Untying the Bot Knot

How to tell if your machine is moonlighting on a botnet, the dangers that presents, and what you can (and can't) do about it

You've heard the horror stories of botnet armies recruiting machines by the tens of thousands to help them spread spam and malware and commit crime. But what if your desktop computer, or your corporate user's machine, is living a dual life as a bot? And how can you tell?

It isn't easy to detect whether your machine has been "zombified," especially with botnet operators working harder to camouflage their activity via different command and control channels. (See Botnets Don Invisibility Cloaks.)

"It's never been easy to detect if you're infected with a bot, and it's getting harder and harder," says Johannes Ullrich, chief technology officer for defense at SANS Internet Storm Center. "A lot of bots are being used against smaller groups -- they may be attacking a university, for instance. And a lot of these never make it into antivirus signatures because they are not [widespread] enough and keep changing all the time."

Trend Micro estimates that 100 million machines worldwide are working as bots for the bad guys, and 15 million of them are active at any one point in time. That's about 7 percent of all computers, says Paul Moriarty, director of product development at Trend Micro. Other estimates are higher, at around 11 percent, but security experts say there's no way to know for sure how many machines are botnet-infected.

Broadband home users, along with corporate road warriors and telecommuters working outside the protective arms of the physical corporate network, are most at risk. Traveling users are the weakest link for Fortune 500 companies, says Mark Loveless, security architect for Vernier Networks.

"They're hooking up their laptops to get stuff done," Loveless says. "Some may resort to their home habits back in the hotel, visiting gambling sites or porn sites from a company machine, so they have a greater chance of getting infected. That and whatever stupid decision they [these users] make with wireless are the biggest thing Fortune 500 has to deal with."

Chances are, however, that most home users and road warriors won't know their machine has been zombified, nor will they ever know unless their ISP notifies them or, in the worst case, their bank account gets drained.

"Now we're starting to see more botnets that are stealth by design," says André M. Di Mino, a director of The Shadowserver Foundation. "The better hidden the malware or infection can remain, the better it is. Unfortunately for the user, they can't always tell when they've been infected."

There are clues, albeit subtle ones in most cases, that your machine is taking commands from a botnet. But the most obvious symptom -- your machine slowing down -- could easily be attributed to something else. You could chalk it up to the new screensaver you installed. So a user may not realize that the CPU cycles are instead being consumed by files being created on the machine, ports being opened, and the machine scanning other machines to recruit them or sending spam, Di Mino says.

"It's all happening behind the scenes."

Aside from performance problems, another sign of a botnet infection can be when the "transmit" and "receive" lights on your broadband router are active more than usual. "They're not going to be lit up and solid or blinking constantly" if your machine is healthy, Loveless says.

"If you're seeing tons of traffic going by, something may be going on." And if you get an unusual message, such as an application trying to get onto the network and asking if you want to allow it, beware: "If it's iTunes, that's okay," but otherwise, be suspicious, he warns.

Most other ways to detect a botnet infection require a little technical know-how, which explains why most zombie machines belong to home users rather than enterprises that have IT security watching their backs. Studying your firewall logs can tip you off that something is amiss, security experts say: look for signs that you're being scanned on a number of ports from the same IP address, for activity on the botnet's favorite command-and-control channel, Internet Relay Chat (IRC) on port 6667, or for any outbound traffic to odd ports.

You can also track botnets with IDS/IPS, or with sniffer tools or protocol analyzers like Wireshark. Many of these tools let you "see" when a bot downloads executables from the botnet server and pings the master to announce its availability, say, every 30 seconds, notes researcher LMH, who studies botnets. "It would be easy to detect rogue transmissions by actively inspecting the transmitted information."
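The three firewall-log heuristics described above (many ports probed from one source IP, outbound connections to IRC port 6667, and a bot checking in with its master on a fixed interval), as an added example that is not from the article or from any tool it names: a small Python checker run over constructed sample log lines in an assumed `<epoch> <in|out> <src>:<port> -> <dst>:<port>` format.

```python
import re
from collections import defaultdict
from statistics import pstdev
# Constructed sample firewall log (not from the article); assumed format: <epoch> <in|out> <src>:<sport> -> <dst>:<dport>
SAMPLE_LOG = """\
1000 in  203.0.113.9:40001 -> 192.0.2.5:22
1001 in  203.0.113.9:40002 -> 192.0.2.5:23
1002 in  203.0.113.9:40003 -> 192.0.2.5:135
1003 in  203.0.113.9:40004 -> 192.0.2.5:139
1004 in  203.0.113.9:40005 -> 192.0.2.5:445
1010 out 192.0.2.5:51000 -> 198.51.100.7:6667
1040 out 192.0.2.5:51001 -> 198.51.100.7:6667
1070 out 192.0.2.5:51002 -> 198.51.100.7:6667
1100 out 192.0.2.5:51003 -> 198.51.100.7:6667
1050 out 192.0.2.5:51004 -> 93.184.216.34:443
"""
LINE_RE = re.compile(r"^(\d+)\s+(in|out)\s+([\d.]+):\d+\s+->\s+([\d.]+):(\d+)$")
def parse(log):
    """Return (ts, direction, src_ip, dst_ip, dst_port) tuples for well-formed lines."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, d, sip, dip, dport = m.groups()
            events.append((int(ts), d, sip, dip, int(dport)))
    return events
def find_port_scans(events, min_ports=5):
    """Inbound: one remote IP probing many distinct local ports -> set of scanner IPs."""
    ports = defaultdict(set)
    for _, d, sip, _, dport in events:
        if d == "in":
            ports[sip].add(dport)
    return {ip for ip, p in ports.items() if len(p) >= min_ports}
def find_irc_c2(events, irc_ports=(6667,)):
    """Outbound connections to IRC ports, the classic bot command-and-control channel."""
    return {dip for _, d, _, dip, dport in events if d == "out" and dport in irc_ports}
def find_beacons(events, min_hits=4, max_jitter=2.0):
    """Outbound check-ins to one host:port at a near-constant interval -> {(host, port): seconds}."""
    times = defaultdict(list)
    for ts, d, _, dip, dport in events:
        if d == "out":
            times[(dip, dport)].append(ts)
    found = {}
    for key, ts in times.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if len(ts) >= min_hits and pstdev(gaps) <= max_jitter:
            found[key] = round(sum(gaps) / len(gaps))  # mean check-in interval in seconds
    return found
```

On the sample data the scanner, the IRC server and the 30-second beacon are all flagged, while the single HTTPS connection is not; on real logs the thresholds and the port list are the knobs to tune, since a busy legitimate host will also produce regular outbound traffic.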

Perhaps the biggest incentive to all of this detection work is the inherent danger being a bot can pose. Your data, personal information, and passwords are all at risk of being stolen, especially if the botnet installs a keylogger on the bot. And a bot-infected user could find the FBI kicking down his door if his PC is implicated in a child pornography case, or another criminal act, experts say.

Still, botnets today are mostly used for spam -- 60 percent, according to Trend Micro's Moriarty -- so the biggest risk of being a bot is getting blacklisted for sending spam.

Even after a bot "cleanup" with Trend Micro's housecall.com, the attacker may still have your passwords in hand, so always assume your data is at risk if your machine was a bot.

There's no way to guarantee your machine won't become a bot, but practicing good computer hygiene is really the only defense, security experts say. Keep your operating system and applications up to date with the latest patches, don't visit risky Websites (think porn and gambling), be suspicious of email attachments from strangers, and run antivirus and antispyware scans regularly (keeping in mind AV alone can't find all malware).

And look out for Web traps, such as unusual Google search results, says Joe Stewart, a senior security researcher with SecureWorks. Search results that are out of context or contain a page path that has the same search parameters you used in your search could be malware waiting to infect your machine and recruit you as a bot. "Don't click on suspicious search results," he says.

— Kelly Jackson Higgins, Senior Editor, Dark Reading
