Zombies (Bots and Botnets)
Bot :
A 'bot' is a piece of malicious code that gives an attacker remote control over the infected computer, turning it into a "robot" that the criminal can direct from afar. Once infected, such machines are also referred to as 'zombies'.
While taking over a single computer is useful, the real value comes from collecting huge numbers of infected computers and networking them so they can all be controlled at once (a botnet). Estimates have put the number of bot-infected computers under attacker control at between 100 and 150 million worldwide, out of some 600 million PCs on the Internet.
Botnet :
A botnet is a group of compromised computers connected in a coordinated fashion for malicious purposes. Each computer in a botnet is called a bot. Together these bots form a network that is controlled by a third party and used to distribute malware or spam, or to launch attacks.
A botnet may also be known as a zombie army.
Originally, bots were legitimate tools with valid purposes in Internet Relay Chat (IRC) channels, automating tasks such as channel administration. Attackers later adapted the same model: compromised machines were made to join an IRC channel and take commands from it, and those bots were developed to perform malicious activities such as password theft, keystroke logging, etc.
An attacker will often target computers not safeguarded with a firewall or anti-virus software. A botnet operator can gain control of a computer in a variety of ways, but most frequently does so via viruses or worms. Botnets are significant because they have become tools that both hackers and organized crime use to perform illegal activities online. For example, hackers use botnets to launch coordinated denial-of-service attacks, while organized crime uses botnets to send spam or phishing messages that are then used for identity theft.
Even more concerning is the industry that has sprung up around botnets, in which bot herders build botnets specifically to "rent" to the highest bidder. Whether they send spam, adware, spyware, viruses/worms, etc., botnets can be used to perpetrate just about any type of digital attack.
Example: Zeus Botnets
Zeus is a Trojan horse for Windows that was created to steal banking information using botnets. First discovered in 2007, Zeus spread through email, downloads, and online messaging to users across the globe. Zeus botnets used millions of zombie computers to perform keystroke logging and form grabbing attacks that targeted banking data, account logins, and private user data. The information gathered by Zeus botnets has been used in thousands of cases of online identity theft, credit card theft, and more.
Botnet Detection and Prevention
Botnet detection can be difficult, as bots are designed to operate without the user's knowledge. However, there are some common signs that a computer may be infected with a bot. While these symptoms are often indicative of bot infections, some can also be symptoms of other malware infections or of ordinary network issues, and should not be taken as a sure sign that a computer is infected with a bot.
- Problems with Internet access.
- IRC traffic (classic botnets and their bot masters used IRC for command and control).
- Connection attempts to known command-and-control (C&C) servers.
- High outgoing SMTP traffic (as a result of sending spam).
- Multiple machines on a network making identical DNS requests, especially for a name that few legitimate hosts should need to resolve.
- Slow computing/high CPU usage.
- Unexpected pop-ups (as a result of click-fraud activity).
- Outbound messages (email, social media, instant messages, etc.) that weren't sent by the user.
- Spikes in traffic, especially on port 6667 (IRC), port 25 (SMTP, used for spamming), and port 1080 (SOCKS proxies). Note that many botnets, Zeus among them, use HTTP or HTTPS on ports 80 and 443 for C&C, so the absence of traffic on these three ports proves nothing.
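The indicators in the list above can be checked mechanically against connection and DNS logs. The script below is an added example, not code from the original article: it reads constructed firewall-style connection records and resolver records, and flags a host when it contacts an address on a (constructed) known-C&C list, when its connection count to port 6667, 25 or 1080 crosses a per-port threshold, or when it resolves a name that several other hosts also resolve. All hostnames, IP addresses, domains, thresholds and the C&C list are assumptions made for illustration; in practice the C&C list comes from a threat-intelligence feed.

```python
"""Indicator-based bot triage over constructed connection and DNS logs.

Added example; it is not code from the original article. Every hostname,
IP address, domain and the "known C&C" list is constructed for illustration;
in practice the C&C list comes from a threat-intelligence feed and the logs
from a firewall, NetFlow collector or DNS resolver.
"""
from collections import Counter, defaultdict

# Ports called out in the article, with a per-port count threshold for one host
# over the log window. Any IRC connection is notable on a network that does not
# use IRC; outbound SMTP and SOCKS are only suspicious in volume.
SUSPICIOUS_PORTS = {6667: 1, 25: 20, 1080: 10}

# Constructed threat-intel list of known C&C addresses (RFC 5737 test ranges).
KNOWN_CNC = {"203.0.113.99"}

# Popular names every host is expected to resolve; excluded from the
# "identical DNS request" check so it only fires on names few hosts should share.
DNS_ALLOWLIST = {"www.example.com"}

# Constructed firewall-style log: "<timestamp> <src> <dst> <dport> <proto>".
CONN_LOG = [
    f"2024-03-01T10:00:0{i} 10.0.0.5 203.0.113.7 6667 tcp" for i in range(5)
] + [
    f"2024-03-01T10:01:{i:02d} 10.0.0.8 198.51.100.{20 + i % 3} 25 tcp"
    for i in range(30)
] + [
    "2024-03-01T10:05:00 10.0.0.9 192.0.2.44 443 tcp",
    "2024-03-01T10:05:01 10.0.0.9 192.0.2.44 443 tcp",
    "2024-03-01T10:06:00 10.0.0.12 203.0.113.99 1080 tcp",
]

# Constructed resolver log: "<timestamp> <src> <qname>".
DNS_LOG = [
    "2024-03-01T09:59:50 10.0.0.5 update.example.net",
    "2024-03-01T09:59:51 10.0.0.8 update.example.net",
    "2024-03-01T09:59:52 10.0.0.12 update.example.net",
    "2024-03-01T09:59:53 10.0.0.5 www.example.com",
    "2024-03-01T09:59:54 10.0.0.9 www.example.com",
]


def parse_conn(line):
    ts, src, dst, dport, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto}


def cnc_contacts(conns, known_cnc):
    """Hosts that opened a connection to an address on the C&C list."""
    hits = defaultdict(set)
    for c in conns:
        if c["dst"] in known_cnc:
            hits[c["src"]].add(c["dst"])
    return hits


def port_spikes(conns, thresholds):
    """Per host, suspicious ports whose connection count reached the threshold."""
    counts = Counter((c["src"], c["dport"]) for c in conns if c["dport"] in thresholds)
    spikes = defaultdict(dict)
    for (src, port), n in counts.items():
        if n >= thresholds[port]:
            spikes[src][port] = n
    return spikes


def shared_dns_names(dns_lines, min_hosts, allowlist):
    """Names (outside the allowlist) resolved by at least min_hosts distinct hosts."""
    hosts_by_name = defaultdict(set)
    for line in dns_lines:
        _ts, src, qname = line.split()
        if qname not in allowlist:
            hosts_by_name[qname].add(src)
    return {q: h for q, h in hosts_by_name.items() if len(h) >= min_hosts}


def assess(conn_lines, dns_lines, known_cnc=KNOWN_CNC, thresholds=SUSPICIOUS_PORTS,
           min_dns_hosts=3, allowlist=DNS_ALLOWLIST):
    """Map each host to the sorted list of indicators it triggered."""
    conns = [parse_conn(line) for line in conn_lines]
    findings = defaultdict(list)
    for src, dsts in cnc_contacts(conns, known_cnc).items():
        findings[src].append(f"contacted known C&C {', '.join(sorted(dsts))}")
    for src, ports in port_spikes(conns, thresholds).items():
        for port, n in sorted(ports.items()):
            findings[src].append(f"{n} connections to port {port}")
    for qname, hosts in shared_dns_names(dns_lines, min_dns_hosts, allowlist).items():
        for src in hosts:
            findings[src].append(f"resolved {qname}, shared by {len(hosts)} hosts")
    return {src: sorted(inds) for src, inds in findings.items()}


if __name__ == "__main__":
    for host, indicators in sorted(assess(CONN_LOG, DNS_LOG).items()):
        print(host, "->", "; ".join(indicators))
```

On the constructed data, 10.0.0.5 is flagged for its IRC connections, 10.0.0.8 for the burst of outbound SMTP, and 10.0.0.12 for touching the listed C&C address; all three also share the resolution of update.example.net, while 10.0.0.9, which only talked to a web server and resolved an allowlisted name, is not flagged. The single port-1080 connection from 10.0.0.12 stays below its threshold on purpose: one proxy connection is not an indicator, a listed C&C address is.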
There are several measures that users can take to prevent bot infection. Since bot infections usually spread via malware, many of these measures actually focus on preventing malware infections. Recommended practices for botnet prevention include:
- Network baselining: Network performance and activity should be monitored continuously so that a deviation from each host's normal behaviour stands out.
- Vigilance: Users should be trained to refrain from activity that puts them at risk of bot infections or other malware. This includes opening emails or messages, downloading attachments, or clicking links from untrusted or unfamiliar sources.
- Anti-botnet tools: Anti-botnet tools provide botnet detection to augment preventative efforts by finding and blocking bot malware before it can install. Most programs also offer features such as scanning for bot infections and botnet removal. Firewalls and antivirus software typically include basic tools for botnet detection, prevention, and removal. Tools like Network Intrusion Detection Systems (NIDS), rootkit detection packages, network sniffers, and specialized anti-bot programs can be used to provide more sophisticated botnet detection, prevention, and removal.
- Software patches: All software should be kept up to date with security patches, since bots commonly spread by exploiting known, unpatched vulnerabilities.
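Network baselining, the first item in the list above, means comparing each host with its own history rather than with a fixed threshold. The following is an added example, not code from the original article, of the simplest useful form of it: per-host daily counters (outbound connections and distinct external destinations) are kept for two weeks, and a host is flagged when today's value exceeds its own mean by more than three standard deviations. The history and today's counters are constructed; the host addresses, the two metrics, the 14-day window and the 3-sigma rule with a standard-deviation floor are assumptions chosen for illustration.

```python
"""Per-host network baselining for bot detection.

Added example, not code from the original article. The per-host daily
counters below are constructed; in practice they would be aggregated from
NetFlow or firewall logs: outbound connections per day and the number of
distinct external destinations per day.
"""
from statistics import mean, pstdev

# 14 days of history per host (constructed). A bot that starts spamming or
# joining a C&C channel raises both counters well above its own history.
HISTORY = {
    "10.0.0.5": {
        "conns": [210, 198, 225, 240, 205, 190, 215, 230, 220, 200, 210, 195, 235, 225],
        "dst_ips": [40, 38, 42, 45, 39, 37, 41, 44, 43, 40, 42, 38, 44, 41],
    },
    "10.0.0.8": {
        "conns": [120, 130, 115, 125, 118, 122, 128, 131, 119, 124, 127, 121, 126, 123],
        "dst_ips": [22, 25, 21, 24, 23, 22, 26, 25, 21, 24, 23, 22, 25, 24],
    },
    "10.0.0.9": {
        "conns": [500, 520, 480, 510, 495, 505, 515, 490, 500, 525, 485, 510, 500, 495],
        "dst_ips": [90, 95, 88, 92, 91, 89, 94, 93, 90, 96, 87, 92, 91, 90],
    },
}

# Today's counters (constructed). 10.0.0.8 has started sending mail to hundreds
# of distinct servers; 10.0.0.9 is merely a busy host having a busy day.
TODAY = {
    "10.0.0.5": {"conns": 218, "dst_ips": 41},
    "10.0.0.8": {"conns": 2400, "dst_ips": 610},
    "10.0.0.9": {"conns": 560, "dst_ips": 98},
}


def baseline(samples):
    """Mean and population standard deviation of a host's own history."""
    return mean(samples), pstdev(samples)


def is_anomalous(value, samples, k=3.0, min_stdev_ratio=0.05):
    """True if value exceeds mean + k * stdev.

    The standard deviation is floored at a fraction of the mean so that a host
    with an almost constant history does not alert on a trivial increase.
    """
    mu, sigma = baseline(samples)
    sigma = max(sigma, min_stdev_ratio * mu)
    return value > mu + k * sigma


def deviations(history, today, k=3.0):
    """Map host -> list of metrics whose value today is outside its baseline.

    A host with no history cannot be baselined and is reported as such rather
    than silently passed; new hosts deserve a look, not a free pass.
    """
    out = {}
    for host, metrics in today.items():
        if host not in history:
            out[host] = ["no baseline (new host)"]
            continue
        flagged = [m for m, v in metrics.items() if is_anomalous(v, history[host][m], k)]
        if flagged:
            out[host] = flagged
    return out


if __name__ == "__main__":
    for host, metrics in deviations(HISTORY, TODAY).items():
        print(host, "deviates on", ", ".join(metrics))
```

The floor on the standard deviation is the detail practitioners tend to get wrong: without it a host whose counters barely vary gets a threshold a few connections above its mean and alerts constantly. The choice of counters is also what makes this a botnet check rather than a generic capacity alarm; a spam bot's distinct-destination count explodes even when its total byte volume does not.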