How to detect a network bot by unauthorized mail sending

Netstat is similar in intent to the tcpvcon version of tcpview. It is standard on most versions of Unix and has been around for decades; most versions of Windows have it as well. The main difference from tcpview is that netstat is a command line tool that takes a single snapshot of current connections.

In many versions of netstat, the most effective command line to use is:

netstat -nap

Which could, in the case of Darkmailer, show an active infection like this:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      1       SYN_SENT    12614/b.pl
tcp        0      0        ESTABLISHED 7996/ciwhcnsb.pl
tcp        0      0           TIME_WAIT   -
tcp        0      0       TIME_WAIT   -
tcp        0      0        TIME_WAIT   -
tcp        0      1         SYN_SENT    12270/nxhbo.pl
tcp        0      0        TIME_WAIT   -
tcp        0      1         SYN_SENT    9273/yzezihd.pl

The “:25” under “Foreign Address” indicates an outbound SMTP connection. “NNNN/name” under “PID/Program name” is the process ID and process name of the offending program. The large variety of “states” shows that it is starting up and shutting down connections very quickly.
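The manual check described above can be scripted: the following added example (not from the original article) filters a `netstat -nap` listing for processes with outbound connections to remote port 25 and reports any that are not a known mail transfer agent. It assumes the Linux net-tools column layout shown on the page; the sample listing, its addresses and the allowlist of MTA process names are constructed for the example.

```shell
#!/bin/sh
# Flag non-MTA processes that hold outbound SMTP (remote port 25) connections
# in `netstat -nap` output. Assumes the net-tools column order:
# Proto Recv-Q Send-Q Local-Address Foreign-Address State PID/Program-name

# Constructed sample listing: addresses are documentation ranges, process
# names mirror the page's infection example. Not real capture data.
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1201/master
tcp        0      1 192.0.2.10:41022        198.51.100.7:25         SYN_SENT    12614/b.pl
tcp        0      0 192.0.2.10:41023        198.51.100.8:25         ESTABLISHED 7996/ciwhcnsb.pl
tcp        0      0 192.0.2.10:41024        198.51.100.9:25         TIME_WAIT   -
tcp        0      1 192.0.2.10:41025        203.0.113.4:25          SYN_SENT    12270/nxhbo.pl
tcp        0      1 192.0.2.10:41026        203.0.113.5:25          SYN_SENT    12614/b.pl
tcp        0      0 192.0.2.10:51000        203.0.113.20:443        ESTABLISHED 2210/firefox
tcp        0      0 192.0.2.10:41030        203.0.113.6:25          ESTABLISHED 1201/master'

# Hypothetical allowlist of process names that are expected to speak SMTP
# from this host (the local MTA). Adjust to the host's real mail setup.
ALLOWED_MTA='master|sendmail|exim4'

# flag_smtp_senders: read netstat output on stdin and print
# "<connection count> <pid/program>" for every process that is not on the
# allowlist and has a connection whose foreign address ends in :25.
# Rows attributed to "-" (e.g. TIME_WAIT with no owning socket) are skipped.
flag_smtp_senders() {
    awk -v allow="$ALLOWED_MTA" '
        $1 == "tcp" && $5 ~ /:25$/ && $7 != "-" {
            split($7, parts, "/")             # parts[1]=PID, parts[2]=name
            if (parts[2] ~ ("^(" allow ")$")) next
            count[$7]++
        }
        END { for (p in count) print count[p], p }
    ' | LC_ALL=C sort -k2
}

# Stand-alone run: in practice pipe `netstat -nap` into the function.
printf '%s\n' "$SAMPLE" | flag_smtp_senders
```

A process that shows up here with a name such as `b.pl` or `nxhbo.pl`, and that is not the host's configured MTA, is the lead to investigate with `ps` and the filesystem.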