Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


11:59 AM
Connect Directly

Researcher Attempts To Dispel Damaging Botnet Myth

Enterprises that assume botnets use a single form of malware are the ones being bitten, researcher says

A common misconception that a botnet uses a single piece of malware to infect its victims has kept many enterprises from properly protecting their client machines. So a researcher is trying to set them straight by shedding light on the actual relationship between the botnet operator and bot malware.

Gunter Ollmann, vice president of research for Damballa, points out that because many enterprises think a single malware type corresponds with a single botnet, they assume that if they are protected from that specific malware, then they are safe. But in actuality, botnets do not necessarily have a one-to-one relationship with one type of malware, he says.

"[Enterprises] see that they have a signature for an updated signature to Zeus, [for example], for cleanup. They roll out that file to all of their hosts and believe they are covered against the Zeus botnet," Ollmann says. "However, two days or a week later, they find they have a new infection of Zeus, and they are left wondering why that file didn't stop the detection and clean it up."

Zeus is an example of a wildly popular family of bot malware that can be built with a commercially available, do-it-yourself malware creation kit. But not every infection of Zeus -- or Conficker -- is under the command and control (C&C) of the same botnet operator, Ollmann says. Botnet operators don't always use one family of malware, either.

"[Enterprises] see a lot of media reports of some 6 million [or so] Conficker hosts...but in reality it's not a single operator [behind those] infections," he says. "There are multiple operators behind multiple Conficker adaptations."

Ollmann says such a misunderstanding about botnets has contributed to the steady rate of bots in large enterprises. "They can be the most sophisticated and elite technical customers, yet when we deploy our detection technologies, we're seeing 3 to 7 percent of hosts in their networks with botnet infestations," Ollmann says -- a number that has remained fairly constant during the past couple of years. "If you look at how big these [organizations] are, with hundreds of thousands of users, 3 to 7 percent is [a lot]."

Another big reason for the corporate botnet problem is that remediation still lags in enterprises. "They are trying to fit botnet detection into their security workflow," Ollmann says. "The botnet threat is so complex today and so multifaceted that no single blocking technique exists...Enterprises haven't yet mastered dynamically applying security controls to multiple defenses at the same time."

Ollmann has published a paper (PDF) that attempts to dispel the myth that one botnet equals one piece of malware. One botnet operator can use multiple variants of the same family of malware, and multiple botnet operators can use the same DIY bot kit to build their own bot agents that report to their own C&Cs. So the same bot software can be used for multiple botnets, for example.

The best overall defense against botnets is protection at the network layer, Ollmann says, especially when it comes to more sophisticated botnets. "More sophisticated botnet operators use multiple kits: Zeus, Sinowal, for example, to infect hosts. But they use the same C&C to the same controlling systems, so your best defense is to detect the C&C," Ollmann says.

That entails deploying firewalls and IPSes to block IP addresses, and URL filtering via a proxy or content filter to catch HTTP-based botnet infections, he says. "Botnet operators are deliberately using multiple types of malware and multiple construction kits so that if any one particular vector is shut down, they still have other bots in the enterprise that are controllable," Ollmann says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/17/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-09-19
In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
PUBLISHED: 2020-09-18
A cleartext storage of sensitive information in Nextcloud Desktop Client 2.6.4 gave away information about used proxies and their authentication credentials.
PUBLISHED: 2020-09-18
Prototype pollution in json-bigint npm package < 1.0.0 may lead to a denial-of-service (DoS) attack.
PUBLISHED: 2020-09-18
Improper Input Validation on Citrix ADC and Citrix Gateway 13.0 before 13.0-64.35, Citrix ADC and NetScaler Gateway 12.1 before 12.1-58.15, Citrix ADC 12.1-FIPS before 12.1-55.187, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.12, Citrix SD-WAN WANOP 11....
PUBLISHED: 2020-09-18
Citrix ADC and Citrix Gateway 13.0 before 13.0-64.35, Citrix ADC and NetScaler Gateway 12.1 before 12.1-58.15, Citrix ADC 12.1-FIPS before 12.1-55.187, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.12, Citrix SD-WAN WANOP 11.2 before 11.2.1a, Citrix SD-W...