December 18, 2013

3.1.9 Botnets


What is a botnet? The word botnet is a portmanteau of robot and network.

A “bot” is a piece of malicious software (malware) that resides on a computer and allows an attacker to take control of it and direct its actions. Bot-infected computers are also referred to as victim computers or “zombies”.

A “botnet” is an assembly of many bot-infected computers that can be conscripted to undertake a specific mission. Botnets can consist of anywhere from a few hundred to millions of infected computers. In 2010, the creator of the Mariposa botnet, which reportedly consisted of over 12 million computers, was arrested.

The purpose of a botnet is to marshal large-scale computing resources and apply them to a particular task. Botnets have typically been used to send out spam email, spread other malware, steal sensitive information such as license keys and financial data from individual computer systems, and overwhelm web sites with distributed denial of service (DDoS) attacks.

A bot reaches your system via malware such as viruses, worms and Trojan horses. Once deployed, the bot opens your system to the commands of the botnet controller, also referred to as the “bot herder” or “bot master”. The command channel typically rides on ordinary protocols and services that blend in with normal traffic, such as HTTP, IRC, or even public services like Twitter.

Countermeasures Against Botnets

Preventing infection in the first place is preferred. Beyond that, all the normal security best practices apply: keep firewalls and anti-virus programs up to date, patch operating systems, avoid anonymous file-sharing sites, be vigilant about opening email attachments, and so on.

The distributed nature of a botnet makes it challenging to take down; success against an already formed botnet starts with understanding how it works. How does it communicate with the controller? Is there a specific port, IP address or domain that can be tracked and/or blocked? Does it deploy distinctive payloads that can be identified and removed? Be aware that if a botnet controller detects a takedown attempt, it may react by turning the botnet against the investigators.
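The two questions above (what channel does the bot use, and is there a fixed host and port worth blocking) can often be answered from your own firewall or proxy logs. Bots that poll their controller on a timer produce "beaconing": many internal hosts making evenly spaced connections to the same external host and port, which is exactly the pattern a plain HTTP or IRC command channel leaves behind. The following is an added example, not code from the original post: the log format and the sample lines are constructed for illustration, and the thresholds (`min_hits`, `max_cv`, `min_hosts`) are assumptions to tune for your own network.

```python
"""Added example (not from the original post): a simple beacon detector.

Looks for internal hosts that connect to the same external host:port at
near-constant intervals, then groups those flows by destination so a
controller shared by several hosts stands out.  The log format and the
sample lines below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed firewall log lines: "<ISO timestamp> <src_ip> <dst_ip>:<dst_port> <proto>"
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges (RFC 5737).
SAMPLE_LOG = """\
2013-12-18T09:00:00 10.0.0.5 203.0.113.7:6667 tcp
2013-12-18T09:00:04 10.0.0.5 198.51.100.20:443 tcp
2013-12-18T09:05:01 10.0.0.5 203.0.113.7:6667 tcp
2013-12-18T09:09:59 10.0.0.5 203.0.113.7:6667 tcp
2013-12-18T09:15:00 10.0.0.5 203.0.113.7:6667 tcp
2013-12-18T09:01:00 10.0.0.9 203.0.113.7:6667 tcp
2013-12-18T09:06:02 10.0.0.9 203.0.113.7:6667 tcp
2013-12-18T09:10:58 10.0.0.9 203.0.113.7:6667 tcp
2013-12-18T09:16:00 10.0.0.9 203.0.113.7:6667 tcp
2013-12-18T09:00:30 10.0.0.12 198.51.100.20:443 tcp
2013-12-18T09:02:10 10.0.0.12 198.51.100.20:443 tcp
2013-12-18T09:31:45 10.0.0.12 198.51.100.20:443 tcp
2013-12-18T09:33:00 10.0.0.12 198.51.100.20:443 tcp
"""


def parse_log(text):
    """Yield (timestamp, src, dst, port) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst_port, _proto = parts
        dst, _, port = dst_port.rpartition(":")
        try:
            yield datetime.fromisoformat(ts), src, dst, int(port)
        except ValueError:
            continue


def find_beacons(events, min_hits=4, max_cv=0.15):
    """Return {(src, dst, port): mean_gap_seconds} for flows seen at least
    min_hits times with near-constant spacing.  "Near-constant" means the
    coefficient of variation (stdev / mean) of the gaps is at most max_cv;
    the thresholds are assumptions to tune per network."""
    by_flow = defaultdict(list)
    for ts, src, dst, port in events:
        by_flow[(src, dst, port)].append(ts)
    beacons = {}
    for flow, times in by_flow.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons[flow] = avg
    return beacons


def candidate_c2(beacons, min_hosts=2):
    """Group beaconing flows by destination.  A (dst, port) that several
    internal hosts poll on a timer is a candidate controller to investigate
    and, if confirmed, to block at the perimeter."""
    hosts = defaultdict(set)
    for (src, dst, port) in beacons:
        hosts[(dst, port)].add(src)
    return {k: sorted(v) for k, v in hosts.items() if len(v) >= min_hosts}


if __name__ == "__main__":
    found = find_beacons(parse_log(SAMPLE_LOG))
    for (src, dst, port), gap in sorted(found.items()):
        print(f"{src} -> {dst}:{port} every ~{gap:.0f}s")
    for (dst, port), members in candidate_c2(found).items():
        print(f"candidate C2 {dst}:{port} shared by {len(members)} hosts: {', '.join(members)}")
```

In the constructed sample, two hosts poll 203.0.113.7 on the IRC port every five minutes and are flagged, while the irregular HTTPS traffic to 198.51.100.20 is not. Treat the output as a lead, not a verdict: legitimate software also polls on timers, and real bots add jitter or rotate through many domains, so loosen `max_cv`, raise `min_hits`, and confirm with packet captures or host forensics before blocking.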
