Channel: Let's Talk Security » web servers

Botnets: The scalable menace

Risk Reduction Through IT Collaboration

By Toby Weir-Jones, Vice President of Product Development, BT

More than any other contemporary cyber threat, botnets allow massive benefits of scale by harnessing the computing power and network connectivity of thousands — or even millions — of individual computers.

As a study in efficient distributed computing, the more sophisticated designs are quite effective. In commercial terms, though, that efficiency means something simpler: if you own and operate a large corporate network, you probably have active bot nodes on it.

Recently, the Grum botnet was disabled, but to understand what happened requires a certain familiarity with how botnets generally work.

Understanding botnet attacks

The ‘bot’ — the malicious software which infects your PC via a browser exploit or other means of compromise — sits in the background and reaches out to a Command and Control (CnC) server, waiting for instructions. Those instructions might be to send spam email, or participate in a distributed denial-of-service (DDoS) attack, or to search your local network for sensitive files and keywords.

Botnets-for-hire is a known phenomenon in the cybercrime world.

Counterattacking the botnet weak point

It’s possible to behead the monster if you can disable those CnC servers.

This doesn’t magically remove the bot from your PC, but it does generally prevent it from doing anything, since it can no longer receive any instructions. The botnet owners employ various tactics to build in fail-safes for their bots in case the primary servers are disabled but, ultimately, if you have a copy of the bot you can watch what it does when the various servers are unavailable.

Bringing the Grum botnet down

And that, in essence, is what researchers from FireEye recently did with Grum. By making use of contacts everywhere from Panama to Ukraine, they were able to have all the various servers taken offline (Grum actually used two separate CnC types, so there were a number of distinct targets), and the bots finally went idle with nowhere else to go in their list of contingencies.

As of 18 July 2012, the botnet was offline. At that time, it was responsible for 18 per cent of worldwide spam traffic, down from a previous high of 26 per cent, when it sent almost 40 billion spam emails during March 2010 alone. Estimates vary, but Grum probably had roughly 750,000 computers infected with its malware.

Spotting botnets on your network

Detecting botnet activity on your network is difficult, since the bots themselves tend to tunnel over allowed ports and protocols through your firewall and out to the internet.

BT uses a technique of examining the destination IP addresses of those harmless-looking connections and checking them against lists of known malicious server IPs. The chance of a clean PC connecting to one of those addresses is low, so a match is a reliable primary indicator of suspect traffic, provided the list is kept current: CnC servers move, and a stale entry pointing at a shared hosting address can turn into a false positive. We frequently advise customers about infected nodes on their networks and, fortunately, remediation is fairly straightforward once you know which machine to clean.
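The following is an added illustration of that detection approach, not BT's code or anything from the original article. It matches the destination addresses in outbound firewall log lines against a known-bad IP list (single hosts and CIDR ranges), groups the hits by internal source host, and reports the gaps between consecutive hits, since a bot polling its CnC tends to produce evenly spaced connections. The log lines, the blocklist entries and the log format are all constructed for the example.

```python
"""Flag outbound connections whose destination is on a known-bad IP list.

Added example for the blocklist-matching technique described above; not BT's
tooling. All log lines, list entries and the log format are constructed.
"""
import ipaddress
from datetime import datetime

# Constructed threat-list entries (hosts and CIDR ranges) with a label each.
# A real list comes from a threat-intel feed and must be refreshed regularly.
BLOCKLIST = {
    "198.51.100.23": "cnc-primary (constructed)",
    "203.0.113.0/28": "cnc-secondary range (constructed)",
}

# Constructed firewall log lines: "timestamp src dst:port proto".
# The last line is deliberately malformed to show that parsing skips it.
SAMPLE_LOG = """\
2012-07-18T09:00:01 10.1.2.33 198.51.100.23:80 tcp
2012-07-18T09:00:04 10.1.2.33 93.184.216.34:443 tcp
2012-07-18T09:10:02 10.1.2.33 198.51.100.23:80 tcp
2012-07-18T09:11:45 10.1.2.51 203.0.113.7:443 tcp
2012-07-18T09:12:00 10.1.2.51 10.1.0.5:445 tcp
2012-07-18T09:20:03 10.1.2.33 198.51.100.23:80 tcp
not a log line at all
"""

# Pre-parse the list once; strict=False accepts host bits set in a range entry.
_NETWORKS = [(ipaddress.ip_network(entry, strict=False), label)
             for entry, label in BLOCKLIST.items()]


def lookup(ip_text):
    """Return the blocklist label for ip_text, or None if clean or unparseable."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    for net, label in _NETWORKS:
        if addr in net:          # handles both single hosts (/32) and ranges
            return label
    return None


def parse_line(line):
    """Parse one constructed 'timestamp src dst:port proto' line; None if malformed."""
    parts = line.split()
    if len(parts) != 4 or ":" not in parts[2]:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        dst, port = parts[2].rsplit(":", 1)
        return {"ts": ts, "src": parts[1], "dst": dst,
                "port": int(port), "proto": parts[3]}
    except ValueError:
        return None


def find_infected(log_text):
    """Group blocklist hits by internal source host.

    Returns {src: {"hits": n, "labels": {label: count}, "first": ts, "last": ts,
                   "intervals": [seconds between consecutive hits]}}.
    A repeated, near-identical interval is the beaconing pattern a bot
    polling its CnC on a timer tends to produce.
    """
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        label = lookup(rec["dst"])
        if label is None:
            continue
        entry = hits.setdefault(rec["src"], {"hits": 0, "labels": {}, "times": []})
        entry["hits"] += 1
        entry["labels"][label] = entry["labels"].get(label, 0) + 1
        entry["times"].append(rec["ts"])

    report = {}
    for src, entry in hits.items():
        times = sorted(entry["times"])
        report[src] = {
            "hits": entry["hits"],
            "labels": entry["labels"],
            "first": times[0],
            "last": times[-1],
            "intervals": [int((b - a).total_seconds())
                          for a, b in zip(times, times[1:])],
        }
    return report


if __name__ == "__main__":
    for src, info in find_infected(SAMPLE_LOG).items():
        print(src, info["hits"], info["labels"], info["intervals"])
```

On the constructed data, 10.1.2.33 is reported with three hits to the primary CnC address at 601-second gaps, and 10.1.2.51 with a single hit into the secondary range; the internal SMB connection and the ordinary HTTPS destination are not flagged. In production the blocklist would be loaded from a feed rather than a literal, and the interval check is a supporting signal, not a replacement for the list match.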

Do we really need to be bothered about bots?

There’s a latent belief that a single bot — amongst 750,000, or more — isn’t that big a deal.

This is dangerous comfort to take because it only needs one bot, with the right trusted network access, to exfiltrate all sorts of sensitive documents and records from behind your security perimeter out to the internet.

This is a numbers game; the bot controller may not have targeted you and your PC directly but, as a crime of opportunity, they are quite likely to take advantage if you’re caught up in the botnet by chance.

Your botnet prevention kit

It’s important to ensure you have countermeasures in place, both on your network’s edge and on the PCs themselves.

Make sure you use advanced antivirus which can detect these sorts of activities and is also resistant to attempts to disable the detection itself (a technique bots have used in the past).

Examine your perimeter network activity and look for those dangerous IPs — and take swift action when you find them.

Don’t become yet another statistic because you underappreciated the magnitude of the threat.

