Bots And You

For those of you who are maybe living in a cave (and if so, what ISP services you?), of the millions of computers in the world, a good portion of them are not controlled completely by the person who is paying for their Internet service. These computers, hijacked by a successful hacking campaign, and controlled by another person, we call bots, or zombies. One bot is less useful than a collection of bots, called a botnet. A botnet could range in size from 10,000 to 1.5 million hijacked computers.

I've been observing, and writing about, botnets for some time.


Most people don't realise that botnets are the origination vehicle, the medium, and the payload of a successful attack. And the smarter botnet managers use botnets to manage the botnets used in an attack, using commercial and very shiny scripts.


Attack Origination
Botnets are used to originate an attack. If any of you owns a server, and you review the server access logs (and if you do, and don't, you better remove your head from the place where the sun don't shine, and start), you'll notice anomalies.
  • Password attempts
    aaaaaaaa
    aaaaaaab
    ...
    aaaaaaaz
    aaaaaaba
    ...

    has to be observed - it's an obvious attack!
  • Any persistent, but seemingly random series
    Abracadabra
    MyDogHasFleas
    NowIsTheTime
    coming from the same computer, is pretty obvious too.
  • You probably won't notice
    Abracadabra coming from a computer in Russia
    MyDogHasFleas coming from a computer in Brazil
    NowIsTheTime coming from a computer in USA
    as an attack. That might be one, but how can you tell? Botnets are distributed widely, and are perfect for distributed, throttled attacks.
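
The three cases above are the two easy ones (sequential or random guesses from one address) and the hard one (one guess per address from many addresses). The script below is an added example, not part of the original page: it parses constructed failed-login lines in the sshd "Failed password" format (an assumption; the page only says "server access logs") and applies both checks, a per-source burst count that catches the obvious attack and a per-account count of distinct low-volume sources that catches the distributed, throttled one. The thresholds are assumptions to tune for your own server.

```python
import re
from collections import defaultdict

# Constructed sample lines in sshd "Failed password" format (not from any real server).
# The documentation address ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are used.
SAMPLE_LOG = """\
Sep 25 10:00:01 srv sshd[2001]: Failed password for admin from 203.0.113.5 port 40001 ssh2
Sep 25 10:00:02 srv sshd[2001]: Failed password for admin from 203.0.113.5 port 40002 ssh2
Sep 25 10:00:03 srv sshd[2001]: Failed password for admin from 203.0.113.5 port 40003 ssh2
Sep 25 10:00:04 srv sshd[2001]: Failed password for admin from 203.0.113.5 port 40004 ssh2
Sep 25 10:00:05 srv sshd[2001]: Failed password for admin from 203.0.113.5 port 40005 ssh2
Sep 25 10:10:00 srv sshd[2002]: Failed password for backup from 198.51.100.7 port 50001 ssh2
Sep 25 10:25:00 srv sshd[2003]: Failed password for backup from 192.0.2.44 port 50002 ssh2
Sep 25 10:41:00 srv sshd[2004]: Failed password for backup from 198.51.100.201 port 50003 ssh2
Sep 25 10:58:00 srv sshd[2005]: Failed password for backup from 192.0.2.9 port 50004 ssh2
Sep 25 11:30:00 srv sshd[2006]: Failed password for chuck from 192.0.2.9 port 50005 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<month>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(text):
    """Return (user, ip, seconds-since-midnight) for each failed login line."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        h, mi, s = (int(x) for x in m["time"].split(":"))
        out.append((m["user"], m["ip"], h * 3600 + mi * 60 + s))
    return out


def single_source_bursts(failures, threshold=5, window=60):
    """The obvious case: one address with >= threshold failures inside `window` seconds."""
    by_ip = defaultdict(list)
    for _user, ip, t in failures:
        by_ip[ip].append(t)
    hits = set()
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times)):
            # sliding window starting at times[i]
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                hits.add(ip)
                break
    return hits


def distributed_targets(failures, min_sources=3, max_per_source=2):
    """The botnet case: an account probed from many distinct addresses, each of
    which stays under the radar of per-address counting. Returns {user: [ips]}."""
    by_user = defaultdict(lambda: defaultdict(int))
    for user, ip, _t in failures:
        by_user[user][ip] += 1
    hits = {}
    for user, sources in by_user.items():
        quiet = [ip for ip, n in sources.items() if n <= max_per_source]
        if len(quiet) >= min_sources:
            hits[user] = sorted(quiet)
    return hits


if __name__ == "__main__":
    f = parse_failures(SAMPLE_LOG)
    print("burst sources:", single_source_bursts(f))        # {'203.0.113.5'}
    print("distributed targets:", distributed_targets(f))   # {'backup': [...4 addresses...]}
```

Run it against your own log by replacing SAMPLE_LOG with the file contents. The second check is the one that matters for the third bullet: the "backup" account gets one wrong password per hour from four unrelated addresses, which no per-address counter would ever flag.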



Attack Medium
Botnets are used to transmit an attack. A lot of spam consists of links to websites, and the business of the spammer will be conducted from a website. This requires 3 highly specialised servers.
  • An email distribution server. This will typically be a server running Simple Mail Transfer Protocol (aka SMTP).
  • A website. This will typically be a server running HTTP (and if you use the web, you know about HTTP).
  • A DNS server, providing the IP address of the HTTP server.
If you know anything about reading email headers, you should know about those 3 servers, and the fact that in almost every case, professional email will use 3 separate servers, frequently on the same subnet (Internet address space). Most corporations will frequently locate all servers on the same subnet, for security.

You can generally consider email validity, and filter your email, based upon the servers involved. Any time you get commercial email that includes a link to a product website, and that email / web site uses the same server for DNS, HTTP, and SMTP, it's possibly bogus. If 3 different servers are used, but they are on different subnets, or even in different countries, it's probably bogus.

Modern spammers, though, can easily use 3 separate computers. All the spammer has to do is find 3 computers (legally owned and operated by one, two, or three different individuals) on the same subnet. Many ISP address spaces (their customers) are so open to being botted that this is not at all difficult.
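
The subnet rule in the two paragraphs above can be applied mechanically. The script below is an added example, not code from the original page: it pulls the sending relay's address out of a Received: header and compares it with the addresses of the link's web host and its nameserver, using a constructed lookup table in place of real DNS resolution and a /24 as the assumed meaning of "the same subnet" (both assumptions). The country comparison the page mentions is not implemented, since it needs a geolocation database.

```python
import ipaddress
import re

# A Received: header from a constructed (not real) message; the relay's address
# is the bracketed one, which is the part a forged display name cannot change.
SAMPLE_RECEIVED = ("Received: from mx.example.net (mx.example.net [192.0.2.10]) "
                   "by mail.local with ESMTP; Mon, 25 Sep 2006 10:00:00 -0400")

# Constructed lookup table standing in for DNS (web host of the link, and the
# nameserver for its domain). Real code would resolve these names instead.
CONSTRUCTED_DNS = {
    "www.example.net": "192.0.2.11",
    "ns1.example.net": "192.0.2.12",
    "www.example.org": "198.51.100.5",
    "ns1.example.org": "203.0.113.9",
    "all-in-one.example.com": "192.0.2.10",
}

RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def sending_ip(received_header):
    """Extract the SMTP relay's IPv4 address from a Received: header."""
    m = RECEIVED_IP_RE.search(received_header)
    if not m:
        raise ValueError("no bracketed IPv4 address in header")
    return m.group(1)


def classify_infrastructure(smtp_ip, http_ip, dns_ip, prefix=24):
    """Apply the page's rule to the three server roles.

    'single-host': one machine plays all three roles (possibly bogus)
    'consistent':  three hosts on one subnet (the professional pattern)
    'scattered':   hosts spread over unrelated subnets (probably bogus)
    prefix is the assumed subnet size; a /24 is this example's assumption."""
    ips = [ipaddress.ip_address(x) for x in (smtp_ip, http_ip, dns_ip)]
    if len(set(ips)) == 1:
        return "single-host"
    nets = {ipaddress.ip_network(f"{ip}/{prefix}", strict=False) for ip in ips}
    return "consistent" if len(nets) == 1 else "scattered"


def classify_message(received_header, link_host, ns_host, resolve=CONSTRUCTED_DNS.get):
    """Header parsing plus the (here constructed) lookups; resolve() returns an IP or None."""
    smtp = sending_ip(received_header)
    http = resolve(link_host)
    dns = resolve(ns_host)
    if http is None or dns is None:
        return "unresolvable"  # a link host that does not resolve is its own red flag
    return classify_infrastructure(smtp, http, dns)


if __name__ == "__main__":
    print(classify_message(SAMPLE_RECEIVED, "www.example.net", "ns1.example.net"))        # consistent
    print(classify_message(SAMPLE_RECEIVED, "www.example.org", "ns1.example.org"))        # scattered
    print(classify_message(SAMPLE_RECEIVED, "all-in-one.example.com", "all-in-one.example.com"))  # single-host
```

To use it on real mail, pass a resolver that calls socket.gethostbyname for the link host and looks up the domain's NS record for the nameserver. Treat "consistent" as the absence of a red flag rather than proof of legitimacy: as the paragraph above notes, three botted customer machines on one ISP subnet satisfy the rule just as well as a corporate server room does.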


Attack Payload
Botnets are the payload of an attack. A lot of websites linked from the spam (using components described above), which you have gotten used to as simply containing advertisements for products of varying legitimacy, may instead carry trojans. If you fall victim, and infect your computer, it becomes part of the botnet.


Attack Management
To understand botnet management, and how sophisticated it has become, let's look at the history of botnet use.
  • Originally, the trojans distributed would contain the IP address of the attacker. Each botted computer would load the bot, contact the computer owned by the botnet master, and await instructions. That was a major exposure to the botnet managers. So, they cloaked their identity.
  • Each botted computer would attach to the Internet, frequently into an IRC forum, and await instructions. The botnet manager would login to the same forum, and provide instructions. That was a slight amount of exposure to the botnet managers, so, they further cloaked their identity.
  • With botnets being so easy to use, the botnet managers will now proxy their access to the IRC forums through another botnet. That botnet is never used in an attack, it's only used to hide the identity of the botnet master.
  • And now, we see commercial products designed and marketed explicitly to provide GUI controlled manipulation of botnets.


This is why I have described all of this - the attack attempt, the medium, the payload, and attack management, all involve hacking. That's all it is. And botnets are at the center of the hacking.

And that's what botnets have to do with you.

For more information about botnets, see the University Of Maryland Botnet Blog, with a very intense white paper.


Automatic Metrics and The Ability To Roam Wirelessly

If you have a portable computer, and you've setup a WiFi LAN in your house or office, you'll enjoy the freedom of moving around the house, at will, while still connected to the LAN. Even so, sometimes there will be times when the WiFi connection isn't enough. You'll never get rid of Ethernet, completely.

Most portable computers come with an Ethernet adapter, and a WiFi adapter, installed and activated. The Automatic Metric feature in Windows XP lets you leave both connections activated, and uses the fastest working connection at any time.

You can use automatic metrics (by default), or you can manually change the settings to prefer either connection, using the TCP/IP Properties - Advanced wizard.

NOTE: Using the Automatic Metric feature on a laptop having a role as a server on your LAN may cause problems with the browser infrastructure. Don't carry a server around without understanding the complications.


Know Who's Accessing The Server

Most computers in a workgroup will run as a server, and some computers in a domain will too. Servers do not have unlimited capacity to serve you, and occasionally, they run out of available connections. You'll be trying to access another computer, and you'll see a message that you don't want to see:

No more connections can be made to this remote computer at this time because there are already as many connections as the computer can accept.


And this can also be an issue, when you need to know, in general, what your computer is doing.

So what do you do now? Do you run around, turning off some computers, just so another computer can connect, or just to see if this computer will stop doing what you're wondering about? Sometimes, that's the only diagnostic left to us, but just maybe you can be a bit more methodical, this time.

You can start by identifying who's accessing the server right now. And you can use either one of two tools.

Computer Management
Computer Management is a tool in the Administrative Tools section of Control Panel.

Under Computer Management, you find System Tools, then Shared Folders.

Shares enumerates each share on the server, and the number of connections that are in use for each share. This is where you start, when the server has exceeded its connection limit.

Sessions enumerates the accounts being used for access, and the remote computers, by IP address.

Open Files enumerates the open files and folders, and what accounts are being used for access.

The command-window-based Net command, with 3 of its subcommands, provides information similar to the Shared Folders wizard.

Net Shares enumerates the shares on the server.

C:\>net share

Share name   Resource                        Remark

-------------------------------------------------------------------------------
E$           E:\                             Default share
IPC$                                         Remote IPC
D$           D:\                             Default share
ADMIN$       C:\WINDOWS                      Remote Admin
C$           C:\                             Default share
CDrive       C:\
DDrive       D:\
EDrive       E:\
Quarantine   E:\Quarantine
System Resources
             E:\System Resources
Utility      C:\Utility
The command completed successfully.


Net Sessions enumerates the remote computers (by IP address) and the accounts being used for access.

C:\>net sessions

Computer               User name            Client Type       Opens Idle time

-------------------------------------------------------------------------------
\\192.168.203.100      CCROLL_ADMIN         Windows 2000 2195     1 00:42:48
The command completed successfully.


Net Files enumerates the shared files or folders being accessed, and the accounts being used for access.

C:\>net file

ID         Path                                    User name            # Locks

-------------------------------------------------------------------------------
3          E:\Temp\20060925                        CCROLL_ADMIN         0
The command completed successfully.
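
When the server has hit its connection limit, the question is which sessions to reclaim first, and reading the listings by eye gets old. The script below is an added example, not part of the original page: it parses the page's own net session and net file listings (used here as the sample input), flags sessions idle longer than a threshold, and groups open files by account. On a Windows host it can run net.exe itself; the column layout and the hh:mm:ss idle format are assumed to match the page's listing.

```python
import re
import subprocess
import sys

# Sample input: the page's own captured "net session" and "net file" listings.
NET_SESSION_OUTPUT = r"""Computer               User name            Client Type       Opens Idle time

-------------------------------------------------------------------------------
\\192.168.203.100      CCROLL_ADMIN         Windows 2000 2195     1 00:42:48
The command completed successfully.
"""

NET_FILE_OUTPUT = r"""ID         Path                                    User name            # Locks

-------------------------------------------------------------------------------
3          E:\Temp\20060925                        CCROLL_ADMIN         0
The command completed successfully.
"""

# One session row: \\computer, user, client type (may contain spaces), opens, idle.
# Assumption: idle time is always printed as hh:mm:ss, as in the page's listing.
SESSION_RE = re.compile(
    r"^(?P<computer>\\\\\S+)\s+(?P<user>\S+)\s+(?P<client>.+?)\s+"
    r"(?P<opens>\d+)\s+(?P<idle>\d\d:\d\d:\d\d)\s*$"
)
# One file row: numeric id, path (may contain spaces), user, lock count.
FILE_RE = re.compile(r"^(?P<id>\d+)\s+(?P<path>.+?)\s+(?P<user>\S+)\s+(?P<locks>\d+)\s*$")


def parse_sessions(text):
    """Turn 'net session' output into dicts; header, rule and status lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            d = m.groupdict()
            d["opens"] = int(d["opens"])
            rows.append(d)
    return rows


def parse_files(text):
    """Turn 'net file' output into dicts with integer id and lock count."""
    rows = []
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if m:
            d = m.groupdict()
            d["id"] = int(d["id"])
            d["locks"] = int(d["locks"])
            rows.append(d)
    return rows


def idle_seconds(hms):
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def stale_sessions(sessions, max_idle=30 * 60):
    """Computers holding a session idle for at least max_idle seconds: the
    connections to reclaim first when the server reports it has no more."""
    return [s["computer"] for s in sessions if idle_seconds(s["idle"]) >= max_idle]


def files_by_user(files):
    out = {}
    for f in files:
        out.setdefault(f["user"], []).append(f["path"])
    return out


def live_listing(subcommand):
    """Run 'net <subcommand>' on a Windows host and return its output text."""
    if sys.platform != "win32":
        raise RuntimeError("net.exe is only available on Windows")
    return subprocess.run(["net", subcommand], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    on_windows = sys.platform == "win32"
    sessions = parse_sessions(live_listing("session") if on_windows else NET_SESSION_OUTPUT)
    files = parse_files(live_listing("file") if on_windows else NET_FILE_OUTPUT)
    for s in sessions:
        print(f"{s['computer']:<22} {s['user']:<16} opens={s['opens']} idle={s['idle']}")
    print("stale (>= 30 min idle):", stale_sessions(sessions))
    print("open files by user:", files_by_user(files))
```

On the page's listing the one session has been idle for 42 minutes with a single open, so it is the obvious candidate when a second client is refused; the open-files grouping tells you whether dropping it would interrupt anyone's work.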



The NT Browser and Windows Networking

To find the various computers on a LAN, from each other, you generally open Windows Explorer (don't confuse this with Internet Explorer, please), and look in My Network Places. On a fully working LAN, this will work just fine. It doesn't always work that way though.

The contents of My Network Places (Network Neighbourhood, in some cases) are provided by a subsystem known as the NT Browser. The browser depends upon Server Message Blocks, and anything that interferes with SMBs will cause browser problems, and consequent problems in Network Neighbourhood.

In most cases, browser problems are symptoms of more basic network issues. Computer A and B should be equally visible, and accessible, from each other.

In one common scenario, Computer A shows both Computers A and B, as it should, and files on Computer B are accessible. On Computer B, either you don't see Computer A, or when you try to access Computer A, you get an error. You may, or may not, see Computer B from itself. This visibility problem may be observed constantly, or it may come and go.


  • Since Computer B is accessible from Computer A, a permanent physical connectivity issue is unlikely, but still possible.
  • Besides physical problems, browser problems can have several possible causes. Browser functionality depends upon several relationships:

    • The browser server (ie the browser), and this computer. If this computer can't access its designated browser server, it may lack browse information, and / or have outdated information.
    • The browser server, and the client server (ie any computer being enumerated by the browser). A server, remember, is any computer being displayed in Network Neighborhood. If the browser server can't contact a client server, or if the client server uses a different browser, that server may not appear in Network Neighborhood.
    • The browser server, and the master browser (if not the same computer). If a browser server can't contact the master browser, it won't get the browse list aggregated by the master browser. Any client computers that use that browser won't have the browse list aggregated by the master browser.
    • The master browser for this domain / workgroup, and master browsers for other domains / workgroups. Any master browsers that can't contact other master browsers won't be able to exchange browse lists with them, and their clients won't have the browse lists for the other domains / workgroups.

  • Problems with any of the above relationships - now, or in the past - can cause various problems with Network Neighborhood. Not all computers will try to access the browser simultaneously; if a browser problem just started, not all computers will reflect the problem immediately. If there is a problem, asymmetrical browse lists should be expected.


You will probably best address your problem by continuing with my troubleshooting guide, Irregularities In Workgroup Visibility.


Diagnosing Network Problems Using PingPlotter

Many network problems, given enough test cases, can be diagnosed by simple observation and comparison. If you can access Computer C from Computers A and B, but you can't from Computer D, better look at Computer D. If Computer A can access Websites 1 and 2, but can't access Website 3, what's different about Website 3?

What if the problem comes and goes - now you can access with no problem, and now you can't? Maybe Computer A doesn't work now, but it's working later when Computer B stops working? Or if Website 1 is accessible, but Website 2 isn't, how do you identify the problem? How do you even track the problem, without having assistants to help you watch all of the computers involved?

I start with PingPlotter. PingPlotter combines a traceroute (traditionally a single timed ping of all addressed hosts between one computer and another) with repetitious pinging, and an interactive GUI display. PingPlotter lets you look for geographical problems (showing that you have connectivity between your computer and the first router, but not the second), or for repetitious problems (showing when you lose connectivity, whether chronically, cyclically, or randomly).

Let's say that you are losing connection with the Internet, on all computers on your LAN, periodically. By running PingPlotter on your computers, you can note whether the problem is with your router (if all computers show loss of connectivity with that router), with your ISP (if all computers show loss of connectivity with your ISP's gateway, but no problem with your router), or with a given server on the Internet. If the problem is intermittent, the PingPlotter display will show when the problem happens - and if it's a chronic problem which includes loss of connectivity with your ISP, having a PingPlotter display may be worth a thousand words.

Since PingPlotter shows ping times for every host between you and your target, when there is a break in connectivity somewhere, it will show the break. You will see a red ping display for any hosts that do not respond at all, and the host that is causing the problem will probably be the closest one showing as red.
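
The "closest red host" rule in the two paragraphs above is easy to automate once you have per-hop results from a repeated traceroute. The script below is an added example, not PingPlotter's code or anything from the original page: it takes a constructed reply history (one list of replied/no-reply flags per round, nearest hop first), locates the break in each round, groups consecutive failing rounds into outages, and labels the whole run as clean, intermittent or chronic. One refinement is an assumption added here and not stated on the page: a hop that ignores pings while later hops still answer is treated as a router that simply does not reply to ICMP, not as the break.

```python
from dataclasses import dataclass

# Constructed hop list and reply history; not a real PingPlotter capture.
HOPS = [
    "192.168.1.1   (your router)",
    "192.0.2.1     (ISP gateway)",
    "203.0.113.1   (ISP border)",
    "198.51.100.20 (target server)",
]
R, X = True, False  # replied / no reply
HISTORY = [
    [R, R, R, R],  # round 0
    [R, R, R, R],
    [R, X, X, X],  # rounds 2-3: everything past the router is dark -> ISP gateway
    [R, X, X, X],
    [R, R, R, R],
    [R, X, R, R],  # round 5: gateway ignores the ping, but traffic still flows
    [R, R, R, R],
    [R, R, R, X],  # round 7: only the target is down
    [R, R, R, R],
    [R, R, R, R],
]


@dataclass
class Outage:
    first_round: int
    last_round: int
    first_failed_hop: int  # index into the hop list: the closest hop that went dark


def failing_hop(replies):
    """Index of the closest hop in the trailing run of non-replies, or None.

    If the last hop replied, the path works end to end and any red hop in the
    middle is just a router that does not answer pings (assumption made here)."""
    if not replies or replies[-1]:
        return None
    i = len(replies) - 1
    while i > 0 and not replies[i - 1]:
        i -= 1
    return i


def outages(history):
    """Group consecutive rounds that break at the same hop into Outage records."""
    result, current = [], None
    for r, replies in enumerate(history):
        hop = failing_hop(replies)
        if hop is None:
            if current is not None:
                result.append(current)
                current = None
            continue
        if current is not None and current.first_failed_hop == hop:
            current.last_round = r  # same break, still going
        else:
            if current is not None:
                result.append(current)  # the break moved to a different hop
            current = Outage(r, r, hop)
    if current is not None:
        result.append(current)
    return result


def classify(history):
    """'chronic' if every round is broken, 'intermittent' if only some, else 'clean'."""
    failing = sum(1 for replies in history if failing_hop(replies) is not None)
    if failing == 0:
        return "clean"
    if failing == len(history):
        return "chronic"
    return "intermittent"


def report(history, hops):
    """Human-readable summary, one line per outage plus the overall state."""
    lines = [f"state: {classify(history)}"]
    for o in outages(history):
        span = (f"round {o.first_round}" if o.first_round == o.last_round
                else f"rounds {o.first_round}-{o.last_round}")
        lines.append(f"{span}: break at hop {o.first_failed_hop} {hops[o.first_failed_hop]}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(HISTORY, HOPS)))
```

Feeding it live data means running a traceroute-style probe on a timer and appending one reply list per round; the analysis is the same. In the constructed history the two-round loss at the ISP gateway is the kind of evidence the paragraph above says is worth a thousand words, while round 5 shows why a single red hop with green hops beyond it should not be reported as a break.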

A PingPlotter display is interactive too. If there are a dozen hosts between you and a given website, maybe you only want to examine connectivity details with 4 hosts - yours, your ISP's gateway, your ISP's border, and the target server. You can selectively configure PingPlotter to show only those hosts, saving valuable screen space for other tasks. At any time, you can add any of the other hosts to the display, and the past history for those hosts will be visible too.

You can also vary the time scope of the display. You can look at an entire 48 hours in a 6 inch horizontal display, or zoom in on any 5 minutes, and look at those 5 minutes in detail. Or you can select any of 8 other scales in the display.

The paid version of PingPlotter can even be set to trigger alerts when certain definable network conditions occur, and to contact you by text messaging, or by email. So you need not be at your desk, watching the display, to be notified of a chronic problem.

All in all, PingPlotter is one network diagnostic that has a place in my toolbox. The paid version, PingPlotter Pro, is well worth the expense.


The Network Adapter Settings Wizard

The drivers for every network adapter produced allow various settings to be changed, to suit your idea of how you would like your network to perform. Modern network adapters let you change your settings through a wizard, generally accessed through the (Local Area) Connection Properties Wizard.

From the Connection Properties Wizard, hit Configure.

This gives you a whole array of selections, which will vary according to the vendor, and how the configuration driver, for your network adapter, is constructed.

My adapter here is a 3Com Etherlink XL 10/100. Your adapter, and the settings, may differ.

On the advanced tab, you will find most of the settings which will help you.


  • Media Type
    • 10M Full duplex
    • 10M Half duplex
    • 100M Full duplex
    • 100M Half duplex
    Most networks will work fine with Auto Select enabled. If your network is slow, it may be because of errors, caused by either network adapter, or by the cable / WiFi channel connecting the two. Changing it to 10M Half duplex may eliminate speed related errors, and stabilise things. Or, it may run better with 100M Full duplex explicitly enabled.
  • Network Address. Here you can change the MAC address.
  • If you change any of these settings, be prepared to restart the computer.

Consider carefully if the possible inconvenience is worth the minor power savings. Power consumption, by the typical desktop Ethernet NIC, is negligible. With a WiFi adapter on a portable computer, if the computer is running on battery power, this may not be the case. Consider both cases carefully.


Process Explorer

Microsoft Windows gives us the ability to run multiple processes simultaneously - it's called multitasking. Some processes we start intentionally - we call them applications or programs. Other processes are started by the system - we call them services. Keeping track of all of the processes running, at any time, is a major activity.

Microsoft gives us Task Manager, to track the processes. Task Manager lets us choose a total of 25 items that we can learn about each process. This is the original tool that you might use, in watching what your computer is doing.

SysInternals (now another division of Microsoft, but that's another story) gives us Process Explorer, which lets us choose, in a tabbed menu:

  • DLL - 15 items.
  • Handle - 6 items.
  • Process Image - 14 items.
  • Process Memory - 14 items.
  • Process Performance - 24 items.
  • Status Bar - 13 items.

There are 3 Process (Image, Memory, and Performance) tabs. The complement of 52 items selectable there is comparable to the complement of 25 items selectable for Task Manager.

Task Manager

This is how I use Task Manager.

You can choose any of 25 items here for display.

Process Explorer

This is how I use Process Explorer.

You can choose from 14 items in Process Image.

You can choose from 14 items in Process Memory.

You can choose from 24 items in Process Performance.

You can choose from 13 items in Status Bar.

You can choose from 15 items in DLL.

You can choose from 6 items in Handle.


