
Beating Botnets at Their Own Game

April 15, 2008
By Paul Korzeniowski


According to some estimates, bots infect millions of PCs -- this means lost productivity for smaller businesses. A new, automated program for detecting and disabling botnets holds promise for helping smaller businesses clean up infected computers without sucking up precious resources.


Some promising developments occurred recently in the security space. Georgia Tech researchers developed an automated program seemingly capable of detecting and disabling botnets. Though still far from widespread deployment, the work promises to help in the ongoing battle against malware.


Botnet refers to a collection of compromised computers (usually termed bots or zombie computers) running malware programs, such as worms, Trojans, or trapdoors, under a common command and control infrastructure. A botnet's originator, dubbed a botmaster, often controls the group remotely, usually through a means such as an HTTP link or Internet Relay Chat, a form of real-time chat or synchronous conferencing. With most owners oblivious to the infection, networks of hundreds, thousands, tens of thousands, hundreds of thousands, and -- in a few cases -- millions of computers have been used to launch spam e-mail campaigns, denial of service attacks, or online fraud schemes.

Botnets have become more of a problem because the profile of hackers has changed. No longer does the term denote a computer enthusiast who gets pleasure from knocking other individuals' systems offline; rather, because botnets generate money, organized crime has become a prime culprit. Stock pump-and-dump schemes lure unsuspecting users into buying stocks and then crooks sell them after the price rises. Also, zombies are used to capture personal information, such as credit card data, so criminals can perpetrate identity theft.


Because these programs run covertly, no one knows exactly how many computers are infected at any time. On the low end, estimates are that millions of PCs have been infected; on the high end, as many as one of every four computers connected to the Internet (more than 600 million now) has fallen victim. This problem has meant lost productivity for smaller businesses. When their systems are infected, response time slows, and their bandwidth requirements increase. Also, identifying and then cleaning up infected computers chews up time, money, and resources.

Georgia Tech's BotSniffer is a prototype system designed to detect and disable botnets. The system uses traffic analysis patterns to identify zombies: the software looks for unusual activity in command and control channels, which the botmasters use to relay instructions to infected hosts. These instructions typically come at specified intervals. Once these channels are detected and cut off, the botmaster no longer has control of his zombies. In effect, while malware botmasters are searching for new devices to add to their arsenal, BotSniffer will be looking for them and then helping to turn them off.
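One way to picture the interval-based detection described above, as an added example that is not BotSniffer's code: it parses constructed connection records (hypothetical hosts and names), scores how regular each host's reconnection gaps are, and reports destinations that several hosts poll in lockstep, which is the signature of a shared command and control channel.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample connection records, "<seconds> <source host> <destination>".
# Hypothetical hosts/names: three hosts poll cc.example every ~60 s, 10.0.0.20 browses normally.
SAMPLE_LOG = """\
0 10.0.0.11 cc.example
1 10.0.0.12 cc.example
2 10.0.0.13 cc.example
5 10.0.0.20 www.example
40 10.0.0.20 www.example
61 10.0.0.11 cc.example
61 10.0.0.12 cc.example
62 10.0.0.13 cc.example
90 10.0.0.14 cc.example
119 10.0.0.11 cc.example
121 10.0.0.12 cc.example
122 10.0.0.13 cc.example
140 10.0.0.20 www.example
"""

def parse_log(text):
    """Group connection timestamps by (source, destination) pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst = line.split()
        flows[(src, dst)].append(float(ts))
    return flows

def regularity(timestamps):
    """Coefficient of variation of the gaps between connections; near 0 means clockwork polling."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    return pstdev(gaps) / mean(gaps) if len(gaps) >= 2 else None

def find_beacons(flows, min_conn=3, max_cv=0.2):
    """(src, dst) pairs that reconnect at near-fixed intervals, mapped to their regularity score."""
    hits = {}
    for pair, times in flows.items():
        if len(times) >= min_conn:  # demonstration threshold; real traffic needs far more samples
            cv = regularity(sorted(times))
            if cv is not None and cv <= max_cv:
                hits[pair] = cv
    return hits

def correlate_groups(beacons, min_hosts=2):
    """Destinations that several hosts poll in lockstep: the command-and-control candidates."""
    by_dst = defaultdict(list)
    for src, dst in beacons:
        by_dst[dst].append(src)
    return {dst: sorted(srcs) for dst, srcs in by_dst.items() if len(srcs) >= min_hosts}
```

Running `correlate_groups(find_beacons(parse_log(SAMPLE_LOG)))` flags cc.example with the three polling hosts, while the irregular browsing host and the one-off connection are left alone.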

This network-based detection of botnets has potential. Programs such as BotSniffer are able to plug in to existing Intrusion Detection Systems and make it more difficult for botmasters to thrive. This approach may appeal to Internet Service Providers. They already analyze traffic for items such as illegal downloads, so listening for bots wouldn't seem to be a significant additional burden. Fighting botmasters at the entry point is more effective than trying to keep bots from spreading once they've entered the network.

In addition to trying to thwart bots at the entry point, desktop antivirus and security packages are becoming better able to lock out botnets by detecting and removing the malicious software that turns so many desktop computers into zombies.

These steps do promise to help smaller businesses. The emergence of BotSniffer and these other techniques will make it more difficult for hackers to enter enterprise networks and turn office PCs into zombies. It also may deter some from trying to ply their craft.

However, BotSniffer, even along with the other emerging approaches, will never be a silver bullet. Hackers will undoubtedly find ways to avoid detection. In fact, they may try to use some of the same methods that work with viruses. They can take steps, such as encrypting communications and randomizing behavior, that will make it tougher to analyze what is happening. While BotSniffer may help curtail the impact of botnets, networking technology is too complicated and too much money is at stake for them to disappear completely.


Paul Korzeniowski is a Sudbury, Mass.-based freelance writer who has been writing about networking issues for two decades. His work has appeared in Business 2.0, Entrepreneur, Investor's Business Daily, Newsweek, and InformationWeek.
