Tech Talk
Botnets: The True Protection Is Prevention and Knowledge
Botnet infections have increased in recent years and are one of the most critical cybersecurity problems our national infrastructure faces. The FBI recently announced Operation Bot Roast, which concluded that over 1 million hosts in the United States have been compromised and are now being controlled by botnets. With a number this large, the infected host count is sure to include enterprise workstations as well as home desktops. Though this operation is a great step in the right direction by the FBI in the fight against cybercrime, a reactive report like this does little for true botnet prevention.
Although botnets do pose a serious risk, they are not a “new” threat and can be mitigated with standard best practices. To understand how best to protect against botnets, you have to know what a botnet is and isn’t. The following is a very brief overview of the botnet process, along with some key items to remember:
Infection
Botnets are NOT vulnerabilities. Rather, botnet software is delivered to users by exploiting vulnerabilities, or sometimes by coaxing uninformed users into opening malicious botnet binaries directly, with no vulnerability exploit needed at all. This is nothing new; it is the same attack vector that has been seen in virus attacks since their inception.
Connection
Following infection, a host will connect to a botnet command and control (C&C) network, typically in the form of an IRC or chat server.
At the C&C server the infected hosts are gathered and issued commands simultaneously by the IRC admin, known as the “bot-herder”. The IRC admin has commonly been the same individual or group that carried out the attack to bring the bots online, but new trends show that the active bot-herder may instead be a “customer” paying for time slots on a C&C server for their own nefarious use, without needing to compromise any computers themselves.
Execution
Once issued a command, all the botnet-infected hosts execute that command in unison and then wait for the next one. The most common command for large botnets is to instruct the infected hosts to cause a Denial of Service (DoS) against a specified target. Since this Distributed Denial of Service (DDoS) comes from multiple sources at multiple speeds, it is nearly impossible to predict and protect against. Furthermore, this type of attack wreaks havoc on the target network by overloading switches and routers, causing further business-continuity issues.
DDoS is not the only use of botnets. New trends show botnets being used in ID theft, spam, and click-fraud campaigns, making them a much more lucrative and direct source of income for attackers. Now that the general process of botnet infection and attack has been briefly explained, has anything really changed when it comes to protecting yourself and your networks? Not really… Botnets, in essence, are just sophisticated payloads for vulnerability exploits or the malicious code inside an executable downloaded from the internet…nothing new or revolutionary. Just because we are seeing an increase in a certain family of payloads does not change the protection scheme: regular due diligence is still the best protection.
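To make the connection and execution phases described above concrete from the defender's side, here is an added example (not code from the newsletter or from eEye) that runs two simple heuristics over constructed outbound-connection log lines: a shared external rendezvous point that several internal hosts contact on the same port (labelled when that port is a well-known IRC port), and a synchronized burst in which several hosts each open many connections to one destination inside the same minute, the "execute in unison" pattern. The log layout, addresses, ports, thresholds and function names are all assumptions made for this example.

```python
"""Two defender-side heuristics for the botnet connection and execution
phases, run over constructed firewall log lines.  Added example; not code
from the newsletter or from eEye.  Log format, addresses, ports and
thresholds are assumptions made for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Well-known IRC ports (6667 plain, 6697 TLS).  A bot can use any port, so
# this only labels a finding; the heuristics themselves are port-agnostic.
IRC_PORTS = {6667, 6697}
EPOCH = datetime(1970, 1, 1)

# Assumed log layout: "<iso-timestamp> src=<ip> dst=<ip> dport=<n> proto=<p>"
LINE_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_line(line):
    """Parse one log line into a record; return None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
            "dst": m["dst"], "dport": int(m["dport"]), "proto": m["proto"]}


def find_rendezvous_points(records, min_hosts=3):
    """Connection phase: (dst, port) pairs that at least min_hosts distinct
    internal hosts contact.  Returns the hosts and whether the port is IRC."""
    hosts_by_dest = defaultdict(set)
    for r in records:
        hosts_by_dest[(r["dst"], r["dport"])].add(r["src"])
    return {dest: {"hosts": sorted(hosts), "irc_port": dest[1] in IRC_PORTS}
            for dest, hosts in hosts_by_dest.items() if len(hosts) >= min_hosts}


def find_synchronized_bursts(records, window_seconds=60, min_hosts=3, min_conns=5):
    """Execution phase: at least min_hosts hosts each open at least min_conns
    connections to the same (dst, port) inside one window_seconds bucket."""
    counts = defaultdict(lambda: defaultdict(int))
    for r in records:
        bucket = int((r["ts"] - EPOCH).total_seconds()) // window_seconds
        counts[(r["dst"], r["dport"], bucket)][r["src"]] += 1
    bursts = []
    for (dst, dport, bucket), per_src in counts.items():
        active = sorted(src for src, n in per_src.items() if n >= min_conns)
        if len(active) >= min_hosts:
            bursts.append({"dst": dst, "dport": dport, "hosts": active})
    return bursts


def analyze(lines):
    """Run both heuristics; suspects are hosts that appear in both signals."""
    records = [r for r in map(parse_line, lines) if r]
    rendezvous = find_rendezvous_points(records)
    bursts = find_synchronized_bursts(records)
    rv_hosts = {h for v in rendezvous.values() for h in v["hosts"]}
    burst_hosts = {h for b in bursts for h in b["hosts"]}
    return {"rendezvous": rendezvous, "bursts": bursts,
            "suspect_hosts": sorted(rv_hosts & burst_hosts)}


# --- constructed sample data (documentation-only address ranges) ----------
BOT_HOSTS = ["10.0.1.12", "10.0.1.19", "10.0.1.23", "10.0.1.31"]


def _connections(hosts, dst, dport, start, per_host, spacing=4):
    """Build per_host connection lines from each host to dst:dport."""
    lines = []
    for i, host in enumerate(hosts):
        for k in range(per_host):
            ts = start + timedelta(seconds=i + spacing * k)
            lines.append(f"{ts.isoformat()} src={host} dst={dst} dport={dport} proto=tcp")
    return lines


SAMPLE_LINES = (
    # 10:00 - four hosts each open one session to the same IRC server
    _connections(BOT_HOSTS, "203.0.113.5", 6667, datetime(2007, 6, 20, 10, 0, 1), 1)
    # a clean host doing ordinary HTTPS, plus a malformed line to be skipped
    + ["2007-06-20T10:00:15 src=10.0.1.50 dst=198.51.100.7 dport=443 proto=tcp",
       "this line is garbage and should be skipped"]
    # 10:05 - the same four hosts hammer one web server within the same minute
    + _connections(BOT_HOSTS, "198.51.100.20", 80, datetime(2007, 6, 20, 10, 5, 0), 6)
)

if __name__ == "__main__":
    result = analyze(SAMPLE_LINES)
    for dest, info in result["rendezvous"].items():
        tag = "IRC" if info["irc_port"] else "non-IRC"
        print(f"shared destination {dest[0]}:{dest[1]} ({tag}) <- {info['hosts']}")
    for b in result["bursts"]:
        print(f"synchronized burst at {b['dst']}:{b['dport']} from {b['hosts']}")
    print("suspect hosts:", result["suspect_hosts"])
```

Note that the DDoS target itself also shows up as a shared destination, since the same four hosts all reach it; that is why the example only reports hosts that appear in both signals as suspects, and why the clean host on 10.0.1.50 is never flagged. On a real network the thresholds have to be tuned to the baseline (a popular web server is contacted by many hosts, legitimately), and any hit should be corroborated on the host itself.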
What type of security product best protects your network from botnet infections?
With the increase in client-side attacks in recent months, the protection point has shifted from neutered network IDS systems to generic host-based protection systems that offer protection against the unknown. This helps protect systems from exploit attempts. However, what happens when uneducated users click malicious executables on their Web 2.0 subscription site? This is where a generic anti-virus solution helps protect the host, by checking an executable for malicious code before the user runs it.
This should highlight — yet again — the inadequacy of signature-based IDS/AV vendors. With these products you are guaranteed to always be behind the attacker. On average, it takes a signature-based vendor up to 7 days to release a signature for a newly created piece of malware once they have a sample. Attackers know this, so they treat an exploit as having a shelf-life of only 7 days before they move on and create a new variant. With this in mind, signature-based vendors protect their clients only from the most basic of attacks, a coverage gap not worth risking. If you are using a signature-based AV solution, you can be fairly certain that you are blocking only a small percentage of the possible botnet virus attacks against your network.
Some security vendors have responded to the botnet “crisis” as they normally do: with newly created products specifically meant to protect hosts from botnets. Buying over-the-counter “botnet protection” is like buying one small portion of a worthwhile IPS product. Any good intrusion prevention system should have “botnet protection” built into its day-to-day protection arsenal and should protect you from botnets and their related attacks without any extra add-on. eEye is extending its 1-year free trial of Blink Personal for consumer use, which already prevents botnet attacks today. You can download Blink Personal for free.
Installing a host-based IPS product is not enough for large enterprise networks with large numbers of workstations. Companies must take proactive steps to ensure that their security staff truly understand botnet infections, so that they are better able to identify botnet-compromised hosts.
The eEye Research Team monitors botnet activity for all botnet malware identified within the Neighborhood Watch program. eEye Research also runs a very intricate honeypot that analyzes over 15,000 submitted malware samples per day, adding many botnet payloads to our malware database. Using this database, the eEye Research Team is able to analyze live botnet networks to identify infected hosts and to understand bot-herder trends, which helps ascertain the most probable source of infection.
The results of this monitoring are used by eEye Research and Preview customers to gain a better grasp of the common elements of botnet activity and the tell-tale signs of a botnet infection. eEye Research takes this trend analysis further by alerting Preview customers if any infected IPs fall within the customer's IP ranges. This helps Preview customers immensely by identifying botnet hosts that might otherwise go unnoticed.
So, with all of the recent hand-waving occurring with regard to botnets, here are a few points to bring up in the next security staff meeting:
- How long do your operating systems and core applications take to be fully patched after a patch is released?
- Are you using non-signature-based, host-based security solutions for vulnerabilities and malware, to protect against unknown vulnerabilities and bot-infected executables?
- Is your security staff knowledgeable on botnet prevention and identification to keep your network safe?
Positive answers to these questions will yield the greatest success when fighting botnet infections in your network.
Source: Andre Protas, Research Engineer, eEye Digital Security
News & Articles
The following articles represent the opinions of their respective authors. They do not necessarily represent the opinions of eEye Digital Security.
CRN Tech Review: Eye-Opening End-Point Security
"For solution providers and MSPs looking for a new way to make money and differentiate their offering in a "me-too" market, here is a new technology that can help your bottom line. If you are looking for a competitive edge as a VAR selling security solutions, Blink offers significant differentiation from the other solutions out there. Alvaka Networks has found that whether you are a VAR or an MSP, eEye's Blink is a compelling new product to sell."
An Eye on Endpoint Protection Software
"Review: Blink Professional 3.0 provides strong vulnerability assessment tools."
With iPhone Launch, a Hacker's To-do List
"Three things for the hacking community to focus on in looking for flaws in the new product's software."
Researchers Report 10 Critical Bugs In CA's Backup Software
"Researchers at eEye Digital Security say they discovered the 10 buffer overflow vulnerabilities that can each enable remote code execution."
Reader Q&A
Q: How would you recommend testing a patch after installation?
A: The best way to test a patch is by rolling it out to your network. Of course, this is not the safest way and can cause some serious business disruptions if there are any issues with the patch, so we generally suggest that nobody test the patch by rolling it out. Also, considering the somewhat likely possibility of a patch being re-released, in effect doubling the administration workload, it's generally a good idea to wait a week or two following Patch Tuesday before rolling out the patch. Of course, you still need to be protected, so you should rely on a strong non-signature-based endpoint security solution to protect your assets during this period. Keep an eye on the security mailing lists to identify any potential problems users are having with the patch. When all seems well, run the patch through a battery of day-to-day use cases in your test lab while also rolling out the patch to a few select workstations for a few days. If everything is looking good, chances are this patch will not cause any business disruption to your network when it's rolled out network-wide. If you're seeing issues, help the community and make some mailing list posts yourself describing your problems to help others with this process. Although this seems pretty stressful, if you can fully trust your endpoint protection to protect your assets from any exploits against the patched vulnerabilities, you can deal with this process stress-free.
Have a question you would like answered? Send it to versa@eEye.com, and win an eEye t-shirt if we select your question for an upcoming newsletter.
Announcements
Multiple Critical McAfee ePO Vulnerabilities - Free Scanner
Recently there were multiple vulnerabilities discovered within the standardized framework that McAfee uses for client/server communications across its various products. These vulnerabilities are critical in that an attacker can remotely compromise most deployments of McAfee software within a corporate environment. The affected products include McAfee ePolicy Orchestrator, ProtectionPilot and Common Management Agent (CMA). Most IT organizations are typically less focused on keeping their third-party agent software up to date than, say, Microsoft or Linux patches. We have decided to release a free scanning tool which companies can use to identify any vulnerable McAfee installations within their network and patch them accordingly. You can learn more and download the tool here.
eEye Blink Personal Edition Wins VB100 Award
The product achieved 100% detection of ‘in-the-wild’ viruses with zero false positives.
eEye Unveils Advanced Intelligence Service for Proactive Vulnerability and Security Management
eEye Digital Security announces its offering of the eEye Preview Service, a three-tiered security intelligence program comprising multiple comprehensive security services designed to empower organizations with immediate intelligence and remediation information on vulnerabilities and exploits, and direct hotline access to the security research team.
eEye Digital Security Vulnerability Expert Forum
The VEF provides valuable insight regarding newly discovered vulnerabilities and the actions that need to be taken as a result. By making this information available, eEye reduces the workload faced by security administrators by clearly presenting all the information required for informed decision-making, allowing for improved patching prioritization.
Etcetera
eEye Receives a Facelift
Be sure to visit our new website at www.eeye.com!
Stay Up-to-Date with eEye Research
eEye Research has seen some staggering results from the recent influx of Blink Personal/Neighborhood Watch users. This data is offering eEye Research distinct insight into host-based vulnerability and attack trends, which feeds enhanced protection into Blink. Keep an eye on the eEye Research Portal http://research.eeye.com/ for future projects that have arisen because of the mass use of Blink Personal, including Neighborhood Watch reports and attack trends.
HOW TO SUBSCRIBE
To subscribe to this and other eEye newsletters, please visit: http://www.eeye.com/html/resources/newsletters/subscribe.html
FEEDBACK
The eEye newsletter staff welcomes any comments, questions or suggestions from our readers. We hope that you will not hesitate to contact us with any feedback you may have. Send all feedback to versa@eeye.com.
DISCLAIMER
The information within this newsletter may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
NOTICE
Permission is hereby granted for the redistribution of this newsletter electronically. It is not to be edited in any way without the express consent of eEye. If you wish to reprint the whole or any part of this newsletter in any other medium excluding electronic medium, please email versa@eeye.com for permission.