Also read Part I of this series:The botnet menace – and what you can do about it
In the first part of this feature we described what bots are, the incredible damage they can cause, and why they constitute a growing threat to enterprises and consumers alike.
We discussed the reasons for the diminishing effectiveness of technologies such as intrusion detection in identifying and thwarting bots.
We listed some newer techniques being employed by increasingly tech savvy bot masters (or bot herders) to avoid detection – such as use of encrypted IRC communications, HTTP tunneling, and peer-to-peer networking.
In conclusion we emphasized the need of for effective strategies to beat bot herders at their own game.
In this piece we present seven such strategies you can implement immediately to discover, block or repair a bot infection.
Note: In both parts of this series we use the term "bot" to refer to malicious bots - software agents used by a bot herder to take control of a network of computer systems, which can then be used for nefarious purposes - such as sending spam, denial of service attacks, information theft and more. However, bots can also perform useful tasks. An example is their use by Search Engines for Web spidering, where an automated script fetches, analyses and files information from Web servers many times faster than a human being would be able to.
Step 1 – Secure your systems
A computer system usually gets infected with a malicious bot via many of the same channels it falls prey to other malware, Trojans and viruses.
Related content
These include vulnerabilities at the network layer, on the operating system, pieces of software that listen on the network level, and infiltrate the system, usually through e-mail links that users click on.
That being the case, experts say the first level of defence in battling bots, involves the same basic steps that are effective against viruses and Trojans – keeping your systems patched, using firewalls, spam filtering software and so on.
As another popular route for a bot attack is Web links transmitted through instant messaging (IM), users should also look at anti-virus and filtering software for IM.
Some companies have disabled IM because of inherent risks associated with it.
However, for firms averse to taking such a step, or for whom IM happens to be a business critical capability, there are commercial applications that enable one to proxy those connections through a channel that has the ability to filter out malicious software.
Basic steps such as running a quality anti-virus program and installing apps that prevent loading of spyware and adware on your machine are a must. These apps should also be kept up to date.
Regular – if possible daily – system scans, and enabling the automatic virus detection software that checks every file as it's opened are also fairly fundamental safeguards.
Step 2 – Watch for warning signs
Keeping a watchful eye on the help lines often gives network and IT managers their first hints of a possible botnet infection.
Any significant increase in calls about slow systems or lots of pop ups could be a sign of bot compromised machines on the network.
Likewise, Internet service providers (ISPs) are well positioned to detect suspicious activity. Sometimes these signs are detected by network service providers that have ISPs as customers.
For instance, Florham Park, N.J.–based Global Crossing, a network services provider has a several ISP customers, and constantly monitors their traffic for unconventional or anomalous behaviour.
"We look for unusual traffic flows, [a spurt in] DNS lookups for names known to be used by botnet controllers, or whether lots of their customers [are] suddenly making connections to the same machine," says Jim Lippard, director of information security operations at Global Crossing in a podcast.
When such trends are detected, he said, the ISP is immediately notified.
"They, in turn, can either suspend service to an affected customer, contact the customer; or they can put filters in place to block the activity."
He said an ISP may sometimes put the affected customer into a "walled garden" – a quarantined environment where the person can no longer browse the Web, but is redirected to a Web page that says: You have a problem, here are some characteristics of that problem and here are recommendations to fix it."
Step 3 – Scan the horizon
It's not just individual systems, but traffic on company networks that should be scanned as well.
Outbound e-mail scanning, for example, can help detect a spam virus attack when it's launched from your network. In such cases, locating the compromised PC should not be difficult.
Be very concerned if your IP address becomes part of a black list, as that's a sure sign of trouble emanating from your network.
Several sites on the Web can check a wide array of registered blacklists for you.
One of these is Spamhaus, a volunteer initiative that aims to track e-mail spammers and spam-related activity.
Spamhaus has developed three widely used anti-spam DNS Blocklists:
- The Spamhaus Block List (SBL) is a realtime database of IP addresses of verified spam sources and spam operations (including spammers, spam gangs and spam support services). It is supplied as a free service to help e-mail administrators better manage incoming e-mail streams.
- The Exploits Block List (XBL), is a realtime database of IP addresses of illegal third party exploits, including open proxies (HTTP, socks, AnalogX, wingate, etc), worms/ viruses with built-in spam engines, and other types of trojan-horse exploits.
- The Policy Block List (PBL) is a database of end-user IP address ranges which should not be delivering unauthenticated SMTP email to any Internet mail server except those provided for specifically by an ISP for that customer's use. The PBL helps networks enforce their Acceptable Use Policy for dynamic and non-MTA customer IP ranges.
Many ISPs and other Internet sites use these free services to reduce the amount of spam they take on.
The SBL, XBL and PBL collectively protect over 500 million e-mail users, according to Spamhaus' Web site.
Another option is signing up for e-mail feedback groups maintained by MSN, AOL and Yahoo that notify you if spam traffic arriving at those networks is originating from your IP address.
Intrusion detection software running on your network may be able to recognize the patterns of traffic that botnets generate once their inside.