Six ways to fight back against botnets

By Julie Bort, Network World July 06, 2007 12:02 AM ET

Botnets are a growing threat, but there are six steps that security professionals can take to fight back.
1. Hire a Web-filtering service.
Web-filtering services are one of the best ways to fight bots. These services scan for Web sites exhibiting unusual behavior or known malicious activity and block those sites from users. Websense, Cyveillance and FaceTime Communications are examples. All monitor the Internet in real time to find Web sites engaged in suspicious activity, such as downloading JavaScript and performing screen scrapes and other tricks outside the boundaries of normal Web browsing. Cyveillance and Support Intelligence also offer services that notify Web-site operators and ISPs that malware has been discovered, so hacked servers can be fixed, they say.

2. Switch browsers
Another tactic to prevent bot infections is to standardize on a browser other than Internet Explorer or Mozilla Firefox, the two most popular and hence the browsers for which most malware is written. The same tactic works for operating systems. Macs statistically are safe from botnets, as is desktop Linux, because most bot herders target Windows.

3. Disable scripts
A more extreme measure is to disable browsers from scripts altogether, though this could put a damper on productivity if employees use custom, Web-based applications in their work.

4. Deploy intrusion-detection and intrusion-prevention systems
Another approach is to fine-tune your IDSs and IPSs to look for botlike activity. For example, any machine suddenly blasting away on Internet Relay Chat is certainly suspicious. Ditto those connecting to offshore IP addresses or illegitimate DNS addresses. Harder to notice, but another telltale sign, is a sudden uptake in SSL traffic on a machine, particularly in unusual ports. That could indicate a botnet-control channel has been activated. Look for machines routing e-mail to servers other than your own e-mail server. Botnet hunter Gadi Evron further suggests that you learn to watch for Web crawlers that operate at high “fetch levels.” Fetch levels activate all links located on a Web page, and a high level could indicate a machine is being sent to a malicious Web site. An IPS monitors for behavior anomalies that indicate hard-to-spot HTTP-based attacks and those from remote-call-procedure, Telnet- and address-resolution-protocol spoofing, among others. Worth noting, however, is that many IPS sensors use signature-based detection, meaning that attacks are added to a database as they are discovered. The IPS must be updated regularly to recognize them, so after-the-fact detection will require ongoing effort.

5. Protect user-generated content
Your own Web operations must also be protected from becoming unwitting accomplices to malware writers. Unless you are trying to become the next hip, Web 2.0 social network, your company’s public blogs and forums should be restricted to text-only entries, advises Michael Krieg, vice president of Web Crossing, maker of social-networking software and hosting services.

6. Use a remediation tool
If you do find an infected machine, the jury is out about how best to do remediation. Companies like Symantec assert they can detect and clean even the deepest rootkit infection. In Symantec’s case, it points to technology it acquired with Veritas, VxMS (Veritas Mapping Service), which lets the antivirus scanner bypass Windows File System APIs, which are controlled by the operating system and therefore vulnerable to manipulation by a rootkit. VxMS directly accesses raw Windows NT File System files. Other antivirus vendors trying to protect against rootkits include McAfee and FSecure. Their success has varied, given how inventive malware writers can be.
Yet Evron argues that detecting malware after the fact could really be a false scent — bait intended to make IT professionals believe they’ve scrubbed the PC while the real bot code remains hidden. “Antivirus is not a solution, because it is naturally reactive. The antivirus would have to recognize [the problem], and therefore the antivirus could have been manipulated,” he says.
This is not to say you shouldn’t try to implement the best rootkit fighter you can find in your antivirus software, just that you should be aware that doing so is a bit like buying a safe after your valuables have been stolen. Evron believes the only way to be sure that a machine is clean after bot malware is detected is to wipe it and start from scratch.
By not letting your users visit known malicious sites, monitoring your network for strange behaviors and defending your public sites from attacks, you’ll be in good shape, security experts unanimously agree.
“I can see where this odd sense of futility and hopelessness can come in if some network guy wakes up and thinks, ‘What am I going to do about those millions of botnets?’ Let the folks concentrating on fighting botnets on a day-to-day basis worry about that one,” says Chris Boyd, FaceTime’s director of malware research. “Just concentrate on locking down your network and protecting it against infections — viruses, Trojans, spyware or adware. . . . Treat it as a rogue file found on a PC. That’s all you need to do.”


About naziza

work in the dark to serve the light
This entry was posted in botnet, network. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s