AV Botnet Detection PDF
Attackers infiltrate systems with malware in a variety of ways (phishing, watering holes, etc.) to build their botnet. Once infiltrated, these compromised systems ("bots") typically link back to a command and control (C&C) server and wait for instructions. The botnet can then be used for tasks ranging from distributed denial of service (DDoS) and DDoS-as-a-Service attacks, to mass-scale spam marketing, to collecting sensitive credit card and financial data, leading in short order to identity theft and fraud.
Want an example? The Gameover ZeuS botnet malware package, which runs on Microsoft Windows and was originally discovered in 2007, operated for over three years in just this fashion, eventually leading to an estimated $70 million in stolen funds and the arrest of over a hundred individuals by the FBI in 2010. And it wasn't until March 2012 that Microsoft announced it had succeeded in shutting down the "majority" of its C&C servers.
As you might guess from the length of Gameover ZeuS' tenure (still ongoing!), organizations that own compromised workstations often aren't even aware this is happening until considerable damage has been done. And of course, over time the number and value of botnets has grown significantly while they have become more sophisticated in their targets, infiltration, anti-detection, and attack techniques. So today, it's increasingly important for IT professionals to be well-versed in botnet detection techniques and tools.
Botnet Detection: Ferreting out one or more bots on your network
Initial signs and symptoms
There are several symptoms that often manifest shortly after botnet infiltration as the compromised machine begins executing its instructions. Awareness of these symptoms can aid in early botnet detection. They include:
• Linking to established C&C servers for instructions
• Generating Internet Relay Chat (IRC) traffic via a specific range of ports
• Generating simultaneous identical domain name system (DNS) requests
• Generating Simple Mail Transfer Protocol (SMTP) traffic/e-mails
• Reducing workstation performance/Internet access to the point it's obvious to end users
As you can see, these issues manifest both at the level of individual,
compromised workstations and the network as a whole. For network
managers, that means there are different botnet detection tactics that can be
used at both of these levels.
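The network-level symptoms above (IRC traffic on its usual ports, several hosts issuing the same DNS query at the same moment, SMTP leaving machines that are not mail servers) can be checked mechanically against connection logs. The following Python is an added example written for this page, not code from the AlienVault paper or the USM platform; the log format, the IRC port list, the set of approved mail relays (`MAIL_RELAYS`), the five-second DNS burst window and the three-host threshold are all assumptions, and the log lines are constructed.

```python
# Added example: flag early botnet symptoms in a batch of connection-log records.
# Log format (assumed): "timestamp src dst dport proto [dns_query]"
from collections import defaultdict
from datetime import datetime, timedelta

IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}  # commonly used IRC ports (assumed list)
MAIL_RELAYS = {"10.0.0.25"}                         # assumed: the only hosts allowed to send SMTP
DNS_BURST_WINDOW = timedelta(seconds=5)             # assumed tuning: "simultaneous" means within 5 s
DNS_BURST_MIN_HOSTS = 3                             # assumed tuning: at least 3 distinct hosts

# Constructed sample log; the .test domain and RFC 5737 addresses are placeholders.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.1.1.10 192.0.2.50 6667 tcp
2024-05-01T10:00:01 10.1.1.11 8.8.8.8 53 udp update.example-cc.test
2024-05-01T10:00:02 10.1.1.12 8.8.8.8 53 udp update.example-cc.test
2024-05-01T10:00:03 10.1.1.13 8.8.8.8 53 udp update.example-cc.test
2024-05-01T10:00:04 10.1.1.14 198.51.100.7 25 tcp
2024-05-01T10:00:05 10.0.0.25 198.51.100.7 25 tcp
2024-05-01T10:00:06 10.1.1.10 93.184.216.34 443 tcp
2024-05-01T10:30:00 10.1.1.20 8.8.8.8 53 udp update.example-cc.test
"""


def parse_log(text):
    """Turn the whitespace-separated log lines into dicts with typed fields."""
    records = []
    for line in text.strip().splitlines():
        parts = line.split()
        ts, src, dst, dport, proto = parts[:5]
        qname = parts[5] if len(parts) > 5 else None
        records.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                        "dport": int(dport), "proto": proto, "qname": qname})
    return records


def find_irc(records):
    """TCP connections to ports conventionally used by IRC servers."""
    return [(r["src"], r["dst"], r["dport"])
            for r in records if r["proto"] == "tcp" and r["dport"] in IRC_PORTS]


def find_rogue_smtp(records):
    """Hosts speaking SMTP that are not on the approved relay list (spam bots)."""
    seen = []
    for r in records:
        if r["dport"] in (25, 465, 587) and r["src"] not in MAIL_RELAYS and r["src"] not in seen:
            seen.append(r["src"])
    return seen


def find_dns_bursts(records):
    """Query names requested by >= DNS_BURST_MIN_HOSTS distinct hosts inside one window."""
    by_name = defaultdict(list)
    for r in records:
        if r["qname"]:
            by_name[r["qname"]].append((r["ts"], r["src"]))
    bursts = []
    for qname, events in by_name.items():
        events.sort()
        flagged = set()
        for i, (t0, _) in enumerate(events):
            # events is sorted, so everything from index i onward is at or after t0
            hosts = {src for t, src in events[i:] if t - t0 <= DNS_BURST_WINDOW}
            if len(hosts) >= DNS_BURST_MIN_HOSTS:
                flagged |= hosts
        if flagged:
            bursts.append((qname, sorted(flagged)))
    return bursts


def triage(log_text):
    """Run all three symptom checks and return the findings keyed by symptom."""
    records = parse_log(log_text)
    return {"irc": find_irc(records),
            "rogue_smtp": find_rogue_smtp(records),
            "dns_bursts": find_dns_bursts(records)}


if __name__ == "__main__":
    for symptom, hits in triage(SAMPLE_LOG).items():
        print(symptom, hits)
```

On the constructed sample, the IRC check reports one workstation, the SMTP check reports the one non-relay host, and the DNS check reports the three hosts that queried the same name within five seconds while the lone query half an hour later is ignored. The thresholds are the part a practitioner tunes to the local network; the structure of the checks is what the symptom list above implies.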
Botnet detection at the endpoint
Host-based botnet detection begins with client-side antivirus solutions, since the infiltration itself nearly always happens via malware. Unfortunately, antivirus technology often simply fails to spot an infection, so administrators should also be on the lookout for additional issues.
That list above looks simple, right? Well, today, botnet commands most often emerge from multiple
servers, and take many forms — some, remarkably subtle. This of course makes command and
control server detection remarkably difficult. Command and control malware activity routinely takes
hidden forms such as:
• Tor network traffic. The Tor browser utilizes a special network of worldwide servers to deliver
exceptionally private browsing that’s very hard to trace to its original source. Unfortunately, that same
design makes botnet commands hard to trace.
• Peer-to-peer (P2P) services. Thanks to the distributed nature of P2P, commands are distributed globally, in unpredictable ways, by an ever-changing network.
• Social media. A public Facebook page or Twitter feed can be used to issue botnet commands —
and that kind of traffic can be very hard to distinguish from genuine traffic.
• Domain generation algorithms. Today, herders use specialized algorithms to distribute botnet traffic
so that it’s coming from random domains, effectively disguising the source.
• Multi-level command and control servers. Sometimes herders issue commands to server A, which issues them to server B, which issues them to the botnet. Even if server B is somehow blocked, A will keep working and can send them to a new server, C, mimicking the way scalable, highly stable enterprise software is architected.
• DNS responses. Because most IDS deployments do not inspect DNS traffic, commands carried in DNS responses can move across the network unchallenged.
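Of the hidden forms above, domain generation algorithms are the one that leaves a measurable trace on the network: the generated names tend to be long, high-entropy, vowel-poor strings that no human would register. The following Python is an added example for this page, not code from the AlienVault paper or product; it scores DNS query names with four simple lexical heuristics whose thresholds (length 12, 3.5 bits of entropy, 25% vowels, a run of 4 consonants) are assumptions chosen for illustration, and it assumes a single-label public suffix when picking the registered label. The example names are constructed.

```python
# Added example: lexical scoring of DNS query names as possible DGA output.
import math
from collections import Counter

# Assumed thresholds; tune against the query names seen on your own network.
MIN_SUSPICIOUS_LENGTH = 12
MIN_SUSPICIOUS_ENTROPY = 3.5       # bits per character
MAX_NORMAL_VOWEL_RATIO = 0.25
MIN_SUSPICIOUS_CONSONANT_RUN = 4
VOWELS = set("aeiou")


def registered_label(fqdn):
    """Label directly under the TLD (assumes a single-label public suffix such as .com)."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(text):
    """Shannon entropy in bits per character of the string."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def vowel_ratio(label):
    """Fraction of alphabetic characters that are vowels (0.0 if no letters)."""
    letters = [c for c in label if c.isalpha()]
    return sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0


def longest_consonant_run(label):
    """Length of the longest run of consecutive consonant letters."""
    best = run = 0
    for c in label:
        if c.isalpha() and c not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def dga_score(fqdn):
    """Fraction of the four heuristics that fire, from 0.0 (looks human) to 1.0."""
    label = registered_label(fqdn)
    checks = [
        len(label) >= MIN_SUSPICIOUS_LENGTH,
        shannon_entropy(label) >= MIN_SUSPICIOUS_ENTROPY,
        vowel_ratio(label) < MAX_NORMAL_VOWEL_RATIO,
        longest_consonant_run(label) >= MIN_SUSPICIOUS_CONSONANT_RUN,
    ]
    return sum(checks) / len(checks)


def is_suspicious(fqdn, threshold=0.5):
    return dga_score(fqdn) >= threshold


def rank_queries(fqdns):
    """Unique names sorted by score, highest first, for analyst review."""
    return sorted(((name, dga_score(name)) for name in set(fqdns)),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    # Constructed sample names; the .net/.info ones imitate DGA output.
    for name, score in rank_queries(["google.com", "xkqvzmtrpwlfnsdh.net",
                                     "alienvault.com", "pdbiqkcvawutrsflmeo.info"]):
        print(f"{score:.2f} {name}")
```

The score is a triage aid, not a verdict: legitimate CDN and cloud hostnames can look random too, so the ranked list belongs in front of an analyst (or alongside threat intelligence such as OTX indicators) rather than feeding a block rule directly. Ranking by score across all queries from one host is what makes a machine that suddenly resolves dozens of high-scoring names stand out.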
COMBINE YOUR TACTICS: for command and control server detection
What to do? There’s no single best way to perform command and control server detection and
handle botnets, but a combination of tactics can prove effective.
Among others, here are some recommendations:
• Track suspicious network activity with NetFlow, network and behavioral monitoring as well as web
filtering. Beyond simply blocking IRC, admins can look for dubious outbound connection attempts in
a much broader sense, and create/update service blacklists to deal with suspicious cases.
Example: If a thousand users are all suddenly following a particular Twitter feed, and that feed’s
content obviously isn’t meant for a human audience, that’s a clear sign of botnet activity.
• Tweak firewalls and intrusion prevention/detection (IPS/IDS) systems in context-specific ways.
Many times, it’s possible to mitigate the problem for a given class of endpoint by limiting network
access to the tasks/ports that are directly relevant to that endpoint.
For instance, given a DNS server, you might consider blocking everything except UDP and TCP port
53. Also, for certain freeware IDS solutions such as Snort, there are downloadable rules that can
help you automatically detect and block dubious activity on IRC and other ports, no matter where it
originates on the network.
• Harden workstations against the initial malware infection that creates a bot.
In addition to maintaining and upgrading basic antivirus solutions, administrators can run regular
system integrity checks, vulnerability scans, minimize root privileges, and install client-side
firewalls (especially effective if they support outbound packet rules, not just inbound). The fewer
compromised machines you have, the less you need to worry about command and control server
detection itself.
• Try to break down the malware code to see how it works. Not all IT professionals can do this, but even knowing and applying the basics can yield good results.
For instance, it's sometimes possible to find command and control server detection information by disassembling the compiled code, or even just by using a sector analysis tool or hex viewer that renders the binary's bytes as ASCII, so that embedded server names and URLs stand out. (However, since herders are increasingly turning to integrated encryption, don't expect this to work in every case.)
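The "hexadecimal to ASCII" step in the last recommendation amounts to pulling printable strings out of a binary and picking the ones that look like hostnames, URLs or IP addresses. The Python below is an added example for this page, not code from the AlienVault paper or from any malware analysis tool; it extracts both plain ASCII runs and the UTF-16LE runs common in Windows binaries from a constructed byte blob (the `.test` names and RFC 5737 address are placeholders, not real indicators). As the text warns, a packed or encrypted sample yields nothing useful from this pass.

```python
# Added example: extract printable strings from a binary blob and pick out
# network indicators (URLs, hostnames, IPv4 addresses) for further triage.
import re

# Constructed sample blob: a fake PE-style header, one ASCII URL, one UTF-16LE
# hostname and one ASCII IP:port, separated by non-printable filler bytes.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"This program cannot be run in DOS mode.\r\n$"
    + b"\x00" * 8
    + b"http://c2.example-placeholder.test/gate.php\x00"
    + b"\x7f\x01\x02"
    + "irc.example-placeholder.test".encode("utf-16-le")
    + b"\x00\x00"
    + b"198.51.100.7:8080\x00"
    + b"\xff\xfe\x9c"
)

# Indicator patterns: URL, dotted IPv4 (optionally with :port), or dotted hostname.
INDICATOR_RE = re.compile(
    r"https?://\S+"
    r"|\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b"
    r"|\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b",
    re.IGNORECASE,
)


def extract_strings(blob, min_len=6):
    """Return (encoding, text) pairs for every printable run of at least min_len chars."""
    found = []
    # Plain ASCII: runs of printable bytes 0x20..0x7e.
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        found.append(("ascii", m.group().decode("ascii")))
    # UTF-16LE: the same printable range with a NUL after each character.
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, blob):
        found.append(("utf-16le", m.group().decode("utf-16-le")))
    return found


def find_network_indicators(strings):
    """Keep only the extracted strings that contain a URL, IP or hostname."""
    return [(enc, text) for enc, text in strings if INDICATOR_RE.search(text)]


if __name__ == "__main__":
    strings = extract_strings(SAMPLE_BLOB)
    for enc, text in find_network_indicators(strings):
        print(f"[{enc}] {text}")
```

On the constructed blob the PE banner text is extracted but not reported, while the URL, the UTF-16LE IRC hostname and the IP:port string are. In practice the indicators found this way are compared against threat intelligence and against what the host is actually connecting to, which is where the network monitoring recommended above takes over.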
The idea should be to treat each of these approaches as a tool, and combine the tools as needed
to yield a customized strategy that matches your local context and security requirements.
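The first recommendation in this section, tracking dubious outbound connections with NetFlow rather than just blocking IRC, is worth making concrete, because a bot that checks in with its C&C server on a timer produces a statistical signature (near-constant intervals between flows to one destination) that survives the change from IRC to HTTPS, Tor or any other carrier. The Python below is an added example for this page, not code from the AlienVault paper or the USM platform; the flow records are constructed, and the minimum connection count (5) and the maximum coefficient of variation of the inter-arrival times (0.1) are assumed tuning values.

```python
# Added example: detect periodic "beaconing" to one destination in NetFlow-style records.
import statistics
from collections import defaultdict
from datetime import datetime

MIN_CONNECTIONS = 5   # assumed: need at least this many flows to judge regularity
MAX_CV = 0.1          # assumed: pstdev/mean of the gaps; lower = more clock-like

# Constructed sample flows: (timestamp, src, dst, dport).
# 10.1.1.30 checks in with 203.0.113.9 roughly every 300 s (a beacon);
# 10.1.1.31 browses 93.184.216.34 at irregular times; 10.1.1.32 has too few flows.
SAMPLE_FLOWS = [
    ("2024-05-01T10:00:00", "10.1.1.30", "203.0.113.9", 443),
    ("2024-05-01T10:00:10", "10.1.1.31", "93.184.216.34", 443),
    ("2024-05-01T10:00:25", "10.1.1.31", "93.184.216.34", 443),
    ("2024-05-01T10:03:00", "10.1.1.31", "93.184.216.34", 443),
    ("2024-05-01T10:05:01", "10.1.1.30", "203.0.113.9", 443),
    ("2024-05-01T10:10:00", "10.1.1.30", "203.0.113.9", 443),
    ("2024-05-01T10:11:40", "10.1.1.31", "93.184.216.34", 443),
    ("2024-05-01T10:12:05", "10.1.1.31", "93.184.216.34", 443),
    ("2024-05-01T10:15:02", "10.1.1.30", "203.0.113.9", 443),
    ("2024-05-01T10:20:00", "10.1.1.30", "203.0.113.9", 443),
    ("2024-05-01T10:22:00", "10.1.1.32", "203.0.113.9", 443),
    ("2024-05-01T10:25:01", "10.1.1.30", "203.0.113.9", 443),
    ("2024-05-01T10:40:00", "10.1.1.31", "93.184.216.34", 443),
    ("2024-05-01T10:52:00", "10.1.1.32", "203.0.113.9", 443),
]


def detect_beacons(flows, min_connections=MIN_CONNECTIONS, max_cv=MAX_CV):
    """Return (src, dst, dport) tuples whose inter-flow gaps are suspiciously regular."""
    pairs = defaultdict(list)
    for ts, src, dst, dport in flows:
        pairs[(src, dst, dport)].append(datetime.fromisoformat(ts))

    findings = []
    for (src, dst, dport), times in pairs.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        cv = statistics.pstdev(gaps) / mean   # coefficient of variation of the gaps
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "dport": dport,
                             "connections": len(times),
                             "period_s": round(mean, 1), "cv": round(cv, 4)})
    # Most clock-like pairs first.
    return sorted(findings, key=lambda f: f["cv"])


if __name__ == "__main__":
    for finding in detect_beacons(SAMPLE_FLOWS):
        print(finding)
```

On the sample, only the 10.1.1.30 to 203.0.113.9 pair is reported, with a period of about 300 seconds; the irregular browsing host and the host with only two flows are not. Real bots often add jitter to the check-in interval, which raises the coefficient of variation, so in practice the threshold is loosened and the result is combined with the other signals in this section (reputation of the destination, time of day, whether the endpoint has any business talking to it) rather than used alone.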
HOW TO TAKE DOWN command & control server networks
This, of course, is the best possible fix, but it’s no easy feat. Actually bringing down command and
control networks, wherever they exist, will almost always require collaborating with law enforcement
professionals, and many times inter-country cooperation, to take action on a case-by-case basis.
And it is extremely difficult to take down an entire command and control server list.
Examples include:
The bottom line is that while command and control server detection is hard and getting harder by
the day, there are many steps IT professionals can take to mitigate and even eliminate the problem
— up to and including getting law enforcement involved, if sufficient forensic evidence is provided.
Summary: focus on your network activity, not command & control server detection
The AlienVault Labs team regularly delivers threat intelligence as a coordinated set of updates to the USM platform,
which accelerates and simplifies threat detection, prioritization, and response:
AlienVault OTX enables collaborative defense with actionable, community-powered threat data to provide global
insight into attack trends and bad actors. OTX pulses provide users with a summary of the threat, a view into the
software targeted, and the related indicators of compromise (IoC) that they can use to detect the threats.
OTX pulses are integrated with AlienVault USM so that threat detection capabilities stay up to date with the latest
threats reported by the community, and vetted by the AlienVault Labs team.
Next Steps: Play, share, enjoy!