Botnet protection and detection for botnet attacks

New contributor Ian Kilpatrick reviews the array of tools that'll help you fight off the bots.

Although there are actually many valid purposes for botnets, particularly for Web indexing, botnets are frequently used for malicious activity.

These networks of compromised computers have revolutionised the spam industry, helping to push the volume of unwanted messages to epidemic proportions, despite the best efforts of law enforcement and the computer security industry. This tip examines how botnets operate and steps you can take to avoid botnet attacks.

Not limited to email, botnet attacks are also a Web-based threat. Employees, for example, may visit an infected website, which can then either deliberately or inadvertently download the botnet's malicious software onto the victim's system, effectively compromising the machine and making it part of the botnet. Often a legitimate site has itself been hijacked to serve the malware, in what is known as a drive-by download.

Becoming part of a botnet can be quite easy. Machines without the right antivirus software, or whose vulnerability patches are not applied promptly, certainly make an easy target. Some phishing emails may also trick users into visiting already infected websites. There are many other routes to infection: employees could accidentally bring bots in on laptops or USB drives, or even pick them up by taking part in MMORPGs (massively multiplayer online role-playing games).

Botnet infections may easily go unnoticed, and once a machine is compromised the attacker can secretly use it to penetrate the corporate network, send out large volumes of spam, or harvest keystrokes, passwords, online banking credentials and logon details.

The recent Torpig botnet, for example, collected data when banks, PayPal and E-trade Financial Corp. accounts were accessed by users. It also had the ability to deliver a falsified data collection form when a user attempted to conduct online banking, as well as collect user names and passwords from Microsoft Outlook.

The effect of botnet attacks can ultimately hurt your business. A group of infected computers, controlled by a botherder, for instance, can be used to launch a concerted distributed denial-of-service (DDoS) attack on commercial websites to take them out of action.

Significant spam activity could slow down the network and leave systems sluggish. It's also possible that a company could find itself blacklisted by spam filters as a result of its botnet-controlled computers forwarding all the unwanted messages.

There's also the chance that a company website could be hijacked by a bot and used to deliver malicious software to site visitors, including customers – this is not a good idea!

Botnet protection: How to defend against botnet attacks
There are many actions that organisations can take to protect themselves from becoming part of a botherd. Applying security patches to key applications, as soon as is practicable, is a major help. These vulnerabilities, which can be easily exploited by attackers, are high risk until patched. In a 2009 cybersecurity report by Lumension Security Inc., security and forensic analyst Paul Henry said: "Until the underlying patch-management issue is dealt with, botnets will continue their explosive growth on the public Internet."

The best way to protect against botnets is to have the proper security products in place to begin with. For companies, the place to provide primary protection is at the gateway. Gateway security, however, may not be enough when mobile users and visitors are connecting inside the gateway. Proper access control and strong two-factor authentication will help reinforce defenses in this case.

If employees use USB thumb drives, laptops, iPods, etc. inside the gateway, there is the risk that they are bypassing gateway security controls and infecting network-connected devices. A company security policy, therefore, should cover the safe use of mobile equipment.

Other high risk areas inside the network include infections picked up from staff visiting malicious websites. There is a mistaken belief that Web content filtering, based on signatures, will protect against this type of attack. Unfortunately this is not the case. A classic security method to defend against Web malware is to deploy multi-layer protection. Gateway defenses should work in tandem with endpoint protection on users' PCs. These products should ideally be provided by different manufacturers.

There are many endpoint (PC/laptop) products available that will provide protection. Tools from companies such as Check Point Software Technologies Ltd. and Kaspersky Lab Inc. scan all incoming and outgoing traffic on a machine for malicious content, and so guard against botnet hijacking by blocking malicious code downloads from infected websites. The same packages also safeguard against Trojans arriving by email or on mobile devices, including USB drives.

Web security companies like Marshal8e6 Inc. and Finjan Software Inc. provide Web gateway protection that can identify and defend against malicious code loaded on rogue and genuine websites. If you want to protect your own website from being infected and delivering malicious code to your customers, providers such as Check Point and Barracuda Networks Inc. have Web application firewall capabilities to protect against this increasingly prevalent threat. Other products, such as Barracuda Networks' anti-spam, virus and spyware firewall, can help protect traffic going in and out of a given network. This would include attempts to send spam or return spyware data.

Bots can also be detected with traffic management products, such as those from Allot Communication Ltd., which identify traffic patterns, even masked ones, that could indicate bot activity. Network intelligence systems, including those from Loglogic Inc. or ArcSight Inc., can also help: this forensics gear brings together and analyses all the log information on a network, down to the individual PC, highlighting any unusual behaviour.
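As an added illustration of the per-host log analysis described above (example code written for this page, not code from the article or from any vendor it names), the script below parses constructed firewall log lines and flags two bot-like behaviours: a workstation sending SMTP to many different peers, and a host checking in to one address on a fixed timer. The log format, addresses and thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
# Constructed firewall log lines for illustration (not from any real network).
SAMPLE_LOG = """\
2009-06-01 09:00:00 src=10.0.1.25 dst=203.0.113.10 dport=25
2009-06-01 09:00:02 src=10.0.1.25 dst=203.0.113.11 dport=25
2009-06-01 09:00:03 src=10.0.1.25 dst=203.0.113.12 dport=25
2009-06-01 09:00:00 src=10.0.1.40 dst=198.51.100.7 dport=443
2009-06-01 09:01:00 src=10.0.1.40 dst=198.51.100.7 dport=443
2009-06-01 09:02:00 src=10.0.1.40 dst=198.51.100.7 dport=443
2009-06-01 09:03:00 src=10.0.1.40 dst=198.51.100.7 dport=443
2009-06-01 09:00:10 src=10.0.1.50 dst=192.0.2.8 dport=25
2009-06-01 09:00:14 src=10.0.1.50 dst=203.0.113.80 dport=80
"""
LINE_RE = re.compile(r"^(\S+ \S+) src=(\S+) dst=(\S+) dport=(\d+)$")

def parse_log(text):
    """Turn each line into (timestamp, src, dst, dport); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3), int(m.group(4))))
    return events

def spam_suspects(events, max_mail_peers=1):
    """Hosts talking SMTP (port 25) to more peers than a workstation should (normally only the relay)."""
    peers = defaultdict(set)
    for _, src, dst, dport in events:
        if dport == 25:
            peers[src].add(dst)
    return sorted(src for src, dsts in peers.items() if len(dsts) > max_mail_peers)

def beacon_suspects(events, min_hits=4, max_jitter=0.1):
    """(src, dst) pairs hit at near-constant intervals (bot check-in); jitter = stdev/mean of gaps."""
    times = defaultdict(list)
    for ts, src, dst, _ in events:
        times[(src, dst)].append(ts)
    flagged = []
    for pair, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            flagged.append(pair)
    return sorted(flagged)
```

On the sample data, 10.0.1.25 is reported as a likely spam bot and 10.0.1.40 as beaconing to 198.51.100.7, while 10.0.1.50, which only mails the relay and browses normally, is not flagged.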

At a corporate level, some of the above products may help disinfect your existing estate. Websites such as Spamhaus.org, too, explain how you can identify and remove botnets if you're worried you may have one. This overall depth of defenses provides a strong layer of protection against botnets and bot attacks.

About the author:
Ian Kilpatrick is chairman of value added distributor Wick Hill Group plc, specialists in secure infrastructure solutions. He has been involved with the group for more than 30 years. Wick Hill is an international organisation supplying SMEs and most of the Times Top 1000 companies through a value-added network of accredited resellers. 
