Internet Bot Security

Posted on October 13th, 2008 by Benjamin Harbin

Because more and more users connect to the Internet without proper edge security, botnets are growing rapidly all around the world, continuously sending mail that wreaks havoc on our inboxes.  So what exactly is a bot or botnet, and how can you protect your network and your users?

An Internet bot is basically any type of application designed to perform automated tasks over the Internet.  A botnet is a collection of bots that may be confined to one area or spread all around the world as the “infection” propagates.  Bots can be controlled manually to perform tasks at the request of the bot “commander”, or coded to perform certain tasks automatically.

So, you may ask, how can a bot or botnet affect your network?  Many bots today spread viruses or worms, relay large amounts of spam email, or even initiate or take part in a Distributed Denial of Service (DDoS) attack against the host or other networks.  Bots can also grant the bot “commander” access to the local network, where additional software can be installed, such as keyloggers or applications that grant access to devices or the operating system.  None of this is good for the network: it eats up valuable bandwidth, can bring down servers or user machines, and can even get your mail domain blacklisted if your hosts are relaying spam.

The most prevalent ways of spreading bots require some form of user interaction, whether visiting or downloading something from a malicious site or opening an attachment that did not come from a trusted sender.  Websites often host the malicious files bundled with seemingly legitimate applications, or disguise the file under another application's name.  Another popular attack is a browser pop-up that claims the machine is infected and asks the user to download anti-virus software, which is, in fact, a malicious application itself.

The good news is that with the proper security measures in place, you can protect your network from infection.  The best protection against these kinds of attacks is user knowledge and awareness.  It is definitely recommended that you make users aware of the risks associated with bots and malicious applications in user awareness and training sessions.  Safe browsing habits are an especially important topic, as most users are unaware of the variety of attacks and of the ease with which one of them can penetrate a network.

Secondly, the inbound and outbound firewall rules should be kept as specific and hardened as possible.  Source and destination IP addresses should be specified, and this is especially important for mail traffic.  If possible, limit outbound mail traffic so that it can only originate from your mail server, and if you have a mail filtering solution, also limit inbound mail connections to that mail filtering provider.  It is also important to keep some form of content filtering system in place.  This will allow you to block access to known malicious sites, or even set up a safe browsing group and only allow access to sites that are necessary for operations.  Having a Network Intrusion Prevention System (NIPS) solution, either as hardware or built into the firewall, is also recommended, as some of the signatures can analyze mail traffic for malicious headers or attachments.  Network IPS signatures can also detect local machines that are currently infected with known bots.  Machines infected with bots or other malicious software can also be detected by analyzing historical firewall and IPS logs, so it is important that these logs are reviewed and stored.
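As an added example (not from the original post), the script below applies the “mail only from the mail server” rule to historical firewall logs: any other internal host that tried to reach TCP/25 is listed, whether the firewall allowed it (the outbound rule is too loose) or denied it (the rule worked, but that host still deserves a malware check).  The log format, the addresses and the MAIL_SERVER value are constructed for this illustration; adapt the regular expression to your own firewall's log format.

```python
import re
from collections import defaultdict

# Constructed: the one internal host permitted to send mail directly.
MAIL_SERVER = "10.0.0.25"

# Constructed: a generic key=value firewall log format.
LINE_RE = re.compile(
    r"action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample log: the mail server, a workstation that was allowed
# to mail three outside servers, web traffic, and one denied SMTP attempt.
SAMPLE_LOG = """\
2008-10-13T09:01:02 fw1 action=allow proto=tcp src=10.0.0.25:40112 dst=203.0.113.10:25
2008-10-13T09:01:05 fw1 action=allow proto=tcp src=10.0.0.77:51001 dst=198.51.100.5:25
2008-10-13T09:01:06 fw1 action=allow proto=tcp src=10.0.0.77:51002 dst=198.51.100.6:25
2008-10-13T09:01:07 fw1 action=allow proto=tcp src=10.0.0.77:51003 dst=198.51.100.7:25
2008-10-13T09:01:08 fw1 action=allow proto=tcp src=10.0.0.42:51010 dst=192.0.2.80:80
2008-10-13T09:01:09 fw1 action=deny proto=tcp src=10.0.0.91:51020 dst=198.51.100.9:25
"""

def smtp_from_unauthorized_hosts(log_text, mail_server=MAIL_SERVER):
    """Return {src_ip: {"allow": set(dst), "deny": set(dst)}} for every
    host other than mail_server that tried to open an outbound TCP/25
    connection.  "allow" entries mean the firewall rule is too loose;
    "deny" entries mean the rule worked but the host is still suspect."""
    hits = defaultdict(lambda: {"allow": set(), "deny": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        f = m.groupdict()
        if f["action"] not in ("allow", "deny"):
            continue
        if f["proto"] != "tcp" or f["dport"] != "25" or f["src"] == mail_server:
            continue
        hits[f["src"]][f["action"]].add(f["dst"])
    return dict(hits)

def suspected_relays(log_text, min_destinations=2, mail_server=MAIL_SERVER):
    """Hosts that contacted at least min_destinations distinct mail servers:
    a workstation fanning out to many MTAs looks like a spam-relaying bot."""
    return sorted(
        src for src, d in smtp_from_unauthorized_hosts(log_text, mail_server).items()
        if len(d["allow"] | d["deny"]) >= min_destinations
    )

if __name__ == "__main__":
    for host in suspected_relays(SAMPLE_LOG):
        print(f"review {host}: direct outbound SMTP to multiple mail servers")
```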

Lastly, you should ensure that servers and client machines are kept at current patch levels, and that some form of anti-virus suite is scheduled to scan all machines on the domain.

The war against the Internet Bad Guys will never be over, so it is important to protect yourself against the known threats and to minimize the possibility of new ones by putting the necessary security in place.  By using the proper security measures and an incident response plan, it is possible to avoid most of the severe attacks out in the wild, or at least to minimize the impact they may have on your network.

More Reading

• Wired (http://www.wired.com/wired/archive/14.11/botnet.html)
• USA Today (http://www.usatoday.com/tech/news/computersecurity/2008-03-16-computer-botnets_N.htm)
