A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #17217  by whoknows
 Sun Dec 16, 2012 8:42 pm
Hi :),
I am working on analyzing botnets in different types of networks.
My question is, how does a bot realize that it has a public IP and not a private one? Does every bot have its own version of detection?
Thanks in advance! :)
 #17235  by whoknows
 Mon Dec 17, 2012 1:23 pm
I know how it can be done manually by the following methods:

- Compare the IP address of the current Ethernet interface with the IP address returned by web services like http://www.whatismyip.info

- TRACEROUTE or TRACERT and find the reply to the first packet!

But is there any other method than these above?
 #17241  by malaya_zemlya
 Mon Dec 17, 2012 8:06 pm
On most home or office computers your local IP will be something like 10.*.*.* or 192.168.*.*. A bot would be very lucky to land on a server with an external IP.
I think the easiest way is just to contact the C&C or some other external server and ask it what IP it sees.
You can also slightly vary the traceroute technique by looking at the contents of the returned ICMP Time Exceeded headers. By the standard, they should contain the IP header of the original packet.
If the TTL was exceeded after crossing the NAT, then the embedded IP should also be the public one.
 #17242  by Ormu
 Mon Dec 17, 2012 8:22 pm
These ranges are reserved for local network use, so seeing such an address means that the external address is something different:

192.168.x.y
10.x.y.z
172.16.0.0 - 172.31.255.255
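The three approaches raised in this thread (compare the interface address with what an external server reports, check it against the reserved ranges Ormu lists, and read the source address out of the IP header quoted inside an ICMP Time Exceeded reply as malaya_zemlya suggests) fit in one small script. This is an added example written for this page, not code from any of the posters or from any bot. The function names, the extra non-public blocks beyond RFC 1918 (loopback, link-local, the CGNAT block) and all addresses are assumptions; the sample ICMP reply is constructed inline from documentation ranges rather than captured, so nothing here touches the network.

```python
import ipaddress
import struct

# Address blocks that never appear on the public Internet. The three RFC 1918
# blocks are the ones Ormu lists; loopback, link-local and the CGNAT block
# (RFC 6598) are added here on the assumption that a bot should treat them
# the same way.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8",
    "172.16.0.0/12",
    "192.168.0.0/16",
    "127.0.0.0/8",
    "169.254.0.0/16",
    "100.64.0.0/10",
)]


def is_public(ip):
    """True if `ip` (dotted-quad string) lies outside every non-public block."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_PUBLIC)


def classify(local_ip, observed_ip):
    """Method 1 from the thread: compare the interface address with the address
    an external server (a whatismyip-style service, or the C&C) says it saw."""
    if local_ip == observed_ip:
        return "public" if is_public(local_ip) else "not-public"
    if not is_public(local_ip) and is_public(observed_ip):
        return "nat"                  # the usual home/office case
    if is_public(local_ip) and is_public(observed_ip):
        return "public-translated"    # public address, but traffic leaves via another one
    return "unknown"


def embedded_source(packet):
    """Method 2: pull the source address out of the IP header that a router quotes
    back inside an ICMP Time Exceeded message (RFC 792).

    `packet` is a full IPv4 packet as read from a raw socket:
    outer IP header | ICMP header (8 bytes) | quoted original IP header | ...
    Returns the quoted source as a string, or None if this is not a Time
    Exceeded message or is too short to carry a quoted header.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    outer_ihl = (packet[0] & 0x0F) * 4
    icmp = packet[outer_ihl:]
    if len(icmp) < 8 + 20 or icmp[0] != 11:      # ICMP type 11 = Time Exceeded
        return None
    quoted = icmp[8:]
    if quoted[0] >> 4 != 4:
        return None
    return str(ipaddress.IPv4Address(quoted[12:16]))   # source field of quoted header


def nat_verdict(local_ip, packet):
    """Combine the traceroute reply with the interface address."""
    src = embedded_source(packet)
    if src is None:
        return "no-quoted-header"
    if src == local_ip:
        # The hop that expired the TTL saw our own address: either we are
        # directly on the Internet, or that hop sits before the NAT.
        return "public" if is_public(local_ip) else "expired-before-nat"
    return "nat" if is_public(src) else "nat-to-non-public"


def _ipv4_header(src, dst, proto, total_len, ttl):
    """Minimal 20-byte IPv4 header (checksum left 0; nothing here verifies it)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def build_time_exceeded(router, translated_src, probe_dst):
    """Constructed sample: what a router past the NAT sends back when the probe's
    TTL hits zero. The quoted header carries the address the NAT rewrote in,
    not the LAN address the bot put on the wire."""
    quoted = _ipv4_header(translated_src, probe_dst, 1, 28, 1) \
        + struct.pack("!BBHHH", 8, 0, 0, 1, 1)              # ICMP echo, 8 bytes
    icmp = struct.pack("!BBHI", 11, 0, 0, 0) + quoted       # Time Exceeded, code 0
    return _ipv4_header(router, translated_src, 1, 20 + len(icmp), 64) + icmp


# Constructed addresses (documentation ranges): 192.168.1.20 is the bot's LAN
# address, 198.51.100.7 the NAT's public side, 203.0.113.1 the first Internet
# hop, 192.0.2.10 the traceroute target.
LOCAL_IP = "192.168.1.20"
SAMPLE_REPLY = build_time_exceeded("203.0.113.1", "198.51.100.7", "192.0.2.10")

if __name__ == "__main__":
    print(classify(LOCAL_IP, "198.51.100.7"))    # nat
    print(embedded_source(SAMPLE_REPLY))         # 198.51.100.7
    print(nat_verdict(LOCAL_IP, SAMPLE_REPLY))   # nat
```

The traceroute variant only tells you anything once the probe's TTL is large enough to expire on a hop beyond the NAT; a reply from the LAN gateway quotes the private address back unchanged, which is the `expired-before-nat` case above. Reading such replies on a real host needs a raw ICMP socket and the privileges that come with it.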