A botnet (also known as a zombie army) is a number of Internet computers that, although their owners are unaware of it, have been set up to forward transmissions (including spam or viruses) to other computers on the Internet. Any such computer is referred to as a zombie - in effect, a computer "robot" or "bot" that serves the wishes of some master spam or virus originator. Most computers compromised in this way are home-based. According to a report from Russian-based Kaspersky Labs, botnets -- not spam, viruses, or worms -- currently pose the biggest threat to the Internet. A report from Symantec came to a similar conclusion.
Computers that are co-opted to serve in a zombie army are often those whose owners fail to provide effective firewalls and other safeguards. An increasing number of home users have high speed connections for computers that may be inadequately protected. A zombie or bot is often created through an Internet port that has been left open and through which a small Trojan horse program can be left for future activation. At a certain time, the zombie army "controller" can unleash the effects of the army by sending a single command, possibly from an Internet Relay Chat (IRC) channel.
The computers that form a botnet can be programmed to redirect transmissions to a specific computer, such as a Web site that can be closed down by having to handle too much traffic - a distributed denial-of-service (DDoS) attack - or, in the case of spam distribution, to many computers. The motivation for a zombie master who creates a DDoS attack may be to cripple a competitor. The motivation for a zombie master sending spam is in the money to be made. Both of them rely on unprotected computers that can be turned into zombies.
Ways to Combat Botnets, the Invisible Threat.
- Install a Windows Firewall. Though sometimes tempting for end users to disable, a properly configured Windows firewall can block many network-based exploits. This measure is especially appropriate for large agencies with many similarly configured machines.
- Disable AutoRun. The autorun feature, which automatically installs software, should be disabled to prevent operating systems from blindly launching commands from foreign sources.
- Break Password Trusts. Judicious control over local accounts, especially the local administrator account, is critical to isolating and eliminating threats. Disabling computers’ capability to automatically connect to each other closes the path that botnets take to spread to the internal network. This is particularly critical in environments where machines store highly confidential data.
- Consider Network Compartmentalization. In most computing environments, workstations do not need to communicate with each other across departments. Shutting down this capability goes a long way toward preventing the spread of botnets. IT managers should establish private virtual local area networks (VLANs), or access control lists (ACLs) between subnetworks to limit exposure. This strategy is not a good fit, however, in environments that mix voice and data communications, as it tends to break the ability to negotiate virtual circuits on the fly.
- Provide Least Privilege. When users are not administrators of their own workstations, it is much harder for malware to propagate via drive-by download or for AutoRun methods to take hold on a system. Preventing users from being administrators also makes it more difficult for their user account credentials to spread malware, should the computer become infected.
- Install Host-Based Intrusion Prevention. To keep botnets from taking root in a system, IT managers should concentrate additional protections on specific network layers based on vulnerability, such as at points of contact between specific hardware and software. This approach does not fix technical flaws or holes in operating systems or application software, but it can reduce the chances that exploits will be successful. These tools are highly effective, but they are expensive and challenging to deploy.
- Enhance Monitoring. The more that is known about how end users and the network operate in normal activity, the easier it will be to determine in real time when a botnet infestation causes slight anomalies. Around-the-clock monitoring is ideal, using products that collect data on network traffic, train devices to monitor abnormalities, and detect and prevent intrusions. However, even with remote managed security services filling the gap, enhanced monitoring might be beyond the capabilities of many government agencies.
- Filter Data Leaving the Network. Botnets typically establish communication with one or more remote servers that hackers use to retrieve private information. To stop these communications, and the threats associated with them, agencies can prohibit unwanted traffic from leaving the network, a technique known as egress filtering. Agencies should force Internet traffic through proxies or content filters (see below), or deploy a data loss prevention (DLP) solution.
- Use a Proxy Server. While it is impractical to block all potentially hostile outbound traffic, forcing outbound traffic through a proxy server gives agencies a secondary choke point for monitoring and controlling Web access and for defeating some attempts to tunnel around security measures. Content filtering is appropriate for almost any agency.
- Install Reputation-Based Filtering. Tools like IronPort and WebSense can help block e-mail from, and requests to, addresses that have reputations as potential malware sources.
- Monitor DNS Queries. The domain name system (DNS) queries a workstation issues, and the answers it receives, are often an early warning sign that the workstation may be infected. Specifically, answers with very low time-to-live (TTL) values should be monitored, as a low TTL can indicate infection. Monitoring allows system administrators to act before the infection spreads too far.
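As an added example (not from the article), the low-TTL check in the last item applied to constructed resolver log lines: it parses one line per DNS answer and reports clients that repeatedly received low-TTL answers, together with how many distinct addresses each such name resolved to. The log format, the 60-second threshold, the hit count and all addresses are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of resolver response logs (not from the article).
# Assumed format: <time> <client-ip> <queried-name> <ttl-seconds> <answer-ip>
SAMPLE_LOG = """\
09:00:01 10.1.2.10 www.example.com 3600 93.184.216.34
09:00:05 10.1.2.10 cdn.example.net 300 203.0.113.7
09:00:09 10.1.2.44 flux-sample.test 20 198.51.100.21
09:00:14 10.1.2.44 flux-sample.test 20 198.51.100.77
09:00:19 10.1.2.44 flux-sample.test 15 198.51.100.130
09:00:23 10.1.2.44 flux-sample.test 20 198.51.100.9
09:00:30 10.1.2.91 mail.example.org 1800 192.0.2.25
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+)$")
LOW_TTL = 60   # seconds; assumed threshold, tune to the environment's normal TTLs
MIN_HITS = 3   # low-TTL answers a client must receive before it is reported


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, ttl, answer = m.groups()
    return {"ts": ts, "client": client, "qname": qname,
            "ttl": int(ttl), "answer": answer}


def find_suspect_hosts(log_text, low_ttl=LOW_TTL, min_hits=MIN_HITS):
    """Return {client: {qname: set(answer_ips)}} for clients that received at
    least `min_hits` answers with TTL below `low_ttl`. One name resolving to
    many different addresses on a short TTL is the fast-flux pattern."""
    low = defaultdict(lambda: defaultdict(set))
    hits = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["ttl"] >= low_ttl:
            continue   # skip unparsable lines and normal-TTL answers
        hits[rec["client"]] += 1
        low[rec["client"]][rec["qname"]].add(rec["answer"])
    return {c: dict(names) for c, names in low.items() if hits[c] >= min_hits}


if __name__ == "__main__":
    for client, names in find_suspect_hosts(SAMPLE_LOG).items():
        for qname, ips in names.items():
            print(f"{client}: {qname} -> {len(ips)} distinct low-TTL answers")
```

In production the same logic would run over the resolver's query log or a passive DNS feed rather than an embedded string.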