Is the Botnet Battle Already Lost?
An anonymous reader writes "Researchers are finding it practically futile to keep up with evolving botnet attacks. 'We've known about [the threat from] botnets for a few years, but we're only now figuring out how they really work, and I'm afraid we might be two to three years behind in terms of response mechanisms,' said Marcus Sachs, a deputy director in the Computer Science Laboratory of SRI International, in Arlington, Va. There is a general feeling of hopelessness as botnet hunters discover that, after years of mitigating command and controls, the effort has largely gone to waste. 'We've managed to hold back the tide, but, for the most part, it's been useless,' said Gadi Evron, a security evangelist at Beyond Security, in Netanya, Israel, and a leader in the botnet-hunting community. 'When we disable a command-and-control server, the botnet is immediately re-created on another host. We're not hurting them anymore.' There is an interesting image gallery of a botnet in action as discovered by security researcher Sunbelt Software."
Re:How do you know if you've been rooted? (Score:5, Informative)
Snort identifies traffic by signatures, so instead of you eyeballing suspicious patterns, it can tell you if certain phrases are used, certain protocols, or what-have-you. Writing your own signatures is a piece of cake and the process is well-documented.
The bridge sits at the mouth of your network (behind your firewall) and can be used to identify what is getting past the firewall.
For the crafty -- use Snort2pf to automatically block inappropriate traffic. I used this to discourage eDonkey usage on a school system's computer network and it worked like a dream.
Know your network. (Score:4, Informative)
ARP should not matter on the firewall.
Anyway, the easiest way is to monitor traffic by IP address, at the firewall, during times when no one should be using the computer with that address. If the machine is doing anything that goes through the firewall at 1 am, you should investigate.
On a home network? Probably no one.
On a business's network, that's completely different. If you leave your network open and are cracked and you lose your credit card numbers, that's between you and the bank. If a business leaves its network open and is cracked and loses YOUR credit card number, they can be sued.
The problem is that not many "network administrators" really know anything about their network or security. There are an almost infinite number of things you can do that will take time and money but that will not actually increase the security of your systems.
Education is the beginning.
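The off-hours check suggested above (look at what each internal address sends through the firewall when nobody should be at the keyboard) is easy to script. The following is an added example, not code from the poster: it parses a handful of constructed iptables-style ACCEPT lines, keeps only those inside a configurable quiet window, and reports each source host's destinations and ports. The log format, the quiet window and the optional allowlist of expected ports (NTP, for instance) are assumptions for the sake of the example.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (iptables/syslog style); not real captures.
SAMPLE_LOG = """\
Mar 14 01:12:03 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.9 PROTO=TCP SPT=49213 DPT=6667
Mar 14 01:12:09 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.9 PROTO=TCP SPT=49214 DPT=6667
Mar 14 01:15:40 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=192.168.1.40 DST=198.51.100.7 PROTO=UDP SPT=123 DPT=123
Mar 14 09:02:11 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=192.168.1.15 DST=198.51.100.20 PROTO=TCP SPT=51000 DPT=443
Mar 14 03:30:00 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.77 PROTO=TCP SPT=49500 DPT=25
"""

# Assumed log layout: syslog timestamp, then the usual netfilter key=value fields.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return the fields we care about, or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    hour = int(m.group("time").split(":")[0])
    return {
        "hour": hour,
        "src": m.group("src"),
        "dst": m.group("dst"),
        "proto": m.group("proto"),
        "dpt": int(m.group("dpt")),
    }


def in_quiet_window(hour, quiet_start, quiet_end):
    """True if hour falls in [quiet_start, quiet_end); the window may cross midnight."""
    if quiet_start <= quiet_end:
        return quiet_start <= hour < quiet_end
    return hour >= quiet_start or hour < quiet_end


def off_hours_talkers(log_text, quiet_start=0, quiet_end=5, allow_dports=frozenset()):
    """Summarise, per source IP, outbound traffic seen inside the quiet window.

    allow_dports lets you drop destination ports you expect even at night
    (for example NTP); everything else is reported for a human to look at.
    """
    findings = defaultdict(lambda: {"events": 0, "dsts": set(), "dports": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if not in_quiet_window(rec["hour"], quiet_start, quiet_end):
            continue
        if rec["dpt"] in allow_dports:
            continue
        f = findings[rec["src"]]
        f["events"] += 1
        f["dsts"].add(rec["dst"])
        f["dports"].add(rec["dpt"])
    return dict(findings)


if __name__ == "__main__":
    for src, info in off_hours_talkers(SAMPLE_LOG, allow_dports={123}).items():
        print(src, info["events"], "events ->", sorted(info["dsts"]), sorted(info["dports"]))
```

With the NTP allowlist applied, only the host talking to port 6667 (IRC, a classic command-and-control channel) and port 25 at one and three in the morning is left on the report; that is the machine to walk over to first.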
Why use a trojan? (Score:3, Informative)
There have been attempts at doing so with worms
In theory, there is nothing stopping the "researchers" from having the zombies identify their OS's, download any patches, install a personal firewall and automatically updating anti-virus program and then removing the original infection.
Sure, many would be re-created due to the user's ignorance, but this is the only way to "deal" with the zombie problem at the "researcher's" level.
No need for a trojan / worm / virus. They should have sufficient control of the zombies that a script could do it.
Hire contractors to evaluate your installation. They need not have real access, in fact they should be able to propose possible vulnerabilities without real access, assuming they can ask questions. So you hire them to ask questions, you take note of the questions they ask. Maybe you hire one or two and maybe you hire none. You have just paid people to ask questions about your system. If it were me, in your shoes, and assuming you have power, I would call back the ones that asked really good questions, and explain to them you want more. And then pay those guys.
And then fix your shit. You will end up with some pretty good analysis (first level only) and it's on you to decide who you want to invite back. It is OK to initially invite local contractors, but only give out information if they give you a "good vibe".
So back to your original statement "I work at a hospital. Sometimes I wonder whether our computers really are as secure as they should". If you have to ask, then you do not have a qualified team to deal with this. Your second thing is more pointed: "All the computers have AVG installed, but is there something else I can do to check?". I am sorry, if you are really in charge you need to hire someone who can deal with this ASAP. It will take too much time for you to come up to speed. I have many times heard the argument "but we are small" however you gave the word 'hospital'. Secure your data. If you have lack of funding then get the funding. It seems I cannot stress this enough. You expect the doctors to "do it right", your patients expect your entire facility to "do it right".
On a last note: Bringing someone in who knows more than you does not threaten your position, it only means you're a decent manager.
Also, not to be critical, but you mention "AVG" in the hospital [record?] context. I will not say you have no clue, however you have no idea what you're dealing with. The world is far more sinister than you know. AVG is a method of turning a 'blind eye'.
If you truly are involved with IT at a hospital, I would be willing to hook you up with a clinic that has won multiple state and national awards for its handling of IT. They would be willing to help for free, it's the way they roll. They do it up right. However, I would have to make sure you're for real before I bother them with you.
I am not sure how we would do that, here on slashdot. Tell you what, you give me an inclination via response and I will figure the mechanics out.
No hospital (or clinic, or eye doctor) should be without real protection.
--dant
Re:How do you know if you've been rooted? (Score:3, Informative)
In the near future - none. Most security "usual suspects" are working on network admission systems and how they fit in a business network. Some ISPs are looking to roll them out on public networks as well.
The general idea is that you do deep packet inspection on anything going in and out and any PC that suddenly exhibits abnormal behaviour is removed from the network proper and is put on the "naughty step" until it is fixed. Similarly, you can move any PC on your network to and from a naughty step area automatically based on a set of conditions.
Most elements to do that are already there so it is only a matter of time until this becomes the de-facto network design standard for LANs and access networks.
Re:Article is Botnet FUD (Score:3, Informative)
The incident described in CSO magazine is the exception that proves the rule. How did the online casino "defeat" the botnet attack? By spending a million dollars on bandwidth and equipment; they outscaled the attack. That sort of approach may (or may not) work for companies with millions of dollars in web revenue, but it is simply not a feasible way for most online entities to deal with an attack. There are hundreds of thousands of online businesses that, if faced by even a small botnet attack, would have to either pay the extortion money or go out of business.
The outscaling approach is doomed to failure, too. Botnets will increase in size faster than server hardware will improve. It's like throwing an O(n) algorithm against an O(log n) algorithm -- the O(n) may win a few battles early on, but past a certain point the O(log n) algorithm will win every time. Given a large enough botnet, even Google or Yahoo or Microsoft could be taken down.
Re:How do you know if you've been rooted? (Score:3, Informative)
On the shelf right above my monitor is my printer shelf with the LAN switch and router. If something starts spewing, it gets noticed. Client/server traffic is easy to spot as only two ports have a burst of high traffic. Something port scanning tends to light up the switch between the bot and the WAN. If I get slow net response to loading pages, I make it a point to check the switch first and the router second. From there I walk over to the busy computer to see if it's a user download of media, patches, VOIP, or something else.
If an idle computer is spewing, it gets unplugged to free up bandwidth and left unplugged from the net until it is analyzed and fixed.
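The two patterns the poster reads off the switch LEDs (a burst between exactly two endpoints versus one host lighting up many targets, which is what a scanning bot looks like) can be told apart from flow records just as well. This is an added example, not the poster's code: it classifies each internal source from constructed (src, dst, dport) tuples by counting distinct destination/port pairs (fan-out) against total flow volume. The thresholds are assumptions chosen for the sample data and would need tuning on a real network.

```python
from collections import defaultdict

# Constructed flow records (src_ip, dst_ip, dst_port); not real captures.
# A user pulling a large file: many flows, one peer, one port.
SAMPLE_FLOWS = [("192.168.1.15", "198.51.100.20", 443) for _ in range(40)]
# An infected box probing port 445 on sixty different hosts: one flow per target.
SAMPLE_FLOWS += [("192.168.1.23", f"203.0.113.{i}", 445) for i in range(1, 61)]
# A quiet host doing nothing remarkable.
SAMPLE_FLOWS += [("192.168.1.40", "198.51.100.7", 123), ("192.168.1.40", "198.51.100.8", 53)]


def summarize(flows):
    """Per source IP: flow count, distinct peers, distinct (dst, port) targets."""
    per_src = defaultdict(lambda: {"flows": 0, "peers": set(), "targets": set()})
    for src, dst, dport in flows:
        p = per_src[src]
        p["flows"] += 1
        p["peers"].add(dst)
        p["targets"].add((dst, dport))
    return dict(per_src)


def classify_hosts(flows, scan_fanout=20, burst_flows=20, burst_max_peers=2):
    """Label each source as 'scan-like', 'client/server burst' or 'quiet'.

    scan-like: many distinct (dst, port) targets, roughly one flow each.
    client/server burst: lots of flows but confined to one or two peers.
    quiet: nothing that would light up the switch.
    """
    verdicts = {}
    for src, p in summarize(flows).items():
        fanout = len(p["targets"])
        if fanout >= scan_fanout and fanout >= 0.8 * p["flows"]:
            verdicts[src] = "scan-like"
        elif p["flows"] >= burst_flows and len(p["peers"]) <= burst_max_peers:
            verdicts[src] = "client/server burst"
        else:
            verdicts[src] = "quiet"
    return verdicts


if __name__ == "__main__":
    for src, verdict in sorted(classify_hosts(SAMPLE_FLOWS).items()):
        print(f"{src:16} {verdict}")
```

The fan-out condition (distinct targets close to the number of flows) is what separates a scanner from a busy but legitimate client; a host that opens sixty connections to one server still counts as a burst, not a scan. Either way the poster's response is the right one: a scan-like verdict on an idle machine means unplug it and analyse it before it goes back on the wire.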