
FBI unearths more than one million botnet victims


The United States Department of Justice and the FBI announced in a press release that ongoing investigations under a national initiative called Operation Bot Roast have identified more than 1 million potential botnet victims.

At the moment, the FBI is working with its industry partners, including the CERT Coordination Center, to notify the owners of the compromised computers.

For those new to bots, the following excerpt from the FBI press release sums it up:

A botnet is a collection of compromised computers under the remote command and control of a criminal "botherder." Most owners of the compromised computers are unknowing and unwitting victims. They unintentionally allowed unauthorized access and use of their computers as a vehicle to facilitate other crimes.

Having read of individual botnets topping 10,000 machines, it does not surprise me that the FBI managed to identify and compile such a substantial list.

However, the golden question is, what strategy do you folks down in the trenches employ to identify and generally cope with bot infections?

Why not share your expertise with us?


About

Paul Mah is a writer and blogger who lives in Singapore, where he has worked for a number of years in various capacities within the IT industry. Paul enjoys tinkering with tech gadgets, smartphones, and networking devices.

22 comments
tr

I employ a virus scanner/spam detector on my mail servers that is also set to police my senders. That way my customers and my businesses are protected from outside resources and I can detect any unusual activity from them. A flood of email coming from one of my businesses usually means a) they are mail marketing OR b) they are infected with a botnet. I do allow reasonable LEGAL mail marketing, but I can call a customer and get a quick response as to the nature of the mail flood. Major ISPs in the US are helping these botnet herders by not checking any outgoing volumes or content. It makes my job that much harder because I need to be able to accept mail from many of their customers, and therefore have to put up with the burden of coping with their infected ones, while they do nothing about it. As a small business IT systems administrator, I have to tell you that that is gigantically unfair! They have plenty of money and resources compared to my organization! The quality of a business and their IT should be measured by their ability to stay clean.
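
The outbound-volume check tr describes above, as an added example (this is not the commenter's own setup or any vendor's product): a small Python script that walks mail gateway log lines, counts messages per sending client in a sliding 10-minute window, and separates a bulk mailing (many messages, few recipient domains) from a spam bot (many messages fanned out to many domains). The one-line-per-message log format, the thresholds and the host addresses are all assumptions made for the example; real Postfix or Exim logs spread one message across several lines and would need to be correlated by queue ID first.

```python
"""Outbound mail flood triage (added example; log format and thresholds are assumptions)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical one-line-per-message gateway format. Real MTA logs (Postfix, Exim)
# spread a message across several lines and must be correlated by queue ID first.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) from=(?P<sender>\S+) rcpt=(?P<rcpt>\S+)$"
)


def parse_line(line):
    """Return (timestamp, client_ip, sender, recipient_domain), or None for junk."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    domain = m["rcpt"].rsplit("@", 1)[-1].lower()
    return datetime.fromisoformat(m["ts"]), m["client"], m["sender"], domain


def find_floods(lines, window=timedelta(minutes=10), max_msgs=30, max_domains=10):
    """Return {client_ip: (peak messages in any window, peak distinct recipient domains)}
    for clients that exceed either limit. Lines must be in time order."""
    recent = defaultdict(deque)  # client -> deque of (ts, domain) inside the window
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, _sender, domain = rec
        q = recent[client]
        q.append((ts, domain))
        while q and ts - q[0][0] > window:  # drop entries that fell out of the window
            q.popleft()
        msgs, domains = len(q), len({d for _, d in q})
        pm, pd = peaks.get(client, (0, 0))
        peaks[client] = (max(pm, msgs), max(pd, domains))
    return {c: v for c, v in peaks.items() if v[0] > max_msgs or v[1] > max_domains}


def triage(floods, max_domains=10):
    """Bulk mail and a spam bot both produce volume; fan-out across many
    recipient domains is what separates them."""
    return {
        c: ("spam-bot pattern: many recipient domains" if d > max_domains
            else "bulk mailing: confirm with the sender")
        for c, (_m, d) in floods.items()
    }


def sample_mail_log():
    """Constructed sample: a newsletter host, a bot-like host and a normal user."""
    base = datetime(2007, 6, 13, 10, 0, 0)
    lines = []
    for i in range(40):   # newsletter: 40 messages in 8 minutes to two partner domains
        ts = base + timedelta(seconds=12 * i)
        dom = "partner.example" if i % 2 else "club.example"
        lines.append(f"{ts.isoformat()} client=192.0.2.20 from=news@shop.example rcpt=u{i}@{dom}")
    for i in range(60):   # bot: 60 messages in 3 minutes to 60 different domains
        ts = base + timedelta(seconds=3 * i)
        lines.append(f"{ts.isoformat()} client=192.0.2.44 from=pc44@shop.example rcpt=v{i}@d{i}.test")
    for i in range(3):    # ordinary user: three messages in an hour
        ts = base + timedelta(minutes=20 * i)
        lines.append(f"{ts.isoformat()} client=192.0.2.7 from=dan@shop.example rcpt=boss@shop.example")
    lines.sort()          # ISO timestamps of equal length sort chronologically
    return lines


if __name__ == "__main__":
    floods = find_floods(sample_mail_log())
    for client, verdict in triage(floods).items():
        msgs, domains = floods[client]
        print(f"{client}: {msgs} msgs / {domains} domains -> {verdict}")
```

Run against the constructed log, the newsletter host and the bot host both trip the volume limit, but only the bot is flagged on recipient fan-out; the newsletter host is the "call the customer" case the commenter describes.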

DanLM

"Major ISPs in the US are helping these botnet herders by not checking any outgoing volumes or content." It's an invasion of privacy according to them. I'm already in discussion about this. I was told I was talking out my back end because I advocate the ISPs performing these tasks. It seems the privacy advocates would rather just give up to the zombie botnets than allow non-intrusive monitoring of traffic over lines owned by ISPs. They feel that even though you are utilizing an ISP's property under terms of agreement, an individual's rights are far more important than an ISP's right to protect what it owns. Even though I still haven't figured out how monitoring of the volume of outgoing traffic is an invasion of someone's privacy. Hell, I haven't even heard one of them explain that one. What a crock... Damned if the ISPs do monitor, and damned if the ISPs don't monitor.

For the one million people that have been infected, victimized, the only feedback is to educate these people. Another government-sponsored program in the making. But it's OK that the people that drive don't have to be educated on the workings of their tool (car (killing machine)). But people that utilize the internet should be educated on the inner workings of their tool. And they would need to be continually educated because the way these infections occur is changing on a daily basis.

I do agree that some education needs to be done. But I would target this education at the users that are infected, and who have been identified through the ISP monitoring of outgoing traffic, i.e. higher than normal output over known zombie ports. They could be given the chance to clean their computers, with help if needed, and given an explanation of how they became infected. Again, it doesn't matter. Their privacy (which would never be infringed on) is so much more important than any number of disrupted lives or any amount of lost revenue from others. Those rights do not count.

Dan

Sorry, I ranted there. Had nothing to do with your post.

alaniane

The problem is how do you explain to grandma what a bot is in terms that she can understand. I've had users thinking that I was casting some spell on their machine when I would tell them that I am ghosting it.

Freebird54

ALREADY in a herd, then the biggest single thing you can do is access the internet ONLY from a limited user account. If you don't know how to set that up, it is very easy to get the information online - or just try with the GUI to set up another user - it's pretty easy to get going. Of course, even easier for some folks is to not use Windows - that will automatically limit your user access while browsing! Another thought (for those who are in doubt as to their current status) - back up *ALL* your data, and do a bare metal install. Then make an image of your system when completely set up. If any further doubts - you can restore your system to a clean state with ease....

paulmah

However, the golden question is, what strategies do you folks down in the trenches employ to identify and generally cope with bot infections?

digitalpimp2153

Bots were implemented by the FBI in Carnivore, a search utility to mark certain keywords to be flagged; it is attached to all the major reference sources like libraries and government databases, book stores, ... Unfortunately the technology got loose and spammers like (the King recently busted) and other blackhat hackers got their hands on the source code, and channeled it to rogue nodes to flood your e-mails in whisper mode so that it is hard to trace back to the bomb loader, using several hops to eliminate any traces of the originator of the threat. Traceroute can detect who, where and what in the header, and authentication software can eliminate it altogether; unfortunately the bomber has a key-logger installed in the code structure so that it records your strokes and sends it back to the perp or the government. So be careful, there is no such thing as an innocuous bit of info.

fatsavage

I notice that when a machine is infected with military-strength Trojans, they will go after every OS behind the firewall, whether it's Windows or Linux. When it happens, check the individual computers for group activities and turn off those not needed. Check the firewall and examine all activity that bypasses the firewall on 0.0.0.0. When you go where you are not wanted, there is no protection. I got slammed behind a hardwired Symantec Firewall, and Norton Personal Firewall, AdAware and Spybot Search and Destroy, which were all updated. There was collateral damage to every computer behind the firewall.

orders

Dear I.T. World,

In the physical security industry, i.e. card access, video cameras, etc., the key to security is the "Layered Approach". The same was and is the recommended approach for the I.T. industry also (many sources). What devices and tools to purchase at each level is one's own company's choice, but some examples are:

1. Spybot S&D at the PC level, with resident blockers (SDHelper & TeaTimer), plus a comprehensive AV and firewall package.
2. LAN/WAN firewall, plus spam filtering at the WAN interface (Cisco's is good).
3. Exchange/mail server spam and AV filtering.
4. A program of training, education, and common-sense diligence for the users. This means training the employees how to, what to, and what not to do in their usage.

This 4th item is actually the most important, because the other tools can't work if the people aren't watchful to make sure the tools are being used. The same is true in the physical security realm. The cameras and locks can only do so much. Alerting someone to a suspicious person or event, calling for help, asking questions, standing up to something strange, are all things that only people can do.

Regards, B.W.

DanLM

I've argued that education is not the final solution, just because you would be mass educating and not necessarily targeting it to the people that need it most. But if businesses were proactive and educated their IT user community, then that would be a solid start. Unfortunately, that still does not identify or educate the home user that has no interaction with any computers at work. How would they be targeted for this education? Dan

alaniane

It would be next to impossible to target all the home users. Perhaps free or low-price courses could be offered at community centers. Corporations could sponsor programs for all their employees regardless of whether they directly work with computers or not. The problem is how to sell such training courses. You would have to convince corporations and communities that they have more to gain from such courses than the expense of conducting them. It's hard to sell something in which the value cannot be directly measured.

jakesty

Spyware Doctor is for spyware, antivirus software is for viruses, and until just recently there were not any botnet detectors (I think Panda just announced one, but Symantec doesn't have one). I'm going to try using one of the programs from Mark Russinovich that detects rootkits from the command line, but my thoughts are that anything new that comes out could be a different kind of implementation. I'm at Symantec Vision 2007 now; 1 million botnets is not the first time. They mentioned here that there were upwards of 1.4 million botnets in one ring detected in the recent past. Keeping patched will help, and like was mentioned earlier, blocking unnecessary web sites from browsing will also help. Jake

trafficjon

Well, as IT manager of a small company, I have a few routine steps:

1. Of course, keep anti-virus updated.
2. We use Firefox, because it reduces (not eliminates) the chance of an unintentional or drive-by download and install of malware.
3. I use the Windows Defender, Ad-Aware, and Spybot programs.
4. For Spybot, I set up their constant monitoring. It's a pain, but my users WILL contact me immediately if they get any warnings. ;-)
5. Finally, but very important, all users work under limited, restricted rights.

Using this combination, I have kept us malware free (to the best of my knowledge) for 2+ years now.

Sincerely, Jon Williamson

Mond0

Pretty good, so far, Jon. But I have to say that relying on Spybot and Ad-Aware is a weak defense. I can't begin to count the infections (spyware, rootkits and viruses) that I've removed from systems with only these two applications for spyware protection. There are simply way too many things that they can't (or won't) find. Some people know, but don't say, that there's a practice called "de-listing" in the anti-malware community. This entails receipt of Cease and Desist letters from the bad guys' lawyers and the company's spineless response. Only the biggest players have the wherewithal to put up a fight against such tactics. Do yourself a favor and download a trial version of CounterSpy or something. I'm fairly certain that you'll be (unpleasantly) surprised by what it finds on your "clean" system!

paulmah

The problem with bots is that if a PC is infected, you no longer have any assurance that the rest of your security software has not already been subverted by a rootkit, or that the bot client is not busy downloading 10 other pieces of malware. For myself, I have just implemented an IPCop firewall (www.ipcop.org) as a second edge firewall/gateway. By enforcing extremely strict rules, locked down by MAC address (kind of overkill, but there are other reasons for it), I can observe the logs for suspicious activity by non-Internet PCs.

jayflex

I have added more border security on our network, such as a Cisco ASA and a content filter. Preventing users from leisure web browsing has helped a lot with preventing infections, but not without a lot of complaining. Plus all the users have basic rights with no local Administrators. I also use Spyware Doctor on the PCs, which does an excellent job of removing malware/spyware if a user does something stupid. I find the hardest part of overall security is educating the end users. They are definitely the weakest link in a layered security approach.

Mond0

I've been using OpenDNS for a while now and it seems to be working well. I combine this with a special, locked hosts file and router blocking of those infamous bandwidth-hogging social network sites (MySpace, MetaCafe, etc.). Also, I help my users to make better decisions by loading McAfee SiteAdvisor into their browsers (IE and Firefox).

Scottieoo

It is true that user negligence is hard to overcome, if at all possible. The fact is that in a company everyone plays their part, which is why everyone doesn't know everything about everything. The fact is that companies work in departments so people specialise in their expertise, and every department needs to work together. The problem of botnets is the responsibility of the IT department, and the best way to make sure your network is secure is to restrict users from remote sites that THEY DON'T NEED. It is hard to make individual policies for everyone and yes, you will get a lot of complaints about restrictions. However, I found that a security clearance approach is best for this type of thing. An employee's job role and responsibilities determine the level of internet access they are allowed. Most users will get the basic level of access (email etc). Then, as job responsibility grows, each department is allowed access to internet sites based on only what they need. This will lessen the threat of a mass botnet infection and normally isolate problems to only the few machines in your organisation that have higher levels of access (hence giving you fewer computers to monitor on a regular basis).

kelley.coleman

Paul, I'm definitely down 'in the trenches', but I just don't even know where to start looking. Is it enough, as a system manager, to rely so much on my virus vendor? I look at system logs, I watch for 'unusual' activity, I 'google' things I am unsure about, and still I think that there are things lurking about that I'm totally unaware of. I've been told that to find hacks and hackers, you have to think like one. My brain just doesn't work that way. Are there any concrete, documented steps I should do every single day on each system that will help me feel more comfortable that my systems are as secure as possible? What are your thoughts?

ronald

Use Linux, let's say Ubuntu... by the time you're no longer addicted to MS-Windows you will also have learned to block bots. OpOnzeZolder.nl

Scottieoo

The only way anyone can use your equipment is from physical access or remote access. I would assume everyone has the physical access secured ;) but the best way to protect from outside communications threats is to implement a restrictive firewall strategy. The best way is to leave it on a "need to use" basis. If your users only need email, then restrict their computers to use only the internal mail servers; if they only need certain programs or websites, then only allow those sites specific to your users' needs.

paulmah

Kelley, looks like a lot of the other folks have posted loads of tips and advice. See if some of what they suggest is of use in your organization. But you are right. How can you be sure that your network has not already been compromised by bots or malware? The fact is, it's almost impossible to be 100% certain. However, if it would help you sleep better at night, the bottom line in a bot-controlled box is that there must be some kind of communication (i.e. outgoing traffic) between the compromised box and an external source. It is with this idea that I lock down my network as tightly as I can. Only staff who need Internet access are given it. And even then, they are filtered through a firewall that will disallow them from opening other ports. All HTTP traffic is forcibly fed through a transparent proxy AND logged, as a lot of applications, from your MSN to your next-generation (perhaps) botnet, are all using HTTP. Whilst it is not possible to filter 'bad' traffic from 'normal' traffic, at least I am able to monitor the log files periodically to look out for suspicious entries. So there you go:

bots == outgoing traffic
NO outgoing traffic == USELESS bots (at least)

Hope I managed to help you somewhat. :)
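
Paul's point above, together with his earlier comment about watching firewall logs for Internet activity from PCs that are not supposed to have any, as an added example (this is not Paul's own script): a Python triage pass over Squid-format proxy access.log lines that flags three things a bot tends to leave behind once all HTTP is forced through a logged proxy: egress from a host that has no Internet entitlement, destinations addressed by a bare IP rather than a hostname, and requests to one host repeating at a near-constant interval (beaconing), which a person clicking around does not produce. The sample lines, the allowed-host set and the thresholds are constructed for the example; Squid's native log layout is real.

```python
"""Egress triage over Squid-format proxy logs (added example; hosts and thresholds are assumptions)."""
import re
import statistics
from collections import defaultdict
from urllib.parse import urlsplit

# Workstations entitled to reach the Internet through the proxy (hypothetical inventory).
INTERNET_ALLOWED = {"192.0.2.15", "192.0.2.16"}
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_squid_line(line):
    """Squid native access.log: time elapsed client action/code size method URL ..."""
    f = line.split()
    if len(f) < 7:
        return None
    ts, client, url = float(f[0]), f[2], f[6]
    # CONNECT requests are logged as "host:port" with no scheme.
    host = urlsplit(url).hostname if "://" in url else url.split(":")[0]
    return ts, client, (host or "").lower()


def triage_egress(lines, min_hits=6, max_cv=0.15):
    """Return sorted (client, host, reason) findings.

    Beaconing is measured as a low coefficient of variation (stdev / mean) of
    the gaps between successive hits to the same host; human browsing is bursty
    and scores high, a timer-driven bot check-in scores close to zero."""
    findings = set()
    hits = defaultdict(list)
    for line in lines:
        rec = parse_squid_line(line)
        if rec is None:
            continue
        ts, client, host = rec
        if client not in INTERNET_ALLOWED:
            findings.add((client, host, "egress from a host with no Internet entitlement"))
        hits[(client, host)].append(ts)
    for (client, host), stamps in hits.items():
        if IPV4_RE.match(host):
            findings.add((client, host, "destination addressed by bare IP, not a hostname"))
        if len(stamps) >= min_hits:
            stamps.sort()
            gaps = [b - a for a, b in zip(stamps, stamps[1:])]
            mean = statistics.mean(gaps)
            cv = statistics.pstdev(gaps) / mean if mean > 0 else 0.0
            if cv < max_cv:
                findings.add((client, host,
                              f"periodic beacon: {len(stamps)} hits every ~{mean:.0f}s (cv={cv:.2f})"))
    return sorted(findings)


def sample_proxy_log():
    """Constructed lines: ordinary browsing, a 60-second beacon to a bare IP, and
    one request from a PC that should never reach the proxy."""
    base = 1181728800.0  # 2007-06-13 10:00:00 UTC, epoch seconds as Squid writes them

    def entry(offset, client, url):
        return f"{base + offset:.3f}    120 {client} TCP_MISS/200 512 GET {url} - DIRECT/203.0.113.5 text/html"

    lines = [entry(o, "192.0.2.15", "http://www.example.com/news")
             for o in (0, 3, 43, 50, 170, 185, 190, 400)]      # irregular gaps: a person
    lines += [entry(o, "192.0.2.15", "http://203.0.113.9/cmd.php")
              for o in (0, 61, 119, 181, 240, 299, 361, 420)]  # ~60 s apart: a beacon
    lines.append(entry(12, "192.0.2.77", "http://update.example/check"))
    return lines


if __name__ == "__main__":
    for client, host, reason in triage_egress(sample_proxy_log()):
        print(f"{client} -> {host}: {reason}")
```

On the constructed log the browsing session to www.example.com is left alone, while the check-ins to 203.0.113.9 are reported twice (bare IP and periodic beacon) and the single request from 192.0.2.77 is reported because that host is not in the entitlement set. The interval test is deliberately loose: a bot that jitters its sleep by more than about 15% slips past it, so in practice it is a triage aid that points you at log entries worth reading, not a verdict.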
