Attacks/Breaches

1/8/2007
07:18 AM

Untying the Bot Knot

How to tell if your machine is moonlighting on a botnet, the dangers that presents, and what you can (and can't) do about it

You've heard the horror stories of botnet armies recruiting machines by the tens of thousands to help them spread spam and malware and commit crime. But what if your desktop computer, or your corporate user's machine, is living a dual life as a bot? And how can you tell?

It isn't easy to detect whether your machine has been "zombified," especially with botnet operators working harder to camouflage their activity via different command and control channels. (See Botnets Don Invisibility Cloaks.)

"It's never been easy to detect if you're infected with a bot, and it's getting harder and harder," says Johannes Ullrich, chief technology officer for defense at SANS Internet Storm Center. "A lot of bots are being used against smaller groups -- they may be attacking a university, for instance. And a lot of these never make it into antivirus signatures because they are not [widespread] enough and keep changing all the time."

Trend Micro estimates that 100 million machines worldwide are working as bots for the bad guys, and 15 million of them are active at any one point in time. That's about 7 percent of all computers, says Paul Moriarty, director of product development at Trend Micro. Other estimates are higher, at around 11 percent, but security experts say there's no way to know for sure how many machines are botnet-infected.

Broadband home users and corporate road warriors and telecommuters, out of the protective arms of the physical corporate backbone, are most at risk. Traveling users are the weakest link for Fortune 500 companies, says Mark Loveless, security architect for Vernier Networks.

"They're hooking up their laptops to get stuff done," Loveless says. "Some may resort to their home habits back in the hotel, visiting gambling sites or porn sites from a company machine, so they have a greater chance of getting infected. That and whatever stupid decision they [these users] make with wireless are the biggest thing Fortune 500 has to deal with."

Chances are, however, that most home users and road warriors won't know their machine has been zombified, and they may never know unless their ISP notifies them or, in the worst case, their bank account gets drained.

"Now we're starting to see more botnets that are stealth by design," says André M. Di Mino, a director of The Shadowserver Foundation. "The better hidden the malware or infection can remain, the better it is. Unfortunately for the user, they can't always tell when they've been infected."

There are clues, albeit subtle in most cases, that your machine is taking commands from a botnet. But the most obvious symptom -- your machine slowing down -- could easily be attributed to something else. You could chalk it up to the new screensaver you installed, so a user may not realize that the CPU cycles are instead being consumed by files being created on the machine, ports being opened, and the machine scanning other machines to recruit them or drop spam, Di Mino says.

"It's all happening behind the scenes."

Aside from performance problems, another sign of a botnet infection can be when the "transmit" and "receive" lights on your broadband router are active more than usual. "They're not going to be lit up and solid or blinking constantly" if your machine is healthy, Loveless says.

"If you're seeing tons of traffic going by, something may be going on." And if you get an unusual message, such as an application trying to get onto the network and asking if you want to allow it, beware: "If it's iTunes, that's okay," but otherwise, be suspicious, he warns.

Most other ways to detect botnet infection require a little technical know-how, which explains why most zombie machines belong to home users rather than to enterprises, which have IT security watching their backs. Studying your firewall logs can tip you off that something is amiss, security experts say: look for a single IP address scanning you on a number of ports, for activity on the botnet's favorite command-and-control channel, Internet Relay Chat (IRC, TCP port 6667 by default), or for any outbound traffic to odd ports.

You can also track botnets with IDS/IPS, for instance, or with sniffer tools or protocol analyzers like Wireshark. Many of these tools let you "see" when a bot downloads executables from the botnet server and pings the master to signal its availability, say, every 30 seconds, notes researcher LMH, who studies botnets. "It would be easy to detect rogue transmissions by actively inspecting the transmitted information."
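As an added example (not code from the article or from any of the vendors it quotes), the following Python script applies the firewall-log checks described in the two paragraphs above to a batch of log lines: one source probing many ports on one host, outbound connections to the IRC port, outbound connections to ports a desktop normally has no business talking to, and fixed-interval check-ins to a single host that look like a bot reporting to its master every 30 seconds. The log format is a constructed approximation of Linux netfilter (iptables LOG target) output with an ISO timestamp in front; the sample log, the 192.168.1.0/24 LAN prefix, the list of expected outbound ports, and the thresholds are all assumptions for the demo and should be adjusted to your own firewall and environment.

```python
"""Hunt for botnet clues in firewall log lines.

Added example, not from the article. Log format is a constructed
approximation of netfilter LOG output prefixed with an ISO timestamp:
    2007-01-08T07:20:00 IN= OUT=eth0 SRC=... DST=... PROTO=TCP SPT=... DPT=...
Adapt parse_line() for your own firewall.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

LAN_PREFIX = "192.168.1."                       # assumed local network
EXPECTED_OUTBOUND_PORTS = {25, 53, 80, 110, 123, 143, 443, 993, 995}  # assumed
IRC_PORTS = {6667}                              # the C&C port the article names
SCAN_THRESHOLD = 10                             # distinct ports probed by one source
BEACON_MIN_HITS = 4                             # connections before calling it a beacon
BEACON_MAX_CV = 0.10                            # max std/mean of inter-arrival gaps

KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return {ts, dir, src, dst, proto, dpt} for one log line, or None."""
    ts_str, _, rest = line.partition(" ")
    try:
        ts = datetime.fromisoformat(ts_str)
    except ValueError:
        return None
    kv = dict(KV_RE.findall(rest))
    if "SRC" not in kv or "DST" not in kv or "DPT" not in kv:
        return None
    # Outbound means our address is the source and the packet leaves via OUT=.
    outbound = kv["SRC"].startswith(LAN_PREFIX) and bool(kv.get("OUT"))
    return {"ts": ts, "dir": "out" if outbound else "in", "src": kv["SRC"],
            "dst": kv["DST"], "proto": kv.get("PROTO", "?"), "dpt": int(kv["DPT"])}


def analyze(lines):
    """Return a sorted, de-duplicated list of finding tuples."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    findings = set()

    # 1. Inbound scan: one source hitting many distinct ports on one host.
    probed = defaultdict(set)
    for e in events:
        if e["dir"] == "in":
            probed[(e["src"], e["dst"])].add(e["dpt"])
    for (src, dst), ports in probed.items():
        if len(ports) >= SCAN_THRESHOLD:
            findings.add(("portscan", src, dst, len(ports)))

    # 2/3. Outbound traffic to the IRC C&C port, or to any unexpected port.
    for e in events:
        if e["dir"] != "out":
            continue
        if e["dpt"] in IRC_PORTS:
            findings.add(("irc_c2", e["src"], e["dst"], e["dpt"]))
        elif e["dpt"] not in EXPECTED_OUTBOUND_PORTS:
            findings.add(("odd_port", e["src"], e["dst"], e["dpt"]))

    # 4. Beaconing: outbound connections to one host:port at a steady interval.
    series = defaultdict(list)
    for e in events:
        if e["dir"] == "out":
            series[(e["src"], e["dst"], e["dpt"])].append(e["ts"])
    for (src, dst, dpt), stamps in series.items():
        if len(stamps) < BEACON_MIN_HITS:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= BEACON_MAX_CV:
            findings.add(("beacon", src, dst, dpt, round(mean)))
    return sorted(findings)


# Constructed sample log: an external host sweeps 12 ports on the desktop,
# the desktop then checks in with 198.51.100.9 on 6667 every 30 s and fetches
# something from the same host on 8080, mixed with normal DNS and HTTPS.
SCAN_PORTS = [21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 1433, 3389]
SAMPLE_LOG = [
    f"2007-01-08T07:18:{i:02d} IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.20 "
    f"PROTO=TCP SPT=45{i:02d} DPT={p}" for i, p in enumerate(SCAN_PORTS)
] + [
    "2007-01-08T07:19:05 IN= OUT=eth0 SRC=192.168.1.20 DST=192.168.1.1 PROTO=UDP SPT=1031 DPT=53",
    "2007-01-08T07:19:12 IN= OUT=eth0 SRC=192.168.1.20 DST=93.184.216.34 PROTO=TCP SPT=1032 DPT=443",
    "2007-01-08T07:20:00 IN= OUT=eth0 SRC=192.168.1.20 DST=198.51.100.9 PROTO=TCP SPT=1040 DPT=6667",
    "2007-01-08T07:20:30 IN= OUT=eth0 SRC=192.168.1.20 DST=198.51.100.9 PROTO=TCP SPT=1041 DPT=6667",
    "2007-01-08T07:21:00 IN= OUT=eth0 SRC=192.168.1.20 DST=198.51.100.9 PROTO=TCP SPT=1042 DPT=6667",
    "2007-01-08T07:21:30 IN= OUT=eth0 SRC=192.168.1.20 DST=198.51.100.9 PROTO=TCP SPT=1043 DPT=6667",
    "2007-01-08T07:22:00 IN= OUT=eth0 SRC=192.168.1.20 DST=198.51.100.9 PROTO=TCP SPT=1044 DPT=6667",
    "2007-01-08T07:22:15 IN= OUT=eth0 SRC=192.168.1.20 DST=198.51.100.9 PROTO=TCP SPT=1045 DPT=8080",
    "2007-01-08T07:23:40 IN= OUT=eth0 SRC=192.168.1.20 DST=93.184.216.34 PROTO=TCP SPT=1046 DPT=443",
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

On the sample log the script reports the 12-port scan from 203.0.113.7, the outbound IRC connections and the 8080 download from 198.51.100.9, and a 30-second beacon to 198.51.100.9:6667, while the DNS and HTTPS lines stay quiet. The beacon test is deliberately simple (a low coefficient of variation on inter-connection gaps); real bots often add jitter, so raise BEACON_MAX_CV or look at the distribution of gaps rather than a single cutoff when tuning it against your own traffic.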

Perhaps the biggest incentive for all of this detection work is the danger that being a bot poses. Your data, personal information, and passwords are all at risk of being stolen, especially if the botnet installs a keylogger on the bot. And a bot-infected user could find the FBI kicking down his door if his PC is implicated in a child pornography case or another criminal act, experts say.

Still, botnets today are mostly used for spam -- 60 percent, according to Trend Micro's Moriarty -- so the most likely consequence of being a bot is getting your address blacklisted for sending spam.

Even after a bot "cleanup" with Trend Micro's housecall.com, the attacker may still have your passwords in hand, so always assume your data is at risk if your machine was a bot, and change any credentials used on it from a machine you trust.

There's no way to guarantee your machine won't become a bot, but practicing good computer hygiene is really the only defense, security experts say. Keep your operating system and applications up to date with the latest patches, don't visit risky Websites (think porn and gambling), be suspicious of email attachments from strangers, and run antivirus and antispyware scans regularly (keeping in mind AV alone can't find all malware).

And look out for Web traps, such as unusual Google search results, says Joe Stewart, a senior security researcher with SecureWorks. Search results that are out of context or contain a page path that has the same search parameters you used in your search could be malware waiting to infect your machine and recruit you as a bot. "Don't click on suspicious search results," he says.

— Kelly Jackson Higgins, Senior Editor, Dark Reading
