07:18 AM

Untying the Bot Knot

How to tell if your machine is moonlighting on a botnet, the dangers that presents, and what you can (and can't) do about it

You've heard the horror stories of botnet armies recruiting machines by the tens of thousands to help them spread spam and malware and commit crime. But what if your desktop computer, or your corporate user's machine, is living a dual life as a bot? And how can you tell?

It isn't easy to detect whether your machine has been "zombified," especially with botnet operators working harder to camouflage their activity via different command and control channels. (See Botnets Don Invisibility Cloaks.)

"It's never been easy to detect if you're infected with a bot, and it's getting harder and harder," says Johannes Ullrich, chief technology officer for defense at SANS Internet Storm Center. "A lot of bots are being used against smaller groups -- they may be attacking a university, for instance. And a lot of these never make it into antivirus signatures because they are not [widespread] enough and keep changing all the time."

Trend Micro estimates that 100 million machines worldwide are working as bots for the bad guys, and 15 million of them are active at any one point in time. That's about 7 percent of all computers, says Paul Moriarty, director of product development at Trend Micro. Other estimates are higher, at around 11 percent, but security experts say there's no way to know for sure how many machines are botnet-infected.

Broadband home users, corporate road warriors, and telecommuters, outside the protective arms of the physical corporate backbone, are most at risk. Traveling users are the weakest link for Fortune 500 companies, says Mark Loveless, security architect for Vernier Networks.

"They're hooking up their laptops to get stuff done," Loveless says. "Some may resort to their home habits back in the hotel, visiting gambling sites or porn sites from a company machine, so they have a greater chance of getting infected. That and whatever stupid decision they [these users] make with wireless are the biggest thing Fortune 500 has to deal with."

Chances are, however, that most home users and road warriors won't know their machine has been zombified, and won't ever find out unless their ISP notifies them or, worst case, their bank account gets drained.

"Now we're starting to see more botnets that are stealth by design," says André M. Di Mino, a director of The Shadowserver Foundation. "The better hidden the malware or infection can remain, the better it is. Unfortunately for the user, they can't always tell when they've been infected."

There are clues, albeit subtle in most cases, that your machine is taking commands from a botnet. But the most obvious symptom -- your machine slowing down -- could easily be attributed to something else. You could chalk it up to the new screensaver you installed. So a user may not realize that the CPU cycles are actually being consumed by files being created on their machine, ports being opened, and their machine scanning other machines to recruit them or to drop spam, Di Mino says.

"It's all happening behind the scenes."

Aside from performance problems, another sign of a botnet infection can be when the "transmit" and "receive" lights on your broadband router are active more than usual. "They're not going to be lit up and solid or blinking constantly" if your machine is healthy, Loveless says.

"If you're seeing tons of traffic going by, something may be going on." And if you get an unusual message, such as an application trying to get onto the network and asking if you want to allow it, beware: "If it's iTunes, that's okay," but otherwise, be suspicious, he warns.

Most other ways to detect botnet infection require a little technology know-how, which explains why most zombie machines belong to home users and not to enterprises, which have IT security watching their backs. Studying your firewall logs can help tip you off that something is amiss, security experts say: look for signs that you're being scanned on a number of ports from the same IP address, for activity on the botnet's favorite command-and-control channel, Internet Relay Chat (IRC) on port 6667, or for any outbound traffic to odd ports.

You can also track botnets with an IDS/IPS, or with sniffer tools and protocol analyzers like Wireshark. Many of these tools let you "see" when a bot downloads executables from the botnet server and pings the master to signal its availability, say, every 30 seconds, notes researcher LMH, who studies botnets. "It would be easy to detect rogue transmissions by actively inspecting the transmitted information."
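To put the two preceding paragraphs into practice, here is an added example, written for this page rather than taken from the article or any of the vendors it quotes. It runs the three checks described above over a constructed connection log: one source touching many local ports (a scan), outbound flows to IRC port 6667 or to ports outside an assumed allow-list, and outbound connections to the same host repeating at a near-constant interval, the 30-second "ping to the master" LMH describes. The log format, the IP addresses, the thresholds and the port allow-list are all assumptions made for the example.

```python
# Added example: three botnet tell-tales in a simple connection log.
# Log lines are constructed, in an assumed "timestamp dir src:port dst:port" form.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

ALLOWED_OUTBOUND_PORTS = {53, 80, 443, 993, 995}   # assumed normal for a desktop
IRC_PORTS = {6667}                                  # the C&C channel the article names

SAMPLE_LOG = """\
2007-05-01T10:00:01 in  203.0.113.7:40001 192.168.1.10:21
2007-05-01T10:00:01 in  203.0.113.7:40002 192.168.1.10:22
2007-05-01T10:00:01 in  203.0.113.7:40003 192.168.1.10:23
2007-05-01T10:00:02 in  203.0.113.7:40004 192.168.1.10:25
2007-05-01T10:00:02 in  203.0.113.7:40005 192.168.1.10:80
2007-05-01T10:00:02 in  203.0.113.7:40006 192.168.1.10:135
2007-05-01T10:00:03 in  203.0.113.7:40007 192.168.1.10:139
2007-05-01T10:00:03 in  203.0.113.7:40008 192.168.1.10:445
2007-05-01T10:00:05 out 192.168.1.10:50001 93.184.216.34:443
2007-05-01T10:00:40 out 192.168.1.10:50002 93.184.216.34:443
2007-05-01T10:01:00 out 192.168.1.10:50003 198.51.100.9:6667
2007-05-01T10:01:30 out 192.168.1.10:50004 198.51.100.9:6667
2007-05-01T10:02:00 out 192.168.1.10:50005 198.51.100.9:6667
2007-05-01T10:02:13 out 192.168.1.10:50006 93.184.216.34:443
2007-05-01T10:02:30 out 192.168.1.10:50007 198.51.100.9:6667
2007-05-01T10:03:00 out 192.168.1.10:50008 198.51.100.9:6667
2007-05-01T10:03:30 out 192.168.1.10:50009 198.51.100.9:6667
2007-05-01T10:04:00 out 192.168.1.10:50010 198.51.100.20:31337
"""


def parse_log(text):
    """Turn the constructed log text into a list of flow records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, direction, src, dst = line.split()
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        records.append({"ts": datetime.fromisoformat(ts), "dir": direction,
                        "src": src_ip, "sport": int(src_port),
                        "dst": dst_ip, "dport": int(dst_port)})
    return records


def find_scanners(records, min_ports=8):
    """Inbound sources that touched at least min_ports distinct local ports."""
    ports_by_src = defaultdict(set)
    for r in records:
        if r["dir"] == "in":
            ports_by_src[r["src"]].add(r["dport"])
    return {src: sorted(ports) for src, ports in ports_by_src.items()
            if len(ports) >= min_ports}


def find_odd_outbound(records):
    """Outbound (dst, port) pairs on IRC or outside the allow-list, with a reason."""
    findings = {}
    for r in records:
        if r["dir"] != "out":
            continue
        key = (r["dst"], r["dport"])
        if r["dport"] in IRC_PORTS:
            findings[key] = "irc"
        elif r["dport"] not in ALLOWED_OUTBOUND_PORTS:
            findings[key] = "unexpected-port"
    return findings


def find_beacons(records, min_flows=5, max_jitter=0.1):
    """Outbound (dst, port) pairs contacted at a near-constant interval.

    Returns the mean gap in seconds for each pair whose gaps vary by at most
    max_jitter (relative standard deviation) across at least min_flows flows.
    """
    times = defaultdict(list)
    for r in records:
        if r["dir"] == "out":
            times[(r["dst"], r["dport"])].append(r["ts"])
    beacons = {}
    for key, ts_list in times.items():
        if len(ts_list) < min_flows:
            continue
        ts_list.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = avg
    return beacons


def analyse(text):
    """Run all three checks and return their findings keyed by check name."""
    records = parse_log(text)
    return {"scanners": find_scanners(records),
            "odd_outbound": find_odd_outbound(records),
            "beacons": find_beacons(records)}


if __name__ == "__main__":
    for check, hits in analyse(SAMPLE_LOG).items():
        print(check, hits)
```

On the constructed log, the scan check names 203.0.113.7 (eight local ports in three seconds), the port check flags both the IRC session and the single connection to port 31337, and the beacon check reports the 6667 host at a 30-second cadence while leaving the irregular HTTPS traffic alone. A real deployment would read the firewall's own export format and tune the thresholds to the host's normal traffic; the jitter tolerance matters because real bots rarely check in with clock-perfect regularity.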

Perhaps the biggest incentive for all of this detection work is the inherent danger that being a bot poses. Your data, personal information, and passwords are all at risk of being stolen, especially if the botnet installs a keylogger on the bot. And a bot-infected user could find the FBI kicking down his door if his PC is implicated in a child pornography case or another criminal act, experts say.

Still, botnets today are mostly used for spam -- 60 percent, according to Trend Micro's Moriarty -- so the biggest risk of being a bot is getting blacklisted for sending spam.

Even after a bot "cleanup" with Trend Micro's, the attacker may still have your passwords in hand, so always assume your data is at risk if your machine was a bot.

There's no way to guarantee your machine won't become a bot, but practicing good computer hygiene is really the only defense, security experts say. Keep your operating system and applications up to date with the latest patches, don't visit risky Websites (think porn and gambling), be suspicious of email attachments from strangers, and run antivirus and antispyware scans regularly (keeping in mind AV alone can't find all malware).

And look out for Web traps, such as unusual Google search results, says Joe Stewart, a senior security researcher with SecureWorks. Search results that are out of context or contain a page path that has the same search parameters you used in your search could be malware waiting to infect your machine and recruit you as a bot. "Don't click on suspicious search results," he says.

— Kelly Jackson Higgins, Senior Editor, Dark Reading
