
Untying the Bot Knot

How to tell if your machine is moonlighting on a botnet, the dangers that presents, and what you can (and can't) do about it

You've heard the horror stories of botnet armies recruiting machines by the tens of thousands to help them spread spam and malware and commit crime. But what if your desktop computer, or your corporate user's machine, is living a dual life as a bot? And how can you tell?

It isn't easy to detect whether your machine has been "zombified," especially with botnet operators working harder to camouflage their activity via different command and control channels. (See Botnets Don Invisibility Cloaks.)

"It's never been easy to detect if you're infected with a bot, and it's getting harder and harder," says Johannes Ullrich, chief technology officer for defense at SANS Internet Storm Center. "A lot of bots are being used against smaller groups -- they may be attacking a university, for instance. And a lot of these never make it into antivirus signatures because they are not [widespread] enough and keep changing all the time."

Trend Micro estimates that 100 million machines worldwide are working as bots for the bad guys, and 15 million of them are active at any one point in time. That's about 7 percent of all computers, says Paul Moriarty, director of product development at Trend Micro. Other estimates are higher, at around 11 percent, but security experts say there's no way to know for sure how many machines are botnet-infected.

Broadband home users and corporate road warriors and telecommuters, out of the protective arms of the physical corporate backbone, are most at risk. Traveling users are the weakest link for Fortune 500 companies, says Mark Loveless, security architect for Vernier Networks.

"They're hooking up their laptops to get stuff done," Loveless says. "Some may resort to their home habits back in the hotel, visiting gambling sites or porn sites from a company machine, so they have a greater chance of getting infected. That and whatever stupid decision they [these users] make with wireless are the biggest thing Fortune 500 has to deal with."

Chances are, however, that most home users and road warriors won't know their machine has been zombified, and they may never know unless their ISP notifies them or, in the worst case, their bank account gets drained.

"Now we're starting to see more botnets that are stealth by design," says André M. Di Mino, a director of The Shadowserver Foundation. "The better hidden the malware or infection can remain, the better it is. Unfortunately for the user, they can't always tell when they've been infected."

There are clues, albeit subtle in most cases, that your machine is taking commands from a botnet. The most obvious symptom -- your machine slowing down -- could easily be attributed to something else; you could chalk it up to the new screensaver you installed. So a user may not realize that the CPU cycles are instead being consumed by files being created on the machine, ports being opened, and the machine scanning other machines to recruit them or sending spam, Di Mino says.

"It's all happening behind the scenes."

Aside from performance problems, another sign of a botnet infection can be when the "transmit" and "receive" lights on your broadband router are active more than usual. "They're not going to be lit up and solid or blinking constantly" if your machine is healthy, Loveless says.

"If you're seeing tons of traffic going by, something may be going on." And if you get an unusual message, such as an application trying to get onto the network and asking if you want to allow it, beware: "If it's iTunes, that's okay," but otherwise, be suspicious, he warns.

Most other ways to detect a botnet infection require a little technical know-how, which explains why most zombie machines belong to home users rather than to enterprises, which have IT security watching their backs. Studying your firewall logs can tip you off that something is amiss, security experts say: look for signs that you're being scanned on a number of ports from the same IP address, for activity on the botnet's favorite command-and-control channel, Internet Relay Chat (IRC) on port 6667, or for any outbound traffic to odd ports.

You can also track botnets with an IDS/IPS, or with sniffer tools and protocol analyzers such as Wireshark. Many of these tools let you "see" when a bot downloads executables from the botnet server and pings the master to signal its availability, say, every 30 seconds, notes researcher LMH, who studies botnets. "It would be easy to detect rogue transmissions by actively inspecting the transmitted information."
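As an added example (not from the article or any vendor mentioned in it), the following Python script applies the three firewall-log checks described above to a constructed log: one source address probing many ports, outbound connections to IRC port 6667 or to other unexpected ports, and repeated check-ins to one server at a steady interval such as every 30 seconds. The iptables-style log format, the expected-port list and the thresholds are assumptions, not anything the article specifies.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev
# Constructed iptables-style log (not from the article): scan, HTTPS, 30 s IRC beacon, odd port.
SAMPLE_LOG = """\
10:00:00 IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.1.20 PROTO=TCP SPT=40001 DPT=21
10:00:00 IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.1.20 PROTO=TCP SPT=40002 DPT=22
10:00:01 IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.1.20 PROTO=TCP SPT=40003 DPT=135
10:00:02 IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.1.20 PROTO=TCP SPT=40004 DPT=445
10:00:03 IN= OUT=eth0 SRC=192.168.1.20 DST=198.51.100.44 PROTO=TCP SPT=51001 DPT=6667
10:00:05 IN= OUT=eth0 SRC=192.168.1.20 DST=198.51.100.7 PROTO=TCP SPT=51000 DPT=443
10:00:33 IN= OUT=eth0 SRC=192.168.1.20 DST=198.51.100.44 PROTO=TCP SPT=51002 DPT=6667
10:00:40 IN= OUT=eth0 SRC=192.168.1.20 DST=198.51.100.80 PROTO=TCP SPT=51003 DPT=9001
10:01:03 IN= OUT=eth0 SRC=192.168.1.20 DST=198.51.100.44 PROTO=TCP SPT=51004 DPT=6667
10:01:33 IN= OUT=eth0 SRC=192.168.1.20 DST=198.51.100.44 PROTO=TCP SPT=51005 DPT=6667
"""
LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d) IN=(\S*) OUT=(\S*) SRC=(\S+) DST=(\S+) "
                     r"PROTO=\S+ SPT=\d+ DPT=(\d+)$")
EXPECTED_OUTBOUND = {25, 53, 80, 110, 143, 443, 993, 995}  # assumed site policy

def parse(log):  # turn matching lines into event dicts; other formats are skipped
    events = []
    for line in log.splitlines():
        if m := LINE_RE.match(line):
            h, mi, s, in_if, out_if, src, dst, dpt = m.groups()
            events.append({"t": int(h) * 3600 + int(mi) * 60 + int(s), "src": src,
                           "dst": dst, "dpt": int(dpt), "inbound": out_if == ""})
    return events

def scan_sources(events, min_ports=4):
    """Inbound sources that probed at least min_ports distinct ports: a port scan."""
    ports = defaultdict(set)
    for e in events:
        if e["inbound"]:
            ports[e["src"]].add(e["dpt"])
    return sorted(src for src, p in ports.items() if len(p) >= min_ports)

def odd_outbound(events, expected=EXPECTED_OUTBOUND):
    """Outbound connections to IRC (6667) or to any port outside the expected set."""
    return sorted({(e["dst"], e["dpt"]) for e in events
                   if not e["inbound"] and (e["dpt"] == 6667 or e["dpt"] not in expected)})

def beacons(events, min_hits=4, max_jitter=2.0):
    """(dst, port, mean gap) for outbound connections repeating at a steady interval."""
    times = defaultdict(list)
    for e in [e for e in events if not e["inbound"]]:
        times[(e["dst"], e["dpt"])].append(e["t"])
    gaps = {k: [b - a for a, b in zip(sorted(ts), sorted(ts)[1:])]
            for k, ts in times.items() if len(ts) >= min_hits}
    return [(dst, dpt, round(mean(g), 1)) for (dst, dpt), g in gaps.items() if pstdev(g) <= max_jitter]
```

On the constructed log this reports the scanning address, the two unexpected destinations, and a 30-second beacon to the port-6667 server; the benign HTTPS connection is not flagged.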

Perhaps the biggest incentive to all of this detection work is the inherent danger being a bot can pose. Your data, personal information, and passwords are all at risk of being stolen, especially if the botnet installs a keylogger on the bot. And a bot-infected user could find the FBI kicking down his door if his PC is implicated in a child pornography case, or another criminal act, experts say.

Still, botnets today are mostly used for spam -- 60 percent, according to Trend Micro's Moriarty -- so the biggest risk of being a bot is getting blacklisted for sending spam.

Even after a bot "cleanup" with Trend Micro's, the attacker may still have your passwords in hand, so always assume your data is at risk if your machine was a bot.

There's no way to guarantee your machine won't become a bot, but practicing good computer hygiene is really the only defense, security experts say. Keep your operating system and applications up to date with the latest patches, don't visit risky Websites (think porn and gambling), be suspicious of email attachments from strangers, and run antivirus and antispyware scans regularly (keeping in mind AV alone can't find all malware).

And look out for Web traps, such as unusual Google search results, says Joe Stewart, a senior security researcher with SecureWorks. Search results that are out of context or contain a page path that has the same search parameters you used in your search could be malware waiting to infect your machine and recruit you as a bot. "Don't click on suspicious search results," he says.

— Kelly Jackson Higgins, Senior Editor, Dark Reading
