Researcher Attempts To Dispel Damaging Botnet Myth

Enterprises that assume botnets use a single form of malware are the ones being bitten, researcher says
A common misconception that a botnet uses a single piece of malware to infect its victims has kept many enterprises from properly protecting their client machines. So a researcher is trying to set them straight by shedding light on the actual relationship between the botnet operator and bot malware.

Gunter Ollmann, vice president of research for Damballa, points out that because many enterprises think a single malware type corresponds with a single botnet, they assume that if they are protected from that specific malware, then they are safe. But in actuality, botnets do not necessarily have a one-to-one relationship with one type of malware, he says.

"[Enterprises] see that they have a signature for an updated signature to Zeus, [for example], for cleanup. They roll out that file to all of their hosts and believe they are covered against the Zeus botnet," Ollmann says. "However, two days or a week later, they find they have a new infection of Zeus, and they are left wondering why that file didn't stop the detection and clean it up."

Zeus is an example of a wildly popular family of bot malware that can be built with a commercially available, do-it-yourself malware creation kit. But not every infection of Zeus -- or Conficker -- is under the command and control (C&C) of the same botnet operator, Ollmann says. Botnet operators don't always use one family of malware, either.

"[Enterprises] see a lot of media reports of some 6 million [or so] Conficker hosts...but in reality it's not a single operator [behind those] infections," he says. "There are multiple operators behind multiple Conficker adaptations."

Ollmann says such a misunderstanding about botnets has contributed to the steady rate of bots in large enterprises. "They can be the most sophisticated and elite technical customers, yet when we deploy our detection technologies, we're seeing 3 to 7 percent of hosts in their networks with botnet infestations," Ollmann says -- a number that has remained fairly constant during the past couple of years. "If you look at how big these [organizations] are, with hundreds of thousands of users, 3 to 7 percent is [a lot]."

Another big reason for the corporate botnet problem is that remediation still lags in enterprises. "They are trying to fit botnet detection into their security workflow," Ollmann says. "The botnet threat is so complex today and so multifaceted that no single blocking technique exists...Enterprises haven't yet mastered dynamically applying security controls to multiple defenses at the same time."

Ollmann has published a paper (PDF) that attempts to dispel the myth that one botnet equals one piece of malware. One botnet operator can use multiple variants of the same family of malware, and multiple botnet operators can use the same DIY bot kit to build their own bot agents that report to their own C&Cs. So the same bot software can be used for multiple botnets, for example.

The best overall defense against botnets is protection at the network layer, Ollmann says, especially when it comes to more sophisticated botnets. "More sophisticated botnet operators use multiple kits: Zeus, Sinowal, for example, to infect hosts. But they use the same C&C to the same controlling systems, so your best defense is to detect the C&C," Ollmann says.

That entails deploying firewalls and IPSes to block IP addresses, and URL filtering via a proxy or content filter to catch HTTP-based botnet infections, he says. "Botnet operators are deliberately using multiple types of malware and multiple construction kits so that if any one particular vector is shut down, they still have other bots in the enterprise that are controllable," Ollmann says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Recommended Reading: