Untying the Bot Knot

How to tell if your machine is moonlighting on a botnet, the dangers that presents, and what you can (and can't) do about it

You've heard the horror stories of botnet armies recruiting machines by the tens of thousands to help them spread spam and malware and commit crime. But what if your desktop computer, or your corporate user's machine, is living a dual life as a bot? And how can you tell?

It isn't easy to detect whether your machine has been "zombified," especially with botnet operators working harder to camouflage their activity via different command and control channels. (See Botnets Don Invisibility Cloaks.)

"It's never been easy to detect if you're infected with a bot, and it's getting harder and harder," says Johannes Ullrich, chief technology officer for defense at SANS Internet Storm Center. "A lot of bots are being used against smaller groups -- they may be attacking a university, for instance. And a lot of these never make it into antivirus signatures because they are not [widespread] enough and keep changing all the time."

Trend Micro estimates that 100 million machines worldwide are working as bots for the bad guys, and 15 million of them are active at any one point in time. That's about 7 percent of all computers, says Paul Moriarty, director of product development at Trend Micro. Other estimates are higher, at around 11 percent, but security experts say there's no way to know for sure how many machines are botnet-infected.

Broadband home users and corporate road warriors and telecommuters, out of the protective arms of the physical corporate backbone, are most at risk. Traveling users are the weakest link for Fortune 500 companies, says Mark Loveless, security architect for Vernier Networks.

"They're hooking up their laptops to get stuff done," Loveless says. "Some may resort to their home habits back in the hotel, visiting gambling sites or porn sites from a company machine, so they have a greater chance of getting infected. That and whatever stupid decision they [these users] make with wireless are the biggest thing Fortune 500 has to deal with."

Chances are, however, most home users and road warriors may not know their machine has been zombified, nor will they ever know unless their ISP notifies them, or worst case, if their bank account gets drained.

"Now we're starting to see more botnets that are stealth by design," says André M. Di Mino, a director of The Shadowserver Foundation. "The better hidden the malware or infection can remain, the better it is. Unfortunately for the user, they can't always tell when they've been infected."

There are clues, albeit subtle in most cases, that your machine is taking commands from a botnet. But the most obvious symptom -- your machine slowing down -- could easily be attributed to something else. You could chalk it up to the new screensaver you installed. So a user may not realize that the CPU cycles are instead being strained by files being created on their machine, ports being opened, and their machine scanning other machines to recruit them or to drop spam, Di Mino says.

"It's all happening behind the scenes."

Aside from performance problems, another sign of a botnet infection can be when the "transmit" and "receive" lights on your broadband router are active more than usual. "They're not going to be lit up and solid or blinking constantly" if your machine is healthy, Loveless says.

"If you're seeing tons of traffic going by, something may be going on." And if you get an unusual message, such as an application trying to get onto the network and asking if you want to allow it, beware: "If it's iTunes, that's okay," but otherwise, be suspicious, he warns.

Most other ways to detect botnet infection require a little technology know-how, which explains why most zombie machines belong to home users and not enterprises that have IT security watching their backs. Security experts say several things in your firewall logs can tip you off that something is amiss: signs that you're being scanned on a number of ports from the same IP address, activity on port 6667, used by Internet Relay Chat (IRC), the botnet's favorite method of command and control, or any outbound traffic to odd ports.

You can also track botnets with IDS/IPS or with sniffer tools and protocol analyzers like Wireshark. Many of these tools let you "see" when a bot downloads executables from the botnet server and pings the master to signal its availability, say, every 30 seconds, notes researcher LMH, who studies botnets. "It would be easy to detect rogue transmissions by actively inspecting the transmitted information."
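The log checks described above (one source probing many ports, outbound IRC on port 6667, outbound traffic to odd ports, and a check-in at a fixed interval) can be sketched in a few lines of Python. This is an added example, not code from the article or its sources; the log format, addresses, port allowlist and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

IRC_PORT = 6667                        # IRC command-and-control port named in the article
EXPECTED_OUT = {25, 53, 80, 110, 443}  # assumption: ports this host normally talks to
SCAN_PORTS = 5                         # assumption: distinct ports from one source = scan

# Constructed sample log (hypothetical format): "time direction src dst dst_port"
SAMPLE_LOG = """\
12:00:01 IN 203.0.113.9 192.168.1.20 21
12:00:01 IN 203.0.113.9 192.168.1.20 22
12:00:02 IN 203.0.113.9 192.168.1.20 23
12:00:02 IN 203.0.113.9 192.168.1.20 135
12:00:03 IN 203.0.113.9 192.168.1.20 445
12:00:10 OUT 192.168.1.20 198.51.100.7 6667
12:00:17 OUT 192.168.1.20 192.0.2.10 443
12:00:40 OUT 192.168.1.20 198.51.100.7 6667
12:01:10 OUT 192.168.1.20 198.51.100.7 6667
12:01:12 OUT 192.168.1.20 192.0.2.10 443
12:01:41 OUT 192.168.1.20 198.51.100.7 6667
12:02:00 OUT 192.168.1.20 198.51.100.50 31337
"""

def analyze(log_text):
    scans, times, findings = defaultdict(set), defaultdict(list), []
    for line in log_text.splitlines():
        stamp, direction, src, dst, port = line.split()
        if direction == "IN":
            scans[src].add(int(port))          # ports probed per remote source
        else:
            times[(dst, int(port))].append(datetime.strptime(stamp, "%H:%M:%S"))
    for src, ports in scans.items():
        if len(ports) >= SCAN_PORTS:
            findings.append(("scan", src, len(ports)))
    for (dst, port), seen in times.items():
        if port == IRC_PORT:
            findings.append(("irc", dst, port))
        elif port not in EXPECTED_OUT:
            findings.append(("odd-port", dst, port))
        gaps = [(b - a).total_seconds() for a, b in zip(seen, seen[1:])]
        # Regular check-ins: at least 3 gaps with little jitter around the mean
        if len(gaps) >= 3 and pstdev(gaps) <= 0.1 * mean(gaps):
            findings.append(("beacon", dst, round(mean(gaps))))
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

A real firewall log needs its own parser in place of `line.split()`, and the allowlist and thresholds should be tuned to the host's normal traffic.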

Perhaps the biggest incentive to all of this detection work is the inherent danger being a bot can pose. Your data, personal information, and passwords are all at risk of being stolen, especially if the botnet installs a keylogger on the bot. And a bot-infected user could find the FBI kicking down his door if his PC is implicated in a child pornography case, or another criminal act, experts say.

Still, botnets today are mostly used for spam -- 60 percent, according to Trend Micro's Moriarty -- so the biggest risk of being a bot is getting blacklisted for sending spam.

Even after a bot "cleanup" with Trend Micro's housecall.com, the attacker may still have your passwords in hand, so always assume your data is at risk if your machine was a bot.

There's no way to guarantee your machine won't become a bot, but practicing good computer hygiene is really the only defense, security experts say. Keep your operating system and applications up to date with the latest patches, don't visit risky Websites (think porn and gambling), be suspicious of email attachments from strangers, and run antivirus and antispyware scans regularly (keeping in mind AV alone can't find all malware).

And look out for Web traps, such as unusual Google search results, says Joe Stewart, a senior security researcher with SecureWorks. Search results that are out of context or contain a page path that has the same search parameters you used in your search could be malware waiting to infect your machine and recruit you as a bot. "Don't click on suspicious search results," he says.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.
