
The zombie’s bite: Avoiding a botnet

Unlike the ghastly creatures of film, botnet zombies may look and act like normal, uncompromised machines. The two key challenges are preventing a machine from being compromised in the first place, and detecting and thwarting botnets or their components if they get past defenses.

“The majority of the botnet instances I encountered over a six-year period as a security engineer for a mid-sized hospital were based on poor user decisions,” says Andy Hubbard, senior security consultant for Neohapsis, a provider of mobile and cloud security services. Hubbard explains that the trouble often starts while the user is outside of the corporate network – for example, using their laptop at home. However, some of the users who caused problems managed to become infected even with the defenses the hospital had in place – for example, by directly interacting with malware while running as “admin.”

“With use of internet access control (IAC) and threat-monitoring tools, we could detect a botnet before the device managed to synch with a command-and-control (C&C) system,” he says. “Our threat monitoring and IAC solutions detected and blocked outbound communication attempts allowing us to identify the infected host and clean it.”

Hubbard's experience underscores the nature of the threat. “It isn't a sexy answer but the truth is that a lot of malware and botnets just go after the low-hanging fruit,” says Rick Holland, principal analyst, security and risk management at Forrester Research. He says that when he has asked audiences at his talks questions such as, “How many of your end-users are also local administrators on machines,” invariably at least half the hands go up. Even at a SANS event, where people are focused on security, the results are similar.

He says he has also observed that many organizations have little or no visibility other than at the perimeter. “This wasn't a scientific study, but it seems like most of these companies within their networks have no Layer 7 visibility – or even Layer 3 and 4,” he says. The point, he emphasizes, is that organizations need to start with basics. “Failing to do these basics allows botnet herders to compromise more machines,” he says. “In one of our recent reports we pointed out that there's no need to fire a cruise missile when the screen door is wide open.”

While botnet herders are more “commodity oriented,” Holland says advanced attackers can take advantage of the same low-hanging fruit. “Using Flash or Acrobat they can leverage the same vulnerabilities, so when organizations don't do the basic ‘hygiene,' it puts them at risk for mass malware.”

Taking a similar tack, Tom Gorup, security operations center manager at Rook Security, a provider of IT security solutions and services, says that the big culprit that allows botnets in is poor configuration and patch management. “That is the root cause of a lot of these botnets,” he says. “Web and server admins, unfortunately, do a poor job of ensuring their content management system and services being used by that system are properly updated. Your website is the glass door to your iron-clad network.”

For example, he says, improper configuration of an Apache server could allow remote code execution to the Apache configuration file, consequently leading to a backdoor. The attacker then has two options, usually based on the location and/or owner of the server: Either the attacker uses this server as their C&C server to carry out the remainder of the attack or attempts to pivot deeper into the network. 

Once the attacker has established their C&C server, it's time for them to build their network. Gorup says this is usually done through a phishing campaign. Users can easily be coerced into clicking on a link and thereby downloading a file, leading to their unwilling participation in the attacker's botnet. Weak user passwords and poor password policies can also lead to exploitation.

The current state of the art in botnets uses man-in-the-browser malware, according to Michael Tiffany, CEO and co-founder of WhiteOps, an IT security company. Man-in-the-browser attacks were originally developed as online banking trojans, but they can be applied to much more, he says. “Look at distributed denial-of-service (DDoS), for instance, and its rentable botnet variation, DDoS-as-a-service,” he notes. The old model of DDoS created overwhelming volumes of packets, usually through some kind of amplification mechanism, he explains. In contrast, the new model, sometimes called resource-based DDoS, uses browsers compromised by this kind of malware, as well as automated browser “bots,” to send real browser-based HTTP traffic with special application requests crafted to overwhelm a site's application layer.

But all these crafty attacks can be avoided. Botnet prevention can be simple – through proper configuration and patch management processes, says Gorup. At a minimum, monthly update cycles should be put in place, while also allowing for emergency change windows for critical vulnerabilities. Follow hardening guides issued by the Open Web Application Security Project (OWASP) when standing up your servers with regular quarterly reviews, he advises. User education should not be overlooked, either. Ensuring that users are educated in proper password management and policies is critical to the security of a network. Holding regular security awareness training or webinars on new attack vectors can also help to ensure users understand the inherent risks in unsafe internet usage.

For his part, Tiffany says he is now seeing a shift away from focusing on just infection-prevention and moving toward rapid detection and remediation. “The number one rule of botnets is: ‘Don't lose control of the botnet.'” 

In fact, says Tiffany, many attacks can be deterred if the criminals can't tell if they'll be detected. Quoting his company co-founder, Dan Kaminsky, he says, “Prevention technologies tend to live entirely on the client,” while detection can be “smeared” across the entire network. 

Holland also comes down on the side of prevention plus detection. Prevention is important, but organizations also fall down afterward “because there is no instrumentation in place to detect botnets or any other kind of malware,” he says. He recommends implementing Layer 3 or 4 visibility and developing the ability to detect botnet C&C activities, even when they are just starting to communicate.

However, he admits companies are struggling to find the right technology solution and the right staff. “At a minimum, all companies should have Layer 7 visibility for internet ingress and egress – that is one of the most important things,” he says. “Then they should focus on Layer 3 and 4.”
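To make concrete what Hubbard's outbound-blocking and Holland's Layer 3/4 visibility buy a defender, here is an added example (not from the article or any of the vendors quoted) that looks for C&C check-in behaviour in flow records: a compromised host that "synchs" with its controller tends to connect to the same destination at a suspiciously regular interval, which stands out even before any payload is inspected. The flow records, hosts, addresses and thresholds are all constructed for the demonstration.

```python
"""Beacon detection over Layer 3/4 flow records (constructed sample data)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows: (epoch_seconds, src_ip, dst_ip, dst_port).
# 10.0.0.5 checks in with 203.0.113.7:443 roughly every 60 s (beacon-like);
# 10.0.0.9 revisits 198.51.100.20 as often, but at irregular, human-like gaps.
SAMPLE_FLOWS = [
    (1000, "10.0.0.5", "203.0.113.7", 443),
    (1061, "10.0.0.5", "203.0.113.7", 443),
    (1119, "10.0.0.5", "203.0.113.7", 443),
    (1180, "10.0.0.5", "203.0.113.7", 443),
    (1240, "10.0.0.5", "203.0.113.7", 443),
    (1301, "10.0.0.5", "203.0.113.7", 443),
    (1003, "10.0.0.9", "198.51.100.20", 443),
    (1010, "10.0.0.9", "198.51.100.21", 80),
    (1150, "10.0.0.9", "198.51.100.20", 443),
    (1152, "10.0.0.9", "198.51.100.22", 443),
    (1400, "10.0.0.9", "198.51.100.20", 443),
    (1460, "10.0.0.9", "198.51.100.20", 443),
    (1500, "10.0.0.9", "198.51.100.20", 443),
]


def find_beacons(flows, min_flows=5, max_jitter=0.1):
    """Return [(src, dst, port, mean_interval_s)] for connection tuples whose
    inter-arrival times are regular enough to resemble C&C check-ins.

    Regularity is the coefficient of variation (stdev / mean) of the gaps
    between successive flows to the same (src, dst, port); a scheduled beacon
    keeps this small, while browsing traffic to a popular site does not.
    """
    by_tuple = defaultdict(list)
    for ts, src, dst, port in flows:
        by_tuple[(src, dst, port)].append(ts)
    hits = []
    for key, stamps in by_tuple.items():
        if len(stamps) < min_flows:       # too few samples to judge regularity
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((*key, round(avg, 1)))
    return hits


if __name__ == "__main__":
    for src, dst, port, interval in find_beacons(SAMPLE_FLOWS):
        print(f"possible beacon: {src} -> {dst}:{port} every ~{interval}s")
```

On real NetFlow or firewall logs the same grouping works per (source, destination, port) tuple; the jitter threshold and minimum flow count are the knobs to tune against the environment's normal traffic.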
