Is this workstation really communicating with a botnet?

Hi to all of you,
as you can see from the following pics we have a client, inside our network, that is communicating with a botnet called Kelihos.
Capture-expert2.JPG
I made a search and the traffic passed over https.
 Capture-expert1.JPG
I have the following questions:
How can I be sure that the IP mentioned is really part of a botnet?
I made a search on virustotal and http://www.threatstop.com/  then http://botnet.global.sonicwall.com/view 
and the IP is not mentioned.
I ran Malwarebytes + NOD32 and they didn't find any trace of malware.

How can I be sure that the client has no infection even if the installed antivirus (ESET NOD32) confirms that the system is clean?

thank you
Carlettus
Carlo asked:
andreas (System Admin) commented:
If the malware uses rootkit functionality, some or all of the analysis tools might lie about the network status.

The best approach is to scan the hard drives of the system offline, e.g. from an antivirus boot CD. A scan on a compromised system might not be of much use.

Furthermore, recently there were polymorphic worms circulating; AV scanners have a hard time detecting things like that:

https://blogs.mcafee.com/mcafee-labs/takedown-stops-polymorphic-botnet

If the communication is legit you should be able to find out which process communicates, and you should know why you have this binary running and what its purpose is. Legit processes usually don't hide.

If in doubt you need to assume an infection until you have found out what is causing the connections; if it cannot be found out, you should consider reinstalling the machine from backup or from scratch (if there is no backup/image).
0
 
McKnife commented:
On your infected (?) client, open an elevated command prompt and fire:
netstat -bano |findstr 443
This should list processes that communicate via 443 (https).
The last column of the result will show the process ID ("PID"). Then open Task Manager (again elevated), go to the Details tab and make sure the PID column is displayed. Then sort by PID and look up the process corresponding to the PID you found using netstat before. What process is it? Do you know that executable? Upload it to virustotal.com.

Edit: Wait, this would only work if the connection were successfully established, but you already block it, so netstat will not find anything. You could use TCPView by Sysinternals to see what connections are being tried.
0
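The procedure McKnife describes (netstat, PID, Task Manager, hash lookup) can be done in one pass from an elevated PowerShell session, and it can also address the problem raised in the edit: a connection the firewall drops never reaches the Established state, but it does sit briefly in SynSent while the client retries, so polling for both states catches it. The script below is an added example, not code from the thread or from any tool mentioned in it. It assumes Windows 8 / Server 2012 or later (where Get-NetTCPConnection exists); $SuspectIp is a constructed placeholder to be replaced with the address from the firewall log.

```powershell
# Added example (not from the thread): map outbound TCP connection attempts on a
# Windows host to the owning process and record the executable's SHA256, so the
# file can be looked up on VirusTotal by hash instead of being uploaded.
# Assumes Windows 8 / Server 2012+ and an elevated PowerShell session.
$SuspectIp   = '198.51.100.23'   # constructed placeholder (RFC 5737 TEST-NET-2), not the real address from the post
$PollSeconds = 60                # how long to watch; blocked attempts are short-lived, so we poll

$seen     = @{}                  # keyed by PID + remote endpoint, keeps the first sighting
$deadline = (Get-Date).AddSeconds($PollSeconds)

while ((Get-Date) -lt $deadline) {
    # SynSent is included on purpose: when the firewall drops the traffic the
    # client never reaches Established, which is why netstat shows nothing.
    Get-NetTCPConnection -State Established, SynSent -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -eq $SuspectIp -or $_.RemotePort -eq 443 } |
        ForEach-Object {
            $key = "$($_.OwningProcess)|$($_.RemoteAddress):$($_.RemotePort)"
            if (-not $seen.ContainsKey($key)) {
                $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
                $path = if ($proc) { $proc.Path } else { $null }
                $hash = $null
                $sig  = $null
                # PID 4 (System) and protected processes have no usable path; leave those fields empty.
                if ($path -and (Test-Path -LiteralPath $path)) {
                    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
                    $sig  = (Get-AuthenticodeSignature -FilePath $path).Status
                }
                $seen[$key] = [pscustomobject]@{
                    FirstSeen = Get-Date
                    State     = $_.State
                    Remote    = "$($_.RemoteAddress):$($_.RemotePort)"
                    PID       = $_.OwningProcess
                    Process   = if ($proc) { $proc.ProcessName } else { '<exited>' }
                    Path      = $path
                    Signature = $sig
                    SHA256    = $hash
                }
            }
        }
    Start-Sleep -Milliseconds 500
}

# One row per distinct process/endpoint pair, oldest first.
$seen.Values | Sort-Object FirstSeen | Format-Table -AutoSize
```

Run it while the firewall rule is still in place and let it watch for a minute or more, since the malware may only retry periodically. Paste the SHA256 into the VirusTotal search box to see whether the file is already known without sharing it. An unsigned binary, or one living under a user-writable path such as %APPDATA% or %TEMP%, deserves a closer look. If the owning PID is 4, the connection belongs to the System process, meaning it originates in kernel mode (a driver or the TCP/IP stack itself) rather than in a user-mode program; that matches the "System" entry Carlo later reports seeing in TCPView and is consistent with the rootkit scenario Andreas describes, in which case the offline scan or rebuild path is the sound one.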
 
frankhelk commented:
Hmm, a search on who.is reveals that the IP's owner (a company whose name sounds like some internet hoster) sits in Donetsk, Ukraine.

Have you tried to nail down the process that connects to that IP?

This could be done, e.g., with Sysinternals' TCPView tool. Maybe that reveals more info?
0
 
Thomas Zucker-Scharff (Solution Guide) commented:
You can also check with Trend Micro's RUBotted. Their complete list of free apps (some of which are trialware) is at http://www.trendmicro.com/us/security/products/#free-tools
0
 
Carlo (Author) commented:
Hello,
I totally agree with Andreas, because at the moment I only see the traffic with the suspected botnet from the firewall logs, but I was not able to identify the malware, even though I used TCPView; the mapping "System process / destination port" doesn't tell me much.

Could you please suggest other ways to detect the malware and remove it?
I only know the malware is working.

thank you
Carlettus
0
 
andreas (System Admin) commented:
If it's that hard to spot, I would not try to disable it manually. I would rather rebuild the machine.

Modern malware can also hide entirely inside the registry or in alternate data streams of the NTFS filesystem. Some even exist only in RAM and are loaded anew over the net on every boot. Spotting the place where the loading is triggered can be compared to finding a needle in a haystack.

The best chance you have is to remove the hard drive and scan it on an external system with several different anti-malware and antivirus programs.

If nothing turns up, it's really best to rebuild; even if something is found, you cannot be sure that ALL of it was found and that you really removed all malicious programs.
0
 
Carlo (Author) commented:
Hello Andreas,
could you please advise which AV you consider best that I can use offline?
Thank you
0
 
andreas (System Admin) commented:
We use Sophos here, but the boot CD is not very good; it's better to connect the HDD to another PC with Sophos running.

Furthermore you should scan with Malwarebytes Anti-Malware, AVG, Avast, Avira, Kaspersky, McAfee.

But it's far from sure that it can catch your malware. You should try to scan with as many products as you can get your hands on.

Depending on whether you are a private person or a business, there are several scanners out there for free, but most are only available free for personal, non-commercial use.
0
 
Carlo (Author) commented:
Thank you to all,
I close this for the moment, but I hope I can reopen it in the future if I have other doubts.
Bye
Carlettus
0
 
Carlo (Author) commented:
Thanks to All
0