How to Defend Against New Botnet Attacks
Introduction
Botnets are comprised of computers controlled by a malicious server or master, and are the
main distribution technology for spam, malware and phishing schemes. When computers are
knowingly or unknowingly corrupted by software designed to direct their actions, these
computers are unable to prevent or resist the commands of the bot owner. Botnets pose
continued threats to businesses and are among the most harmful when they successfully penetrate
a business network or obtain access to confidential data. Evidence of how widespread
and profitable botnets are became apparent when the operations of the Internet Service Provider (ISP)
McColo Corporation were ordered to cease by law enforcement officials in November 2008.
McColo Disrupted
McColo Corporation, a California-based ISP, had its operations taken down when evidence
of criminal activities originating from its network was uncovered by law enforcement
officials. Investigations by security researchers found that McColo Corporation had become
the preferred home of many botnet command and control servers.
McColo Corporation was believed to have provided services to some of the world’s largest
cyber criminal operations by hosting a variety of servers that enable billions of dollars
worth of illegal activities. It is estimated that as much as 75 percent of the world’s
spam originated from McColo Corporation’s operations. Immediately following its closure,
the volume of spam decreased dramatically giving some false security hope that the risks
to businesses from these sources would diminish.
In the weeks following McColo Corporation’s service shutdown, spam volumes began to increase.
The increase in spam stems from the migration of botnets from McColo Corporation’s hosting
centers to other hosting services. Srizbi, Mega-D and Rustock were the top three botnets
hosted by McColo Corporation. At least two, Srizbi and Mega-D, resurfaced within weeks of the
closure of McColo Corporation’s operation. Srizbi has relocated its operations to Estonia and
is, once again, distributing spam, proving the sophistication and longevity of these converged threats.
The closure of McColo Corporation’s operations did not diminish the risks to business from
botnets. It demonstrated the global scale, sophistication and efficiency of botnet operations.
The rise of spam and the potential threats they represent to businesses will increase despite
closure of McColo Corporation.
The technologies that enable botnets to perpetuate widespread fraud, block IT systems, steal
confidential information, open businesses to potential litigation and damage brand reputation,
are evolving toward a more complex, highly undetectable, and highly dispersed set of structures.
The evolution of botnets and the increasing threats they represent for business requires an
effective approach to the detection of and protection against the harm they can inflict.
In this document, we will define what botnets are, examine the consequences and changes in
botnets since the McColo Corporation shut down, present the future state of botnets, analyze
the risks botnets represent, and lay out a strategy for combating these threats within a managed services environment.
"It is estimated that as much as 75% of the world’s spam originated from McColo Corporation’s operation." - March 2009 MessageLabs Intelligence Report.
So what exactly is a Botnet?
Botnets are networks of computers infected with an instruction set, controlled and manipulated
through software that is deliberately or unknowingly installed, and directed by a malicious server
or master. Botnets may have legitimate business functions, such as sharing program processing, but are most
often linked to criminal actions that disseminate spam, malware or phishing schemes. As much as 10
percent of all computers on the Internet are infected by botnets, according to recent studies.
When infected with bot software, the computer becomes unable to resist or counter the commands of the bot owner.
The size of the botnet depends on the complexity and sophistication of the bots employed. A large
botnet may be comprised of 10,000 individual computers. Usually, the users of infected computers
are not aware that the computers are being remotely controlled and exploited through Internet Relay Chat (IRC).
Because bots blend many malware technologies, describing bots and their sophistication
can be difficult. Attackers overlap technologies in ways that cross traditional boundaries,
making classification difficult. Botnets are the ultimate blended threat delivering a variety of attacks:
Distributed Denial of Service (DDoS) Attacks
With thousands of zombies distributed around the world, a botnet may launch a massive, coordinated
attack to impair or bring down high-profile sites and services by flooding the connection bandwidth
or resources of the targeted system. Multigigabit-per-second attacks are not uncommon. Most common
attack vectors deploy UDP, Internet Control Message Protocol (ICMP), and TCP SYN floods; other
attacks include password "brute forcing" and application-layer attacks.
Targets of attacks may include commercial or government Websites, email services, Domain Name
System (DNS) servers, hosting providers, and critical Internet infrastructure, even anti-spam
and IT security vendors. Attacks may also be directed toward specific political and religious
organizations, as well as gambling, pornography, and online gaming sites. Such attacks are sometimes
accompanied by extortion demands.
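The TCP SYN flood named above is the one of these vectors that shows up most clearly in connection data: a flood leaves many half-open handshakes from many sources, while normal clients complete the handshake. The following is an added example, not code from the white paper or from any vendor it names; it runs a simple SYN-flood heuristic over constructed packet summaries. The record format (time, source, destination, TCP flag string), the sample addresses and the thresholds are all assumptions chosen for illustration.

```python
"""Added example: flag a likely TCP SYN flood from per-destination handshake statistics.

Assumptions (not from the page): each record is (time_s, src_ip, dst_ip, flags) where
flags is "S" for SYN, "SA" for SYN-ACK and "A" for a bare ACK. Real input would come
from a flow exporter or packet capture feeding the same tuple shape.
"""

# Constructed sample: one legitimate client completes a handshake with the server
# 198.51.100.10, then 500 SYNs arrive from 250 distinct (spoofed) sources and none
# of them is ever completed with an ACK.
SAMPLE_PACKETS = [
    (0.00, "203.0.113.5", "198.51.100.10", "S"),
    (0.01, "198.51.100.10", "203.0.113.5", "SA"),
    (0.02, "203.0.113.5", "198.51.100.10", "A"),
] + [
    (0.10 + i * 0.001, f"192.0.2.{i % 250 + 1}", "198.51.100.10", "S")
    for i in range(500)
]


def analyse(packets, window_s=1.0):
    """Count, per destination and within one time window starting at the first packet:
    SYNs received, handshakes completed (a bare ACK from a source that sent a SYN),
    and the set of distinct SYN sources."""
    stats = {}
    pending = set()  # (src, dst) pairs that have sent a SYN and not yet completed
    if not packets:
        return stats
    t0 = packets[0][0]
    for t, src, dst, flags in packets:
        if t - t0 > window_s:
            break
        s = stats.setdefault(dst, {"syn": 0, "completed": 0, "sources": set()})
        if flags == "S":
            s["syn"] += 1
            s["sources"].add(src)
            pending.add((src, dst))
        elif flags == "A" and (src, dst) in pending:
            s["completed"] += 1
            pending.discard((src, dst))
    return stats


def flag_syn_flood(stats, min_syns=100, max_completion_ratio=0.1, min_sources=50):
    """Return (dst, syn_count, distinct_sources, completion_ratio) for destinations whose
    SYN volume is high, whose handshakes mostly never complete, and whose SYNs come from
    many sources. A single misbehaving client fails the source-count check and is not
    reported; thresholds are illustrative and would be tuned to the network's baseline."""
    alerts = []
    for dst, s in stats.items():
        if s["syn"] < min_syns:
            continue
        ratio = s["completed"] / s["syn"]
        if ratio <= max_completion_ratio and len(s["sources"]) >= min_sources:
            alerts.append((dst, s["syn"], len(s["sources"]), round(ratio, 3)))
    return alerts


if __name__ == "__main__":
    for alert in flag_syn_flood(analyse(SAMPLE_PACKETS)):
        print("possible SYN flood:", alert)
```

The completion ratio is what separates a flood from a legitimate traffic spike: a busy but healthy server still sees most SYNs turn into established connections.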
Spyware and Malware
Botnets, sometimes referred to as Zombies, monitor and report users’ Web activity for profit,
without the knowledge or consent of the user. They may also install additional software to gather
keystroke data and harvest system vulnerability information for sale to third parties.
Identity Theft
Botnets are often deployed to steal personal identity information, financial data, or passwords
from a user’s PC and then either sell it or use it directly for profit.
Adware
Zombies may automatically download, install, and display popup advertising based on a user’s
surfing habits, or force the user’s browser to periodically visit certain Websites.
Email Spam
Most of today’s email spam is sent by botnet zombies.
Phishing
Zombies can help scan for and identify vulnerable servers that can be hijacked to host phishing
sites, which impersonate legitimate services (e.g., PayPal or banking Websites) in order to steal
passwords and other identity data.
Malicious bots continue to infect the Internet using sophisticated tactics, such as converged email
and web attacks. In 2007, botnets became the dominant technology used to distribute not only spam but
also malware and phishing schemes. In 2008, botnets were responsible for about 90 percent of all spam
email, according to recent studies. And in 2009, they have morphed to a P2P delivery method.
Botnet Sophistication
In 2009, major botnets have reasserted themselves on the Internet, morphing into even more
sophisticated threats. Botnet operations are hosted by service providers in countries such as
Russia, Brazil or China. Adoption of newer technologies is improving the efficacy of botnets
and making them harder for businesses to combat. Legitimate websites have been attacked more
aggressively, affecting the core competencies of businesses.
The most sophisticated attack technique will take the form of hypervisor technology. A hypervisor
is a program that allows multiple operating systems to share a single hardware host.
The hypervisor controls the host processor and resources for each machine. Each operating system
will appear to have the host’s processor and resources to itself but does not realize it is controlled by the
commands of a malicious server or master.
Another attack technique will be through Fast Flux domains. This technique hides the true location
of spam, malware and phishing sites by concealing them and rapidly changing addresses of Web proxies.
This makes identifying phishing schemes more difficult and leaves the users unaware that they accessed
illegitimate sites. Fast flux can be attached to domains or domain name servers or both. When applied
to both the domain and the domain name server, this technique has been referred to as double flux.
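Fast flux and double flux leave a measurable trace in DNS: the same name keeps resolving to different addresses, the answers carry short TTLs so caches expire quickly, and the addresses are scattered across unrelated networks. The following is an added example, not code from the white paper; it applies that heuristic to constructed lookup observations and distinguishes single flux (only the domain's A records rotate) from double flux (the name servers' addresses rotate as well). The observation tuple, the use of /16 prefixes as a stand-in for hosting-network diversity, the sample addresses and the thresholds are assumptions for illustration.

```python
"""Added example: classify domains as fast flux / double flux from repeated lookups.

Assumptions (not from the page): each observation is (domain, rtype, ip, ttl) where
rtype "A" holds an address returned for the domain itself and rtype "NS" holds an
address of one of its authoritative name servers (the glue records). Prefix
diversity is approximated with /16 networks; real detectors use ASN data.
"""
import ipaddress
from collections import defaultdict

FLUX = "fluxdomain.example"   # constructed name
BENIGN = "www.example.net"    # constructed name

# Constructed observations: the flux domain answers with eight addresses in eight
# different /16s at a 120 s TTL and its name servers rotate too; the benign site
# has two addresses in one /16 at a one-hour TTL and stable name servers.
OBSERVATIONS = (
    [(FLUX, "A", f"{100 + i}.{20 + i}.0.{i + 1}", 120) for i in range(8)]
    + [(FLUX, "NS", f"{150 + i}.{30 + i}.0.{i + 1}", 180) for i in range(5)]
    + [(BENIGN, "A", "192.0.2.10", 3600), (BENIGN, "A", "192.0.2.11", 3600),
       (BENIGN, "NS", "198.51.100.1", 86400), (BENIGN, "NS", "198.51.100.2", 86400)]
)


def summarise(observations):
    """Group observations by (domain, rtype): distinct IPs, distinct /16 prefixes, TTLs seen."""
    per_key = defaultdict(lambda: {"ips": set(), "prefixes": set(), "ttls": []})
    for domain, rtype, ip, ttl in observations:
        entry = per_key[(domain, rtype)]
        entry["ips"].add(ip)
        entry["prefixes"].add(str(ipaddress.ip_network(f"{ip}/16", strict=False)))
        entry["ttls"].append(ttl)
    return per_key


def is_fluxing(entry, ttl_max=300, min_ips=5, min_prefixes=3):
    """A record set looks fluxed when TTLs are short AND many addresses AND many networks
    were seen. All three are required: CDNs also use short TTLs and many addresses, so
    a single signal on its own would produce false positives."""
    if entry is None:
        return False
    return (min(entry["ttls"]) <= ttl_max
            and len(entry["ips"]) >= min_ips
            and len(entry["prefixes"]) >= min_prefixes)


def classify(observations, **thresholds):
    """Return {domain: "double flux" | "fast flux" | "ns flux" | "none"}."""
    summary = summarise(observations)
    verdicts = {}
    for domain in sorted({d for d, _ in summary}):
        a_flux = is_fluxing(summary.get((domain, "A")), **thresholds)
        ns_flux = is_fluxing(summary.get((domain, "NS")), **thresholds)
        if a_flux and ns_flux:
            verdicts[domain] = "double flux"
        elif a_flux:
            verdicts[domain] = "fast flux"
        elif ns_flux:
            verdicts[domain] = "ns flux"
        else:
            verdicts[domain] = "none"
    return verdicts


if __name__ == "__main__":
    for name, verdict in classify(OBSERVATIONS).items():
        print(f"{name}: {verdict}")
```

In practice the observations accumulate over hours or days of passive DNS collection; a single lookup cannot reveal flux because each answer on its own looks ordinary.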
The most notable attack technique has been P2P. For example, the Nugache botnet was spreading
peer-to-peer via a widely used instant messenger service, using encrypted code as the Command
and Control mechanism. This meant it was "headless" and far harder to detect. The botnet appeared
like a P2P file-sharing arrangement without any discernible origin.
Whether it is fast flux, P2P, or hypervisor technology, the way botnets morph to attack your
company is just as complicated as the types of attacks they are delivering. Clearly, botnet
threats are growing and increasing in technical sophistication, which requires a strong security
defense to safeguard businesses against the risks presented by the attacks they deliver.
Botnets have become increasingly flexible in their functionality, simultaneously sharing resources
across many criminal operations.
"Botnets are valuable assets because they enable attackers to control a network of compromised
computers to perform various actions such as launch DoS attacks, scan for vulnerabilities, and
conduct spam or phishing campaigns."
- Symantec Report on the Underground Economy 2008
How Does a Botnet Affect Your Business and Your Network?
With such botnet dangers lurking and emerging, businesses must identify and implement leading edge
security. To do so, businesses must understand not just how botnets function but, also, the real risks
they pose to their operations.
The ability to respond quickly and effectively to a botnet intrusion continues to be the most pressing
challenge to businesses. Unfortunately, relying on signature-based technology alone to combat these threats
can leave your business exposed. It can take a few hours (or even a few days) to detect and respond to a
botnet through use of this type of technology. Because botnets are complex and are difficult to combat and
eliminate, businesses remain at risk.
Botnets are attractive to high tech cyber criminals because they can be reconfigured to commit different
crimes, relocated to new hosting services, and reprogrammed in response to new security developments.
Cyber criminals use them to commit offenses on a massive scale.
Owners of these operations use the devastating power of the botnet for deliberate and targeted attacks
against businesses. Beyond distribution of spam, hacking email databases, executing distributed denial
of service (DDoS) attacks or blackmailing businesses with the threat of DDoS, botnet operations are
increasingly being utilized for information theft in the form of financial fraud or corporate espionage.
A chief weapon of botnets, however, is the DDoS attack. A sophisticated DDoS attack can block IT systems
for hours or days and can cause direct financial losses for the affected organization; indirectly, the
entire economy can suffer. With great global economic dependencies, the outage of only a few key industry
elements can have catastrophic consequences and can quickly spread to different regions and industries.
Botnets continue to rely on spam as another important part of their arsenal. Botnets allow spammers to send
millions of messages from infected machines within a very short time. Without precautions in place, these messages
can consume a large percentage of a company network’s bandwidth and server capacity. If servers
fail from the volume of spam, or malware contained in the email is activated, business operations can be impeded,
resulting in financial losses.
When botnets gain access to a company’s operating system or network, they can capture and steal customers’
Social Security numbers, bank accounts, credit card information or confidential business intelligence.
Such a theft may place the business in violation of data confidentiality laws such as HIPAA, Gramm-Leach-Bliley
and state privacy acts. Non-compliance fees, potential individual or class action litigation and
remediation costs have the potential to reach into the millions for a single event.
"For businesses that conduct transactions online, brand erosion as a result of online fraud has become a
serious, boardroom-level issue. In fact, a poll conducted by the CMO Council found that 63.9% of marketing
executives surveyed believe security is significantly impacting their brands." - CMO Council
Fraud and Brand Tarnishing
Businesses that conduct transactions online are often targets for fraud since online transactions require
sensitive personal or business information to be entered into their systems. A well-planned online fraud
by a botnet operation can result in significant financial losses for both the targeted business and its customer.
This can also have indirect brand consequences for the targeted business as consumers question the integrity of
their online transactions.
In February 2009, the customers of a leading national bank were notified by fraudulent email that their accounts had been
suspended. The fraud used a deceptive subject line, a forged sender address, genuine-looking
content and disguised hyperlinks. Readers were directed to a website that had genuine-looking content
and a form for collecting information; only the incorrect URL was not disguised. Not only did the bank suffer
financial and operational losses as consumers flooded call centers and websites, but the trust
and reputation of its online transactions were impaired as well. As a result, the bank must
regain consumer trust through costly marketing efforts, increased security investments and other
brand-rebuilding actions.
As online fraud continues to increase and evolve, companies must enact strategies and tools to
protect their network, finances, operations compliance standards, customers and brand reputation.
Brand erosion from acts of online fraud has begun to reach the boardrooms of businesses. According
to a recent study, 63.9 percent of marketing executives surveyed believe security breaches are
significantly affecting their brands.
But brand erosion isn’t the only issue that keeps executives awake at night. There are also
these troublesome issues:
- Losses from compensating customers for online fraud incidents
- Risks that online banking exposes confidential and customer data to cyber criminals
- Potential litigation caused by security breaches and online fraud
- Preparedness for the latest cyber threats
A fundamental strategy to protect against fraud and brand tarnishing begins with implementing the
best security solution for your business. Many businesses can no longer afford, or are struggling
to maintain, the resources, expertise, investments and scale required by self-managed security solutions.
Moreover, potential vulnerabilities exist within traditional security solutions that open businesses to
costly risks and brand-tarnishing consequences. Managed services can alleviate these problems and
ensure that your security solutions stay ahead of the crime, securing your business’s network, information
and reputation.
Botnets now embody the ultimate blended threat. Botnet code carries almost every conceivable
form of malware, from spyware to downloaders, rootkits, spam engines, and more. To answer like
with like, defenders must employ multiple layers of security. The good news is that there are
techniques and technologies which are surprisingly effective at combating the botnet threat.
What can you do about it?
Stay vigilant
This recommendation seems too obvious to mention, almost like "Try not to get infected!" Yet
we keep meeting IT administrators who spend so much time putting out fires and maintaining an
understaffed help desk, they never look at their system logs. They never monitor bandwidth usage.
They can’t tell you who is connecting to what from their network. They have devices connected to
their network that they don’t even know about.
If this describes you, all we can say is, you are begging for trouble. You might even have bots
on your network as you read this. If you are an administrator who rarely checks your logs, you
must start reading them. Today. Once you learn what "normal" looks like on your network, 30
minutes a day is all you need for a spot check.
If this describes you, the odds are you are not lazy - you are constrained by lack of personnel
and resources. Explain the threat to your bosses and see whether they’ll support you in blocking
out a half hour each morning for checking the status of your network. This time segment should
be defended against meeting requests, conference calls, and other typical interruptions. This
form of insurance is dirt cheap compared to the cost of a network compromise.
Increase user awareness training
Some bots perform mass scans of the Internet, find vulnerable machines, and infect them. A more
prevalent tactic used by bots is to "social engineer" their way onto your network by enticing a
victim to click a link or open a file. These bots have the same restrictions as certain legendary
vampires: they can’t cross your threshold unless you invite them in.
This "luring" approach has gradually constricted itself even further. In the past, attackers
sent malicious executable code as an attachment to an email. This practice has also fallen into
the minority. Most of the action now is web-based. Malicious emails that would have contained
an attachment two years ago now contain a link to a malicious site instead.
That’s your cue to explain to users, in terms they can understand, why they should never
invite the vampire in. Tell them not to open attachments that arrive unsolicited and unexpected;
why they shouldn’t click links in email; and why they must think twice about any unusual links
they click. If you need a starting point, try circulating our video that shows how drive-by
downloads work, described for a non-technical audience:
http://video.google.com/videoplay?docid=-4094518401580008932
While showing this video in training classes, we have literally seen users’ jaws drop and eyes
bulge in shock at how rapidly malicious scripts work - and those users then changed their behavior.
Diligently applying controls such as those we have cited above has allowed networks to run free
of bots for years.
Watch Those Ports
This is a two-part recommendation.
1) Even though the latest bots can communicate over ports every administrator must leave open,
the vast majority of bots still communicate using IRC (port 6667) and other odd, high-numbered
ports (such as 31337 and 54321). All ports above 1024 should be set to block both inbound and
outbound unless your organization has a custom application or special need to open a given port.
Even then, you can open a port carefully, implementing policies such as "open only during business
hours" or "deny all, except traffic from the following list of trusted IP addresses." This simple
measure prevents the garden variety and slow-adopter bots from reaching their C&C for instructions
and updates, essentially killing such bots on arrival.
2) Botnet 2.0 traffic that travels over needed ports such as 80 or 7 often gives itself away by
generating traffic when there should be none. Commonly, botmasters update their zombies between
1:00 a.m. and 5:00 a.m., when they assume no one is watching. Make a habit of checking your server
logs in the morning. If you see web browsing activity when no one was there to do the browsing,
that’s your cue to investigate.
Administrators using WatchGuard Firebox® models will be pleased to know that the Firebox’s proxies
stop non-standard traffic attempting to run on standard ports. For example, the spamming botnet
Mega-D runs non-standard, homebrew traffic over HTTP port 80. The Firebox’s HTTP Proxy would spot
and block such traffic instantly, by default.
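Both parts of this recommendation can be turned into a daily spot check of the firewall log: connections leaving the network for ports above 1024 that nobody approved (with the IRC and classic high ports named above called out by name), and web traffic during the 1:00 a.m. to 5:00 a.m. window when no one is at a keyboard. The following is an added example, not code from the white paper or from WatchGuard; the log line format, the sample addresses and the approved-port list are assumptions constructed for illustration, and the log is assumed to contain only outbound connections.

```python
"""Added example: spot-check an outbound firewall log for the two signals the paper
describes (unapproved high ports, and web activity in the overnight quiet window).

Assumptions (not from the page): lines look like
  2009-03-12T02:14:07 ALLOW TCP 10.0.0.23:51234 -> 203.0.113.9:6667
and every line is an outbound connection from the internal network.
"""
import re
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Ports the paper names as common bot rendezvous points.
SUSPECT_HIGH_PORTS = {6667: "IRC", 31337: "classic backdoor port", 54321: "classic backdoor port"}
# Constructed allowlist: the one custom application this (hypothetical) site needs.
APPROVED_HIGH_PORTS = {8443}
WEB_PORTS = {80, 443}
QUIET_START, QUIET_END = 1, 5  # 01:00 to 05:00 local time, the window the paper cites

# Constructed log lines: two normal workday web requests, an overnight IRC connection,
# overnight web traffic from an unattended desktop, a connection to port 31337, and an
# approved port-8443 session.
LOG_LINES = """\
2009-03-12T09:15:02 ALLOW TCP 10.0.0.23:50312 -> 198.51.100.7:80
2009-03-12T02:14:07 ALLOW TCP 10.0.0.23:51234 -> 203.0.113.9:6667
2009-03-12T03:40:51 ALLOW TCP 10.0.0.41:49822 -> 203.0.113.77:80
2009-03-12T12:01:13 ALLOW TCP 10.0.0.41:49900 -> 198.51.100.7:443
2009-03-12T14:22:39 ALLOW TCP 10.0.0.15:60001 -> 203.0.113.200:31337
2009-03-12T22:05:00 ALLOW TCP 10.0.0.15:60010 -> 198.51.100.20:8443
"""


def parse(line):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def rules(rec):
    """Return (rule_name, explanation) pairs that fire for one parsed connection."""
    found = []
    port = rec["dport"]
    if port > 1024 and port not in APPROVED_HIGH_PORTS:
        label = SUSPECT_HIGH_PORTS.get(port, "unapproved high port")
        found.append(("high-port", f"outbound to port {port} ({label})"))
    if port in WEB_PORTS and QUIET_START <= rec["ts"].hour < QUIET_END:
        found.append(("off-hours-web", f"web traffic at {rec['ts']:%H:%M} with no one present"))
    return found


def scan(text):
    """Run the rules over every allowed connection in the log text; return alert dicts."""
    alerts = []
    for line in text.splitlines():
        rec = parse(line)
        if rec is None or rec["action"] != "ALLOW":
            continue
        for rule, why in rules(rec):
            alerts.append({"ts": rec["ts"].isoformat(), "src": rec["src"], "dst": rec["dst"],
                           "dst_port": rec["dport"], "rule": rule, "why": why})
    return alerts


if __name__ == "__main__":
    for a in scan(LOG_LINES):
        print(f"{a['ts']} {a['src']} -> {a['dst']}:{a['dst_port']}  [{a['rule']}] {a['why']}")
```

The off-hours rule is only as good as the assumption behind it: scheduled jobs, update agents and remote offices in other time zones all generate legitimate overnight web traffic, so the first week of running this is spent learning what "normal" looks like and adding those sources to an exclusion list.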
Block JavaScript
When a bot leveraging web-based exploits attacks a victim computer, it invariably does so by
executing JavaScript. Setting browsers to prompt before executing JavaScript will eliminate
a huge swath of bot infection vectors. We highly recommend having users rely on Firefox as
their primary browser, using the NoScript plug-in to prompt whenever a script tries to execute.
Layer Your Defenses
As Fred Avolio pointed out in a LiveSecurity article,
"Defense in depth is powerful. If I have a single security control that is only 50% effective,
that sets the stage for disaster down the road. But if I line up two different controls in series,
each only 50% effective, I get to 75% effectiveness (the first control catches half the bad stuff,
leaving 50%; the second control catches half of that half, leaving only 25% of the bad stuff). If I
line up five controls, each just 50% effective, I get to nearly 97% efficiency. To get over 99% we
need 4 controls, each 70% effective."
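The arithmetic in that quote generalizes to any number of controls, and writing it out makes the assumption behind it visible. This derivation is added here and is not part of the original article or the quoted LiveSecurity piece. Let control $i$ stop a fraction $e_i$ of the malicious traffic that reaches it, and assume the controls fail independently, so that the traffic one control misses is no more or less likely to be missed by the next. The fraction that passes through all $n$ controls is the product of the individual miss rates, so the combined effectiveness is

$$E = 1 - \prod_{i=1}^{n} (1 - e_i).$$

Checking the figures in the quote:

$$\begin{aligned}
n = 2,\ e_i = 0.5 &: \quad E = 1 - 0.5^2 = 0.75, \\
n = 5,\ e_i = 0.5 &: \quad E = 1 - 0.5^5 = 1 - \tfrac{1}{32} \approx 0.969, \\
n = 4,\ e_i = 0.7 &: \quad E = 1 - 0.3^4 = 1 - 0.0081 = 0.9919.
\end{aligned}$$

The independence assumption is the caveat a practitioner should keep in mind: two controls that share the same blind spot (for instance, two signature engines fed the same signature set) do not multiply their miss rates, and the real combined effectiveness sits closer to the better of the two. Layering pays off most when the controls work on different principles, which is why the paper pairs signature-based filtering with log review, port policy and user training rather than stacking more of the same.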
Get a Security Assessment
Top vendors offer free security assessments and free trials of industry leading security products.
Often at the end of the assessment and trial they can offer reporting about your company on a variety
of threats, traffic and security weaknesses. This can help you determine whether your current security
solutions work and what next steps need to be taken.
How Security Managed Services Can Help
Using a managed service, a customer simply points their MX record to the third-party provider
without having to deploy any on-premise hardware or software. The provider then processes mail,
Web traffic, etc. and passes the filtered content to the customer. The advantages of this approach are that
there is virtually no up-front cost, very little IT time is required to manage the service,
and costs are more predictable because the spikes in malware volume that might necessitate the
purchase of more hardware, storage or bandwidth with an on-premise approach are borne by the provider.
Further, leading managed service providers typically operate very robust, multi-layered defenses that
are updated continually.
Managed services help companies protect their networks in two major ways: layered security service
and "in the cloud" protection.
The multi-layered defense approach to information security refers to the deployment and use of
multiple types of security tools, rather than relying on a single tool or vendor to protect
against threats. Layered security approaches are not limited to information security technology,
as some organizations use physical security mechanisms, internal employee training and other security
measures as part of the total company layered security approach. The benefits of implementing a layered
security strategy are clear. Security vulnerabilities are many, and they vary greatly in terms of the
systems and applications they can affect and the potential damage they can inflict.
"In the cloud" means at the Internet level. Security in the cloud protects a company’s infrastructure
and network as a first line of defense at the Internet level. By harnessing and adding a layer of
security "in the cloud", businesses realize improved security, increased operational performance and
can shift resources to more vital functions of the business.
A managed service is quickly and easily implemented with minimal resource time extending customer
visibility and control over administrative and reporting functions through a secure Internet interface.
It also utilizes various layers of defense to give businesses the highest level of protection from external threats.
Beyond reducing the risks to business networks from threats such as botnets, managed service security
solutions can offload server CPU and bandwidth utilization. By detecting and capturing potential
malware or spam "in the cloud", business servers and bandwidth will have less intensive traffic
volumes to manage and carry. This means operating costs can be reduced.
Another advantage of managed services is the cost of ownership. There are low upfront
implementation costs, minimal implementation time, and very little maintenance, making budgeting
more predictable. Predictability in budgeting expenses is possible regardless of spikes in malware
and spam volumes, an advantage over traditional approaches, which may require additional hardware,
software, bandwidth and storage. Many organizations also realize an improvement in their overall
opportunity costs - the cost of deploying scarce IT resources to other tasks that might provide
more value for the business.
Advantages of Managed Security Service
Lower IT Costs
A typical software implementation involves purchasing and maintaining servers. When subscribing to
a managed service solution, the overhead associated with implementing and managing conventional
software or hardware is avoided.
Economies of Scale
Subscription costs for managed service solutions reflect economies of scale. This makes the overall
system scalable at a far lower cost and enables predictable budget planning.
Pay As You Go
When subscribed to a managed service security solution, payment takes the form of a monthly or annual subscription
fee. The subscription payment structure works to a business’s advantage compared to software or appliance
investment costs.
Save Time
Many typical implementation tasks associated with licensed software are eliminated, deployment time
is much shorter and easier than an appliance or software based project implementation, typically one
to three days for a managed service versus an average of 18 months for a licensed application.
Focus IT Budgets On Competitive Advantage Rather Than Infrastructure
With a managed service, a business frees its IT organization from high-cost, time-consuming IT functions including:
- Purchasing and supporting the server infrastructure to install and maintain the software in house
- Providing equipment redundancy and housing necessary to ensure security, reliability, and scalability
- The more time IT employees spend maintaining equipment, downloading and installing patches, and supporting
software upgrades, the less time they can spend achieving strategically critical objectives
Gain Immediate Access to the Latest Innovations
With traditional licensed software, businesses usually have to wait for the next release to benefit from the
latest innovations. With a managed service, as soon as a new or improved feature appears, a business can begin
using it.
Conclusion
The technologies that enable botnets to perpetuate widespread fraud, block IT systems, steal confidential
information, open businesses to potential litigation and damage brand reputation are evolving toward a more
complex, highly undetectable, and highly dispersed set of structures. The evolution of botnets and the
increasing threats they represent for business requires an effective approach to the detection of and protection
against the harm they can inflict. Managed services can provide an effective layered defense at the Internet
level, protecting businesses from attacks while realizing other business advantages.