Technology Bulletin

e-vol 92, Winter 2011


Botnets: How to Keep Your Systems Clean!

It used to be that an infected system was obvious. Your system crawled to a stop, or people (your entire address book) would ask, “Why are you sending me this?”

Botnets have a slightly different approach. Your system could get infected from a web site, an email, a video, any number of sources. If it slipped by your anti-virus/anti-spyware software, you will see nothing for days, weeks, months, even years. Then the signal is sent to ‘wake up’ the dormant software on your system. It may work overnight or in the background, but when it is activated, your system is part of a VERY large network that seeks to do harm. Really? Yes!

What is a Bot / Botnet?

A Bot is like a Trojan horse but instead of merely installing a key logger or password stealer (which it might still do anyway), a Bot gets your machine ready to work with other infected PCs, compelling them like zombies to all act together - in some ways like a very large computer.

A Botnet is a rogue network of compromised "zombie" PCs. But these zombies are not nearly as entertaining as those in the movie Zombieland, and are likely controlled by criminals.

Your machine can become infected if you visit a site and download tainted code disguised as a video. It can happen if you visit a site that has been compromised itself. A Bot can also piggyback on a ‘traditional’ virus or other piece of malware and install itself when that malware enters your system. Once a Bot infects your PC, it calls out to its command-and-control (CnC) server for instructions.

Why do they do it?

Spammers alone will pay big money to have a Bot blast their message to thousands of machines. Have you ever received emails from different sources for Canadian Pharmaceuticals mail order at rock bottom prices? If you have, and I am betting that either you or someone you know has, you have been a target of email from a Botnet.

Other Botnet attacks can be used to shut down commercial websites, or at the very least, generate so much traffic that people are unable to access the REAL website. In July 2009, thousands of Bot-infected computers attacked U.S. government websites including the Federal Trade Commission and the White House.

How Can I Detect Them?

In an enterprise environment, network appliances can watch for this traffic and proactively monitor and block it on the network. But what about smaller companies and home users? Is there a tool that will watch out for this traffic there? Yes, actually there is.

Many of the security companies now bundle monitoring with their anti-virus offerings. As with other forms of layered security software, there is also a standalone product: BotHunter (http://www.bothunter.net). It was the first, and many consider it still to be the best, network-based infection diagnosis system. In fact, it was BotHunter that first found Conficker before the anti-virus software did. It is kind of like the way Spybot Search and Destroy is often first with Malware and Spyware detection.
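To show the kind of traffic-watching described above in concrete terms, here is an added example that is not from the bulletin, from BotHunter, or from any vendor product: it reads a constructed outbound-connection log and flags hosts that contact one destination at near-fixed intervals, the "calling home" rhythm of a Bot checking in with its CnC server. The log format, addresses and thresholds are all assumptions for the illustration.

```python
# Added example (not from the Hagerman bulletin): flag hosts whose outbound
# connections to one destination recur at near-fixed intervals, the pattern
# of a dormant Bot checking in with its CnC server. Log format is constructed.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample firewall log lines: "time src dst:port"
# 10.0.0.12 checks in every ~5 minutes; 10.0.0.15 browses irregularly.
SAMPLE_LOG = """\
2011-11-14T09:00:03 10.0.0.12 203.0.113.7:8080
2011-11-14T09:00:41 10.0.0.15 198.51.100.20:443
2011-11-14T09:05:02 10.0.0.12 203.0.113.7:8080
2011-11-14T09:07:19 10.0.0.15 198.51.100.20:443
2011-11-14T09:10:04 10.0.0.12 203.0.113.7:8080
2011-11-14T09:15:03 10.0.0.12 203.0.113.7:8080
2011-11-14T09:19:55 10.0.0.15 198.51.100.20:443
2011-11-14T09:20:02 10.0.0.12 203.0.113.7:8080
2011-11-14T09:45:10 10.0.0.15 198.51.100.20:443
"""

def parse_log(text):
    """Return {(src, dst): [timestamps]} from the constructed log format."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows

def beacon_candidates(flows, min_hits=4, max_jitter=0.15):
    """Flag flows with at least min_hits connections whose gaps vary little.
    Jitter is the coefficient of variation (stdev / mean) of the gaps;
    a value near 0 means a clock-like check-in rather than human browsing."""
    flagged = {}
    for key, times in flows.items():
        times.sort()
        if len(times) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        jitter = pstdev(gaps) / mean(gaps)
        if jitter <= max_jitter:
            flagged[key] = round(mean(gaps))   # approximate check-in period
    return flagged

if __name__ == "__main__":
    for (src, dst), period in beacon_candidates(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst} every ~{period}s: possible CnC check-in")
```

A flagged host is a lead to investigate, not a verdict: legitimate software updaters also poll on a schedule, so compare the destination against known-good services before acting.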

Can The Battle Be Won?

YES! The week of November 11, 2011 saw one of the most significant victories ever in the ongoing fight against cyber crime: the DNS Changer Botnet was dismantled and seven people were charged. This was just another in a series of Botnet detections, locations and takedowns over the past two years. It took much longer for the security industry and the government authorities to find some answers than it did for hackers to move hundreds of steps ahead of them. It has been a long, grueling process, but since 2008 the good guys have been gaining momentum.

When the McColo Botnet was shut down, the impact was immediate - with a drop in Spam levels by as much as 80 per cent. Mariposa, which had infected around 13 million PCs, and Mega-D were the first major Botnets to fall after the McColo operation. Waledac was next, followed by Bredolab in 2010, bringing down two massively powerful Botnets surreptitiously controlling tens of millions of machines. This year, Coreflood, which had compromised millions of Windows machines, was taken out by the FBI. Then in March, Rustock was toppled and again, a massive drop in spam was recorded following the takedown. Finally in October 2011, the Kelihos Botnet was terminated, and legal action was taken against 24 individuals in connection with the case. Now, the published reports show another victory with the takedown of the DNS Changer Botnet in the first two weeks of November 2011.

How was it possible to draw together all the resources from different companies to make this happen?

Microsoft to the rescue?

Yes! To bring the different sides together, the security industry needed a big player to step up and not only coordinate the effort, but to interject its sizable resources. Microsoft did just that when it took on the role of chief Botnet slayer.

While Microsoft has not always been popular with everyone, it has been the linchpin in many significant battles against Botnets. Microsoft was responsible for drawing together industry players and law enforcement in smashing Waledac, Rustock and Kelihos. They have all worked together and have formed part of Project Microsoft Active Response for Security (MARS), which has one goal: “To annihilate Botnets and help make the internet a safer place”.

Microsoft has used its sizable resources to go after Botnets and it has worked. The MARS team has worked with a host of security companies, including Kaspersky and FireEye, to share information relating to infections.

In the case of destroying Kelihos, Kaspersky loaned Microsoft its live Botnet tracking system. The Russian company also led the operation to reverse-engineer the Bot malware, crack the communication protocol and develop tools to take apart the Botnet’s peer-to-peer infrastructure. It was another truly communal effort.

The Mariposa and DNS Changer takedowns did not involve Microsoft, but Microsoft has shown what is possible when everyone cooperates and others have subsequently proven that point: the simple act of sharing is the key to identifying Botnets and successfully destroying them.

What’s next?

As always, make sure your system and your anti-virus are up to date. Same for anti-malware, and you might just want to make sure you add a Botnet detection layer to your bag of tricks.

If you have questions or comments about this article, contact me. JohnBoline@hagerman.com

All product names / logos, company names / logos are copyrights of their respective holders. John Boline is an MCSE, MCTS, CNE, USE, a member of the Network Professional Association and the Microsoft Partner Research Panel. The content herein is often based on late-breaking events. Much of the material is based on information from sources that are believed to be reliable. Hagerman & Company, Inc. disclaims all warranties as to the ultimate accuracy or completeness of the information. Hagerman & Company, Inc. and its employees shall have no liability for errors, omissions or inadequacies in the information contained within this article or for any interpretations thereof. The recommendations, positions and best practice policies outlined herein represent Hagerman & Company, Inc.’s initial analysis and therefore are subject to change as further information which may have bearing on these positions is made available. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice. Hagerman & Company, Inc. assumes no obligation to update the forward-looking statements made in this newsletter to reflect any change in circumstances after the date of publication. Entire contents © 2011, Hagerman & Company, Inc. All rights reserved. Reproduction of this publication in any form without prior written permission is forbidden.