

Cyber Security Awareness tip #22 Detecting and Avoiding Bots and Zombies

Published: 2007-10-21
Last Updated: 2007-10-22 16:28:17 UTC
by donald smith (Version: 2)

Today is the 22nd day of our Cyber Security Awareness month, which means we will be covering Detecting and Avoiding Bots and Zombies. If I had created the list I would have put this on the 31st in honor of Halloween.
One problem solving technique I like is divide and conquer.

So let us divide this task into two sections, one for detecting and one for avoiding Bots and Zombies.
Then let us break each of those down again into network based and host based methods.
Detection Network based:
How does one detect Zombies?
One way is to watch network traffic for unusual destinations, services, packet types, or packets per second.
Enterprise networks often have the ability to look at firewall, IDS and other logs for network anomalies.
Home users may not have, or may not know how to use, network devices that can look for anomalies. Purchasing a network detector or using currently available network based reporting tools would help many home users detect Zombies.

Running a nepenthes server (http://nepenthes.mwcollect.org/) listening on local subnet(s) is a great way of automating detection of infected hosts scanning local subnets for other vulnerable hosts. (Ned)
Similar to above, setting up and monitoring a darknet to identify spurious network traffic can help with early detection of infected hosts. (Ned)


I have written an IDS rule that looks for IRC nickname changes on non-standard ports. With a network of over 15,000 PCs worldwide, my true positive detection rate is over 90%.
alert tcp $HOME_NET any -> $EXTERNAL_NET !6666:7000 (msg:"CHAT IRC nick change on a non-standard port"; content:"NICK "; offset:0; nocase; classtype:policy-violation; sid:100001; rev:1;) (Brian)
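As an added example (not code from the diary or from any of the contributors), the script below runs two of the network based checks described above over a constructed set of connection records: the logic of Brian's rule (an IRC NICK command sent to a port outside 6666-7000, case-insensitive) and the scanning behaviour a nepenthes sensor or darknet would catch (one host contacting many neighbours on the same port). The flow tuples, IP addresses and thresholds are all made up for the example. One caveat on the rule: in Snort, offset:0 is the default start of the search and does not pin the match to the first byte of the payload; the anchored option below shows the effect of adding depth:5.

```python
import re
from collections import defaultdict

# Constructed sample connection records (src, dst, dport, first bytes of payload).
# Made up for this example; not data from the diary or from any real network.
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.7", 6667, "NICK bot1234\r\n"),      # IRC on a standard port: allowed
    ("10.0.0.5", "203.0.113.7", 8080, "nick z0mb13\r\n"),       # lower-case NICK, port 8080: flagged
    ("10.0.0.9", "203.0.113.8", 443, "GET / HTTP/1.1\r\n"),     # ordinary web traffic
    ("10.0.0.5", "192.0.2.99", 65000, "USER a 0 * :a\r\nNICK q\r\n"),  # NICK not at start of payload
] + [("10.0.0.12", "10.0.0.%d" % i, 445, "") for i in range(20, 45)]  # one host sweeps 25 neighbours on 445

IRC_STANDARD_PORTS = range(6666, 7001)          # the !6666:7000 port exclusion in the rule
NICK_RE = re.compile(r"NICK ", re.IGNORECASE)   # content:"NICK "; nocase;


def irc_nick_on_nonstandard_port(flows, anchored=False):
    """Flows whose payload carries an IRC NICK command to a port outside 6666-7000.

    anchored=False behaves like content + offset:0, which searches the whole payload
    (offset:0 is the default and does not pin the match to byte 0).
    anchored=True only matches payloads that begin with NICK, the effect of depth:5.
    """
    hits = []
    for src, dst, dport, payload in flows:
        if dport in IRC_STANDARD_PORTS:
            continue
        m = NICK_RE.search(payload)
        if m and (not anchored or m.start() == 0):
            hits.append((src, dst, dport))
    return hits


def scan_fan_out(flows, threshold=10):
    """(src, dport) pairs that contacted at least `threshold` distinct destinations.

    One internal host touching many neighbours on the same port is what a nepenthes
    sensor or darknet sees from an infected machine hunting for fresh victims.
    """
    targets = defaultdict(set)
    for src, dst, dport, _ in flows:
        targets[(src, dport)].add(dst)
    return {key: len(dsts) for key, dsts in targets.items() if len(dsts) >= threshold}


if __name__ == "__main__":
    for hit in irc_nick_on_nonstandard_port(SAMPLE_FLOWS):
        print("IRC nick change on non-standard port:", hit)
    for (src, dport), n in scan_fan_out(SAMPLE_FLOWS).items():
        print("possible scan: %s hit %d hosts on port %d" % (src, n, dport))
```

On the sample data the unanchored check flags two flows (the port 8080 nick and the port 65000 payload where NICK follows USER), the anchored check only the first, and the fan-out check reports the host that swept 25 neighbours on port 445.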

Gary wrote in to remind us of Bot-Hunter http://www.cyber-ta.org/BotHunter/
"BotHunterTM is a novel, dialog-correlation-based engine (patent-pending), which recognizes the communication patterns of malware-infected computers within your network perimeter."


3rd party reporting services:
Many enterprises have a 3rd party service that assists them in detecting Botnet members within their network.
Home users frequently do not have such resources or do not know they have access to those resources.
Most home users do not have static IP addresses; their IP address changes with some frequency. There are a number of services that will report your external IP address. Given the external IP address, a home user can go to the main Internet Storm Center page, type the address into the "port/ip lookup/search:" box and click GO.
This way home users can see if their address has been reported by any of the DShield users. They can also use a well known trusted Remote Black Listing service (RBL).

Detection Host based:
There are many great host based network detection tools. They all have the same basic flaw: once the system is compromised by an unknown, undetected exploit they can be disabled or circumvented.

Most enterprises monitor various host or application logs for significant system events.

Most home users do not. They either don’t know how or don’t have the tools.

Many bots/zombies contain built-in backdoor functionality. Netstat is a great tool for identifying unknown processes listening on external ports that shouldn't be. (Ned)

Avoiding Bots and Zombies:
Network based:
Block unknown or untrusted services and content.
Enterprises often do this by having an enforced network policy.
Most home users do not have a network policy or a method to enforce one.

Many/most bots spread through known vulnerabilities - ensure all software is fully patched (not just Windows Updates). (Ned)

One thing, which probably isn't addressed enough for the home users, is if they are running any type of software firewall, they should block IP ranges that are known as bad. I have used a software based firewall for years on my home network, and it is simple to add a range of IPs that I never visit or plan to visit any time soon. Also most home routers offer a basic firewall that they can master in a short period of time to perform IP address space and untrusted or risky port filtering. (Gary)


Human filtering:
Many bots or zombies are installed by the end user. Usually this occurs unknowingly, due to some social engineering trick. Being a bit paranoid or untrusting can significantly improve your odds of avoiding Bots and Zombies.

I am sure a lot of you have some great ideas on how to avoid or detect Zombies and Bots; please contribute your comments via the contact link at http://isc.sans.org/contact.html.
