More tips on detecting botnet infestation

IT Best Practices Alert By Linda Musthaler, Network World
August 19, 2009 03:10 PM ET
This week I reached out to Chris Poulin, the CSO at Q1 Labs, maker of the QRadar family of log management and security information and event management products. Poulin says that botnets are different from other security threats, but they are detectable because they exhibit "signature behavior."

"Botnets follow a cycle of behavior," Poulin says. "The start of the cycle is when the botnet is trying to find a weakness that will allow it to get into your network. This weakness, or exploit, is about a means to an end." 

Poulin says the exploit could be an unpatched system, a compromised Web site visited by an unsuspecting user, an infected USB drive, or any number of situations.

The second phase in the cycle begins when the exploit proves fruitful and the botnet gains a foothold on your network. The signature activity here is that the compromised PC -- the bot -- will contact the command and control (C&C) server of its herder to announce that it is ready to accept directions on what to do.

Phase three is when the bot performs some unwanted activity, such as sending out spam, stealing credentials or other sensitive data, or participating in a denial-of-service (DoS) attack. This activity is controlled by the herder and can change over time.

Poulin says intrusion-prevention systems (IPS) can be effective in phase one of the cycle. "An IPS tool looks for behavior that indicates a botnet is looking to get into a network and may be able to prevent that from happening," he says. Even with an IPS in place, networks can have vulnerabilities that allow the botnet malware to slip in. "SIEMs have an overall perspective of a network -- an overarching view of what is occurring and what has occurred." He adds that SIEMs are important tools to detect and correlate minute events that add up to something bigger, such as bot activity.

Just what kind of events might those be? IBM Internet Security Systems' (ISS) X-Force research team has seen its share of botnets, and it offers the following signs of a botnet infestation on your network.

The following signs are related to communication and payload:

* Look for unexpected IRC traffic from internal hosts. Many bots take their commands over IRC, and the traffic may run on a non-standard port rather than the usual IRC ports, so match on the protocol rather than on the port number alone.

* Watch for rapid connection attempts to multiple external hosts. This is typical of bots that use several C&C servers or that operate in peer-to-peer mode. Traffic whose protocol cannot be identified may also indicate an encrypted or custom communication protocol. Conficker used such a protocol, and ISS X-Force decoded the traffic to map Conficker infections around the world earlier this year.

* Rapid, multiple DNS queries for random-looking domain names may point to bots that use domain generation algorithms. Such techniques are used so that the host name or IP address of the C&C server is not hard-coded in the bot, which makes it harder to blacklist or to take down the C&C server. This was another Conficker "signature" behavior.

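The three communication signs above written as simple detection rules and run over a handful of log lines. This is an added example, not code from the article, from Q1 Labs or from ISS X-Force; the flow and DNS log formats, the sample records, the window size, the fan-out and query-count thresholds, the entropy cutoff and the assumption that a sensor labels each flow with a detected protocol (or "unknown") are all assumptions made for the illustration.

```python
"""Flag three botnet 'signature' behaviours in constructed log lines:
IRC from internal hosts (any port), fan-out to many external hosts over
unidentified protocols, and bursts of DNS queries for random-looking names."""
import math
from collections import Counter, defaultdict

# Constructed flow records (not real telemetry): "<ts> <src> <dst> <dport> <proto>".
# 'proto' is the service label a DPI-capable sensor would attach; 'unknown'
# means it could not identify the protocol (custom or encrypted C&C is one cause).
FLOW_LOG = """\
100 10.0.0.5 198.51.100.7 6667 irc
101 10.0.0.5 198.51.100.7 6667 irc
102 10.0.0.9 203.0.113.20 8080 irc
103 10.0.0.9 203.0.113.21 443 unknown
104 10.0.0.9 203.0.113.22 443 unknown
105 10.0.0.9 203.0.113.23 443 unknown
106 10.0.0.9 203.0.113.24 443 unknown
107 10.0.0.9 203.0.113.25 443 unknown
109 10.0.0.12 192.0.2.80 443 ssl
"""

# Constructed DNS query records: "<ts> <src> <qname>".
DNS_LOG = """\
100 10.0.0.9 qzkxwvrtbmyp.com
100 10.0.0.9 plmoknijbuhv.net
101 10.0.0.9 xswqazcderfv.org
101 10.0.0.9 mkolpiujnbhy.info
102 10.0.0.9 vgybhnujmikl.com
102 10.0.0.9 rfvtgbyhnujm.biz
103 10.0.0.12 www.example.com
104 10.0.0.12 mail.example.com
"""

STANDARD_IRC_PORTS = {6665, 6666, 6667, 6668, 6669, 6697}


def parse_flows(text):
    rows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, proto = line.split()
        rows.append({"ts": int(ts), "src": src, "dst": dst,
                     "dport": int(dport), "proto": proto})
    return rows


def parse_dns(text):
    return [dict(zip(("ts", "src", "qname"), (int(p[0]), p[1], p[2])))
            for p in (line.split() for line in text.strip().splitlines())]


def unexpected_irc(flows, approved_clients=frozenset()):
    """Sign 1: IRC from any internal host not approved to use it. Matching on
    the detected protocol catches IRC on non-standard ports, which the port
    number alone would miss. Returns sorted (src, dst, dport, nonstandard)."""
    hits = {(f["src"], f["dst"], f["dport"], f["dport"] not in STANDARD_IRC_PORTS)
            for f in flows if f["proto"] == "irc" and f["src"] not in approved_clients}
    return sorted(hits)


def fan_out(flows, window=10, min_distinct=5):
    """Sign 2: one source reaching many distinct hosts inside a fixed window
    (ts // window). Also counts flows the sensor could not identify.
    Returns {src: (distinct_dsts, unknown_protos)} for the worst window."""
    buckets = defaultdict(lambda: [set(), 0])
    for f in flows:
        b = buckets[(f["src"], f["ts"] // window)]
        b[0].add(f["dst"])
        b[1] += f["proto"] == "unknown"
    hits = {}
    for (src, _), (dsts, unknown) in buckets.items():
        if len(dsts) >= min_distinct and len(dsts) > hits.get(src, (0, 0))[0]:
            hits[src] = (len(dsts), unknown)
    return hits


def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_label(qname):
    # Simplistic: the label left of the TLD. Real code needs a public-suffix
    # list so that names under co.uk and similar are handled correctly.
    labels = qname.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def looks_random(label, min_len=10, min_entropy=3.0):
    # Long, high-entropy labels; dictionary words like "example" score lower.
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def dga_suspects(dns, window=10, min_random=5):
    """Sign 3: a burst of queries for random-looking labels from one source
    inside a fixed window. Returns {src: count} for the worst window."""
    counts = Counter((q["src"], q["ts"] // window) for q in dns
                     if looks_random(registered_label(q["qname"])))
    hits = {}
    for (src, _), n in counts.items():
        if n >= min_random and n > hits.get(src, 0):
            hits[src] = n
    return hits


def run():
    flows, dns = parse_flows(FLOW_LOG), parse_dns(DNS_LOG)
    return {"irc": unexpected_irc(flows), "fan_out": fan_out(flows),
            "dga": dga_suspects(dns)}


if __name__ == "__main__":
    for sign, result in run().items():
        print(sign, result)
```

On the sample data, 10.0.0.9 trips all three rules at once (IRC on port 8080, six distinct peers in one window with five unidentified flows, and six random-looking lookups), which is the kind of correlation across small events the article describes a SIEM doing; 10.0.0.5 trips only the IRC rule and drops out entirely once it is listed as an approved IRC client. Tune the window and threshold values to your own traffic before relying on them.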
Linda Musthaler is a principal analyst with Essential Solutions Corporation.