When we visit websites, unknowingly our computers can be victims of a botnet. There should be a way to identify whether we are victims or not. What is the way to identify it, and how to recover from it?
Why does visiting a website make you a victim of a botnet? – schroeder May 29 '15 at 18:03
In terms of recovery, see http://security.stackexchange.com/questions/24195/how-do-you-explain-the-necessity-of-nuke-it-from-orbit-to-management-and-users – user2320464 May 29 '15 at 22:59
4 Answers
You can detect if your clients have become a part of a botnet in three ways.
- Detect the botnet code using anti-virus software on clients.
- Detect the traffic from the client to the command-and-control server using an IDS sensor.
- Additionally, you can also detect if your clients download malicious software containing botnet code using a web proxy. Here you also should block such download attempts - so this does not really answer your question.
But back to your question on how to detect if your clients already are part of a botnet. The most effective way (in my opinion), is to detect communication between botnet clients and botnet servers by installing an Intrusion Detection System (IDS) sensor in your network.
You configure this IDS sensor with a list of known C&C traffic, and traffic patterns that indicate that there is a botnet client.
When the IDS sees traffic to the C&C servers, it can be configured to warn you about such traffic.
A commonly used IDS product is Snort, and a commonly used ruleset for detecting C&C traffic is emerging-botcc.rules.
Another avenue is monitoring DNS requests. OpenDNS is the best option in this space, or have a network monitoring device (IDS/IPS) monitor this traffic. – user2320464 May 29 '15 at 21:20
OpenDNS would "only" detect botnets that use hostnames for communication. Most do, so definitely a good approach. But some might slip past you if you rely on blocking using DNS alone. – Dog eat cat world May 29 '15 at 22:44
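The two detection approaches the answer above describes, a lookup against a list of known C&C addresses (what a ruleset such as emerging-botcc.rules feeds into an IDS) and a traffic-pattern heuristic for regular check-ins to one destination, as an added example that is not code from the original post. The connection log, the internal hosts and the "known C&C" entry are constructed placeholders drawn from documentation address ranges, not real indicators.

```python
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Constructed connection log: "<ISO timestamp> <src> <dst> <bytes>".
# Addresses are RFC 5737 documentation ranges, not real indicators.
SAMPLE_LOG = """\
2015-05-29T18:00:00 10.0.0.5 203.0.113.9 512
2015-05-29T18:00:05 10.0.0.7 198.51.100.4 300
2015-05-29T18:00:10 10.0.0.7 198.51.100.80 48211
2015-05-29T18:00:35 10.0.0.7 198.51.100.4 300
2015-05-29T18:01:00 10.0.0.5 203.0.113.9 512
2015-05-29T18:01:05 10.0.0.7 198.51.100.4 300
2015-05-29T18:01:35 10.0.0.7 198.51.100.4 300
2015-05-29T18:02:00 10.0.0.5 203.0.113.9 512
2015-05-29T18:03:00 10.0.0.5 203.0.113.9 512
2015-05-29T18:07:44 10.0.0.7 198.51.100.80 9120
2015-05-29T18:21:13 10.0.0.9 203.0.113.9 128
"""
# Constructed stand-in for a C&C list such as emerging-botcc.rules.
KNOWN_CC = {"203.0.113.9"}

def parse_log(text):
    """Parse log lines into (timestamp, src, dst, bytes) tuples."""
    events = []
    for line in text.splitlines():
        ts, src, dst, size = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(size)))
    return events

def find_known_cc(events):
    """Signature check: internal hosts that contacted a listed C&C address."""
    return sorted({src for _, src, dst, _ in events if dst in KNOWN_CC})

def find_beacons(events, min_hits=4, max_jitter=2.0):
    """Heuristic check: (src, dst) pairs contacted at near-constant intervals.
    Updaters and mail clients poll too, so hits are leads, not proof."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in events:
        by_pair[(src, dst)].append(ts)
    beacons = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if pstdev(gaps) <= max_jitter:
            beacons.append((src, dst, round(sum(gaps) / len(gaps))))
    return sorted(beacons)
```

On the sample, the list check flags both hosts that touched the listed address, including the one that connected only once, while the beacon heuristic also surfaces a 30-second check-in to an address that is on no list, which is the kind of lead the second check adds.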
There is no single way to do this - that is part of the reason botnets are such a problem. If there was a single solution, it would be implemented by most ISPs and organisations already.
Most of the time, the best we can do is apply a number of heuristics, rules of thumb, which will give an indication of possible botnet issues, but are not guaranteed to be correct - you can get false positives.
As pointed out in other responses, the general solution is focused around identifying unusual traffic patterns as the botnet tries to communicate with its C&C. This could involve monitoring DNS requests or monitoring traffic through your firewall. There are also commercial services that will perform this type of monitoring for a network. You provide them with a list of your IP addresses and they monitor known botnet C&C for traffic from your network.
Of course, the best solution is to just avoid becoming part of a botnet in the first place. In the majority of cases, malicious software needs action from the user in order for the computer to become part of the botnet. Avoid all the standard vectors: don't open unsolicited emails from people you don't know, don't install software from sites you don't trust, when a page pops up telling you to upgrade Flash don't just agree (go to the Adobe site, see if there is a Flash upgrade, and get it and install it from there), be suspicious of anything which sounds too good to be true (it probably isn't), etc.
The other important step to take is: don't give your normal user account administrator rights. Use a separate account for administration, such as installing software, updates and making system changes. It is a little less convenient because sometimes you will need to log out of your normal account and then log into a different account with admin privileges, and then when you're done, log out and log back into your normal account and open up everything again, etc., but the level of protection this buys is worth it. Run a good anti-virus/anti-malware solution and ensure it and your OS are updated regularly. When your anti-virus or anti-malware warns you, take notice. Don't put convenience first.
A real-world example. Last week, we had a user with computer problems. We picked this up due to unusually high traffic from her computer to a specific remote IP address. We suggested she bring her computer in so that we could look at it. It was full of viruses and malware. We noticed she was not running the anti-virus/anti-malware solution we provide to all our clients for free. Asked her why she wasn't running it:
"Oh, I removed it. The silly thing kept popping up all these silly windows whenever I was trying to watch TV and Movies from this site I use."
"OK, do you remember what the popups said?"
"No, not really, something about a warning - I didn't bother reading them, would just click OK and then a few minutes later another one would pop up, so I removed the software; that fixed the problem."
"You probably shouldn't do that. The software is trying to warn you about viruses and malware trying to infect your computer."
"But it was stopping me from watching my TV shows. You guys really need to fix your network, it isn't right that it keeps infecting my computer. You need to do your job better."
This is like asking, "How can I tell if someone is taking medication?" It's too broad to answer. Different botnets use different programs on a victim's computer to achieve control. The best steps to follow, without knowing if you are even compromised (nevermind by which botnet), are to follow standard best practices:
a) employ a good perimeter firewall that has traffic filtering and packet inspection capabilities, ideally something newer (newer firewalls mean newer protection techniques)
b) Install anti-virus/anti-malware on your computers, and KEEP THEM UPDATED. Schedule regular nightly scans.
c) Keep all your software, not just your operating system, patched and updated on a nightly basis.
d) Either employ a security-savvy IT individual or use a managed security services provider to watch the firewall and host logs - logging problems that get ignored is about as helpful as not logging them at all. If something does get through, having someone watching your logs will be a big help in addressing the problem quickly.
e) Train users. Explain to anyone on your network that they need to avoid going to websites they are not familiar with, and be very cautious about clicking links in emails, from search engines, etc. Preventing people from visiting the malicious websites in the first place is a great way of avoiding bot exploits altogether (the new firewall will also help with this; a good UTM or smart perimeter device with web content filtering can prevent users who forget their training)
f) Quarantine and analyze computers that you suspect to be infected. If you stick your head in the sand, your devices may be actively exploiting others, used in very serious attacks, and exposing you to further damages and liability. Negligence is not innocence.
Hope that helps!
"can prevent users who forget their training" ... from hitting malicious websites. :) They haven't yet figured out how to prevent forgetful users. – envelope May 29 '15 at 18:25
Sometimes the exploits are hosted on legit pages (eg. the official Mozilla ftp server) – Ángel May 29 '15 at 18:37
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. It enables attackers to inject client-side script into Web pages viewed by other users.
Let's say you are accessing innocent.com and it has an advertisement frame which connects to attacker.com. attacker.com has control of that frame, and so of the code inside it.
That code may have a part that just sends "ping" packets to the victim computer using your computer.
Detection is very hard in this situation because distinguishing a normal request running in that frame from a normal request is almost impossible. Considering the fact that the behavior model of botnets is generally more aimed at consuming resources (availability), packets used for the botnet and packets used for normal advertisement may not differ.
Prevention is easier than detection. Connect to websites with SSL (HTTPS) and never connect to websites which are flagged as dangerous by your anti-virus program.