Is the Botnet Battle Already Lost?

An anonymous reader writes "Researchers are finding it practically futile to keep up with evolving botnet attacks. 'We've known about [the threat from] botnets for a few years, but we're only now figuring out how they really work, and I'm afraid we might be two to three years behind in terms of response mechanisms,' said Marcus Sachs, a deputy director in the Computer Science Laboratory of SRI International, in Arlington, Va. There is a general feeling of hopelessness as botnet hunters discover that, after years of mitigating command and controls, the effort has largely gone to waste. 'We've managed to hold back the tide, but, for the most part, it's been useless,' said Gadi Evron, a security evangelist at Beyond Security, in Netanya, Israel, and a leader in the botnet-hunting community. 'When we disable a command-and-control server, the botnet is immediately re-created on another host. We're not hurting them anymore.' There is an interesting image gallery of a botnet in action as discovered by security researcher Sunbelt Software."
  • by vandoravp ( 709954 ) on Tuesday October 17, 2006 @12:07AM (#16463559) Homepage
    Firewalls are useful for monitoring traffic. The best way to detect a zombie computer is to look at the traffic coming in and out, checking for anomalies (such as excessive traffic to places nobody would be going to). Security Now [grc.com] is a great podcast that deals with security issues and locking down your systems. Episodes 3, 8, and 4 are particularly relevant. It can get technical at times but all-in-all it's a great explanation of how things work and what can be done to secure them.
  • by guisar ( 69737 ) on Tuesday October 17, 2006 @12:30AM (#16463727) Homepage
    Useful in theory, but how much time does it actually take to monitor this? There is generally so much ARP and other traffic going on that I've found it's extremely difficult in practice to actually discover such a trend. iptraf and some other tools ease the burden by allowing device and port specific analysis, but still you really have to pay attention on a real-time basis or do a lot of data-mining. Who's going to spend this time on a home network, much less a general business environment where system administrators are already overstretched and security administrators are still the CFO's favorite line item veto?
  • by Anonymous Coward on Tuesday October 17, 2006 @01:08AM (#16463947)
    You'd have to do this anonymously, vigilante-style. You'd be thrown in prison just as quickly as the people who create the more malicious exploits, as you would be illegally accessing people's computers, even if you're trying to help.
  • Set up a bridge without an IP address and install Snort on it. On FreeBSD or OpenBSD, this procedure is a snap. Your mileage may vary, query Google for assistance.
    Snort identifies traffic by signatures, so instead of you eyeballing suspicious patterns, it can tell you if certain phrases are used, certain protocols, or what-have-you. Writing your own signatures is a piece of cake and the process is well-documented.
    The bridge sits at the mouth of your network (behind your firewall) and can be used to identify what is getting past the firewall.
    For the crafty -- use Snort2pf to automatically block inappropriate traffic. I used this to discourage eDonkey usage on school system's computer network and it worked like a dream.
  • Re:A modest proposal (Score:3, Informative)

    by NightHwk1 ( 172799 ) <.ten.ksalfytpme. .ta. .noj.> on Tuesday October 17, 2006 @01:11AM (#16463967) Homepage
    The impression I got from the article is that once infected, the bots will only accept (PGP?)-signed commands, and the original vulnerability is most likely patched to prevent another botnet herder from stealing it. There is no way to order the botnet to self-destruct.
  • Re:Problem Solved (Score:3, Informative)

    by ResidntGeek ( 772730 ) on Tuesday October 17, 2006 @01:13AM (#16463973) Journal
    The botnets aren't using public IRC servers, they're using servers specifically set up to control botnets.
  • Know your network. (Score:4, Informative)

    by khasim ( 1285 ) <brandioch.conner@gmail.com> on Tuesday October 17, 2006 @01:33AM (#16464127)
    There is generally so much ARP and other traffic going on that I've found it's extremely difficult in practice to actually discover such a trend.

    ARP should not matter on the firewall.

    Anyway, the easiest way is to monitor traffic by IP address, at the firewall, during times when no one should be using the computer with that address. If the machine is doing anything that goes through the firewall at 1 am, you should investigate.

    Who's going to spend this time on a home network, much less a general business environment where system administrators are already overstretched and security administrators are still the CFO's favorite line item veto?

    On a home network? Probably no one.

    On a business's network, that's completely different. If you leave your network open and are cracked and you lose your credit card numbers, that's between you and the bank. If a business leaves its network open and is cracked and loses YOUR credit card number, they can be sued.

    The problem is that not many "network administrators" really know anything about their network or security. There are an almost infinite number of things you can do that will take time and money but that will not actually increase the security of your systems.

    Education is the beginning.
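    One way to script the off-hours check khasim describes above, as an added example that is not from the post or from any firewall product: the log format, the internal addresses and the 00:00-05:59 quiet window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in a generic "date time ACCEPT src -> dst:port proto"
# shape (assumption: not the log format of any particular firewall).
SAMPLE_LOG = """\
2006-10-17 13:02:11 ACCEPT 192.168.1.10 -> 64.233.187.99:80 tcp
2006-10-17 13:05:40 ACCEPT 192.168.1.12 -> 72.14.207.99:443 tcp
2006-10-17 01:03:12 ACCEPT 192.168.1.12 -> 203.0.113.7:6667 tcp
2006-10-17 01:03:15 ACCEPT 192.168.1.12 -> 203.0.113.7:6667 tcp
2006-10-17 01:04:02 ACCEPT 192.168.1.12 -> 198.51.100.20:25 tcp
2006-10-17 01:04:03 ACCEPT 192.168.1.12 -> 198.51.100.21:25 tcp
2006-10-17 01:04:05 ACCEPT 192.168.1.12 -> 198.51.100.22:25 tcp
2006-10-17 02:30:00 ACCEPT 192.168.1.10 -> 17.254.0.91:80 tcp
"""

LINE_RE = re.compile(r"^(\S+ \S+) ACCEPT (\S+) -> (\S+):(\d+) (\w+)$")
OFF_HOURS = range(0, 6)  # 00:00-05:59: nobody should be at these desks (assumption)

def parse_line(line):
    """Return (timestamp, src, dst, port) or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2), m.group(3), int(m.group(4))

def off_hours_activity(log_text, min_flows=2):
    """Per internal source, summarise outbound flows seen during OFF_HOURS.
    A single stray flow (a scheduled update, say) is tolerated below min_flows;
    sustained chatter, many destinations or odd ports are what to investigate."""
    per_src = defaultdict(lambda: {"flows": 0, "destinations": set(), "ports": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, port = rec
        if ts.hour not in OFF_HOURS:
            continue
        entry = per_src[src]
        entry["flows"] += 1
        entry["destinations"].add(dst)
        entry["ports"].add(port)
    return {src: {"flows": e["flows"],
                  "destinations": sorted(e["destinations"]),
                  "ports": sorted(e["ports"])}
            for src, e in per_src.items() if e["flows"] >= min_flows}
```

    On the sample, only 192.168.1.12 is reported (five flows at 1 am to four hosts on ports 25 and 6667); the single 2:30 am flow from 192.168.1.10 stays below the threshold.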
  • Why use a trojan? (Score:3, Informative)

    by khasim ( 1285 ) <brandioch.conner@gmail.com> on Tuesday October 17, 2006 @01:49AM (#16464239)
    Why hasn't anybody created a "good" trojan that uses as many common exploits as possible to infect these already infected machines with a port-80 restrictive firewall?

    There have been attempts at doing so with worms ... but these machines are already pwn3d and reporting into a known channel.

    In theory, there is nothing stopping the "researchers" from having the zombies identify their OS's, download any patches, install a personal firewall and an automatically updating anti-virus program, and then remove the original infection.

    Sure, many would be re-created due to the user's ignorance, but this is the only way to "deal" with the zombie problem at the "researcher's" level.

    No need for a trojan / worm / virus. They should have sufficient control of the zombies that a script could do it.
  • by dilvish_the_damned ( 167205 ) on Tuesday October 17, 2006 @01:52AM (#16464261) Journal
    Given where you work, I would suggest security is a state of mind. Do not trust what people put forth as "secure". However it is almost certainly not your problem. If it is your problem, then no matter how small or large your installation is, I have this to say:
    Hire contractors to evaluate your installation. They need not have real access; in fact they should be able to propose possible vulnerabilities without real access, assuming they can ask questions. So you hire them to ask questions, and you take note of the questions they ask. Maybe you hire one or two and maybe you hire none. You have just paid people to ask questions about your system. If it were me, in your shoes, and assuming you have power, I would call back the ones that asked really good questions, and explain to them you want more. And then pay those guys.
    And then fix your shit. You will end up with some pretty good analysis (first level only) and it's on you to decide who you want to invite back. It is OK to initially invite local contractors, but only give out information if they give you a "good vibe".

    So back to your original statement "I work at a hospital. Sometimes I wonder whether our computers really are as secure as they should". If you have to ask, then you do not have a qualified team to deal with this. Your second thing is more pointed: "All the computers have AVG installed, but is there something else I can do to check?". I am sorry, if you are really in charge you need to hire someone who can deal with this ASAP. It will take too much time for you to come up to speed. I have many times heard the argument "but we are small", however you gave the word 'hospital'. Secure your data. If you lack funding then get the funding. It seems I cannot stress this enough. You expect the doctors to "do it right"; your patients expect your entire facility to "do it right".
    On a last note: Bringing someone in who knows more than you does not threaten your position, it only means you're a decent manager.
    Also, not to be critical, but you mention "AVG" in the hospital [record?] context. I will not say you have no clue, however you have no idea what you're dealing with. The world is far more sinister than you know. AVG is a method of turning a 'blind eye'.
    If you truly are involved with IT at a hospital, I would be willing to hook you up with a clinic that has won multiple state and national awards for its handling of IT. They would be willing to help for free; it's the way they roll. They do it up right. However, I would have to make sure you're for real before I bother them with you.
    I am not sure how we would do that, here on slashdot. Tell you what, you give me an indication via response and I will figure the mechanics out.
    No hospital (or clinic, or eye doctor) should be without real protection.

    --dant
  • by arivanov ( 12034 ) on Tuesday October 17, 2006 @02:17AM (#16464413) Homepage
    Nowadays - a lot, as it is mostly manual.

    In the near future - none. Most security "usual suspects" are working on network admission systems and how they fit in a business network. Some ISPs are looking to roll them out on public networks as well.

    The general idea is that you do deep packet inspection on anything going in and out and any PC that suddenly exhibits abnormal behaviour is removed from the network proper and is put on the "naughty step" until it is fixed. Similarly, you can move any PC on your network to and from a naughty step area automatically based on a set of conditions.

    Most elements to do that are already there, so it is only a matter of time until this becomes the de facto network design standard for LANs and access networks.
  • by Percy_Blakeney ( 542178 ) on Tuesday October 17, 2006 @04:34AM (#16465047) Homepage

    The incident described in CSO magazine is the exception that proves the rule. How did the online casino "defeat" the botnet attack? By spending a million dollars on bandwidth and equipment; they outscaled the attack. That sort of approach may (or may not) work for companies with millions of dollars in web revenue, but it is simply not a feasible way for most online entities to deal with an attack. There are hundreds of thousands of online businesses that, if faced by even a small botnet attack, would have to either pay the extortion money or go out of business.

    The outscaling approach is doomed to failure, too. Botnets will increase in size faster than server hardware will improve. It's like throwing an O(n) algorithm against an O(log n) algorithm -- the O(n) may win a few battles early on, but past a certain point the O(log n) algorithm will win every time. Given a large enough botnet, even Google or Yahoo or Microsoft could be taken down.

  • by Anonymous Coward on Tuesday October 17, 2006 @06:32AM (#16465715)
    parent links to a shock-site...
  • by Technician ( 215283 ) on Tuesday October 17, 2006 @07:49AM (#16466169)
    "BANG!" goes the ClueHammer

    On the shelf right above my monitor is my printer shelf with the LAN switch and router. If something starts spewing, it gets noticed. Client/server traffic is easy to spot as only two ports have a burst of high traffic. Something port scanning tends to light up the switch between the bot and the WAN. If I get slow net response to loading pages, I make it a point to check the switch first and the router second. From there I walk over to the busy computer to see if it's a user download of media, patches, VOIP, or something else.

    If an idle computer is spewing, it gets unplugged to free up bandwidth and left unplugged from the net until it is analyzed and fixed.
  • by GMC-jimmy ( 243376 ) on Tuesday October 17, 2006 @08:37AM (#16466591) Homepage
    If you can spare any keyboard LEDs, this little tool [freshmeat.net] might help.
