Deliverance from Botnets

Created: November 6, 2011:

Who should eliminate botnets? End users don’t feel responsible or even recognize that there is a problem. They are completely unaware of the security problem until a service provider or a security company comes along and informs them that they are infected with a virus.(O’Donnell, 2007).

Botnets running IRC-based C&C (Command and Control) servers may be shut down soon after discovery if the responsible domain registrar deactivates the domain registration for the domain hosting the C&C servers. This technique of botnet termination requires the cooperation of domain registrars and some Domain Authorities are simply unwilling to cooperate; especially those registrars responsible for the Eastern-block and third-world nations.

When a C&C server domain has been successfully shut down the site operators can often quickly obtain a new domain name to continue the botnet’s activities, unless the bot-herder has been removed from circulation. The task of shutting down botnets has traditionally fallen upon security organizations and researchers who play a sort of cat-and-mouse game with the bot-herders.

The development of fast flux domain names has made locating the C&C servers of botnets that much harder. A researcher discovered a poisoning technique that appears to bring down portions of the Storm botnet. "’Our experiments show that by polluting all those hashes that we identified to be storm hashes, we can disrupt the communication of the botnet,’ the researchers wrote” (Broersma, 2008).

However, researchers are reluctant to take direct action against the bots because those machines typically belong to individuals who are unaware of the botnet activity and there may be serious legal consequences for researchers, according to Broersma (2008).

Newer systems use Peer-to-Peer (P2P)-style Command and Control (C&C) protocols adapted from guerilla file-sharing systems that are notoriously difficult to control and can cause massive collateral damage if improperly re-mediated. Other than macro-scale traffic and content mitigation techniques like outbound spam filtering, which several organizations have proven to be extremely effective, the solution is to take down botnets node-by-node. (O’Donnell, 2007).

End users do not normally discover that their computers have joined or are participating in botnets without some outside influence. Users do, however, notice when their systems begin to perform below acceptable standards. The most obvious tip-offs are when their computers respond slowly or erratically, or they notice much more hard-drive activity than previously seen. They may decide at this time to run anti-virus software and that software may discover and clean Trojans from the systems only to have those Trojans miraculously reappear.

One manual method of locating rootkits is to check the names, signatures, and check-sums of processes and services running on the machine. Processes with no names are definite candidates and merit further investigation. RootkitRevealer, a software package written to run on Microsoft platforms will, according to Cogswell and Russinovich (2006), detect the presence of many rootkits. This tool is aimed toward IT professionals who have the background and experience to interpret the results but the tool can be quite effective at locating these pesky bits of code. Once the files containing the rootkits are identified they may be deleted, however, registry entries must also be tracked down and cleaned.

Many anti-virus publishers develop tools to locate and remove rootkits. However, these tools achieve limited success when loaded after a rootkit infection occurs. Usually, the most effective method to eliminate infection when removal tools do not succeed is to re-install the operating system. This often requires using a recovery disk supplied by the manufacturer. Using this procedure also requires restoring any data files and add on applications because they are erased when the new operating system is installed.

There are no legislative acts that expressly cover victims of rootkits and botnets. However, victims may be afforded some protection under the CAN-SPAM Act of 2003 or the National Information Infrastructure Protection Act (NIIPA) of 1996. The CAN-SPAM Act regulates the use of SPAM to some degree and includes provisions for civil-suits and fines for violators.

The CAN-SPAM Act of 2003 (Controlling the Assault of Non-Solicited Pornography and Marketing Act) establishes requirements for those who send commercial email, spells out penalties for spammers and companies whose products are advertised in spam if they violate the law, and gives consumers the right to ask emailers to stop spamming them. (Federal Trade Commission, 2004)

The NIIPA criminalizes certain acts of infiltrating computers and distinguishes between misdemeanor and felony occurrences. “The Committee believes it is important to distinguish clearly between acts of fraud under (a)(4), punishable as felonies, and acts of simple trespass, punishable in the first instance as misdemeanors” (United States Department of Justice, 1997).

Meanwhile, law enforcement is negligible, and security protections for consumers and businesses remain, at best, patchwork and haphazardly deployed, says Somesh Jha, computer science professor at the University of Wisconsin-Madison. "The botnet landscape is shifting, and the worst hasn't happened yet," says Jha, who is also chief scientist at security software firm NovaShield. (Acohido and Swartz, 2008)

Preventing a computer from joining and participating in a botnet is best accomplished by eliminating the possibility of falling prey to the Trojans that download the rootkits necessary for developing the bots. Pay due diligence to recognize and avoid the social-engineering tactics that have become the most prevalent means of delivering these Trojans. Some other preventative measures as presented by McDowell (2006) include the following:

• Install, use, and maintain anti-virus software – Some publishers of anti-virus software now include rootkit detection strategies with their products. These packages should be installed on new systems before they are deployed to enable them to detect a rootkit before the rootkit infects the computer.
• Install and properly configure firewalls – Properly configured firewalls serve two purposes in combating rootkits and botnets: First, they limit the traffic that passes to and from the target network, and second, they help prevent newly infected hosts from rallying to join a botnet.
• Implement a strong password policy – Do not assign easy to guess passwords for applications and services. If a hacker compromises a host, the hacker may still need to gain access to applications or services; strong passwords can help make the initial infiltration a dead-end street.
• Maintain software updates – New vulnerabilities are discovered daily and exploits that target those vulnerabilities show up almost as fast. Install all security updates as they are released to prevent systems from becoming targets of specific exploits.
• Follow good security practices – Visit only trusted web-sites and open e-mail with caution. As stated earlier, most rootkits are now delivered using social-engineering techniques. A hacker does not need to seek out a system when offered an invitation.

The preceding steps are absolutely critical for all computer users to adhere to. Rootkit infection and the possible participation in botnets are very serious threats to all computer users and very difficult to remediate after the fact.

What are your thoughts?

The author appreciates all comments.