informa
/
Risk
News

Big, Fat Bot-Ache

Even the most diligent and hygienic users can lose their machines to a botnet

5:15 PM -- Okay, so you've run an antivirus scan and the report says your machine is clean. But your laptop is still sporadically slow, and you're getting a little nervous that your machine has been captured as a bot. (See Untying the Bot Knot and Botnets Don Invisibility Cloaks.)

The mere fact that you diligently investigate the performance anomaly is good. Security experts say AV scanning is one way to keep bot infection at bay. But a clean AV report doesn't equal a bot-free machine. Joe Stewart, a senior security researcher for SecureWorks and a botnet expert, says AV software only finds 80 percent of new malware. "AV isn't useless, but you can't rely on it [alone] anymore."

Stewart says botnet operators are using malware that is expert at taking over a machine and making sure that rogue code stays there, with secret backdoors that help repel deletion. The only sure-fire way to beat the bot is to -- sit down, this isn't pleasant -- wipe your hard drive and re-install your OS and apps.

Say what?

"In some cases, AV might have a signature for it [the botnet's malware], so it might clean it up and be done with it," Stewart says. "But sometimes it gets to be a situation where it's more time- and cost-effective to reformat and start all over again."

That's what Mark Loveless, security architect for Vernier Networks, does. Loveless, a.k.a. "simple nomad," wipes the slate clean by reloading his system every six months or so, often to coincide with a new major Linux release. "I reload my system from scratch," he says. "I backup my data, wipe, and reload."

If the thought of a re-installation gives you heartburn, you could always just wait for your ISP to alert you that your machine is zombified. Yeah, right. Most ISPs just don't have the resources (or some cases, the incentive) to bash bots, Stewart and other researchers say. "If it's not affecting them, the ISP is happy to let [bots] continue," he says. "They are not going to seek them out."

And those ISPs that do try to kill bots can take a long time to do so. Trend Micro recently gave a large ISP in France a list of a half-million infected bot machines, and the ISP, which Trend Micro won't name, has been remediating only five machines a day, says Paul Moriarty, director of product development for Trend Micro. "The challenge for the security industry is to provide ISPs the tools do this in an automated way, or to give users the tools to clean themselves up."

So for now, you're mostly on your own, which is exactly what the botnet operators are hoping. Many home users don't even bother updating their AV software, much less scan regularly for malware. Vernier Networks' Loveless believes that at some point, botnet operators will run out of machines to zombify, so they will start going more aggressively after one another's armies of bots: They already do try to take over one another's machines today.

"That's why you started seeing some use of zero-days," Loveless claims, and if that gets them a few thousand more machines, it's worth it. "The aggressive ones are going to win at this," he says. "They have to think of new and innovative ways to get their crap on people's computers."

Better start reloading.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

  • SecureWorks Inc.
  • Trend Micro Inc.
  • Vernier Networks Inc.
  • Recommended Reading:
    Editors' Choice
    Kirsten Powell, Senior Manager for Security & Risk Management at Adobe
    Joshua Goldfarb, Director of Product Management at F5