January 2006

Botnets Could Be Invading Your Network

An increasing number of organizations fall victim to botnets without their knowledge. Understanding how botnets work and taking proactive steps to protect corporate networks and computers can go a long way toward thwarting these external attacks.

Raquel Filipek
Editor

As long as computers exist, online thieves will find more surreptitious ways to break into corporate networks. A recent example is the use of bots — software robots that invade computers, enabling an attacker to control the machine remotely. Many information security experts around the world consider bots to be the number one security concern due to their wide proliferation, sophistication, and ongoing use for illegal activities.

As part of their work, internal auditors review the effectiveness of existing internal controls and employee compliance with security policies and procedures. In addition, auditors provide recommendations to enhance the security of an organization's IT infrastructure. Although many companies install the latest patches and antivirus programs, protecting networks against bots requires the use of more proactive security measures. Therefore, auditors need to work with IT departments to understand the threats posed by bots, how they work, and ways to help organizations counteract them.

HOW BOTNETS WORK

A botnet — short for robot network — "is a loosely organized system of computers that responds to commands issued by an attacker from a central location, often an Internet-relay chat (IRC) channel," says Kirby Kuehl, network intrusion detection system developer for Cisco Systems Inc. "Common methods for spreading bots include Trojans or worms that take advantage of unpatched operating system vulnerabilities and Web browsers, as well as other malicious code delivered via mass e-mails and spam or by visiting hostile Web sites." Initially, bots were used to control IRC channels from other hackers, adds Peter Tippett, chief technology officer with Cybertrust, a global company specializing in information security services. "Now, botnets are the single largest source of e-mail spam, phishing attacks, worms, viruses, and similar schemes to raise money for a perpetrator, as well as the most common launching point for worms, many of which lead to more bot infections."

Bots infiltrate companies by probing for vulnerable points of entry in a network or in a stand-alone computer connected to the Internet. Once a bot infects a computer, the machine becomes a zombie and can be enrolled in a larger network of infected computers. The new zombie contacts a command-and-control server and waits for instructions from the person running the botnet, known as a bot herder. "The most common mode of entry stems from employees operating outside their company's network with a computer that is poorly protected against direct, hacking-style attacks," Tippett explains. "When the computer is connected to the corporate network, the bot component is then controlled and managed by its owner." Employees also may infect computer networks by double-clicking malicious e-mail attachments that contain primitive bots, or a worm that carries a bot to be activated later.

Tasks performed by the bot include scanning computer networks to find additional machines that are not fully patched and stealing usernames and passwords. "Most hackers use exploit libraries for vulnerabilities with existing patches that people haven't used to update their system or software weaknesses," says Allysa Myers, virus research engineer with McAfee. "As long as a machine is connected to a network and it is not properly patched, a bot can get into the computer without the network administrator's knowledge."

Because most botnet communications take place over IRC, many companies have started blocking the commonly used IRC ports at their corporate firewalls. In response, attackers run modified IRC servers, often on non-standard ports, to hide their identities, protect their zombie computers, and slip past firewall access control rules. "Hackers are getting much more clever about keeping things under people's radars," Myers notes. For example, botnet controllers are starting to use Web-based control channels, which ride on the same ports as ordinary browsing. "Web traffic is more difficult to filter, since traffic connections used by bots get mixed in with the other connections from people going about their daily work."

How Shellcode Exploit Attacks Work

Botnet herders who attack computers with shellcode increasingly use polymorphic encoders, which re-encode the exploit payload with a different key each time so that no two copies share the same byte pattern. Shellcode is a small piece of machine code injected through a software vulnerability; it takes its name from its traditional job of spawning a command shell that gives the attacker control of the compromised system.

Signature-based intrusion detection systems and vulnerability scanners look for fixed byte patterns, on the assumption that an exploit looks the same every time. If the exploit code is re-encoded for each attack, the signature no longer matches and the attack can pass host- and network-based detection and infect the computer. Once a system is compromised, an attacker may install a rootkit: software that conceals the attacker's files, processes, and network connections and typically bundles tools such as password sniffers and keyloggers. Kernel-mode rootkits modify the operating system's kernel itself, so the attacker's code is hidden from the user and from the security tools running on the machine.

Because the kernel mediates all access to a computer's hardware, memory, and processes, a rootkit that compromises it undermines the security of every other program running on the machine.
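As an added illustration of the sidebar (this is not code from the article), the following Python models what a polymorphic encoder does to a fixed payload and why a signature that matches the plain payload stops firing. The payload and the decoder stub are constructed placeholder bytes, not real machine code, and nothing is ever executed; only the byte-pattern behaviour is shown.

```python
"""Polymorphic encoding versus signature matching (added illustration).

A fixed exploit payload is XOR-encoded with a different key for each
copy, so the bytes on the wire differ every time while the decoded
payload stays identical.  PAYLOAD and STUB_MARKER are constructed
placeholders, NOT real shellcode; nothing here runs as code.
"""
import os

# Constructed stand-in for an exploit payload (not real shellcode).
PAYLOAD = b"CONSTRUCTED-PAYLOAD:open-shell;connect-back"

# Constructed stand-in for the decoder routine that precedes the encoded
# body.  In a real encoder this is machine code that walks the body and
# XORs each byte with the key; here it is just a marker followed by the key.
STUB_MARKER = b"DECODER:"


def encode(payload: bytes, key: int) -> bytes:
    """Return decoder stub + one-byte key + XOR-encoded payload."""
    if not 1 <= key <= 255:
        raise ValueError("key must be a non-zero byte value")
    body = bytes(b ^ key for b in payload)
    return STUB_MARKER + bytes([key]) + body


def decode(blob: bytes) -> bytes:
    """What the stub does at run time: read the key, XOR the body back."""
    if not blob.startswith(STUB_MARKER) or len(blob) <= len(STUB_MARKER):
        raise ValueError("not an encoded blob")
    key = blob[len(STUB_MARKER)]
    return bytes(b ^ key for b in blob[len(STUB_MARKER) + 1:])


def random_key() -> int:
    """Pick a fresh non-zero key; key 0 would leave the payload unchanged."""
    while True:
        key = os.urandom(1)[0]
        if key:
            return key


# Two naive content rules: one for the plain payload, one for the decoder.
SIGNATURES = {
    "plain-payload": PAYLOAD[:16],
    "xor-decoder-stub": STUB_MARKER,
}


def signature_match(data: bytes, signatures=SIGNATURES) -> list:
    """Fixed-pattern IDS rule: report every signature found in the data."""
    return [name for name, pattern in signatures.items() if pattern in data]


def demo(key_a: int = 0x41, key_b: int = 0xC3) -> dict:
    """Encode the same payload twice and show what the signatures see."""
    copy_a = encode(PAYLOAD, key_a)
    copy_b = encode(PAYLOAD, key_b)
    payload_rule_only = {"plain-payload": SIGNATURES["plain-payload"]}
    return {
        "copies_differ": copy_a != copy_b,
        "both_decode_to_payload": decode(copy_a) == decode(copy_b) == PAYLOAD,
        "plain_hits": signature_match(PAYLOAD),
        "encoded_hits_payload_rule_only": signature_match(copy_a, payload_rule_only),
        "encoded_hits_all_rules": signature_match(copy_a),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The payload rule alone never sees the encoded copies, which is the evasion the sidebar describes. The second rule shows the usual counter: the decoder stub is constant here, so a signature on it catches every copy, which is why serious polymorphic engines also vary the decoder and why detection ultimately has to look at behaviour rather than bytes.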

Other bots use encryption, Really Simple Syndication (RSS) hijacking, and polymorphic shellcode exploits (see the "How Shellcode Exploit Attacks Work" sidebar) to burrow deep inside a computer. For instance, some companies update their Web news content as soon as new information arrives through an RSS-feed client. Bot herders abuse RSS by reconfiguring feed clients to download new copies of worms and other threats from malicious Web sites; the feed client then spreads the malware by fetching the worm or virus onto any vulnerable computer subscribed to the feed.

Finally, botnet controllers can be linked together to form even larger networks, replace controllers that are taken offline, and command tens of thousands of compromised machines. For example, three suspected cybercriminals were recently arrested in The Netherlands on suspicion of compromising more than 1.5 million computers worldwide, the largest botnet reported to date.

SECURITY THREATS

Organizations should take botnet threats seriously. "Unlike viruses, botnets require control by an individual. That means someone is sitting down and purposefully entering your network to control the botnet," says Michael A. Davis, chief executive officer of Savid Technologies Inc., a software engineering and consulting firm. "Bots are not random worms created for pure destruction; they are a criminally driven and sophisticated attack against a network." Tippett agrees: "Bots allow criminals and other malicious people to gain access to computers on the inside of the organization and have been used to steal proprietary data, cause Internet connectivity disruptions, and even blackmail individuals."

To keep bots out of a corporate network, IT departments and internal auditors need to familiarize themselves with the most common uses of botnets, which will also help organizations protect their IT systems more effectively. Common bot uses include:

  1. Distributed denial of service attacks. These attacks cut off network connectivity by consuming bandwidth or server resources, and they can target any service reachable from the Internet. For example, a botnet may run a recursive hypertext transfer protocol (HTTP) flood against a victim's Web site: each bot fetches a starting page and then repeatedly requests every link it finds, a technique also known as spidering.
  2. Spamming. With the help of botnets, online thieves can send massive amounts of spam and phishing e-mail from unsuspecting people's computers, and can harvest e-mail addresses from those machines to feed further campaigns. "Botnets that use spam as their main distribution and infection mechanism can cause organizations administrative nightmares, especially if the organization has a locally hosted e-mail server," Davis explains. "Therefore, when the network administrator detects a computer is sending spam, he or she will shut down the mail server until the problem is fixed."
  3. Sniffing traffic. Zombies can run a packet sniffer to capture clear-text data passing through the compromised machine, such as usernames and passwords. A sniffer can also pick up the command traffic of rival botnets, particularly if the zombie has been enrolled in more than one botnet.
  4. Keylogging. A keylogger is surveillance software that records every keystroke to a log file. Keyloggers capture instant messaging content, e-mail, and anything else typed at the keyboard, and because they capture the text before it is encrypted, they defeat encrypted communication channels on a compromised machine. The logged information is forwarded to a designated receiver, such as the bot herder.
  5. Spreading new malware. Botnets serve as a distribution platform: the herder can instruct every zombie to download and spread a new worm, virus, or updated bot, which in turn recruits more zombies.
  6. Installing advertisement add-ons and browser helper objects. Thieves may build Web sites carrying advertisements, sign up with advertising programs that pay per click, and then use the botnet to click on the ads each time a zombie visits the site, collecting the per-click payments.
  7. Attacking IRC networks. Botnets also can be used to attack IRC networks. In a clone attack, the controller orders each bot to open a large number of connections, or clones, to the victim's IRC server. The server is flooded with thousands of connection and service requests, bringing down the IRC network.
  8. Mass identity theft. Many of these illegal activities feed large-scale identity theft. For instance, bogus e-mails pretending to come from legitimate companies are used to obtain private consumer information; the e-mails are generated and distributed by the botnet's spamming mechanism, and the botnet can also host the fake Web sites that collect the personal information.

The risks posed by botnets don't end here. Because botnets may be sold or traded to other thieves, once a computer is compromised, any private information obtained may be used by additional people, thus increasing the severity of the problem. In addition, as technology evolves, thieves will find new ways to compromise computers and take advantage of unsuspecting victims and vulnerable networks. "Many hackers often upgrade their software to target different systems," Kuehl explains. "This way, the zombie computer can search for vulnerabilities found in newer systems and software programs, as well as mutate to avoid older detection methods."

FIGHTING BOTNETS

The important issue IT departments and auditors need to keep in mind is that letting users install whatever they like on a computer poses a serious security risk to an organization. According to Davis, the best way to prevent bot attacks is to implement tight security procedures based on best practices. "If the user can't install unauthorized software from the Internet, for example, the viruses and malware used as deployment mechanisms can be foiled," he says. To protect computer networks from bot intrusions, auditors can recommend that organizations implement a defense strategy that includes the following measures:

  1. Implement a patch-management process that applies operating system and application patches promptly, and keep antivirus and anti-spyware definitions current by installing them as soon as they become available.
  2. Use firewalls and intrusion detection systems at the network level and on all computers and laptops, especially those connecting remotely to the corporate network.
  3. Isolate and update computers that have been out of the office for any period of time.
  4. Restrict employee access to the corporate network when away from the office, especially to internal network resources.
  5. Configure desktops appropriately, especially those used by telecommuters working from home or another remote location. Tippett recommends encouraging employees to use home routers, whose network address translation keeps the Internet from reaching the PC directly.
  6. Implement a security process that allows system administrators to isolate network segments. This will enable companies to help contain infections.
  7. Apply a layered defense strategy at network choke points, such as Internet gateways, and on the endpoints themselves, including servers, desktops, and personal digital assistants.
  8. Enforce employee use of strong usernames and passwords. According to Myers, hackers compile lists of weak usernames and passwords, knowing many employees use simple passwords that are easy to guess. This is how many bots are able to infiltrate computers, even when they are password-protected.
  9. Use an authentication methodology, such as public key certificates, for all employees.
  10. Monitor Internet traffic and, at the firewall, allow only the services the business needs:
    • Reviewing inbound and outbound service requests and only allowing services with a business need. "It is important for organizations to monitor all Internet traffic," Myers explains. "If a network administrator notices a computer on the network is generating an unusually high amount of traffic, the machine may be infected."
    • Blocking inbound and outbound traffic on ports 135 through 139 and 445 (Microsoft RPC, NetBIOS, and Server Message Block file sharing, through which bots commonly spread) and on ports 6666 and 6667 (the default IRC ports, through which bots commonly receive commands). "Companies should treat firewalls like solid wood punching holes," Myers says. "Therefore, rather than leaving the firewall open and closing bad ports, organizations need to block all ports and only open the ones they need."
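The monitoring described above can be turned into a routine check. The following Python, added here as an illustration and not taken from the article, reviews a constructed firewall flow log for the indicators the article names: internal hosts talking to the default IRC ports, workstations sending their own e-mail to many external mail servers (spam), hosts probing the Windows file-sharing ports across their subnet (scanning for unpatched machines), and hosts moving an unusually high volume of data. The log format, addresses, host roles, and thresholds are assumptions for the example.

```python
"""Review of firewall flow logs for bot indicators (added illustration).

The "timestamp key=value ..." log format, the 10.0.0.0/8 corporate range,
the mail-server list and the thresholds are constructed assumptions; the
sample log below is made up for the example.
"""
from collections import defaultdict
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed corporate range
MAIL_SERVERS = {"10.0.1.25"}                     # hosts allowed to send SMTP
IRC_PORTS = {6666, 6667}                         # default IRC ports
SMB_PORTS = {135, 137, 138, 139, 445}            # RPC, NetBIOS and SMB
SMTP_PORT = 25
SPAM_MIN_DESTINATIONS = 10      # distinct external mail hosts per source
SCAN_MIN_TARGETS = 20           # distinct internal SMB targets per source
VOLUME_MAX_BYTES = 50_000_000   # outbound bytes per source in the window

# Constructed log: 10.0.5.23 talks to an IRC server, 10.0.7.41 mails many
# external hosts, 10.0.9.9 probes SMB on its subnet, 10.0.3.77 moves an
# unusual volume, and 10.0.2.2 and the mail server 10.0.1.25 behave normally.
LOG_LINES = [
    "2006-01-12T09:15:02 src=10.0.5.23 dst=203.0.113.7 dport=6667 bytes=1200",
    "2006-01-12T09:15:09 src=10.0.5.23 dst=203.0.113.7 dport=6667 bytes=300",
    "2006-01-12T09:16:00 src=10.0.2.2 dst=198.51.100.10 dport=80 bytes=48000",
    "2006-01-12T09:16:05 src=10.0.1.25 dst=198.51.100.25 dport=25 bytes=7000",
    "2006-01-12T09:16:06 src=10.0.1.25 dst=198.51.100.26 dport=25 bytes=9000",
    "2006-01-12T09:20:00 src=10.0.3.77 dst=203.0.113.99 dport=80 bytes=60000000",
]
LOG_LINES += [
    f"2006-01-12T09:17:{i:02d} src=10.0.7.41 dst=192.0.2.{i} dport=25 bytes=3000"
    for i in range(1, 13)          # 12 distinct external mail hosts
]
LOG_LINES += [
    f"2006-01-12T09:18:{i - 10:02d} src=10.0.9.9 dst=10.0.9.{i} dport=445 bytes=400"
    for i in range(10, 35)         # 25 distinct internal SMB targets
]


def parse(line: str) -> dict:
    """Split one log line into a record; port and byte count become ints."""
    timestamp, *fields = line.split()
    record = dict(field.split("=", 1) for field in fields)
    record["timestamp"] = timestamp
    record["dport"] = int(record["dport"])
    record["bytes"] = int(record["bytes"])
    return record


def is_internal(address: str) -> bool:
    return ipaddress.ip_address(address) in INTERNAL


def review(lines) -> dict:
    """Return {source host: {indicator: count}} for hosts that trip a check."""
    irc_peers = defaultdict(set)
    smtp_peers = defaultdict(set)
    smb_targets = defaultdict(set)
    bytes_out = defaultdict(int)

    for line in lines:
        r = parse(line)
        src, dst = r["src"], r["dst"]
        if not is_internal(src):
            continue                       # inbound traffic is reviewed elsewhere
        if is_internal(dst):
            if r["dport"] in SMB_PORTS:
                smb_targets[src].add(dst)  # lateral probing for unpatched hosts
            continue
        bytes_out[src] += r["bytes"]
        if r["dport"] in IRC_PORTS:
            irc_peers[src].add(dst)        # command channel on default IRC ports
        elif r["dport"] == SMTP_PORT and src not in MAIL_SERVERS:
            smtp_peers[src].add(dst)       # a workstation sending its own mail

    findings = defaultdict(dict)
    for src, peers in irc_peers.items():
        findings[src]["irc_hosts"] = len(peers)
    for src, peers in smtp_peers.items():
        if len(peers) >= SPAM_MIN_DESTINATIONS:
            findings[src]["smtp_destinations"] = len(peers)
    for src, targets in smb_targets.items():
        if len(targets) >= SCAN_MIN_TARGETS:
            findings[src]["smb_targets"] = len(targets)
    for src, total in bytes_out.items():
        if total > VOLUME_MAX_BYTES:
            findings[src]["bytes_out"] = total
    return dict(findings)


if __name__ == "__main__":
    for host, indicators in sorted(review(LOG_LINES).items()):
        print(host, indicators)
```

The IRC-port check is exactly the one a herder defeats by moving the control channel to port 80, as Myers notes above; the fan-out and volume checks do not depend on the port, so they keep working when the channel moves. In practice the records come from the firewall's log export and the review is run per time window, with the thresholds set from the network's normal baseline.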

Auditors also need to ensure organizations have an established security protocol to deal with infected computers. Procedures for dealing with compromised computers should include the following simple steps:

  • Disconnect infected computers from the network.
  • Apply the appropriate patches to the infected computer.
  • Clean the computer with current antivirus signatures. If a rootkit is suspected, rebuild the system from a known-good image instead, because a compromised kernel cannot be trusted to report what is on the disk.
  • Change network-share passwords on all infected computers.
  • Change passwords for all employees who have used the infected computer.
  • Monitor the computer once it is reconnected to the network to verify it was cleaned successfully and does not become re-infected.

Finally, Davis recommends a companywide computer-use policy that enforces disciplinary actions, such as suspension or termination, for installing malware and spyware. "When employees know they will be punished for installing an unknown software product, they are less likely to attempt this behavior," he says.

THE FUTURE OF BOTNETS

Davis and other security experts believe there's no indication botnet attacks will subside in the future. For example, research conducted by global security firm Symantec Corp. shows that an average of 10,352 bots became active each day during the first half of 2005, a 140 percent increase over the previous semi-annual count. "Gone are the days of worms being spread for pure destructive purposes," notes Davis. "As more and more criminal minds see the revenue potential of botnets, their use will rise." Following the recommendations above can help organizations avoid falling prey to bots, safeguard critical assets, and decrease the growing number of bots circulating each year.

ADDITIONAL RESOURCES

For more information on botnets, the Honeynet Project and Research Alliance — a nonprofit organization dedicated to conducting research to improve the security of the Internet — has published a report on the different kinds of bots in circulation. To read the report, visit http://www.honeynet.org/papers/bots/. In addition, the Honeynet Project has created a free software application to help organizations monitor botnet intrusions, which is available at http://mwcollect.org/.

