The Threat of Bots and Botnets

Twelve cyber security veterans, with significant knowledge about emerging attack patterns, worked together to compile a list of the attacks most likely to cause substantial damage during 2008. Participants included Stephen Northcutt, Ed Skoudis, Marc Sachs, Johannes Ullrich, Tom Liston, Eric Cole, Eugene Schultz, Rohit Dhamankar, Amit Yoran, Howard Schmidt, Will Pelgrin, and Alan Paller. The SANS Institute recently published their consensus list; I’ll be discussing each of these issues as they relate to small business.

2. Increasing Sophistication And Effectiveness In Botnets

First of all, I probably have to begin with a couple of definitions. A bot (a shortening of “robot”) is software written to exploit a specific vulnerability found in an application or operating system of a microcomputer, typically a Microsoft Windows workstation. A bot is similar to a virus in that we say a machine is infected with a bot; once infected, the bot listens for instructions from the Internet for activities to perform on the infected computer. These activities may further compromise the stability of the computer or its ability to maintain confidentiality, or introduce additional trojans, viruses, or worms to the PC. A botnet, meanwhile, is a network of bots that are interrelated and communicate with each other on a peer-to-peer basis or on a master/slave basis. Bots can perform automated tasks by relaying instructions to each other, or can receive instructions from a “bot master” who then orchestrates activities against the infected computers.

In September 2007, Symantec reported over 2,000 botnet-related security incidents in 81 of the Fortune 500 companies. Symantec reported that up to 30 percent of its customers experienced a bot-related incident in September (http://www.darkreading.com/document.asp?doc_id=137602).
Trend Micro, in October 2006, announced that many thousands of computers in the US government were suspected of being infected by bots and botnets (http://www.informationweek.com/news/showArticle.jhtml?articleID=193104896). And in 2007, the Storm Worm (a bot) accounted for one out of every 12 infections on the Internet.

Bots can be used to launch DoS and DDoS attacks (Denial of Service and Distributed Denial of Service attacks), launch additional viruses and worms, act as a file transfer repository for downloading software (often pirated) over peer-to-peer file sharing networks, serve as tools to capture information from websites illegally, gobble up concert tickets the moment they go on sale on the web, or relay spam.

Obviously, bots and botnets have been very successful and will continue to be a direct threat. What is of concern to many security professionals:

Existing bots and botnets may go undetected and could become platforms for deploying more sophisticated and harmful malware.

Bots are becoming increasingly sophisticated and automated, self-directed, even artificially intelligent, using fuzzy logic to make decisions.

Bots may sometimes be perceived as beneficial programs and are thus not targeted by anti-malware solutions.

What is of concern to the small business is that their computers may (unwittingly) be compromised and used as part of a botnet. Users will gladly download tools from websites that add features to their computing experience without realizing the danger. The additional traffic load from bot activity may bog down Internet bandwidth and slow the Internet to a crawl for a small business, or steal processor time away from legitimate applications on their PCs, causing PC performance to slow or lag as well. Further, there is the criminal aspect to this problem: unknowingly, assets of the small business may be used to conduct illegal activity, store illegal or pirated content, or channel illegal traffic.

A couple of strategies for the small business:

1. Install practical safeguards. Install and maintain a commercial anti-virus/anti-spyware solution on all microcomputers and servers. Avoid freeware solutions like Panda and AVG – they’re not comprehensive and may lend a false sense of security. Once installed, set them to auto-update.

2. Update your Internet browser. Update to the latest version of Internet browser and implement its anti-phishing and spyware tools.

3. Set a management policy and educate your staff. Using policies, prohibit the downloading of unauthorized software from the Internet and incorporate that understanding into your Acceptable Use Policies. Use technical controls to reinforce this restriction.

4. Quarterly scans. Perform quarterly scans on your network servers and workstations. If you can’t afford a comprehensive protection suite like McAfee or Norton, Microsoft offers a one-time free scan (http://www.microsoft.com/protect/products/computer/safetyscanner.mspx). Norton has a watered-down feature from 360 called AntiBot that is less expensive and provides protection and detection (http://www.symantec.com/norton/theme.jsp?themeid=botnet).

5. Patch your firewall. Have a competent technician tune and patch your firewall to detect and block bot traffic; ask for recommendations on replacing your firewall hardware.

As for technical strategies, bots tend to use blended threats: they will open FTP, HTTP, DNS, and IRC connections and transmit a lot of bogus AUTH protocol responses. The frequency of connections and the source and destination IPs should make sense to the local administrator. Bots will open backdoors on workstations and potentially SAP their infected status to other infected machines, generating still more excess traffic. Specific ports can be filtered by the firewall, shielded by a NAT mapping, or blocked by restrictive ACL settings. IDS solutions like Snort, or a localized sniffer like HijackThis!, can be used to spot malicious transmissions or suspect TSRs (terminate-and-stay-resident programs) hanging around in memory.
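As an added example (not code from the original post), here is a small Python check a local administrator could run over exported firewall connection logs to surface the two signs described above: outbound connections on ports associated with bot command channels (IRC, FTP) and a single workstation repeatedly hitting the same destination. The log format and all addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample firewall log (not from the original post):
# time  src-ip  dst-ip  dst-port  proto  action
SAMPLE_LOG = """\
09:00:01 192.168.1.20 203.0.113.5 80 TCP ALLOW
09:00:02 192.168.1.21 198.51.100.9 6667 TCP ALLOW
09:00:03 192.168.1.20 203.0.113.5 443 TCP ALLOW
09:00:04 192.168.1.21 198.51.100.9 6667 TCP ALLOW
09:00:05 192.168.1.22 192.0.2.77 21 TCP ALLOW
09:00:06 192.168.1.21 198.51.100.9 6667 TCP ALLOW
09:00:07 192.168.1.23 203.0.113.5 80 TCP ALLOW
09:00:08 192.168.1.21 198.51.100.9 6667 TCP ALLOW
09:00:09 192.168.1.21 198.51.100.9 6667 TCP ALLOW
"""

# Ports the post associates with bot command and file-drop channels (assumed list).
SUSPECT_PORTS = {6667: "IRC", 6697: "IRC over TLS", 21: "FTP"}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+) (\S+)$")


def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, dport, proto, action = m.groups()
            yield {"ts": ts, "src": src, "dst": dst, "dport": int(dport),
                   "proto": proto, "action": action}


def find_suspects(text, repeat_threshold=4):
    """Return one finding per (src, dst, port) that uses a suspect port or
    repeats at least repeat_threshold times (a beaconing pattern)."""
    counts = defaultdict(int)
    for rec in parse_log(text):
        counts[(rec["src"], rec["dst"], rec["dport"])] += 1
    findings = []
    for (src, dst, dport), n in sorted(counts.items()):
        reasons = []
        if dport in SUSPECT_PORTS:
            reasons.append("suspect port %d (%s)" % (dport, SUSPECT_PORTS[dport]))
        if n >= repeat_threshold:
            reasons.append("%d connections to the same destination" % n)
        if reasons:
            findings.append({"src": src, "dst": dst, "dport": dport,
                             "count": n, "reasons": reasons})
    return findings
```

Any host it reports should be checked locally for the backdoors and resident programs mentioned above rather than treated as confirmed infected; a legitimate IRC client or FTP job will trip the same rule.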
