Botnets are back in the news. Leading experts have recently gone on record stating we are losing the war on botnets. Then Tuesday, McAfee released a whitepaper showing startling success in Central America against botnets. This has ignited a debate in both the IPS and botnet sub-cultures of the Information Security World.
Botnets are problematic for a number of reasons:
1) We have no idea how many botnets are out there. Most of our results come from honeynets (http://www.honeynet.org/papers/honeynet/), which are globally distributed. However, honeynets are binary: they are either infected by a particular botnet or they are not. It is quite possible to have a huge botnet army in the wild that misses the honeynet traps.
2) We have no idea how big the active botnets are. Botnet armies have been reported which are smaller than 1,000 and others larger than a million. Bot herders will exaggerate their size until they get caught, at which point they will understate it, attempting to get a lighter sentence.
3) Size is not correlated directly to lethality. A small botnet which infects a computer in a sensitive network can do untold damage. The botnet may download keyloggers and password sniffers, leading to confidential data leakage. The compromised bot may even be used as a launchpad for attacking other machines in the internal network.
4) Many botnets are programmable. When a 0-day exploit becomes available, a bot herder can push the code to the bots and get them to attack other machines, attempting to recruit them.
5) Bots create a lot of 'network noise' as they scan and attack other hosts. This extra traffic can disrupt the internal networks of enterprises, leading to slower application response and causing servers to crash.
Botnets have a complex life cycle. The life cycle below, however, is typical:
Figure 1: Anatomy of a typical botnet attack
Step 1: The bot herder loads remote exploit code on an 'attack machine', which may be dedicated for this purpose or an already compromised bot. Many bots use file-sharing and RPC ports to spread. The initial infection vector ensures victim machines have sufficient configuration information to contact the bot controller once compromised.
Step 2: Attack machines scan for unpatched targets and launch attacks. An unpatched machine becomes a victim to the exploit.
Steps 3 & 4: The victim machine is ordered to download binaries from another server (frequently a compromised web or FTP server).
Step 5: These binaries are run on the victim machine and convert it to a bot. The victim connects to the bot controller and 'reports for duty'.
Step 6: The bot controller issues commands to the victim. These instructions may include commands to download new modules, steal account details, install spyware, attack other machines and relay spam.
Step 7: The Bot herder controls all bots by issuing commands via the bot controller(s).
Just as in the biological sciences, interrupting a pest's life cycle stops it. Almost all quality IPS devices can stop Step 2 (see Figure 1). There are many IPS devices deployed globally, but often there is a detection-only mindset held by some who call themselves information security professionals. This indifference allows botnets to spread deep inside networks.
Steps 5 & 6 can be stopped by Next-Generation IPS devices (those that have up-to-date and comprehensive signatures and can truly decode the protocols). These are not common, and their successful deployment forms the basis of the McAfee case study. Those with legacy IPS devices can only slow the growth of botnets, at Step 2, and should be encouraged to do so. Destroying established botnets requires Next-Generation IPS devices.
Next-Generation IPS devices bring a number of extra benefits and solve many of the botnet problems. When deployed at the network edge, IPS devices can see all traffic entering and exiting the network. This brings a number of advantages; we can:
i) see how many bots are on our network,
ii) see where their bot controllers are,
iii) estimate the size of each botnet army,
iv) see which botnet variant the infected machines are using,
v) see deeply into the command and control structures, including the commands being sent to individual bots,
vi) capture traffic from the small but lethal botnets and gain visibility into their mission,
vii) capture traffic which may be used to secure bot herder convictions.
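Once an IPS has decoded the traffic, most of the visibility listed above is an aggregation problem over its flow records. The Python script below is an added example, not code from this article or from McAfee: it assumes the IPS exports one record per flow carrying the signature name it matched (the `BOT_C2_CHECKIN` and `BOT_C2_COMMAND` names, the `10.` internal prefix, the lateral-movement port set and the scan threshold are all assumptions), and runs over a small constructed log to map bots to their controllers (points i to iii), list the decoded commands each bot received (point v), and flag the internal hosts producing the scanning 'network noise' described in reason 5 above.

```python
"""Aggregate IPS flow records into botnet visibility (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: str        # timestamp of the flow
    src: str       # source IP
    dst: str       # destination IP
    dport: int     # destination port
    alert: str     # IPS signature name that fired, "" for a plain flow (assumed export format)
    payload: str   # C2 command as decoded by the IPS, "" when none


# Assumptions for this example: internal hosts live in 10.0.0.0/8, and lateral
# spreading uses the RPC/file-sharing ports the article names (135, 139, 445).
INTERNAL_PREFIX = "10."
LATERAL_PORTS = {135, 139, 445}
SCAN_THRESHOLD = 5  # distinct internal targets on lateral ports before a host is flagged

# Constructed sample log: two controllers, one scanning bot, one legitimate file-server client.
SAMPLE_FLOWS = [
    Flow("2006-10-24T09:00:01", "10.1.1.5", "198.51.100.7", 6667, "BOT_C2_CHECKIN", ""),
    Flow("2006-10-24T09:00:03", "10.1.1.9", "198.51.100.7", 6667, "BOT_C2_CHECKIN", ""),
    Flow("2006-10-24T09:00:05", "10.1.2.21", "198.51.100.7", 6667, "BOT_C2_CHECKIN", ""),
    # a single bot on a sensitive segment talking to a second, much smaller botnet
    Flow("2006-10-24T09:00:08", "10.1.3.4", "203.0.113.9", 8080, "BOT_C2_CHECKIN", ""),
    Flow("2006-10-24T09:01:00", "198.51.100.7", "10.1.1.5", 6667, "BOT_C2_COMMAND",
         "download http://drop.example/mod.bin"),
    Flow("2006-10-24T09:01:02", "198.51.100.7", "10.1.1.5", 6667, "BOT_C2_COMMAND", "relay_spam"),
    Flow("2006-10-24T09:01:05", "203.0.113.9", "10.1.3.4", 8080, "BOT_C2_COMMAND", "keylog on"),
    # legitimate client repeatedly using one file server: one distinct destination only
    *(Flow(f"2006-10-24T09:03:{i:02d}", "10.1.9.2", "10.1.9.3", 445, "", "") for i in range(3)),
] + [
    # the bot at 10.1.1.5 sweeping a neighbouring subnet on port 445 (six distinct targets)
    Flow(f"2006-10-24T09:02:{i:02d}", "10.1.1.5", f"10.1.4.{i}", 445, "", "") for i in range(1, 7)
]


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def bots_per_controller(flows):
    """Map each external controller IP to the sorted internal hosts that checked in to it (points i, ii)."""
    members = defaultdict(set)
    for f in flows:
        if f.alert == "BOT_C2_CHECKIN" and is_internal(f.src) and not is_internal(f.dst):
            members[f.dst].add(f.src)
    return {c2: sorted(hosts) for c2, hosts in members.items()}


def botnet_sizes(flows):
    """Estimate each botnet's footprint on our network: distinct bots per controller (point iii)."""
    return {c2: len(hosts) for c2, hosts in bots_per_controller(flows).items()}


def commands_per_bot(flows):
    """Collect the decoded commands each bot received, in log order (point v)."""
    cmds = defaultdict(list)
    for f in flows:
        if f.alert == "BOT_C2_COMMAND" and f.payload:
            cmds[f.dst].append(f.payload)
    return dict(cmds)


def scanning_hosts(flows, threshold=SCAN_THRESHOLD):
    """Internal hosts that touched at least `threshold` distinct internal targets on lateral ports.

    Counting distinct targets rather than flows keeps a client hammering one file server off the list.
    """
    targets = defaultdict(set)
    for f in flows:
        if f.dport in LATERAL_PORTS and is_internal(f.src) and is_internal(f.dst) and f.src != f.dst:
            targets[f.src].add(f.dst)
    return {host: len(t) for host, t in targets.items() if len(t) >= threshold}


if __name__ == "__main__":
    for c2, hosts in bots_per_controller(SAMPLE_FLOWS).items():
        print(f"controller {c2}: {len(hosts)} bot(s): {', '.join(hosts)}")
    for bot, cmds in commands_per_bot(SAMPLE_FLOWS).items():
        print(f"bot {bot} received: {cmds}")
    for host, n in scanning_hosts(SAMPLE_FLOWS).items():
        print(f"scanner {host}: {n} distinct internal targets on lateral ports")
```

On the constructed log this reports the large botnet (three bots behind 198.51.100.7), the one-bot botnet on the sensitive segment (203.0.113.9, the "small but lethal" case from reason 3), the commands each bot was given, and 10.1.1.5 as the host sweeping port 445. The scan threshold is a trade-off: in a real deployment it would be applied per time window, and counted against distinct targets so that ordinary clients of a single file server are not flagged.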
Is the botnet war over then?
Next-Generation IPS devices have proven themselves to be very helpful in the war on botnets. Bot herders and their botnets will, however, evolve and seek to evade them. The cat and mouse game played so often in the past with virus writers will now come to the botnet world.
Nonetheless, IPS devices can pinpoint botnets, indicate their size, show where their controllers are and enable us to see their command and control traffic. We are much closer to putting bot herders behind bars, with the active assistance of law enforcement. Perhaps that is the message bot herders should take away.
About the Author: Dr. Ken Baylor is Director of Risk Management Solutions with McAfee. He has 15 years' experience leading IT organizations, and is recognized as an expert in Risk Management. Ken holds both CISSP and CISM certifications.