Businesses have to improve their detection skills, minimize attack vectors and enforce Web-filtering rules to quickly find and remove compromised machines communicating with a botnet.
Businesses can defend
against botnets by improving their detection skills, training employees to
identify infections, and minimizing attack vectors, according to security
Businesses have to improve
their detection skills and not rely on preventive techniques to defend against
botnets, Andrew Jaquith, the CTO of Perimeter E-security, said in a Web
presentation Feb. 24. Businesses can take a number of steps to defend against
botnets, such as proactively analyzing logs to find suspicious activity, but
the most important is to realize the traditional defensive technologies will
fail to prevent an infection, and to plan accordingly, he said.
Previously, there was a sense
that if a user was infected with malware, it was the user's fault for going to
questionable sites, Jaquith said. That is no longer the case as even mainstream
sites can have malicious ads served up by advertising networks. Furthermore,
increasingly sophisticated phishing and social-engineering tactics make it
difficult to differentiate malicious scams from legitimate messages, he said.
Infections are quick and
stealthy, said Richard Westmoreland, lead security analyst at Perimeter
E-security. In a recent incident with a banking customer, it took less than 8
seconds for a computer to be compromised, he said. In that incident, the
Mebroot Trojan infected the computer, based on the Neosploit kit, which opened
backdoors in the system that allowed it to communicate with the Torpig botnet,
Westmoreland said. The user was unaware of the infection and continued to
access a number of financial sites and other sensitive information, he said.
Traditional defenses, such
as firewalls and intrusion prevention/detection systems, aren't effective
against the botnet threat because it can't scan or analyze Web traffic, Jaquith
said. Firewalls may be able to keep out some malware, but are entirely
ineffective once a system on the network is compromised because it doesn't scan
or filter outbound traffic, allowing the infected system to communicate with
the remote command control server, he said.
such as desktop anti-virus and intrusion prevention/detection systems can't
stop zero-day attacks, or examine encrypted traffic, he said. Malware authors
also test their kits and malware with several anti-virus programs to ensure
they avoid detection.
Businesses should try to
filter Web traffic to as many unknown URLs as possible, said Jaquith. If the
user is trying to access a URL that is not recognized by the network
security product as falling into a specific category, such as entertainment,
news or finance, then businesses "are better off" blocking it, he said.
"About 90 percent of the
traffic goes to the same 100 sites," he said. Anything else should be dealt
with on a case-by-case basis, he said.
IT teams should minimize
attack vectors, such as keeping browsers updated and removing unnecessary
plugins, he said.
Most importantly, senior
executives should be held to the same level of security, even if it means
having a separate team to ensure the executives are complying, Jaquith said.
The security breaches don't just apply to regular employees, and executives
actually "need to be safer than most," he said.
Anonymous recently managed
to hack into federal security provider HBGary's systems because the CEO and COO
had weak passwords, according to Ars Technica.
There are three major types
of botnets: spam, attack and financial, according to Jaquith. Spam botnets are
responsible for the majority of the world's spam, he said. There are several
major spam botnets, including Rustock, Xarvester and Lethic. Symantec's
MessageLabs has noted that in the past the Rustock
accounted for as much as 47.5 percent of all spam. Joe Stewart,
director of malware research for Dell SecureWorks, called Rustock the most
prolific botnet at the recent RSA
Financial botnets are
customized to steal bank account and credit card information, Jaquith said.
Sold as kits, the botnets in this category include Zeus, SpyEye and Torpig,
according to Jaquith. He also noted SpyZeus, the new botnet that resulted from
the merger of Zeus and Spy and the Zitmo, the botnet targeting mobile devices.
The FBI has estimated a Zeus gang stole more than $70 million in 2010.
The attack botnets are often
used in distributed-denial-of-service campaigns, said Jaquith.
There are a number of
vendors with products that claim to scan for and detect botnet activity,
and HBGary's Razor appliances. Perimeter E-Security offers information
security on its security as a service platform.