Wednesday, April 1, 2009

more on bots

Not sure what set me in bot mode this week, but I have been intrigued by them and started a deeper study. That, coupled with today supposedly being Conficker's day to check in to its CnC for updates, has probably helped keep it a topic on my mind as well.

So sure, they work over IRC in a lot of cases. IRC is a pretty straightforward protocol that many of us are probably at least a little familiar with. What, though, are the reasons for bots, the techniques they use, and how can we protect against them? I would go as far as recommending a three-step process:

1. Egress filtering at your edge firewall. This blocks any traffic that you do not explicitly trust. Most people block untrusted communication from the Internet in, but I'm talking about traffic from the LAN out! Depending on your firewall vendor, you may only get a good port blocker, which should help in a lot of cases, but if you have a firewall that does deep packet inspection, you can get most of your problem traffic stopped before these bots can phone home.

2. Update your OS and applications! This may seem like a no-brainer, and you may say "I have automatic updates on". The problem is that many of these bots and other malware turn that service off, or trick the update process into thinking it has checked in when it really hasn't. Also notice that I said applications as well. As much as we all like to bash Microsoft for being insecure, a lot of new techniques take advantage of third-party applications, because these tend to be ignored or are harder to update automatically.

3. Update your antivirus. This is twofold. A lot of people think they are fine with that Norton 2003 (mentioned for example purposes only) because they are still getting signature updates. The problem is that this malware is becoming polymorphic. Polymorphic malware cannot be caught with general signatures; it has to be caught by recognizing abnormal behavior and traffic. The newer AV engines can see this type of behavior through other kinds of signatures and IPS functionality. If you are not also updating your AV engine, you might as well not update your signatures either.

OK, that's probably going too far, but it is important. We also need to make sure we are actually getting updates. Check the definition file date from time to time to ensure it is current. I have my AV update a couple of times a day, and in most cases I'm surprised to see a definition file that is more than 24 hours old.

If you have a corporate antivirus system, someone should be running reports on your clients, making sure they are checking in and getting the latest updates. The reason for all of this is, again, that this malware turns off AV systems or hinders their ability to update.

With all that done, you should be in a good position to fight off these types of attacks. This is not everything you need, but I find that these 3 steps help the most. Of course it doesn't hurt to have an IPS/IDS on the network as well; stopping these things before they get onto your network to begin with is also a great step!
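To make step 1 concrete, here is an added example (my own illustration, not from the post or from any vendor) of a default-deny egress policy applied to outbound connection records. The policy, the LAN range and the log lines are all constructed assumptions; the point is that LAN hosts repeatedly trying to reach IRC ports the policy blocks are exactly the "phone home" attempts worth investigating.

```python
import ipaddress
from collections import Counter

# Constructed egress policy (assumption, not from the post): traffic from the
# LAN out is denied unless the destination port is on an allow list.
LAN = ipaddress.ip_network("192.168.1.0/24")
ALLOWED_OUTBOUND_PORTS = {80, 443}               # web, permitted for every LAN host
ALLOWED_PER_HOST = {"192.168.1.10": {25, 53}}    # only the mail/DNS server may use these
# Common IRC server ports; bots that use IRC for CnC usually connect to one of them.
IRC_PORTS = {6660, 6661, 6662, 6663, 6664, 6665, 6666, 6667, 6668, 6669, 6697, 7000}

# Constructed outbound connection log, one "src dst dport" record per line (sample data).
SAMPLE_LOG = """\
192.168.1.23 203.0.113.5 443
192.168.1.23 198.51.100.77 6667
192.168.1.23 198.51.100.77 6667
192.168.1.23 198.51.100.78 6667
192.168.1.10 203.0.113.9 25
192.168.1.42 203.0.113.5 80
192.168.1.42 198.51.100.200 7000
192.168.1.10 203.0.113.9 6667
"""

def parse_log(text):
    """Yield (src, dst, dport) tuples from the constructed log format."""
    for line in text.splitlines():
        src, dst, dport = line.split()
        yield src, dst, int(dport)

def egress_allowed(src, dport):
    """Apply the default-deny egress policy to one LAN-originated connection."""
    if ipaddress.ip_address(src) not in LAN:
        return True  # not from the LAN, so the egress policy does not apply
    return dport in ALLOWED_OUTBOUND_PORTS or dport in ALLOWED_PER_HOST.get(src, set())

def audit_egress(text, irc_threshold=2):
    """Return (blocked_flows, suspect_hosts): every flow the policy would drop, and the
    LAN hosts that tried an IRC port at least irc_threshold times (likely bot check-ins)."""
    blocked = []
    irc_attempts = Counter()
    for src, dst, dport in parse_log(text):
        if not egress_allowed(src, dport):
            blocked.append((src, dst, dport))
            if dport in IRC_PORTS:
                irc_attempts[src] += 1
    suspects = sorted(h for h, n in irc_attempts.items() if n >= irc_threshold)
    return blocked, suspects

if __name__ == "__main__":
    blocked, suspects = audit_egress(SAMPLE_LOG)
    print(f"{len(blocked)} flows blocked; hosts to check for bots: {suspects}")
```

Run against the sample log it reports 5 blocked flows and flags 192.168.1.23, which tried IRC three times; the single IRC attempt from the mail server is still blocked but stays below the threshold.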

If you are interested in learning more about bots, I found the following links posted to an email list I am a part of. It is a series of presentations from the folks over at Watchguard. Watchguard is not my first choice of security appliance, but there are many that are worse. The information in this series is a good high-level introduction to bots. Enjoy, and of course if you have questions you can ask me directly. I am glad to help you formulate a plan to protect your network for free. Yes, free! OK, enough with the shameless plug :) I will probably be posting more as I dive deeper into the realm of bots and botnets. Keep your eyes out!

Watchguard Botnet Series:

Part 1

Part 2

Part 3

Botnet Source Code for Overachievers
