A botnet is a network consisting of hacked computers that are infected by malware and can be controlled by the botnet owner without the computer owner’s knowledge. They bots can be used to launch DDoS attacks that causes a website to go offline, sending spam messages, driving fake traffic, clicking advertisements and many more depending on the creativity of the botnet owner. Normally the user won’t even notice that their computer is a zombie bot being controlled because the malware is programmed to stay infected as long as possible bypassing both known antivirus or firewall software and does not damage or change any part of the operating system that may trigger the owner’s attention.
Some of the ways for an Internet user to get infected by malware turning their computer into a zombie bot is by downloading unknown files, visiting hacked websites and running email attachments blindly. Most of the time a computer infected by a bot malware will not find anything suspicious because it is very light on the system other than taking up the Internet bandwidth. Some bots can even run an invisible speedtest to determine the full speed so that it only uses up half of the bandwidth to avoid any suspicion by the owner.
Detecting infection associated with bots using antivirus and firewall is ineffective because they are normally made fully undetected through obfuscation before they are spread. A more effective way to detect bot infection is by analyzing the computer’s behavior and here are 6 tools that does that.
1. DE-Cleaner powered by Avira
DE-Cleaner is a free service initiated by the Association of the German Internet Industry to increase the awareness of the user’s computer being a part of botnets. The official website contains information explaining botnets, how you get infected and etc. Two well-known security companies that creates one of the most popular antivirus software, Avira and Kaspersky has participated in this project, offering free scanner tools to detect and remove malicious software including bot malware.
Avira DE-Cleaner installer requires an Internet connection to download the program and latest pattern files. Take note that the graphical user interface is only in German but it can be easily used by clicking two buttons. It is possible to copy the Avira DE-Cleaner to an external USB drive for portable usage by clicking the “Auf USB-gerät kopieren” option located at the top of the program window.
2. DE-Cleaner powered by Kaspersky
DE-Cleaner powered by Kaspersky is actually the same as Kaspersky Virus Removal Tool or simply known as AVPTool with a German language interface. Unlike Avira De-Cleaner, Kaspersky De-Cleaner doesn’t have an online update so you’ll have to download the latest version from their website if you need an up-to-date version.
Unfortunately Kaspersky DE-Cleaner is using the previous version of Kaspersky Virus Removal Tool version 10 while the current build with an English interface is already at version 11 which can be downloaded from the official Kaspersky’s website.
RuBotted is a free bot infection monitoring tool created by Trend Micro that is very easy to use with zero configuration or knowledge required. Simply download, install and allow the program to run automatically during Windows startup which will sit quietly in the notification area monitoring your Windows system.
When an infection is found, RuBotted uses another one of their free tool called HouseCall to clean up the bot malware. Other than monitoring files for suspicious bot-like behavior, RuBotted also works with their cloud based technology called Smart Protection Network to further detect both known and unknown botnets. One of the downside of RuBotted is it was last updated end of 2010 and still labelled as beta.
4. Mirage Anti-Bot
Mirage Anti-Bot is created by Jean-Pierre LESUEUR, the founder of Phrozen Software and is also the creator of DarkComet RAT. Basically Mirage Anti-Bot uses the Windows HOSTS file to prevent you from connecting the known command and control servers. The list of known bad URLs are downloaded from abuse.ch that tracks ZeuS, SpyEye and Palevo C&C servers. Other than that, PhrozenSoft also has their own global database and you can also add custom new host.
By defeault Mirage Anti-Bot will automatically updated the block list but you can also manually force an update check by clicking the Update button. One of the potential problem with Mirage Anti-Bot is it doesn’t backup the original HOSTS file before adding a bunch of hosts into it and there is no option to restore the original HOSTS file.
5. Bot Revolt
Bot Revolt claims to an anti botnet consumer software that protects your computer from virus, bots and hackers. After testing, we found that Bot Revolt merely does the exact same thing as PeerBlock which is blocking known bad IP addresses according to categories such as governments, corporations, anti-P2P machines and countries. Their IP address list are compiled from a few sources such as spamcop, i-blocklist, spamhaus, blocklistpro and claims to block over 1 billion IP address. IPv4 only has a total of 4.3 billion addresses which means Bot Revolt has already blocked 23% of it…
Whenever your computer receive a packet, Bot Revolt checks the source of the incoming packet with their blocklist and will automatically allow or block the packet depending on the configuration. Bot Revolt is a shareware that cost $47 per year and the downloadable demo trial version is nearly fully crippled because you can only install and run the program. All buttons are disabled and you cannot even scroll the scrollbar to check on the lists of connections.
6. Norton Power Eraser
Norton Power Eraser used to be part of DE-Cleaner but has been withdrawn for some unknown reason. Unlike an antivirus software, the Norton Power Eraser uses aggressive method to detect rootkits, bot, scamware and can also result in being advised to remove legitimate programs.
Running the program will automatically check for an updated version and will download if it is available. At the main window, the Scan for Risks button will only run after a restart. Clicking on Advanced allows you to run 3 different types of scan which is reputation scan, system scan and multi-boot scan. Norton has always relied heavily on their reputation system scan whereby an unknown or less popular application will automatically get flagged as suspicious.