

June 2008 - Botnets, A Current Internet Threat


The Internet is an ever-evolving and changing place. New threats emerge almost daily that may compromise your business. In this month’s Tech Brief we’ll take a look at botnets, an Internet threat which many people have never heard of – but which may be affecting one out of every four computers.


What is a Botnet?


A bot (short for robot) is a computer that has been compromised by a remote attacker, typically without the owner’s knowledge, and is used to forward transmissions (such as spam or viruses) to other computers over the Internet. Botnets are created when multiple compromised computers work together as a sort of zombie network. According to a report from the security firm Kaspersky Labs, botnets - not spam, viruses, or worms - currently pose the biggest threat to the Internet.



How Does it Work?


Once you understand how they work, botnets almost sound like the plot of a science fiction movie. A bot is often created through an Internet port that has been left open on a computer or network, through which a small Trojan horse program can be planted for future activation. Sometimes the malicious program is transmitted via email or over peer-to-peer file sharing networks. The program sits dormant on your computer until the remote attacker sends a single command that activates all the bots at once and unleashes the full effects of a botnet – which may number in the tens of thousands of compromised computers. It has been estimated that up to one quarter of all personal computers connected to the Internet may become part of a botnet at some time.


What Are Botnets Used For?


There are a variety of malicious uses for botnets. Some of the most prevalent include:

  • Denial-of-service attacks – this occurs when the many computers that form a botnet visit a website or access an online service so frequently and in such large numbers that the site or service becomes overwhelmed and temporarily shuts down.
  • Spam – spammers use the individual bot computers as junk email servers, sending out massive amounts of bulk email. Some bots are even used to scour the Internet and harvest email addresses. According to anti-spam company Postini, botnet-generated spam comprises 20% of all email spam traffic.
  • Spreading malware – in most cases botnets are used to spread new bots and grow the network of infected computers, but they can also be used to spread viruses, keyloggers, adware, and other malicious objects.
  • Click fraud – many websites place advertisements on their pages and make money every time an ad is clicked. An attacker can abuse this by programming a botnet to click the advertisements automatically and artificially inflate the website’s click-through count.

How Can You Tell if You're Infected?


An infection that turns your computer into a bot might cause your machine to slow down, display mysterious messages, or work in an unexpected manner. It usually doesn’t disable your computer, because bots must stay powered on and connected to the Internet for the botnet to work.



How Can Botnets Be Prevented?


For starters, all servers and end user machines should have quality, up-to-date anti-virus software installed, and operating system patches should be kept current. Unpatched or noncompliant computers put every network user at risk. Since users can introduce vulnerabilities into a network, devices such as USB flash drives should be closely controlled and only job-essential programs should be installed on a machine. A secure network must also include the computers used by remote users. Network access control (NAC) technology should be used to ensure that only machines that comply with corporate security policies can access the network.

Even with these preventative measures in place, administrators must review logs from firewalls, intrusion detection systems, DNS servers, and proxy servers, since abnormal behavior can be a sign of an infection. Bots can communicate over any port they choose, so look for outbound SMTP connection attempts from machines other than your mail server, and for abnormal traffic loads on non-standard ports. Administrators should also introduce strict inbound and outbound filters. Restricting outbound connections prevents bots from reaching their home network, so even if a bot program finds its way in, it is relatively harmless if it cannot communicate with the remote attacker who controls it.

It is also possible to use more sophisticated techniques to study and detect botnet threats. One of these techniques is known as honey potting or honey netting. Honey pots are machines built to be an easy target for attacks. Their role is to become infected on purpose, allowing the administrator to pinpoint the source of the problem and study the attack method, and thereby gain insight into how to keep the botnet out of the secured network, or eliminate it if it is already present.



What Can Thrive Do To Help?


Internet threats like botnets are constantly evolving as attackers modify them to try to stay ahead of the security companies. Following best practices, staying informed, and making sure your network administrators are aware of the nature of the threat and how to prevent it will offer you the best protection. Thrive is constantly monitoring Internet threats and developing best practices for enterprise-level prevention. If you have any questions about botnets or other Internet threats, please feel free to contact us.