A botnet and rootkit removal 101

Stealthy botnet and rootkit attacks on enterprises are on the rise. Mikko Hypponen, F-Secure's chief research officer, speaks to SearchSecurity.in about recent botnet and rootkit attack patterns and ways to secure enterprises against such attacks.

SearchSecurity.in: How are rootkits utilized to attack the corporate?
The rootkit is basically a technology that hides the infection, which started almost five years ago and has become common and a standard part of malware. Rootkits within malware can hide infected files, registry keys and open ports. Even an advanced user may be unable to tell if a machine is infected, as rootkits hide the cause of infection. It can be used to create a 'backdoor' into the system for the hacker's use, alter log files, attack other machines on the network, and alter existing system tools to escape detection.
SearchSecurity.in: Can you give us some rootkit removal tips?
There are two rootkit removal options after you detect them. The first way is to restore a known clean backup. If you encourage regular backups, you don't have to clean anything as such. If you don't have a full backup, then you should remove rootkits by undoing all the system changes performed by these malware. This can be a complicated process.
The most complicated rootkits that we have seen cannot be removed from within Windows. So you should basically reboot to a different operating system (from a CD-ROM or a USB stick), and then perform the cleaning.
SearchSecurity.in: How much of a serious threat are botnets and rootkits in Asia, especially in India?
In India, the average internet connection speed is slower as compared to the US or Europe, a primary factor that has a direct impact on activities undertaken through an infected computer. If a machine does not have enough bandwidth, the attackers are not interested. They need machines with fast connections and sufficient bandwidth to send spam and malicious emails, so this works to the advantage of Indian users.
We have observed rootkit-enabled Trojans which are complicated in structure and target online banking transactions. Targeted corporate espionage attacks are also on the rise; however, they are few in number.
SearchSecurity.in: In what ways can organizations detect and mitigate bot attacks within their networks?
Organizations must strengthen individual workstations to block, prevent and detect the infection. With network traffic monitoring, IDS and IPS, companies should be able to locate in-house infections created by botnets. An administrator who monitors firewall logs can also manually detect bots by keeping an eye on user activity.
If user PCs connect to servers used by known botnets, they can identify infected machines on the corporate network. After detecting bots, administrators can disconnect the computer and manually clean it to avoid re-infection of other machines.
SearchSecurity.in: Can you provide us with some best practices to avoid bot attacks?
Training, education and a strong user policy are the first best practices. Users should be trained about the infection mechanisms and best practices to avoid such attacks. A good way to avoid infection is to establish a policy where users can use their work computers only for business purposes. Most infections come through the Web, of which most come from work and recreational access. People conducting Google searches end up on pages that often infect their computers.
SearchSecurity.in: What other trends do you see in usage of bots?
Botnets on mobile platforms are on the rise. We have already seen two mobile phone botnets so far, and it can only get worse. We saw a botnet running on a Symbian-based mobile device and another on an Apple iPhone. Smart phones have access to the Internet and can be targeted for hacks similar to computer-based attacks. The attacker benefits through mobile malware by making money quickly and easily, since he can trace calls, messages and expensive premier numbers straight from the phone.