Top Ways to Fight Back Against Botnets
A botnet, i.e. a bot network (also known as a zombie army) is a network made up of a large number of computers that have been hijacked by malware to serve the whims of the hacker who unleashed it. By taking control of hundreds or thousands of computers, botnets are typically used to send out spam or viruses, steal personal data, or to stage DDoS attacks. They’re considered one of the biggest online threats today.
Where do botnets come from?
For your computer to be part of a botnet, it first needs to become infected with a type of malware that either contacts a remote server, or other infected computers in the network, to get instructions from whoever is controlling the botnet, which is typically hackers and criminals. Despite being grander in scope and scale, however, a botnet malware infection is no different from a typical malware infection.
How do you recognize botnets?
You can recognize a computer infected with a botnet in much in the same way as you can identify a computer infected with other types of malware. Signs include the computer running slowly, acting strangely, giving error messages or the fan starting up suddenly when the computer is idle. These are all possible symptoms of someone using your computer remotely as part of a bot network.
How Botnets Get into Your Company
There are several ways in which a botnet might initially enter your organization and spread throughout your infrastructure:
Email – An employee may open a malicious attachment or follow a link to a website containing malware.
Web-based – Employees may visit an infected website and download the botnet’s malicious software.
Social networking apps – A user may interact with a messaging app, link to a malicious website, and infect your network.
IoT – Any connected device is at risk, not just computers and mobile devices; a botnet attacked 25,000 connected CCTV cameras.
Here’s a list of a few ways you can safeguard your organization from Botnet attacks.
- Hire a Web-filtering service.
Web-filtering services are one of the best ways to fight bots. These services scan for Web sites exhibiting unusual behavior or known malicious activity and block those sites from users.
- Switch browsers
Another tactic to prevent bot infections is to standardize on a browser other than Internet Explorer or Mozilla Firefox, the two most popular and hence the browsers for which most malware is written. The same tactic works for operating systems. Macs statistically are safe from botnets, as is desktop Linux, because most bot herders target Windows.
- Disable scripts
A more extreme measure is to disable browsers from scripts altogether, though this could put a damper on productivity if employees use custom, Web-based applications in their work.
- Deploy intrusion-detection and intrusion-prevention systems
Another approach is to fine-tune your IDS (intrusion detection system) and IPS (intrusion detection and prevention system) to look for botlike activity. For example, any machine suddenly blasting away on Internet Relay Chat is certainly suspicious. Ditto those connecting to offshore IP addresses or illegitimate DNS addresses. Harder to notice, but another telltale sign, is a sudden uptake in SSL traffic on a machine, particularly in unusual ports. That could indicate a botnet-control channel has been activated. Look for machines routing e-mail to servers other than your own e-mail server. Botnet hunter Gadi Evron further suggests that you learn to watch for Web crawlers that operate at high “fetch levels.” Fetch levels activate all links located on a Web page, and a high level could indicate a machine is being sent to a malicious Web site.
An IPS monitors for behavior anomalies that indicate hard-to-spot HTTP-based attacks and those from remote-call-procedure, Telnet- and address-resolution-protocol spoofing, among others. Worth noting, however, is that many IPS sensors use signature-based detection, meaning that attacks are added to a database as they are discovered. The IPS must be updated regularly to recognize them, so after-the-fact detection will require ongoing effort.
- Protect user-generated content
Your own Web operations must also be protected from becoming unwitting accomplices to malware writers. Unless you are trying to become the next hip, Web 2.0 social network, your company’s public blogs and forums should be restricted to text-only entries, advises Michael Krieg, vice president of Web Crossing, maker of social-networking software and hosting services.
Dan Hubbard, vice president of security research at Websense, adds, “That is one of the big problems of user-created content sites, the Web 2.0 phenomenon. How do you balance the great functionality of allowing people to upload stuff but not allow them to upload anything bad?”
The answer is to be specific. If your site needs to let members swap files, it should be set to allow only limited and relatively safe file-types, those with .jpeg or .mp3 extensions, for instance. (Malware writers have begun to target the MP3 players themselves with worms, however).
- Use a remediation tool
If you do find an infected machine, the jury is out about how best to do remediation. Companies like Symantec assert they can detect and clean even the deepest rootkit infection. In Symantec’s case, it points to technology it acquired with Veritas, VxMS (Veritas Mapping Service), which lets the antivirus scanner bypass Windows File System APIs, which are controlled by the operating system and therefore vulnerable to manipulation by a rootkit. VxMS directly accesses raw Windows NT File System files. Other antivirus vendors trying to protect against rootkits include McAfee and FSecure. Their success has varied, given how inventive malware writers can be.
Yet Evron argues that detecting malware after the fact could really be a false scent — bait intended to make IT professionals believe they’ve scrubbed the PC while the real bot code remains hidden. “Antivirus is not a solution, because it is naturally reactive. The antivirus would have to recognize [the problem], and therefore the antivirus could have been manipulated,” he says.
This is not to say you shouldn’t try to implement the best rootkit fighter you can find in your antivirus software, just that you should be aware that doing so is a bit like buying a safe after your valuables have been stolen. Evron believes the only way to be sure that a machine is clean after bot malware is detected is to wipe it and start from scratch.
By not letting your users visit known malicious sites, monitoring your network for strange behaviors and defending your public sites from attacks, you’ll be in good shape, security experts unanimously agree.