“What’s more worrying is that it’s not unusual for PCs on private networks to get infected too, and once one PC in an organisation has it, it starts recruiting its colleagues too.
The risk isn’t just spam or DoS attacks – zombie packages can have a range of features in them, including remote control, and the first targeted malware attacks have now been reported, such as one which aimed to steal data from the UK parliament.”
We all know that botnets are bad: they do the evil bidding of attackers all across the globe. Criminals rent botnets (why buy when you can rent?), spammers use them to send the latest emails that claim to enlarge mail body parts, and I swear there must be a permanent botnet aimed at grc.com ready to take it down upon command. If you don’t know what I am talking about, you should check out this great article about botnets. If you want to know what you can do to prevent botnets, here are a few tips:
- Proxy all outbound connections from your network – When I helped manage the security for a large corporate network, we had a bank of proxy servers. No one could get out to the Internet unless they went through one of these bad boys. We used Squid running on FreeBSD, which is an excellent combination. A bot that can only reach the Internet through a proxy it knows nothing about cannot phone home to its controller, and the proxy logs give you a record of every outbound connection to review. You get the added bonus of caching, which means the proxy server can store images for a limited amount of time and serve them again to save bandwidth and make web browsing a little quicker.
- Don’t just rely on Anti-Virus and Anti-Spyware – I see so many machines that have the latest anti-virus definitions and anti-spyware software/definitions become part of a botnet. Why? Because, as the article says, botnet herders are getting smarter and evading our defenses. Take a look at Cisco CSA, and give the new Core Force a try (it’s still in beta, but may be a good thing to start looking at in the lab). These are behavior-based host intrusion prevention systems that can protect you against zero-day malware that signature-based tools have not seen yet, and help keep those pesky bots off your machines.
- Use your IDS wisely, Grasshopper – Your IDS can be used to detect botnet activity both before infection (the exploit or download that installs the bot) and after it (the bot phoning home to its controller). The Bleeding-Rules project has many good rules for detecting IRC bots, and I’ve got a few homegrown sigs that have proven useful (drop me an email and I will send them along).
- Review your outgoing traffic daily – In addition to your IDS, tools such as IPAudit, Argus, Flow-tools and the like should give you a good idea of what normal looks like on your network. Then you can start to look for anomalies, such as hosts opening an unusual number of outgoing sessions, hosts using the most outgoing bandwidth, and other factors. Also, once you find one host that has become part of a botnet you can study its traffic, then see what other hosts exhibit the same traffic. This helps you be certain you have removed all the botnet participants from your network.
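To show what the IDS tip above means in practice, here is a small detector in the spirit of IRC-bot signatures. It is an added example, not code from the original post or from the Bleeding-Rules project: the session records are constructed, and the heuristic it uses (IRC registration verbs at the start of a line, on any port, with at least two of them before alerting) is my assumption about what such a signature keys on, not a copy of any actual rule.

```python
"""Find outbound sessions that speak IRC on any port, the pattern that
IRC-bot IDS signatures typically key on. Added example, not code from the
original post or the Bleeding-Rules project; the session records below are
constructed and the heuristic is an assumption, not an actual rule."""
import re
from collections import defaultdict

# Constructed sample: one record per outbound TCP session, holding the first
# bytes the internal host sent. In real use this comes from an IDS, a packet
# capture or a proxy log.
SESSIONS = [
    {"src": "10.0.0.12", "dst": "198.51.100.7", "dport": 80,
     "payload": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"},
    {"src": "10.0.0.23", "dst": "203.0.113.9", "dport": 6667,
     "payload": b"NICK [USA|XP|00412]\r\nUSER xp 0 0 :xp\r\nJOIN #bot pass123\r\n"},
    {"src": "10.0.0.41", "dst": "203.0.113.9", "dport": 8080,
     "payload": b"NICK [USA|XP|00977]\r\nUSER xp 0 0 :xp\r\nJOIN #bot pass123\r\n"},
    {"src": "10.0.0.55", "dst": "192.0.2.44", "dport": 443,
     "payload": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"},
]

# IRC client registration is NICK then USER, normally followed by JOIN. A bot
# that runs its IRC server on 80 or 8080 still has to send these verbs, so we
# match on the protocol rather than the port. Anchoring at line start keeps
# words like "JOIN" inside HTTP bodies from matching.
IRC_VERB = re.compile(rb"^(NICK|USER|JOIN|PASS|PRIVMSG) ", re.MULTILINE)
REGISTRATION = {"NICK", "USER", "JOIN"}


def irc_verbs(payload: bytes) -> set:
    """Return the IRC command verbs found at line starts in the payload."""
    return {m.group(1).decode("ascii") for m in IRC_VERB.finditer(payload)}


def is_irc_session(payload: bytes, min_verbs: int = 2) -> bool:
    """Require at least two registration verbs, so a single stray word in
    ordinary traffic does not raise an alert on its own."""
    return len(irc_verbs(payload) & REGISTRATION) >= min_verbs


def find_irc_sessions(sessions):
    """Return (src, dst, dport, verbs) for every session that looks like IRC."""
    hits = []
    for s in sessions:
        if is_irc_session(s["payload"]):
            hits.append((s["src"], s["dst"], s["dport"], sorted(irc_verbs(s["payload"]))))
    return hits


def shared_servers(hits):
    """Group hits by destination. Several internal hosts registering with the
    same server is the rendezvous pattern of a botnet and the natural pivot
    for finding every infected machine, not just the first one noticed."""
    by_dst = defaultdict(set)
    for src, dst, _dport, _verbs in hits:
        by_dst[dst].add(src)
    return {dst: srcs for dst, srcs in by_dst.items() if len(srcs) > 1}


if __name__ == "__main__":
    hits = find_irc_sessions(SESSIONS)
    for src, dst, dport, verbs in hits:
        print(f"{src} -> {dst}:{dport} looks like IRC ({', '.join(verbs)})")
    print("servers contacted by more than one host:", shared_servers(SESSIONS and hits))
```

Note that the host talking to port 8080 is caught just the same as the one on 6667; a port-based rule would have missed it, which is the point of matching the protocol.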
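The daily traffic review in the last tip can be turned into a repeatable script. The following is an added example, not code from the original post and not output from IPAudit, Argus or Flow-tools: the flow records are constructed, the thresholds are assumptions, and a real run would read exported flow records filtered to sessions leaving the network. It baselines sessions per host, flags outliers, ranks hosts by outbound bytes, and then uses one known bot's destinations to find other hosts with the same profile.

```python
"""Review outbound flow records: baseline sessions per host, flag outliers,
rank bandwidth, and find hosts whose destinations mirror a known bot.
Added example, not from the original post; the flow records are constructed
and the thresholds are assumptions. Real input would be exported by Argus,
flow-tools or IPAudit and filtered to sessions leaving the network."""
from collections import defaultdict
from statistics import median

# Constructed records: (src, dst, dport, bytes_out), one per outbound session.
# 10.0.0.23 is the host already identified as a bot: an IRC rendezvous on
# 6667 plus a burst of SMTP sessions to many mail servers (spam relaying).
FLOWS = [
    ("10.0.0.10", "198.51.100.7", 80, 40000),
    ("10.0.0.10", "198.51.100.8", 443, 350000),  # a large legitimate download
    ("10.0.0.10", "198.51.100.9", 80, 10000),
    ("10.0.0.11", "198.51.100.7", 80, 30000),
    ("10.0.0.11", "198.51.100.9", 80, 20000),
    ("10.0.0.11", "192.0.2.50", 53, 500),
    ("10.0.0.12", "198.51.100.8", 443, 60000),
    ("10.0.0.12", "192.0.2.50", 53, 300),
    ("10.0.0.23", "203.0.113.9", 6667, 2000),
    ("10.0.0.23", "203.0.113.9", 6667, 2000),    # reconnect to the same server
    ("10.0.0.23", "198.51.100.7", 80, 5000),
    ("10.0.0.41", "203.0.113.9", 6667, 1500),
    ("10.0.0.41", "192.0.2.20", 25, 12000),
    ("10.0.0.41", "192.0.2.21", 25, 12000),
    ("10.0.0.41", "198.51.100.8", 443, 9000),
] + [("10.0.0.23", f"192.0.2.{n}", 25, 15000) for n in range(20, 29)]


def sessions_per_host(flows):
    """Number of outbound sessions each internal host opened."""
    counts = defaultdict(int)
    for src, _dst, _dport, _nbytes in flows:
        counts[src] += 1
    return dict(counts)


def outlier_hosts(counts, k=3.0):
    """Hosts whose session count exceeds median + k * MAD. Median and median
    absolute deviation are used instead of mean and standard deviation because
    a single busy bot inflates the mean and can hide itself behind it."""
    values = list(counts.values())
    med = median(values)
    mad = max(median(abs(v - med) for v in values), 1)  # avoid a zero MAD
    return sorted(h for h, c in counts.items() if c > med + k * mad)


def top_talkers(flows, n=3):
    """Hosts ranked by outbound bytes, a different lens from session count."""
    total = defaultdict(int)
    for src, _dst, _dport, nbytes in flows:
        total[src] += nbytes
    return sorted(total.items(), key=lambda kv: kv[1], reverse=True)[:n]


def destination_profile(flows, host):
    """The set of (dst, dport) pairs a host talked to."""
    return {(dst, dport) for src, dst, dport, _nbytes in flows if src == host}


def lookalike_hosts(flows, infected, min_shared=2, min_fraction=0.5):
    """Other hosts that share destinations with the known bot. A host is
    reported when it shares at least min_shared (dst, port) pairs and those
    make up at least min_fraction of its own destinations, so merely sharing
    one popular web server with the bot is not enough to be flagged."""
    reference = destination_profile(flows, infected)
    matches = {}
    for host in {src for src, _dst, _dport, _nbytes in flows}:
        if host == infected:
            continue
        profile = destination_profile(flows, host)
        shared = len(profile & reference)
        if shared >= min_shared and shared / len(profile) >= min_fraction:
            matches[host] = shared / len(profile)
    return matches


if __name__ == "__main__":
    counts = sessions_per_host(FLOWS)
    print("sessions per host:", counts)
    print("outliers by session count:", outlier_hosts(counts))
    print("top talkers by bytes:", top_talkers(FLOWS))
    print("hosts that look like 10.0.0.23:", lookalike_hosts(FLOWS, "10.0.0.23"))
```

In this sample the second bot, 10.0.0.41, is not a session-count outlier and is not a top talker either; only the destination comparison against the first bot surfaces it, which is why the tip says to study one confirmed host and then look for others with the same traffic.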