Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


11:59 AM
Connect Directly

Researcher Attempts To Dispel Damaging Botnet Myth

Enterprises that assume botnets use a single form of malware are the ones being bitten, researcher says

A common misconception that a botnet uses a single piece of malware to infect its victims has kept many enterprises from properly protecting their client machines. So a researcher is trying to set them straight by shedding light on the actual relationship between the botnet operator and bot malware.

Gunter Ollmann, vice president of research for Damballa, points out that because many enterprises think a single malware type corresponds with a single botnet, they assume that if they are protected from that specific malware, then they are safe. But in actuality, botnets do not necessarily have a one-to-one relationship with one type of malware, he says.

"[Enterprises] see that they have a signature for an updated signature to Zeus, [for example], for cleanup. They roll out that file to all of their hosts and believe they are covered against the Zeus botnet," Ollmann says. "However, two days or a week later, they find they have a new infection of Zeus, and they are left wondering why that file didn't stop the detection and clean it up."

Zeus is an example of a wildly popular family of bot malware that can be built with a commercially available, do-it-yourself malware creation kit. But not every infection of Zeus -- or Conficker -- is under the command and control (C&C) of the same botnet operator, Ollmann says. Botnet operators don't always use one family of malware, either.

"[Enterprises] see a lot of media reports of some 6 million [or so] Conficker hosts...but in reality it's not a single operator [behind those] infections," he says. "There are multiple operators behind multiple Conficker adaptations."

Ollmann says such a misunderstanding about botnets has contributed to the steady rate of bots in large enterprises. "They can be the most sophisticated and elite technical customers, yet when we deploy our detection technologies, we're seeing 3 to 7 percent of hosts in their networks with botnet infestations," Ollmann says -- a number that has remained fairly constant during the past couple of years. "If you look at how big these [organizations] are, with hundreds of thousands of users, 3 to 7 percent is [a lot]."

Another big reason for the corporate botnet problem is that remediation still lags in enterprises. "They are trying to fit botnet detection into their security workflow," Ollmann says. "The botnet threat is so complex today and so multifaceted that no single blocking technique exists...Enterprises haven't yet mastered dynamically applying security controls to multiple defenses at the same time."

Ollmann has published a paper (PDF) that attempts to dispel the myth that one botnet equals one piece of malware. One botnet operator can use multiple variants of the same family of malware, and multiple botnet operators can use the same DIY bot kit to build their own bot agents that report to their own C&Cs. So the same bot software can be used for multiple botnets, for example.

The best overall defense against botnets is protection at the network layer, Ollmann says, especially when it comes to more sophisticated botnets. "More sophisticated botnet operators use multiple kits: Zeus, Sinowal, for example, to infect hosts. But they use the same C&C to the same controlling systems, so your best defense is to detect the C&C," Ollmann says.

That entails deploying firewalls and IPSes to block IP addresses, and URL filtering via a proxy or content filter to catch HTTP-based botnet infections, he says. "Botnet operators are deliberately using multiple types of malware and multiple construction kits so that if any one particular vector is shut down, they still have other bots in the enterprise that are controllable," Ollmann says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Stop Defending Everything
Kevin Kurzawa, Senior Information Security Auditor,  2/12/2020
Small Business Security: 5 Tips on How and Where to Start
Mike Puglia, Chief Strategy Officer at Kaseya,  2/13/2020
5 Common Errors That Allow Attackers to Go Undetected
Matt Middleton-Leal, General Manager and Chief Security Strategist, Netwrix,  2/12/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-02-18
In FreeBSD 12.0-RELEASE before 12.0-RELEASE-p13, a missing check in the ipsec packet processor allows reinjection of an old packet to be accepted by the ipsec endpoint. Depending on the higher-level protocol in use over ipsec, this could allow an action to be repeated.
PUBLISHED: 2020-02-18
In FreeBSD 12.1-STABLE before r357213, 12.1-RELEASE before 12.1-RELEASE-p2, 12.0-RELEASE before 12.0-RELEASE-p13, 11.3-STABLE before r357214, and 11.3-RELEASE before 11.3-RELEASE-p6, URL handling in libfetch with URLs containing username and/or password components is vulnerable to a heap buffer over...
PUBLISHED: 2020-02-18
bodymen before 1.1.1 is vulnerable to Prototype Pollution. The handler function could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload.
PUBLISHED: 2020-02-18
dot-object before 2.1.3 is vulnerable to Prototype Pollution. The set function could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload.
PUBLISHED: 2020-02-18
All versions of component-flatten are vulnerable to Prototype Pollution. The a function could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload.