CERT'S PODCASTS: SECURITY FOR BUSINESS LEADERS: SHOW NOTES

Tackling the Growing Botnet Threat

Key Message: Business leaders need to understand the risks to their organizations caused by the proliferation of botnets.

Executive Summary

Botnets are collections of computers infected with malicious code that can be controlled remotely by an attacker. Botnets are being increasingly used to gain access to valuable information, user actions (such as keystrokes), and system resources without a user's knowledge [1]. Botnets and the information they collect are often for sale to the highest bidder.

In this podcast, Nick Ianelli, a member of the CERT Coordination Center, discusses the growing botnet threat, how to recognize if botnets are present on your computers and networks, and what business leaders can do about them.

PART 1: THE THREAT

What Are Botnets?

The term is short for "robot networks." A botnet is made up of large numbers of compromised host computers that can be easily managed and remotely controlled by an attacker. The attacker installs a bot software package on each computer, generally without the user's knowledge.

The most popular botnet command and control method is Internet Relay Chat (IRC), a text-based chatting program that has been around for some time. An attacker:

logs into an IRC server
goes into a specific channel
issues a command to see all of the users within the channel

All compromised computers respond and perform the action the intruder requests.

Command and control structures such as IRC can be used to command thousands of compromised computers to do the same exact thing at the same exact time.

It's Easy to Find Vulnerable Host Computers

Lists of compromised hosts are often for sale in the attacker "underground economy." Attackers will sometimes infect their own computers with bot software, causing it to scan for other vulnerable computers on the Internet. The process is repeated for every new computer that is infected.

There is widespread information sharing in the intruder community. All someone has to do is ask a question in the appropriate forum and the answer, information, and even code are made available, often for free.

Impacts of a Successful Botnet Attack

Botnet attacks can be high impact, producing some of the following results:

Data theft and data exfiltration
Being able to access all user actions and data on the infected computer
Having access to all of the resources on an infected system
Installing key loggers to capture user ids and passwords. For example, if a key logger has been installed on your bank's website and you log in, your user name and password are now public knowledge.
Finding files of interest and uploading these to a central location for sale or other uses
Having access to any other resources that your computer accesses such as network shares where other users may share common files or back them up.
Access to email contacts and address books, and being able to send email from your machine so it appears to be coming from you.

PART 2: HOW DO I KNOW IF THERE'S A BOTNET ON MY COMPUTER?

Why Botnet Infiltration Is So Hard To Control

It seems that firewalls, anti-virus software, and intrusion detection systems should be able to detect and eradicate botnets. In most cases this works, if targeted computers are properly configured, secured, hardened, and have up-to-date patches installed.

Botnets tend to propagate in two ways:

By exploiting known vulnerabilities, with known solutions: Patches to address these, some going back to 2003, are available but often not installed.
By social engineering: for example, by using your address book to send email. The recipient thinks the email is from you and they open an infected attachment that installs malicious code.

Attackers are in an arms race with the anti-virus community. They have ready access to anti-virus engine evaluation results, so they can learn how to construct their code to remain undetected by the most popular engines.

If a new piece of malware emerges, there is a significant time delay while the anti-virus community:

obtains it
analyzes it
determines how to block it
distributes the signature update out to their users

The malicious code is free to propagate during this time window.

How Do I Find Out If My Computers Are Infected?

Enable logging on all critical systems such as logging net flow data from routers.

Work to correlate logging data from multiple computers such as routers, mail servers, and DNS (domain name system) servers. Infected computers attempt to scan for other vulnerable computers, creating an unexpected increase in the number and types of messages on the network.

If your network is configured so computers ask your DNS server first when trying to resolve DNS or host names (known as an authoritative DNS server), these DNS logs are another good place to look. Bot code tends to produce anomalous or odd domain names that can be easily detected.

PART 3: AND WHAT CAN I DO ABOUT IT?

Getting Rid of Botnet Code

Locate all critical files on your system, scan them to ensure they aren't infected, and back them up.
Clear the machine and rebuild it from scratch.
Rebuild the operating system and reinstall the applications from trusted sources.
Reload necessary files after you ensure that they are clean.

This is really the only way to be sure a machine is no longer infected.

Getting In Front of the Issue as a Preventive Measure

Keep patches up to date.
Raise user awareness about botnets through education and training. Make sure to include senior managers.
Filter both inbound and outbound requests for popular services, over frequently used ports (IRC, HTTP, TCP port 80). peer-to-peer clients and be aware of peer-to-peer malware such as the Storm worm, and what it can do.

Intruders are likely to look elsewhere if your computers are well-patched, up-to-date, and securely configured.

Be Prepared/

Make sure you have contact information and a relationship with your Internet Service Provider (ISP), so you know who to call when you get in trouble.

If one of your machines is being used to launch a distributed denial-of-service (DDoS) attack, or if one is being launched against you, your ISP can help you shut this down.

It is useful to know where to submit malicious code that you may find on your systems. This could be your in-house security shop or an outside vendor that is monitoring your networks.

Know what you are going to do in advance of an attack. Have a coordinated game plan with your incident response team.

Resources

CERT, US-CERT, and The Honeynet Project® (search on the term "botnet")

The Honeynet Project "Know Your Enemy" Whitepapers

Websense® and Sunbelt blogs

Arbor ATLAS (Active Threat Level Analysis System) dashboard

SANS Diary

Ianelli, Nicholas; Kinder, Ross; Roylo, Christian. "The Use of Malware Analysis in Support of Law Enforcement." CERT Coordination Center, Carnegie Mellon University, July 11, 2007.

[1] Ianelli, Nicholas & Hackworth, Alan. "Botnets as a Vehicle for Online Crime." CERT Coordination Center, Carnegie Mellon University, December 1, 2005.

Zhuge, Jianwei; Holz, Thorsten; Han, Xinhui; Guo, Jinpeng; Zou, Wei. "Characterizing the IRC-based Botnet Phenomenon." Peking University Institute of Computer Science and Technology, Beijing, China; University of Mannheim Laboratory for Dependable Distributed Systems, Mannheim, Germany, December 3, 2007

Malicious programs hit new high, BBC News, 8 February 2008