Security Experts:

Beating Back the Botnets

Why Organizations Should be Utilizing Security Information and Event Management (SIEM) Systems to Ferret Out Botnet Infections.

Botnets are insidious. They spread like digital weeds and infect thousands to millions of machines at a time. Their only purpose is to enrich and empower the botnet owners as they infiltrate endpoints on consumer systems, at colleges, and in enterprises around the world. These botnets are used to send spam, launch denial of service attacks, and, increasingly, to snoop on corporate systems.

Discovering Botnet Infections in Corporate Networks

These botnets, vast networks of infected systems under the command and control of criminals, are everyone's problem, and it's time we all did more to eliminate them from the Internet and from our networks. One of the challenges in combating botnets is how easy it is to infect an endpoint. In the time it takes to view a web page, open an attachment, or load a picture, a user can be infected. Attackers exploit vulnerabilities in web browsers and other client software to compromise users who never learn they have been infected.

What does infection mean in the context of botnets? It means the attacker has turned the endpoint into a zombie: a machine that does nothing out of the ordinary until its remote commander issues orders. Once an attacker controls enough systems, the zombies are used to send spam or to overwhelm unsuspecting web servers and knock them offline. Many botnets are also designed to steal end-user authentication data, such as the credentials used to log on to financial services and other web sites.

Some of the more infamous botnets are BredoLab, estimated at 30 million infected hosts, Mariposa (12 million), Conficker (10.5 million), and Zeus (3.6 million). Botnets of this size are capable of sending billions of spam messages every day. Many believe botnets are a consumer security problem. That is a bad assumption.

Increasingly, according to a 2009 DarkReading story, botnet operators have been building smaller botnets designed to target specific businesses and people.

That's troubling news for enterprises that don't have the right defenses in place. Botnets can easily be designed to evade anti-virus, anti-spyware, intrusion detection systems, and many other anti-malware technologies. The good news is that there are ways to spot zombie-infected systems on enterprise networks if you know how to look. Botnets often try to obfuscate both the data they collect and their connections to the controlling hosts, but by using the appropriate monitoring software and feeding its output into a security event monitor, it is possible to spot this malicious traffic and identify the infected systems.

What's needed is a way to see the patterns of infected systems spewing spam, collecting information, relaying that information, or accepting commands from their controller. Some of the data you need lies in e-mail server logs, system and server logs, server and endpoint firewall logs, and even DNS requests for domains in countries where your business has no dealings.

Clues to botnet infection can reside in any of these places. Finding the clues and assembling them into a picture is the challenge; in fact, it is almost impossible to do manually, because there is far too much information to sort through. That's where a Security Information and Event Management (SIEM) system can help ferret out botnet infections.

When SIEMs scour logs, they don't get bored or distracted. They help organizations make sense of the volumes of data all of their systems generate, and they can perform sophisticated correlation and analysis so IT teams can quickly recognize new trends and attacks. That is exactly what is needed to find clandestine botnets communicating on busy networks.

One way they work is by correlating user identities with the actions of the systems those users are on. For example, an endpoint used by an executive assistant shouldn't (typically) be sending e-mail all day directly to servers in some Eastern bloc nation. It would be equally unusual for someone in accounting to be sending thousands of requests to the same web server all day.

Those are two good examples of how botnets behave. By using a SIEM to spot anomalous behavior like this, enterprises leverage one of the most powerful tools in their information security toolbox to stomp out botnet infections.
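To make the correlation idea concrete, here is a small added example (not code from the article or from any SIEM product) that applies the three signals discussed above to constructed firewall and DNS log lines: a non-mail host opening outbound SMTP connections, DNS lookups resolving to a country the business has no dealings with, and one host hammering a single web server. The asset inventory, log format, country list, and thresholds are all assumptions made for illustration; a real SIEM would take the host-to-user mapping from Active Directory or a CMDB, the country from a GeoIP lookup, and the thresholds from a baseline of your own traffic.

```python
"""Toy SIEM-style correlation over constructed log lines (added example)."""
from collections import Counter, defaultdict

# Constructed asset inventory: host -> (user, role). Hypothetical data;
# a real SIEM would pull this from AD/CMDB.
ASSETS = {
    "ws-017": ("asmith", "executive-assistant"),
    "ws-042": ("bjones", "accounting"),
    "mail-01": ("svc-mail", "mail-server"),
}
# Only these roles are expected to open outbound SMTP (tcp/25) directly.
SMTP_ROLES = {"mail-server"}
# Countries the business actually deals with (constructed allow-list).
EXPECTED_COUNTRIES = {"CA", "US"}
# Alert thresholds (constructed; tune to your own baseline).
SMTP_THRESHOLD = 5
DNS_THRESHOLD = 3
FLOOD_THRESHOLD = 500


def parse(line):
    """Parse a constructed 'source host key=value ...' line into a dict.

    Returns None for lines that do not fit the format so junk is skipped
    rather than crashing the pipeline.
    """
    parts = line.split()
    if len(parts) < 3:
        return None
    event = {"src": parts[0], "host": parts[1]}
    for kv in parts[2:]:
        if "=" in kv:
            key, value = kv.split("=", 1)
            event[key] = value
    return event


def analyze(lines, assets):
    """Correlate events per host, then judge them against the host's role."""
    smtp = Counter()                # host -> outbound SMTP connections
    dns = defaultdict(Counter)      # host -> country -> lookups
    web = Counter()                 # (host, dst) -> HTTP(S) requests
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        host = ev["host"]
        if ev["src"] == "fw" and ev.get("dport") == "25":
            smtp[host] += 1
        elif ev["src"] == "dns" and ev.get("cc"):
            dns[host][ev["cc"]] += 1
        elif ev["src"] == "fw" and ev.get("dport") in ("80", "443"):
            web[(host, ev.get("dst"))] += 1

    alerts = []

    def emit(host, rule, detail):
        # Attach the identity so an analyst sees who, not just which IP.
        user, role = assets.get(host, ("unknown", "unknown"))
        alerts.append({"host": host, "user": user, "role": role,
                       "rule": rule, "detail": detail})

    for host, n in smtp.items():
        role = assets.get(host, ("unknown", "unknown"))[1]
        if role not in SMTP_ROLES and n >= SMTP_THRESHOLD:
            emit(host, "unexpected-smtp",
                 f"{n} outbound SMTP connections from non-mail role")
    for host, by_cc in dns.items():
        for cc, n in by_cc.items():
            if cc not in EXPECTED_COUNTRIES and n >= DNS_THRESHOLD:
                emit(host, "dns-unexpected-country",
                     f"{n} lookups resolving to {cc}")
    for (host, dst), n in web.items():
        if n >= FLOOD_THRESHOLD:
            emit(host, "request-flood", f"{n} requests to {dst}")
    return sorted(alerts, key=lambda a: (a["host"], a["rule"]))


# Constructed sample logs covering both scenarios from the article plus
# benign traffic that must not alert.
SAMPLE_LOGS = (
    # Executive assistant's workstation mailing hosts abroad directly.
    [f"fw ws-017 dst=203.0.113.{i} dport=25 cc=RU" for i in range(1, 9)]
    # Same workstation resolving names that land in an unexpected country.
    + [f"dns ws-017 query=c{i}.example cc=RU" for i in range(3)]
    # Accounting workstation hammering one web server all day.
    + ["fw ws-042 dst=198.51.100.5 dport=80 cc=US"] * 1200
    # Legitimate mail server traffic and one normal request: no alerts.
    + ["fw mail-01 dst=192.0.2.25 dport=25 cc=US"] * 40
    + ["fw ws-042 dst=192.0.2.80 dport=443 cc=CA"]
    + ["garbage line"]
)

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOGS, ASSETS):
        print(alert)
```

Run as-is it reports three alerts: the executive assistant's workstation for both unexpected SMTP and DNS resolving to an unexpected country, and the accounting workstation for the request flood; the mail server's SMTP traffic is accepted because its role permits it. The point is the join between the raw event and the identity behind it: the same 40 SMTP connections are benign from `mail-01` and suspicious from `ws-017`, which is why a SIEM needs the asset and user context and not just the firewall feed.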

Terry Cutler is a co-founder of Digital Locksmiths, an IT security and data defense firm based in Montreal, and serves as the company's Chief Technology Officer and Certified Ethical Hacker. Prior to joining Digital Locksmiths, he was a Premium Support Engineer for Novell in Canada, where he analyzed network vulnerabilities and transitioned security technologies into production. In addition to being a licensed private investigator in Canada, Terry is an internationally known author, trainer, speaker, and security consultant. He has appeared on numerous national television and radio programs and is very active on the conference circuit. Follow Terry on Twitter at @TerryPCutler