Is this workstation really communicating with a botnet?

Hi to all of you,
As you can see from the following pictures, we have a client inside our network that is communicating with a botnet called Kelihos.
[screenshot: Capture-expert2.JPG]
I did a search and the traffic passed over HTTPS.
[screenshot: Capture-expert1.JPG]
I have the following questions:
How can I be sure that the IP mentioned is really part of a botnet?
I searched on VirusTotal, http://www.threatstop.com/ and then http://botnet.global.sonicwall.com/view
and the IP is not mentioned.
I ran Malwarebytes + NOD32 and they didn't find any trace of malware.

How can I be sure that the client has no infection, even if the installed antivirus (ESET NOD32) confirms that the system is clean?

Thank you
Carlettus
Carlo asked:
McKnife commented:
On your infected (?) client, open an elevated command prompt and fire:
netstat -bano | findstr 443
This should list processes that communicate via 443 (HTTPS).
The last column of the result will show the process ID ("PID"). Then open Task Manager (again elevated), go to the Details tab and make sure the PID column is displayed. Then sort by PID and look up the process corresponding to the PID you found using netstat. What process is it? Do you know that executable? Upload it to virustotal.com.

Edit: Wait, this would only work if the connection were successfully established, but you already block it, so netstat will not find anything. You could use TCPView by Sysinternals to see what connections are being tried.
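The netstat / Task Manager / TCPView steps above, scripted as an added example (this is not code from the thread or from any of its participants): it polls for TCP connections to one remote address, so half-open attempts that the firewall blocks (state SynSent) are caught as well as established ones, and for each new owning process it records the image path, its SHA-256 hash (which can be looked up on VirusTotal without uploading the file) and its Authenticode status. The IP address in the script is a placeholder from the TEST-NET-3 documentation range, not an indicator from the thread, and must be replaced with the address from the firewall log; the script assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and an elevated PowerShell prompt.

```powershell
# Added example, not from the original thread. Polls for TCP connections to a
# suspected C2 address and attributes them to a process, including half-open
# (SynSent) attempts that a blocking firewall never lets reach Established.
# Assumptions: Windows 8 / Server 2012 or later (Get-NetTCPConnection),
# run from an elevated PowerShell prompt. $SuspectIp is a placeholder from
# TEST-NET-3; replace it with the address taken from the firewall log.
param(
    [string]$SuspectIp  = '203.0.113.10',
    [int]$Seconds       = 600,    # how long to keep watching
    [int]$IntervalMs    = 250     # poll quickly; a SYN attempt is short-lived
)

$seen = @{}                       # "pid:remoteport" keys already reported
$stop = (Get-Date).AddSeconds($Seconds)

while ((Get-Date) -lt $stop) {
    # Deliberately no -State filter: a blocked outbound connection sits in SynSent.
    $conns = Get-NetTCPConnection -RemoteAddress $SuspectIp -ErrorAction SilentlyContinue
    foreach ($c in $conns) {
        $key = "$($c.OwningProcess):$($c.RemotePort)"
        if ($seen.ContainsKey($key)) { continue }
        $seen[$key] = $true

        # The process may already have exited (short-lived loader); both lookups
        # then return nothing instead of aborting the loop.
        $proc   = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($c.OwningProcess)" `
                      -ErrorAction SilentlyContinue
        $name = if ($proc)   { $proc.ProcessName }       else { '<exited>' }
        $ppid = if ($parent) { $parent.ParentProcessId } else { $null }

        $path = $null; $hash = $null; $sig = $null
        if ($proc -and $proc.Path) {
            # PID 4 (System) and some protected processes expose no Path: that
            # traffic is kernel-originated and there is no user-mode file to hash.
            $path = $proc.Path
            $hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $path).Hash
            $sig  = (Get-AuthenticodeSignature -FilePath $path).Status
        }

        [pscustomobject]@{
            Time       = Get-Date -Format 'HH:mm:ss.fff'
            State      = $c.State
            LocalPort  = $c.LocalPort
            RemotePort = $c.RemotePort
            PID        = $c.OwningProcess
            Name       = $name
            ParentPID  = $ppid
            Path       = $path
            SHA256     = $hash
            Signature  = $sig
        } | Format-List
    }
    Start-Sleep -Milliseconds $IntervalMs
}
```

Leave it running across the interval at which the firewall logs the hits; a beacon that fires once every few minutes will otherwise be missed between two manual TCPView glances. If every hit is owned by PID 4 (System), the connection is being made by a kernel component rather than by an executable you can hash and upload, which is exactly the rootkit case the later replies describe, and offline inspection of the disk is the next step.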
frankhelk commented:
Hmm - a search on who.is reveals that the IP's owner (a company whose name sounds like some internet hoster) sits in Donetsk, Ukraine.

Have you tried to nail down the process that connects to that IP?

This could be done e.g. with Sysinternals' TCPView tool. Maybe that reveals more info?
andreas (System Admin) commented:
If the malware uses rootkit functionality, some/all of the analysis tools might lie about the network status.

The best approach is to scan the hard drives of the system offline, e.g. from an antivirus boot CD. A scan on a compromised system might not be of much use.

Furthermore, recently there were polymorphic worms circulating; AV scanners have a hard time detecting things like that:

https://blogs.mcafee.com/mcafee-labs/takedown-stops-polymorphic-botnet

If the communication is legit you should be able to find out which process communicates, and you should know why you have this binary running and what its purpose is. Legit processes usually don't hide.

In doubt you need to assume an infection until you have found out what is causing the connections; if it cannot be found out, you should consider reinstalling the machine from backup or from scratch (if there is no backup/image).

Thomas Zucker-Scharff (Solution Guide) commented:
You can also check with Trend Micro's RUBotted. Their complete list of free apps (some of which are trialware) is at http://www.trendmicro.com/us/security/products/#free-tools
Carlo (Author) commented:
Hello,
I totally agree with Andreas, because at the moment I only see the traffic with the suspected botnet in the firewall logs, but I was not able to identify the malware, even though I used TCPView; the mapping of the System process to the destination port doesn't tell me much.

Could you please suggest other ways to detect the malware and remove it?
I only know that the malware is working.

Thank you
Carlettus
andreas (System Admin) commented:
If it's that hard to spot, I would not try to disable it manually. I would rather rebuild the machine.

Modern malware can also hide entirely inside the registry or in alternate data streams of the NTFS filesystem. Some even only exist in RAM and are loaded anew on every boot over the net. Spotting the place where the loading is triggered can be compared to finding a needle in a haystack.

The best chance you have is by removing the hard drive and scanning it on an external system with several different anti-malware and antivirus programs.

If nothing turns up, it's really best to rebuild; even if something is found you cannot be sure that ALL of it was found and that you really removed all malicious programs.
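A first pass at the "where is the loading triggered" question from the reply above, as an added example (not code from the thread or from any participant): it enumerates the Run/RunOnce keys, auto-start services and scheduled-task actions, resolves each command line to an executable, hashes it, and lists entries whose binary is missing or not validly signed first. It assumes an elevated prompt on Windows 8 / Server 2012 or later (for the ScheduledTasks module). The set of locations is deliberately short (Sysinternals Autoruns covers many more), and on a machine with a rootkit the registry and task views can themselves be lied to, which is the point made above about scanning offline.

```powershell
# Added example, not from the original thread. Lists common autostart entries
# and flags binaries that are missing or not validly Authenticode-signed.
# Assumptions: elevated prompt, Windows 8 / Server 2012 or later (ScheduledTasks
# module). Locations covered here are a small subset of what Autoruns checks.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ImagePath([string]$cmd) {
    # Pull the executable out of a command line: a quoted path first, then the
    # shortest prefix ending in .exe (so unquoted paths with spaces still
    # resolve), then just the first token.
    if ([string]::IsNullOrWhiteSpace($cmd)) { return $null }
    if ($cmd -match '^\s*"([^"]+)"')      { return $Matches[1] }
    if ($cmd -match '^\s*(.+?\.exe)\b')   { return $Matches[1] }
    return ($cmd.Trim() -split '\s+')[0]
}

function Get-BinaryInfo([string]$source, [string]$cmd) {
    $raw  = Get-ImagePath $cmd
    $path = if ($raw) { [Environment]::ExpandEnvironmentVariables($raw) } else { $null }
    $info = [ordered]@{
        Source    = $source
        Command   = $cmd
        Path      = $path
        Exists    = $false
        SHA256    = $null
        Signature = 'missing'      # overwritten below when the file is found
    }
    if ($path -and (Test-Path -LiteralPath $path -PathType Leaf)) {
        $info.Exists    = $true
        $info.SHA256    = (Get-FileHash -Algorithm SHA256 -LiteralPath $path).Hash
        $info.Signature = (Get-AuthenticodeSignature -FilePath $path).Status
    }
    [pscustomobject]$info
}

$entries = @()

# 1. Run / RunOnce registry values
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($v in $values.PSObject.Properties) {
        if ($v.Name -like 'PS*') { continue }   # PSPath, PSParentPath etc. are metadata
        $entries += Get-BinaryInfo "$key\$($v.Name)" ([string]$v.Value)
    }
}

# 2. Services configured to start automatically
foreach ($svc in Get-CimInstance Win32_Service -Filter "StartMode = 'Auto'") {
    if ($svc.PathName) { $entries += Get-BinaryInfo "Service:$($svc.Name)" $svc.PathName }
}

# 3. Scheduled-task exec actions
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($a in $task.Actions) {
        if ($a.Execute) {
            $entries += Get-BinaryInfo "Task:$($task.TaskPath)$($task.TaskName)" $a.Execute
        }
    }
}

# Anything not 'Valid' (NotSigned, HashMismatch, missing file) sorts to the top.
$entries |
    Sort-Object @{ Expression = { $_.Signature -eq 'Valid' } }, Source |
    Format-Table Source, Signature, Exists, Path -AutoSize
```

An unsigned binary in a user-writable directory, a scheduled task whose action points at a file that no longer exists, or a service whose path resolves to an unexpected location are the rows to look at first; the SHA-256 column lets you check each against VirusTotal before deciding whether to keep chasing or to rebuild, as recommended above.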
Carlo (Author) commented:
Hello Andreas,
could you please advise the best AV, in your view, that I can use offline?
Thank you
andreas (System Admin) commented:
We use Sophos here, but the boot CD is not very good; it's better to connect the HDD to another PC with Sophos running.

Furthermore you should scan with Malwarebytes Anti-Malware, AVG, Avast, Avira, Kaspersky and McAfee.

But it's far from sure that it can catch your malware. You should try to scan with as many products as you can get your hands on.

Depending on whether you are a private person or a business, there are several scanners out there for free, but most are only free for personal, non-commercial use.
Carlo (Author) commented:
Thank you to all,
I'll close this for the moment, but I hope I can reopen it in the future if I have other doubts.
Bye
Carlettus
Carlo (Author) commented:
Thanks to all