics after finding IRC bot

Posted on 2007-10-12
Last Modified: 2013-11-29
What are the best practices for follow-up to a bot removal? I was called on site to a client's small business and found a very simple IRC bot installed that launched on startup and made no attempt to conceal itself. I was able to locate it without a great deal of time and effort; it was installed in a folder in System32\, but the ease with which I could find and remove it led me to ask if there is a false sense of security, since the system scans show no virus and the system is working as expected. I cleaned a Storm Worm infected machine about two months ago and that was the most stubborn cleanup that I had seen in many years. With this one I deleted the folder and the registry entries and it was gone; it just seemed too easy. The owner told me that he always killed the application as soon as he booted up, so I want to believe it never got past the immediate IRC logins.

In the properties of the executable the company name was 'GoHack, Inc.'

Question by:BrianDSy
    LVL 32

    Accepted Solution

    Here is my list of suggestions for a case like this:

    (1) Examine all user accounts, disable or delete any accounts known to be fraudulent, then change passwords on all admin accounts, using at least 10 chars and avoid common names and words.
    (2) Download RootkitRevealer and do a scan. Post the log here if it shows anything suspect. If the log is very long then just post the first 30 lines or so. Be sure to save the log in any case.
    (3) Download Autoruns, then:
    (a) Run the program. It lists a bunch of things that start when Windows starts.
    (b) From the menu bar, select Options, and uncheck "Include Empty Locations" and check "Hide Microsoft Entries".
        Important -> Then click the Refresh button in the toolbar.
    (c) This will give you a shorter, more meaningful list.
    (d) Post the log here if anything interesting.
    (4) Run "netstat -ab" from a command prompt, save the output to a text file (e.g. "netstat -ab > list.txt") then copy-and-paste the list here. If you like you can just post the suspect entries, or replace your ip with xx.xx
    (5) If you identify any files installed by the hacker, search the rest of your C: drive for any other files created/modified around that date and time. Also, rather than deleting files left behind by the hackers, move them to another disk or CD for possible later study.
    (6) After things have been cleaned up, download and run MBSA, do a scan, and follow as many of its recommended steps as reasonable.
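Steps (4) and (5) above are the ones worth scripting, so the same checks can be repeated on every machine in the office. The following is an added example, not code from the thread above or from any of the tools it names: a small Python triage script that parses saved "netstat -ab" output and flags connections to the conventional IRC port range, then walks a directory tree for files whose modification or creation time falls within a window around the time the bot's folder appeared. The netstat sample, the process names in it, the IRC port set and the pivot timestamp are all constructed assumptions for the example, not data from the client's machine.

```python
"""Triage helpers for the two scriptable steps in the answer above.

Added example. Assumes 'netstat -ab' output has been saved to a text file
(step 4) and that the bot folder's timestamp is known (step 5).
"""
import os
import re
from datetime import datetime, timedelta

# Assumption for this example: 6667 is the IANA-registered IRC port and
# 6660-6669 / 7000 are the conventional range. Bots do use other ports,
# so treat a miss here as "not found", never as "clean".
IRC_PORTS = set(range(6660, 6670)) | {7000}

# Constructed sample modelled on Windows XP 'netstat -ab' output, with the
# client's own address replaced by xx.xx as the answer suggests. The
# look-alike name 'svchosts.exe' is invented for the example.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    xx.xx:1042             10.0.0.5:445           ESTABLISHED     4
  [System]
  TCP    xx.xx:1059             198.51.100.23:6667     ESTABLISHED     1832
  [svchosts.exe]
  TCP    xx.xx:1061             203.0.113.9:80         ESTABLISHED     2200
  [firefox.exe]
  UDP    xx.xx:137              *:*                                    4
  [System]
"""

# A connection line: proto, local, remote, optional state (UDP has none), PID.
_CONN_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)
# The '[name.exe]' line that -b prints under each connection.
_PROC_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")


def parse_netstat(text):
    """Turn saved 'netstat -ab' text into a list of dicts, attaching the
    bracketed process name that follows each connection line."""
    records = []
    for line in text.splitlines():
        m = _CONN_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["pid"] = int(rec["pid"])
            rec["process"] = None
            records.append(rec)
            continue
        p = _PROC_RE.match(line)
        if p and records and records[-1]["process"] is None:
            records[-1]["process"] = p.group("name")
    return records


def remote_port(rec):
    """Remote port as an int, or None for wildcard entries like '*:*'."""
    port = rec["remote"].rsplit(":", 1)[-1]
    return int(port) if port.isdigit() else None


def flag_irc_connections(records, ports=IRC_PORTS):
    """Connections whose remote port is in the IRC set (step 4 review)."""
    return [r for r in records if remote_port(r) in ports]


def files_modified_near(root, pivot, window=timedelta(hours=2)):
    """Walk 'root' and return (path, mtime) for files whose modification or
    creation time is within +/- window of 'pivot' (step 5), oldest first.
    On Windows st_ctime is creation time, which survives some edits that
    reset mtime; on Unix it is inode-change time. Both are forgeable."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # vanished or unreadable; keep walking
            mtime = datetime.fromtimestamp(st.st_mtime)
            ctime = datetime.fromtimestamp(st.st_ctime)
            if abs(mtime - pivot) <= window or abs(ctime - pivot) <= window:
                hits.append((path, mtime))
    hits.sort(key=lambda h: h[1])
    return hits


def timeline_demo():
    """Build a constructed fixture in a temp dir and run the timeline search.
    Returns the basenames found, oldest first."""
    import tempfile
    root = tempfile.mkdtemp(prefix="triage_")
    os.makedirs(os.path.join(root, "sub"))
    pivot = datetime(2007, 10, 10, 14, 30)  # assumed bot install time
    samples = {  # name -> constructed mtime
        os.path.join(root, "a.dll"): pivot + timedelta(minutes=30),
        os.path.join(root, "sub", "b.exe"): pivot - timedelta(minutes=90),
        os.path.join(root, "readme.txt"): pivot - timedelta(days=40),  # out
    }
    for path, when in samples.items():
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.utime(path, (when.timestamp(), when.timestamp()))
    return [os.path.basename(p) for p, _ in files_modified_near(root, pivot)]


if __name__ == "__main__":
    for r in flag_irc_connections(parse_netstat(SAMPLE_NETSTAT)):
        print("IRC-port connection:", r["process"], r["pid"], r["remote"])
    print("files near pivot:", timeline_demo())
```

Two caveats a practitioner should keep in mind when using this: netstat run on the live machine only reports what the running kernel is willing to show, so a rootkit can hide the very connection you are looking for, which is why the offline-scan advice later in this thread matters; and file timestamps are trivially forged, so the timeline output is a list of leads to examine, not evidence that nothing else changed.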
    LVL 6

    Assisted Solution


    IMHO it doesn't matter what you find; the best practice is to reinstall the workstation. Of course, make images before doing it and then analyse them with some forensic toolkit to understand how that software got there in the first place.


    LVL 38

    Assisted Solution

    by:Rich Rumble
    A tool no admin should be without is a USB (and/or FireWire) drive adapter like these:

    Take the HD out of the PC, connect it to the USB adapter, and scan the drive using updated AV tools and spyware tools. This will assure you that no rootkit is messing with your results, and you can easily scan files that may have been protected or hidden while the HD was running the OS.
    There are IDE and SATA drive adapters (laptop and PC style) for a very low price, and they help assure your results are accurate.
    When you do find spyware/viruses on a PC running Windows ME or XP Pro, the following page describes some other best practices to follow:

    You should likely reinstall from scratch or from an image if you do find something big like a rootkit, and for some malware as well.

    Author Comment

    It's hard to rate any of these as the ultimate solution, since I need to maintain a balance between the users' freedom of choice in a small office and budget choices about offline storage. But after removing the registry keys that started the processes and restarting the machine, I was able to remove the rest of the malware and run the System Restore function of Windows using the boot CD. The first and last solutions are the best for the small business; the second one is an enterprise-type solution. Resources in many of the small businesses I go to are stretched to the maximum.


    Author Closing Comment

    Thanks for the feedback. My client's happy. I feel like I got the job done. There have been no further issues.

