ArtsAutosBooksBusinessEducationEntertainmentFamilyFashionFoodGamesGenderHealthHolidaysHomeHubPagesPersonal FinancePetsPoliticsReligionSportsTechnologyTravel

Deliverance from Botnets

Updated on December 4, 2011

Created: November 6, 2011:

Terminating Botnets

Who should eliminate botnets? End users don’t feel responsible or even recognize that there is a problem. They are completely unaware of the security problem until a service provider or a security company comes along and informs them that they are infected with a virus.(O’Donnell, 2007).

Botnets running IRC-based C&C (Command and Control) servers may be shut down soon after discovery if the responsible domain registrar deactivates the domain registration for the domain hosting the C&C servers. This technique of botnet termination requires the cooperation of domain registrars and some Domain Authorities are simply unwilling to cooperate; especially those registrars responsible for the Eastern-block and third-world nations.

When a C&C server domain has been successfully shut down the site operators can often quickly obtain a new domain name to continue the botnet’s activities, unless the bot-herder has been removed from circulation. The task of shutting down botnets has traditionally fallen upon security organizations and researchers who play a sort of cat-and-mouse game with the bot-herders.

The development of fast flux domain names has made locating the C&C servers of botnets that much harder. A researcher discovered a poisoning technique that appears to bring down portions of the Storm botnet. "’Our experiments show that by polluting all those hashes that we identified to be storm hashes, we can disrupt the communication of the botnet,’ the researchers wrote” (Broersma, 2008).

However, researchers are reluctant to take direct action against the bots because those machines typically belong to individuals who are unaware of the botnet activity and there may be serious legal consequences for researchers, according to Broersma (2008).

Newer systems use Peer-to-Peer (P2P)-style Command and Control (C&C) protocols adapted from guerilla file-sharing systems that are notoriously difficult to control and can cause massive collateral damage if improperly re-mediated. Other than macro-scale traffic and content mitigation techniques like outbound spam filtering, which several organizations have proven to be extremely effective, the solution is to take down botnets node-by-node. (O’Donnell, 2007).

Detection and Removal

End users do not normally discover that their computers have joined or are participating in botnets without some outside influence. Users do, however, notice when their systems begin to perform below acceptable standards. The most obvious tip-offs are when their computers respond slowly or erratically, or they notice much more hard-drive activity than previously seen. They may decide at this time to run anti-virus software and that software may discover and clean Trojans from the systems only to have those Trojans miraculously reappear.

One manual method of locating rootkits is to check the names, signatures, and check-sums of processes and services running on the machine. Processes with no names are definite candidates and merit further investigation. RootkitRevealer, a software package written to run on Microsoft platforms will, according to Cogswell and Russinovich (2006), detect the presence of many rootkits. This tool is aimed toward IT professionals who have the background and experience to interpret the results but the tool can be quite effective at locating these pesky bits of code. Once the files containing the rootkits are identified they may be deleted, however, registry entries must also be tracked down and cleaned.

Many anti-virus publishers develop tools to locate and remove rootkits. However, these tools achieve limited success when loaded after a rootkit infection occurs. Usually, the most effective method to eliminate infection when removal tools do not succeed is to re-install the operating system. This often requires using a recovery disk supplied by the manufacturer. Using this procedure also requires restoring any data files and add on applications because they are erased when the new operating system is installed.

Microsoft Takes Down a Botnet

Legislative Protections

There are no legislative acts that expressly cover victims of rootkits and botnets. However, victims may be afforded some protection under the CAN-SPAM Act of 2003 or the National Information Infrastructure Protection Act (NIIPA) of 1996. The CAN-SPAM Act regulates the use of SPAM to some degree and includes provisions for civil-suits and fines for violators.

The CAN-SPAM Act of 2003 (Controlling the Assault of Non-Solicited Pornography and Marketing Act) establishes requirements for those who send commercial email, spells out penalties for spammers and companies whose products are advertised in spam if they violate the law, and gives consumers the right to ask emailers to stop spamming them. (Federal Trade Commission, 2004)

The NIIPA criminalizes certain acts of infiltrating computers and distinguishes between misdemeanor and felony occurrences. “The Committee believes it is important to distinguish clearly between acts of fraud under (a)(4), punishable as felonies, and acts of simple trespass, punishable in the first instance as misdemeanors” (United States Department of Justice, 1997).

Rootkit Prevention

Meanwhile, law enforcement is negligible, and security protections for consumers and businesses remain, at best, patchwork and haphazardly deployed, says Somesh Jha, computer science professor at the University of Wisconsin-Madison. "The botnet landscape is shifting, and the worst hasn't happened yet," says Jha, who is also chief scientist at security software firm NovaShield. (Acohido and Swartz, 2008)

Preventing a computer from joining and participating in a botnet is best accomplished by eliminating the possibility of falling prey to the Trojans that download the rootkits necessary for developing the bots. Pay due diligence to recognize and avoid the social-engineering tactics that have become the most prevalent means of delivering these Trojans. Some other preventative measures as presented by McDowell (2006) include the following:

