Six ways to fight back against botnets

1. Hire a Web-filtering service.

Web-filtering services are one of the best ways to fight bots. These services scan for Web sites exhibiting unusual behavior or known malicious activity and block those sites from users.

Websense, Cyveillance and FaceTime Communications are examples. All monitor the Internet in real time to find Web sites engaged in suspicious activity, such as downloading JavaScript and performing screen scrapes and other tricks outside the boundaries of normal Web browsing. Cyveillance and Support Intelligence also offer services that notify Web-site operators and ISPs that malware has been discovered, so hacked servers can be fixed, they say.

2. Switch browsers

Another tactic to prevent bot infections is to standardize on a browser other than Internet Explorer or Mozilla Firefox, the two most popular and hence the browsers for which most malware is written. The same tactic works for operating systems. Macs statistically are safe from botnets, as is desktop Linux, because most bot herders target Windows.

3. Disable scripts

A more extreme measure is to disable browsers from scripts altogether, though this could put a damper on productivity if employees use custom, Web-based applications in their work.

4. Deploy intrusion-detection and intrusion-prevention systems

Another approach is to fine-tune your IDS (intrusion detection system) and IPS (intrusion detection and prevention system) to look for botlike activity. For example, any machine suddenly blasting away on Internet Relay Chat is certainly suspicious. Ditto those connecting to offshore IP addresses or illegitimate DNS addresses. Harder to notice, but another telltale sign, is a sudden uptake in SSL traffic on a machine, particularly in unusual ports. That could indicate a botnet-control channel has been activated. Look for machines routing e-mail to servers other than your own e-mail server. Botnet hunter Gadi Evron further suggests that you learn to watch for Web crawlers that operate at high "fetch levels." Fetch levels activate all links located on a Web page, and a high level could indicate a machine is being sent to a malicious Web site.

An IPS monitors for behavior anomalies that indicate hard-to-spot HTTP-based attacks and those from remote-call-procedure, Telnet- and address-resolution-protocol spoofing, among others. Worth noting, however, is that many IPS sensors use signature-based detection, meaning that attacks are added to a database as they are discovered. The IPS must be updated regularly to recognize them, so after-the-fact detection will require ongoing effort.

5. Protect user-generated content

Your own Web operations must also be protected from becoming unwitting accomplices to malware writers. Unless you are trying to become the next hip, Web 2.0 social network, your company's public blogs and forums should be restricted to text-only entries, advises Michael Krieg, vice president of Web Crossing, maker of social-networking software and hosting services.

"I'm not aware of any one of our thousands of users that allows a JavaScript within text of a message; same thing with embedded code and other HTML tags. We don't let people do it. Our apps by default strip them out," Krieg says.

Dan Hubbard, vice president of security research at Websense, adds, "That is one of the big problems of user-created content sites, the Web 2.0 phenomenon. How do you balance the great functionality of allowing people to upload stuff but not allow them to upload anything bad?"

The answer is to be specific. If your site needs to let members swap files, it should be set to allow only limited and relatively safe file-types, those with .jpeg or .mp3 extensions, for instance. (Malware writers have begun to target the MP3 players themselves with worms, however.)

6. Use a remediation tool

If you do find an infected machine, the jury is out about how best to do remediation. Companies like Symantec assert they can detect and clean even the deepest rootkit infection. In Symantec's case, it points to technology it acquired with Veritas, VxMS (Veritas Mapping Service), which lets the antivirus scanner bypass Windows File System APIs, which are controlled by the operating system and therefore vulnerable to manipulation by a rootkit. VxMS directly accesses raw Windows NT File System files. Other antivirus vendors trying to protect against rootkits include McAfee and FSecure. Their success has varied, given how inventive malware writers can be.

Yet Evron argues that detecting malware after the fact could really be a false scent -- bait intended to make IT professionals believe they've scrubbed the PC while the real bot code remains hidden. "Antivirus is not a solution, because it is naturally reactive. The antivirus would have to recognize [the problem], and therefore the antivirus could have been manipulated," he says.

This is not to say you shouldn't try to implement the best rootkit fighter you can find in your antivirus software, just that you should be aware that doing so is a bit like buying a safe after your valuables have been stolen. Evron believes the only way to be sure that a machine is clean after bot malware is detected is to wipe it and start from scratch.

By not letting your users visit known malicious sites, monitoring your network for strange behaviors and defending your public sites from attacks, you'll be in good shape, security experts unanimously agree.

"I can see where this odd sense of futility and hopelessness can come in if some network guy wakes up and thinks, 'What am I going to do about those millions of botnets?' Let the folks concentrating on fighting botnets on a day-to-day basis worry about that one," says Chris Boyd, FaceTime's director of malware research. "Just concentrate on locking down your network and protecting it against infections -- viruses, Trojans, spyware or adware. . . . Treat it as a rogue file found on a PC. That's all you need to do."

Subscribe to the Security Watch Newsletter

Comments