

Botnets – a threat in South Africa


Spam has worked its way up to the number one spot on every security and network manager's hit list, writes Lester van der Westhuizen, Marshal Software Product Specialist at distributor Drive Control Corporation (DCC).

While content filtering devices provide some relief, it's the more devious methods used by spammers that are setting off alarms at present. In particular, the use of Botnets (networks of enslaved or compromised PCs) to quickly and broadly distribute spam has become a primary threat – one that needs to be taken note of in South Africa.
Botnets, a growing problem on the Internet since at least 2002, form the foundation of increasingly innovative attacks.
A Botnet is a collection of bots, compromised hosts connected to the Internet that have been infected with malicious code installed by a hacker or a self-propagating worm. Each 'Bot' is connected to a command and control (C and C) channel that runs autonomously. These Botnets are operated by "Bot herders" who enslave computing resources in order to profit from phishing, relaying spam (some estimate over 70% of Internet spam is due to bots), click fraud, hosting warez and malware.
And Botnets are growing at an alarming rate. Existing Botnets make use of remote exploits to compromise 'un-patched' computers through the Internet. Once the machine has been exploited, it is ordered to download binary executables from a second server, which may be situated anywhere in the world. These binaries, once downloaded, are run on the host, turning the host into a Bot.
Frequently, the Bot opens a channel to port 6667 using Internet Relay Chat (IRC) on the Bot controller, which is the device used by the Bot herder to issue commands to bots. Many of these bots are programmable and may download custom modules that increase their lethality.
The major problem with Botnets occurs when they are used for attack purposes. A Botnet of 1 million bots, with a conservative 128 Kbps broadband upload speed per infected Bot, can wield a powerful 128 gigabits of traffic. This is enough to take most of the Fortune 500 companies (and several countries) offline using DDoS attacks. If several large botnets are allowed to join together, they could threaten the national infrastructure of most countries.
Bots have gained their current status as a result of several factors. Perhaps the most important is that Bots leverage the work of others. Several Bot families are considered open source projects, developed collaboratively and refined by many. But even more important, Bot developers piggyback on the work done by well-intentioned security researchers.
Most cyber criminals do not have the skills to discover and exploit software vulnerabilities. But when such vulnerabilities are made public in an effort to raise awareness, Bot authors incorporate the work into new versions of their threats. The vast majority of bots target Microsoft Windows and propagate via classic buffer overflow attacks.
While taking a bot controller offline may kill a Botnet, many survive such an event by using a Dynamic Domain Name System (DDNS) or having a list of backup IP addresses. The key to stopping DDoS attacks is the adoption of anti-Botnet strategies. This is especially important for telcos and ISPs who have numerous vulnerable clients linked to their infrastructure.
Intrusion prevention systems (IPS) offer a preemptive approach to network security and can identify, alert and block (prevent) attacks against networked devices. IPS devices can block remote exploits, worms, viruses, and Botnets all on one device and are becoming faster, more reliable, and more affordable.
The IPS detects Botnet control traffic and identifies both the Botnet controllers and the number of devices under their control. This empowers the user to take remediative action. Such action may include Bot controller removal via cooperation with law enforcement or dropping traffic destined for Bot controllers at Layer 4, where permissible.
The biggest advantage of IPS devices is that they can stop the initial attack on the end node. Deploying an IPS at boundaries will thus stop the initial spread of Botnets. McAfee, for example, has released a Botnet signature suite (then covering the 60 most common Botnets) for IPS devices.
Many of these signatures are specific to well-known Botnets while others focus on the commands commonly shared by Botnets. The signatures are focused on the command and control (C and C) channels used by Botnets. By disrupting these channels and cutting communication, the bots can no longer be controlled by the Bot herder.
The IPS approach to Botnets also allows attacks to be separated according to source and destination IP address. This enables investigators to quantify the number and size of Botnets passing through a telco, ISP or enterprise. If the Bot controller uses a particular organisation as its connection to the Internet, that organisation will be able to see all of the bots, including their geographical location, and monitor their commands. Alternatively, the organisation will be able to quantify its current Botnet risk exposure and investigate appropriate defensive countermeasures.
Installation of a quality IPS should enable an organization to determine:
* The number of Bots traversing its network;
* Where these Bots are located (derived from the IP address);
* The number of Bot controllers;
* The physical location of these Bot controllers (derived from the IP address) and the Bot controller's ISP;
* The number of victims per Bot controller;
* Which controllers are causing the most damage;
* Which machines are launching exploits that allow machines to be converted into Botnets.
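The following Python script is an added illustration, not code from the article or from any IPS vendor, of how the separation by source and destination address described above yields the counts in the list (bots traversing the network, number of controllers, victims per controller, busiest controller). It reads constructed flow records and treats TCP connections to port 6667 (the IRC port named earlier) as suspected command and control sessions; that port-based rule is an assumption made for the example, since a real IPS relies on signatures rather than a port number, and the sample addresses are made up.

```python
"""Summarise suspected botnet command-and-control sessions from flow records.

Added example. The flow lines and addresses are constructed, and the
detection rule (TCP to port 6667) is an assumption standing in for the
C&C signatures a real IPS would use.
"""
from collections import defaultdict

# Constructed flow records: "src_ip src_port dst_ip dst_port proto"
SAMPLE_FLOWS = """\
10.0.1.15 51022 198.51.100.7 6667 tcp
10.0.1.23 49200 198.51.100.7 6667 tcp
10.0.2.8 51100 198.51.100.7 6667 tcp
10.0.3.40 40555 203.0.113.9 6667 tcp
10.0.1.15 51030 192.0.2.50 443 tcp
10.0.5.2 33000 192.0.2.50 80 tcp
10.0.1.23 49300 198.51.100.7 6667 tcp
"""

IRC_PORT = 6667  # port the article names for Bot-to-controller channels (assumption)


def parse_flows(text):
    """Parse whitespace-separated flow lines into tuples, skipping malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        src, sport, dst, dport, proto = parts
        try:
            flows.append((src, int(sport), dst, int(dport), proto.lower()))
        except ValueError:
            continue
    return flows


def cc_sessions(flows, port=IRC_PORT):
    """Map each suspected controller (destination) to the set of hosts (bots) talking to it."""
    controllers = defaultdict(set)
    for src, _sport, dst, dport, proto in flows:
        if proto == "tcp" and dport == port:
            controllers[dst].add(src)
    return dict(controllers)


def summarise(controllers):
    """Answer the article's questions: how many bots, how many controllers, victims per controller."""
    bots = set().union(*controllers.values()) if controllers else set()
    ranked = sorted(controllers.items(), key=lambda kv: len(kv[1]), reverse=True)
    return {
        "bot_count": len(bots),
        "controller_count": len(controllers),
        "victims_per_controller": {c: len(v) for c, v in controllers.items()},
        "busiest_controller": ranked[0][0] if ranked else None,
    }


def block_rules(controllers, port=IRC_PORT):
    """Layer-4 drop rules for traffic destined for each controller (iptables syntax, illustrative)."""
    return [
        f"iptables -A FORWARD -p tcp -d {c} --dport {port} -j DROP"
        for c in sorted(controllers)
    ]


if __name__ == "__main__":
    sessions = cc_sessions(parse_flows(SAMPLE_FLOWS))
    for key, value in summarise(sessions).items():
        print(f"{key}: {value}")
    for rule in block_rules(sessions):
        print(rule)
```

On the constructed input the script reports four bots, two controllers, three victims on the busier controller, and emits one drop rule per controller. Geographic location, which the article derives from the controller's IP address, is deliberately not modelled here because it needs an external IP-to-location database.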
The user organisation will also be able to capture and inspect all traffic emanating from, or destined for, the bot controller or infected machine. By merely modifying a policy, the enterprise, telco or ISP can shut down Bot activity on its network, which will result in:
* Better use of available bandwidth, which lowers costs;
* A better Internet experience for customers (less clutter on network);
* Enhanced customer security (less likely to be attacked by Bot and/or exploit code);
* Protection of national infrastructure and high-profile customers (eg, government departments, military);
* Increased availability of the network; and
* Lower network latencies.
Because the IPS protected organisation is capable of destroying current C and C structures, it can potentially destroy existing Botnets. Since the IPS device is capable of stopping most exploit code, it will slow the growth of future Botnets as well as the spread of worms and other malicious code.