How to avoid botnet attacks


Ian Kilpatrick, Contributor

Although networks of automated bots have legitimate uses, notably Web crawling for search indexing, the term botnet is normally reserved for networks of compromised computers under an attacker's control, and those are used for malicious activity.

These networks of compromised computers have revolutionised the spam industry, helping to push the volume of unwanted messages to epidemic proportions despite the best efforts of law enforcement and the computer security industry. This tip examines how botnets operate and the steps you can take to avoid becoming part of one.


Not limited to email, botnet attacks are also a Web-based threat. An employee may visit a malicious or compromised website that downloads the bot malware onto the visitor's system, compromising the machine and making it part of the botnet. Often a legitimate site is hijacked and used to serve the malware to its visitors in what is known as a drive-by download.

Becoming part of a botnet can be quite easy. Machines without appropriate antivirus protection, or without promptly applied security patches, are an easy target. Phishing emails may also trick users into visiting already infected websites. There are many other routes to infection: employees could bring bot malware in on laptops or USB drives without realising it, and could even pick up bots while taking part in MMORPGs (massively multiplayer online role-playing games).

Infection can easily go unnoticed. Once a machine is compromised, the attacker can quietly use it to penetrate the corporate network, send out large volumes of spam, or harvest keystrokes, passwords, online banking credentials and other logon details.

The recent Torpig botnet, for example, collected data when banks, PayPal and E-trade Financial Corp. accounts were accessed by users. It also had the ability to deliver a falsified data collection form when a user attempted to conduct online banking, as well as collect user names and passwords from Microsoft Outlook.

The effect of botnet attacks can ultimately hurt your business. A group of infected computers, controlled by a botherder, for instance, can be used to launch a concerted distributed denial-of-service (DDoS) attack on commercial websites to take them out of action.

Significant spam activity could slow down the network and leave systems sluggish. It's also possible that a company could find itself blacklisted by spam filters as a result of its botnet-controlled computers forwarding all the unwanted messages.

There's also the chance that a company website could be hijacked by a bot and used to deliver malicious software to site visitors, including customers, with obvious consequences for the company's reputation.

How to defend against botnet attacks
There are many actions that organisations can take to protect themselves from becoming part of a botherd. Applying security patches to key applications, as soon as is practicable, is a major help. These vulnerabilities, which can be easily exploited by attackers, are high risk until patched. In a 2009 cybersecurity report by Lumension Security Inc., security and forensic analyst Paul Henry said: "Until the underlying patch-management issue is dealt with, botnets will continue their explosive growth on the public Internet."

The best way to prevent bot infections, though, is by having the proper security controls in place to begin with. For companies, the place to provide primary protection is at the gateway. Gateway security alone, however, is not enough when mobile users and visitors connect inside the gateway. Proper access control and strong two-factor authentication help reinforce defences in this case.

If employees use USB thumb drives, laptops, iPods, etc. inside the gateway, there is the risk that they are bypassing gateway security controls and infecting network-connected devices. A company security policy, therefore, should cover the safe use of mobile equipment.

Other high risk areas inside the network include infections picked up from staff visiting malicious websites. There is a mistaken belief that Web content filtering, based on signatures, will protect against this type of attack. Unfortunately this is not the case. A classic security method to defend against Web malware is to deploy multi-layer protection. Gateway defenses should work in tandem with endpoint protection on users' PCs. These products should ideally be provided by different manufacturers.

There are many endpoint (PC/laptop) products available that will provide protection. Tools from companies such as Check Point Software Technologies Ltd. and Kaspersky Lab Inc. scan all incoming and outgoing data traffic on a machine for malicious content, protecting against malicious code downloaded from infected websites and so against botnet hijacking. Such endpoint security packages also safeguard against Trojans arriving by email or on mobile devices, including USB drives.

Web security companies like Marshal8e6 Inc. and Finjan Software Inc. provide Web gateway protection that can identify and defend against malicious code loaded on rogue and genuine websites. If you want to protect your own website from being infected and delivering malicious code to your customers, providers such as Check Point and Barracuda Networks Inc. have Web application firewall capabilities to protect against this increasingly prevalent threat. Other products, such as Barracuda Networks' anti-spam, virus and spyware firewall, can help protect traffic going in and out of a given network. This would include attempts to send spam or return spyware data.

Bots can also be detected using traffic management products, such as those from Allot Communication Ltd., which identify traffic patterns, even masked ones, that could indicate bot activity. Network intelligence systems, including those from Loglogic Inc. or ArcSight Inc., can also help. These systems bring together and analyse all the log information on a network, down to the level of an individual PC, and highlight unusual behaviour.
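The two traffic patterns the tip relies on, a compromised workstation sending spam to many external mail servers (the blacklisting risk above) and a bot calling home to its controller on a fixed schedule, can be picked out of ordinary firewall or proxy logs without any vendor product. The script below is an added example, not code from the article or from any of the vendors named; it runs over a constructed log excerpt whose format (timestamp, source, destination, port, action), IP addresses and the "permitted mail relay" address are assumptions for the illustration.

```python
"""Two simple botnet indicators from firewall logs: beaconing and outbound SMTP fan-out."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not real traffic). Fields: timestamp src dst dst_port action.
# 10.1.2.17 beacons to one external host every five minutes; 10.1.2.80 opens
# SMTP connections to many external servers; 10.1.2.44 browses and uses the
# corporate mail relay (10.1.1.5) normally.
SAMPLE_LOG = """\
2010-03-01T09:00:00 10.1.2.17 198.51.100.23 8080 ALLOW
2010-03-01T09:01:12 10.1.2.44 203.0.113.5 443 ALLOW
2010-03-01T09:02:00 10.1.2.80 192.0.2.10 25 ALLOW
2010-03-01T09:02:03 10.1.2.80 192.0.2.11 25 ALLOW
2010-03-01T09:02:05 10.1.2.80 192.0.2.12 25 ALLOW
2010-03-01T09:02:08 10.1.2.80 192.0.2.13 25 ALLOW
2010-03-01T09:02:10 10.1.2.80 192.0.2.14 25 ALLOW
2010-03-01T09:02:13 10.1.2.80 192.0.2.15 25 ALLOW
2010-03-01T09:03:30 10.1.2.44 10.1.1.5 25 ALLOW
2010-03-01T09:05:00 10.1.2.17 198.51.100.23 8080 ALLOW
2010-03-01T09:10:01 10.1.2.17 198.51.100.23 8080 ALLOW
2010-03-01T09:12:40 10.1.2.44 10.1.1.5 25 ALLOW
2010-03-01T09:15:00 10.1.2.17 198.51.100.23 8080 ALLOW
2010-03-01T09:17:48 10.1.2.44 203.0.113.9 443 ALLOW
2010-03-01T09:20:00 10.1.2.17 198.51.100.23 8080 ALLOW
2010-03-01T09:25:00 10.1.2.17 198.51.100.23 8080 ALLOW
2010-03-01T09:44:03 10.1.2.44 203.0.113.5 443 ALLOW
"""


def parse_log(text):
    """Parse whitespace-separated log lines into dicts; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, port, action = parts
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "src": src, "dst": dst, "dport": int(port), "action": action,
        })
    return records


def find_beacons(records, min_hits=5, max_cv=0.1):
    """Flag (src, dst, dport) flows whose inter-connection gaps are nearly constant.

    A human-driven browser produces irregular gaps; a bot polling its controller
    produces gaps with a very low coefficient of variation (stdev / mean).
    Returns {flow: mean gap in seconds}.
    """
    flows = defaultdict(list)
    for r in records:
        flows[(r["src"], r["dst"], r["dport"])].append(r["ts"])
    beacons = {}
    for flow, stamps in flows.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons[flow] = avg
    return beacons


def find_spam_senders(records, mail_relays=("10.1.1.5",), max_distinct=3):
    """Flag internal hosts opening SMTP (port 25) sessions to many distinct servers.

    A workstation should only ever talk SMTP to the permitted relays; direct
    connections to many external mail servers are the signature of a spam bot.
    Returns {src: number of distinct non-relay SMTP destinations}.
    """
    dsts = defaultdict(set)
    for r in records:
        if r["dport"] == 25 and r["dst"] not in mail_relays:
            dsts[r["src"]].add(r["dst"])
    return {src: len(d) for src, d in dsts.items() if len(d) > max_distinct}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (src, dst, port), gap in find_beacons(recs).items():
        print(f"possible beacon: {src} -> {dst}:{port} every {gap:.0f}s")
    for src, n in find_spam_senders(recs).items():
        print(f"possible spam bot: {src} contacted {n} external SMTP servers")
```

The thresholds (five hits, 10% variation, three SMTP destinations) are starting points to tune against a site's own baseline; the point is that both checks need only the logs the gateway already produces, and an egress rule that blocks port 25 from everything except the mail relay turns the second indicator into a hard control rather than an alert.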

At a corporate level, some of the above products may help disinfect your existing estate. Websites such as Spamhaus.org, too, explain how you can identify and remove botnets if you're worried you may have one. This overall depth of defenses provides a strong layer of protection against botnets and bot attacks.

About the author:
Ian Kilpatrick is chairman of value added distributor Wick Hill Group plc, specialists in secure infrastructure solutions. He has been involved with the group for more than 30 years. Wick Hill is an international organisation supplying SMEs and most of the Times Top 1000 companies through a value-added network of accredited resellers.

All Rights Reserved, Copyright 2008 - 2010, TechTarget | Read our Privacy Policy