Cybercriminals are turning to the use of peer-to-peer network technology in order to control their botnets, says FBI agent J. Keith Mularski. Mularski should know, having spent two years as an undercover agent in order to infiltrate an underground Internet forum. The stint culminated in September 2008 with the arrest of 60 criminals around the globe involved in cybercrimes that ranged from hacking to trading of credit card data and manufacturing of fake credit cards.
Peer-to-peer technologies, especially when combined with protocol obfuscation and/or encryption, make it extraordinarily difficult to detect a botnet infestation. Unlike a security vendor's, a network or system administrator's overriding concern is to correctly identify the infected hosts within the corporate network. Remediation would probably start with taking each such host offline, determining the point of infection, and rebuilding the affected system.
What is clear is that most malware and all botnet-client attacks involve the compromised host making an outbound connection at some point or other. Stopping, or at least detecting, suspicious activities on this front would certainly make for a more secure environment. Yet how could a network administrator, without access to special tools or annual, company-wide hard-disk formatting exercises, hope to detect the presence of a botnet infestation in the first place?
While not solutions per se, below are a couple of ideas that could help you reduce your exposure.
Allow only Web traffic; filter and log all URLs
The most draconian step possible would be to allow only Web traffic to pass through the corporate firewall. Obviously, this will do nothing to protect against phishing attacks, or against applications that tunnel outgoing data via SSL or disguise it as legitimate HTTP requests.
As such, it makes sense to filter outgoing connections against blacklists maintained by sites such as URLBlacklist.com; additional lists can be found at Spam Links. In addition, all URLs should be logged and regularly sifted for suspicious activity and connections. The same goes for non-HTTP connections, since they could contain clues to the presence of infected hosts within the network.
Assuming this is a viable option for your organization, such a move would stop a large swath of threats in their tracks.
Allow only selective ports
Alas, we live in an imperfect world. A typical business might classify applications such as Skype and MSN as crucial to its operations. In such cases, opening selected ports for legitimate applications would be unavoidable. The restriction here is to open only the ports that are necessary and to continue filtering and logging outgoing connections wherever possible.
While not a 100-percent guarantee, a protocol-aware firewall can also help filter out malware attempts to make outgoing connections via well-known ports.
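As an added illustration (my own code, not from the article) of the kind of sifting through outgoing-connection logs that both ideas above call for, the script below reads a constructed egress log in a made-up one-line-per-connection format, flags URLs on a blacklist, flags connections on ports outside the allowed set, and flags any host fanning out to many distinct non-Web peers, which is the pattern a peer-to-peer bot client tends to leave. The log format, blacklist entries, allowed ports and threshold are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample egress log (not real traffic): time, source, dest:port, method, host
SAMPLE_LOG = """\
2008-10-01T09:00:01 10.0.0.5 203.0.113.10:80 GET example.com
2008-10-01T09:00:02 10.0.0.5 203.0.113.44:443 CONNECT update.example.net
2008-10-01T09:00:03 10.0.0.7 198.51.100.9:80 GET cdn.evil-tracker.example
2008-10-01T09:00:04 10.0.0.9 192.0.2.15:6881 - -
2008-10-01T09:00:05 10.0.0.9 192.0.2.16:6882 - -
2008-10-01T09:00:06 10.0.0.9 192.0.2.17:6883 - -
2008-10-01T09:00:07 10.0.0.9 192.0.2.18:6884 - -
2008-10-01T09:00:08 10.0.0.5 203.0.113.10:443 CONNECT www.example.com
"""

# Hypothetical blacklist in the spirit of the public lists the article mentions
BLACKLIST = {"evil-tracker.example"}
ALLOWED_PORTS = {80, 443}          # "allow only Web traffic"
PEER_THRESHOLD = 3                 # distinct non-Web peers per host before flagging

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) (\S+) (\S+)$")

def parse_line(line):
    """Return a dict for one log line, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, method, host = m.groups()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "method": method, "host": host}

def domain_listed(host, blacklist):
    """True if host or any parent domain of it is on the blacklist."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in blacklist for i in range(len(labels)))

def analyze(log_text, blacklist=BLACKLIST, allowed_ports=ALLOWED_PORTS, peer_threshold=PEER_THRESHOLD):
    """Return a list of (finding_kind, source_host, detail) tuples."""
    findings = []
    non_web_peers = defaultdict(set)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue                     # skip malformed lines rather than crash
        if domain_listed(rec["host"], blacklist):
            findings.append(("blacklisted_url", rec["src"], rec["host"]))
        if rec["port"] not in allowed_ports:
            findings.append(("non_web_port", rec["src"], f'{rec["dst"]}:{rec["port"]}'))
            non_web_peers[rec["src"]].add(rec["dst"])
    for src, peers in sorted(non_web_peers.items()):
        if len(peers) >= peer_threshold:  # many distinct peers on odd ports: P2P-like fan-out
            findings.append(("p2p_fanout", src, str(len(peers))))
    return findings

if __name__ == "__main__":
    for kind, src, detail in analyze(SAMPLE_LOG):
        print(f"{kind:16} {src:10} {detail}")
```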
Modern computer security is a complex, multifaceted affair with no single or convenient solution. Actively configuring and monitoring one’s network is just another way to defend it from being hijacked. For today, I am assuming the availability of a firewall where it is at least possible to make fine-grained port configurations.
For more information on the ways botnets operate, see IT Security blogger Michael Kassner’s in-depth reports: