Dawn of the undead, Attack of the bots – What to do!

“What’s more worrying is that it’s not unusual for PCs on private networks to get infected too, and once one PC in an organisation has it, it starts recruiting its colleagues too.
The risk isn’t just spam or DoS attacks – zombie packages can have a range of features in them, including remote control, and the first targeted malware attacks have now been reported, such as one which aimed to steal data from the UK parliament.”

We all know that botnets are bad, they do the evil bidding of attackers all across the globe. Criminals rent botnets (why buy when you can rent?), spammers use them to send the latest emails that claim to enlarge mail body parts, and I swear there must be a permanent botnet aimed at ready to take it down upon command. If you don’t know what I am talking about, you should check out this great article about botnets. If you want to know what you can do to prevent botnets, here are a few tips:

  • Proxy all outbound connections from your network – When I helped manage the security for a large corporate network we had a bank of proxy servers. No one could get out to the Internet unless they went through one of these bad boys. We used Squid running on FreeBSD which is an excellent combination. You get the added bonus of caching, which means the proxy server can store images for a limited amount of time and serve them up to save bandwidth and make web browsing a little quicker.
  • Don’t just rely on Anti-Virus and Anti-Spyware – I see so many machines that have the latest anti-virus definitions and anti-spyware software/definitions become part of a botnet. Why? Because as the article says, botnet herders are getting smarter and evading our defenses. Take a look at Cisco CSA, and give the new Core Force a try (Its still in beta, but may be a good thing to start looking at in the lab). These are behavior based host-intrusion prevention systems that can prevent you from the zero-day effect and help avoid those pesky bots.
  • Use your IDS wisely Grasshopper – Your IDS can be used to detect botnet activity before and after infection. The Bleeding-Rules project has many good rules for detecting IRC bots, and I’ve got a few homegrown sigs that have proven useful (drop me an email and I will send them along).
  • Review your outgoing traffic daily – In addition to your IDS, using tools such as IPAudit, Argus, Flow-tools, and the like you should be able to get a good idea of what normal means on your network. Then you can start to look for anomalies, such as number of outgoing sessions, most outgoing bandwidth, and other factors. Also, once you find one host that has become part of a botnet you can study its traffic, then see what other hosts exibit the same traffic. This helps you be certain you remove all the botnet participants from your network.

Full Article


Paul Asadoorian

Paul Asadoorian is currently the Principal Security Evangelist for Eclypsium, focused on firmware and supply chain security awareness. Paul’s passion for firmware security extends back many years to the WRT54G hacking days and reverse engineering firmware on IoT devices for fun. Paul and his long-time podcast co-host Larry Pesce co-authored the book “WRTG54G Ultimate Hacking” in 2007, which fueled the firmware hacking fire even more. Paul has worked in technology and information security for over 20 years, holding various security and engineering roles in a lottery company, university, ISP, independent penetration tester, and security product companies such as Tenable. In 2005 Paul founded Security Weekly, a weekly podcast dedicated to hacking and information security. In 2020 Security Weekly was acquired by the Cyberrisk Alliance. Paul is still the host of one of the longest-running security podcasts, Paul’s Security Weekly, he enjoys coding in Python & telling everyone he uses Linux.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.