  • Install, use, and maintain anti-virus software – Some publishers of anti-virus software now include rootkit detection strategies with their products. These packages should be installed on new systems before they are deployed to enable them to detect a rootkit before the rootkit infects the computer.
  • Install and properly configure firewalls – Properly configured firewalls serve two purposes in combating rootkits and botnets: First, they limit the traffic that passes to and from the target network, and second, they help prevent newly infected hosts from rallying to join a botnet.
  • Implement a strong password policy – Do not assign easy to guess passwords for applications and services. If a hacker compromises a host, the hacker may still need to gain access to applications or services; strong passwords can help make the initial infiltration a dead-end street.
  • Maintain software updates – New vulnerabilities are discovered daily and exploits that target those vulnerabilities show up almost as fast. Install all security updates as they are released to prevent systems from becoming targets of specific exploits.
  • Follow good security practices – Visit only trusted web-sites and open e-mail with caution. As stated earlier, most rootkits are now delivered using social-engineering techniques. A hacker does not need to seek out a system when offered an invitation.

The preceding steps are absolutely critical for all computer users to adhere to. Rootkit infection and the possible participation in botnets are very serious threats to all computer users and very difficult to remediate after the fact.

What are your thoughts?

The author appreciates all comments.


    0 of 8192 characters used
    Post Comment

    No comments yet.


    This website uses cookies

    As a user in the EEA, your approval is needed on a few things. To provide a better website experience, uses cookies (and other similar technologies) and may collect, process, and share personal data. Please choose which areas of our service you consent to our doing so.

    For more information on managing or withdrawing consents and how we handle data, visit our Privacy Policy at:

    Show Details
    HubPages Device IDThis is used to identify particular browsers or devices when the access the service, and is used for security reasons.
    LoginThis is necessary to sign in to the HubPages Service.
    Google RecaptchaThis is used to prevent bots and spam. (Privacy Policy)
    AkismetThis is used to detect comment spam. (Privacy Policy)
    HubPages Google AnalyticsThis is used to provide data on traffic to our website, all personally identifyable data is anonymized. (Privacy Policy)
    HubPages Traffic PixelThis is used to collect data on traffic to articles and other pages on our site. Unless you are signed in to a HubPages account, all personally identifiable information is anonymized.
    Amazon Web ServicesThis is a cloud services platform that we used to host our service. (Privacy Policy)
    CloudflareThis is a cloud CDN service that we use to efficiently deliver files required for our service to operate such as javascript, cascading style sheets, images, and videos. (Privacy Policy)
    Google Hosted LibrariesJavascript software libraries such as jQuery are loaded at endpoints on the or domains, for performance and efficiency reasons. (Privacy Policy)
    Google Custom SearchThis is feature allows you to search the site. (Privacy Policy)
    Google MapsSome articles have Google Maps embedded in them. (Privacy Policy)
    Google ChartsThis is used to display charts and graphs on articles and the author center. (Privacy Policy)
    Google AdSense Host APIThis service allows you to sign up for or associate a Google AdSense account with HubPages, so that you can earn money from ads on your articles. No data is shared unless you engage with this feature. (Privacy Policy)
    Google YouTubeSome articles have YouTube videos embedded in them. (Privacy Policy)
    VimeoSome articles have Vimeo videos embedded in them. (Privacy Policy)
    PaypalThis is used for a registered author who enrolls in the HubPages Earnings program and requests to be paid via PayPal. No data is shared with Paypal unless you engage with this feature. (Privacy Policy)
    Facebook LoginYou can use this to streamline signing up for, or signing in to your Hubpages account. No data is shared with Facebook unless you engage with this feature. (Privacy Policy)
    MavenThis supports the Maven widget and search functionality. (Privacy Policy)
    Google AdSenseThis is an ad network. (Privacy Policy)
    Google DoubleClickGoogle provides ad serving technology and runs an ad network. (Privacy Policy)
    Index ExchangeThis is an ad network. (Privacy Policy)
    SovrnThis is an ad network. (Privacy Policy)
    Facebook AdsThis is an ad network. (Privacy Policy)
    Amazon Unified Ad MarketplaceThis is an ad network. (Privacy Policy)
    AppNexusThis is an ad network. (Privacy Policy)
    OpenxThis is an ad network. (Privacy Policy)
    Rubicon ProjectThis is an ad network. (Privacy Policy)
    TripleLiftThis is an ad network. (Privacy Policy)
    Say MediaWe partner with Say Media to deliver ad campaigns on our sites. (Privacy Policy)
    Remarketing PixelsWe may use remarketing pixels from advertising networks such as Google AdWords, Bing Ads, and Facebook in order to advertise the HubPages Service to people that have visited our sites.
    Conversion Tracking PixelsWe may use conversion tracking pixels from advertising networks such as Google AdWords, Bing Ads, and Facebook in order to identify when an advertisement has successfully resulted in the desired action, such as signing up for the HubPages Service or publishing an article on the HubPages Service.
    Author Google AnalyticsThis is used to provide traffic data and reports to the authors of articles on the HubPages Service. (Privacy Policy)
    ComscoreComScore is a media measurement and analytics company providing marketing data and analytics to enterprises, media and advertising agencies, and publishers. Non-consent will result in ComScore only processing obfuscated personal data. (Privacy Policy)
    Amazon Tracking PixelSome articles display amazon products as part of the Amazon Affiliate program, this pixel provides traffic statistics for those products (Privacy Policy)