Detecting Botnet Infections Requires Novel Tactics, Constant Monitoring

Businesses have to improve their detection skills, minimize attack vectors and enforce Web-filtering rules to quickly find and remove compromised machines communicating with a botnet.

Businesses can defend against botnets by improving their detection skills, training employees to identify infections, and minimizing attack vectors, according to security experts.

Businesses have to improve their detection skills and not rely on preventive techniques to defend against botnets, Andrew Jaquith, the CTO of Perimeter E-security, said in a Web presentation Feb. 24. Businesses can take a number of steps to defend against botnets, such as proactively analyzing logs to find suspicious activity, but the most important is to realize the traditional defensive technologies will fail to prevent an infection, and to plan accordingly, he said.

Previously, there was a sense that if a user was infected with malware, it was the user's fault for going to questionable sites, Jaquith said. That is no longer the case as even mainstream sites can have malicious ads served up by advertising networks. Furthermore, increasingly sophisticated phishing and social-engineering tactics make it difficult to differentiate malicious scams from legitimate messages, he said.

Infections are quick and stealthy, said Richard Westmoreland, lead security analyst at Perimeter E-security. In a recent incident with a banking customer, it took less than 8 seconds for a computer to be compromised, he said. In that incident, the Mebroot Trojan infected the computer, based on the Neosploit kit, which opened backdoors in the system that allowed it to communicate with the Torpig botnet, Westmoreland said. The user was unaware of the infection and continued to access a number of financial sites and other sensitive information, he said.

Traditional defenses, such as firewalls and intrusion prevention/detection systems, aren't effective against the botnet threat because it can't scan or analyze Web traffic, Jaquith said. Firewalls may be able to keep out some malware, but are entirely ineffective once a system on the network is compromised because it doesn't scan or filter outbound traffic, allowing the infected system to communicate with the remote command control server, he said.

Signature-based scanning such as desktop anti-virus and intrusion prevention/detection systems can't stop zero-day attacks, or examine encrypted traffic, he said. Malware authors also test their kits and malware with several anti-virus programs to ensure they avoid detection.

Businesses should try to filter Web traffic to as many unknown URLs as possible, said Jaquith. If the user is trying to access a URL that is not recognized by the network security product as falling into a specific category, such as entertainment, news or finance, then businesses "are better off" blocking it, he said.

"About 90 percent of the traffic goes to the same 100 sites," he said. Anything else should be dealt with on a case-by-case basis, he said.

IT teams should minimize attack vectors, such as keeping browsers updated and removing unnecessary plugins, he said.

Most importantly, senior executives should be held to the same level of security, even if it means having a separate team to ensure the executives are complying, Jaquith said. The security breaches don't just apply to regular employees, and executives actually "need to be safer than most," he said.

Anonymous recently managed to hack into federal security provider HBGary's systems because the CEO and COO had weak passwords, according to Ars Technica.

There are three major types of botnets: spam, attack and financial, according to Jaquith. Spam botnets are responsible for the majority of the world's spam, he said. There are several major spam botnets, including Rustock, Xarvester and Lethic. Symantec's MessageLabs has noted that in the past the Rustock botnet accounted for as much as 47.5 percent of all spam. Joe Stewart, director of malware research for Dell SecureWorks, called Rustock the most prolific botnet at the recent RSA Conference.

Financial botnets are customized to steal bank account and credit card information, Jaquith said. Sold as kits, the botnets in this category include Zeus, SpyEye and Torpig, according to Jaquith. He also noted SpyZeus, the new botnet that resulted from the merger of Zeus and Spy and the Zitmo, the botnet targeting mobile devices. The FBI has estimated a Zeus gang stole more than $70 million in 2010.

The attack botnets are often used in distributed-denial-of-service campaigns, said Jaquith.

There are a number of vendors with products that claim to scan for and detect botnet activity, including Damballa's FailSafe, NetWitness Spectrum and HBGary's Razor appliances. Perimeter E-Security offers information security on its security as a service platform.