Big botnets and how to stop them

Here are the worst of the botnets, and ways you can try to stop them in their tracks

There are hundreds of botnets, ad hoc networks of Windows PCs that are infected with one or more programs to let them do the bidding of their controllers, some are far more trouble than others. While you can't afford to ignore any botnet threat, here are some of the worst of the worst.

"When it comes to Botnets, size does matter," said Scott Emo, head of endpoint solutions at Check Point, a network and endpoint security company. That's because "the larger the botnet network, the more "robot soldiers" the botnet operator has to do damage."

[ See also: The Botnet Business ]

You shouldn't get too wrapped up though in who's the baddest of the bad. Richard Wang, the manager for anti-virus company SophosLabs US commented that, Sophos "tracks botnet activity based on spam that we see, sites that malware calls back to for updates and instructions, and known malware repositories. However, we do not track individual botnets as such."

Wang continued, "Take for example the Zeus (aka Zbot) botnets. While many report that Zeus is a significant threat, they fail to explain that it is not a single botnet. Instead it is a toolkit allowing individual criminals to set up similar but separate botnets of their own. Concern about the top 5 botnets is like worrying only about crime caused by the FBI's most wanted. While they are undoubtedly serious, the chances are that if you are attacked it will be by some much smaller fry."

It's also hard just to pin down a list of baddies as Timothy Armstrong, anti-virus researcher, for anti-virus firm Kaspersky Lab pointed out, "It is hard to measure which five are currently the worst."

Armstrong continued, "While we have a botnet like Conficker (also known as Kido by Kaspersky) that is very wide spread, it has a lot of potential to do damage but has not done anything significant yet, as compared to other botnets of smaller size. Due to the work of the Conficker working group, this botnet has been all but abandoned. Zeus is currently a very large threat, as the malware is found in a large portion of malicious mail attachments."

He added, "There is not one particular botnet for Zeus. Recent versions are sold for big bucks while older versions may be found for free. Every cyber criminal using it configures it uniquely - thus creating many unique Zeus botnets.

Certainly we must also mention Koobface, which began as a Facebook-specific botnet but has grown to include Twitter, MySpace and other social networks in its attack vectors. Kaspersky estimates that there are around half a million Koobface clients active on any given day, though due to varied networking infrastructures, it is hard to pin down an exact number. Beyond these three results vary greatly.

Finally, Armstrong said, "We have such threats as TDSS, which is a rootkit and is updated very frequently, as well as Gumblar which steals FTP credentials, and is unique in how it self-propagates through layers of servers. Rustock should also be mentioned as its latest update provides the use of TLS (Transparent layer security) encryption for use in hiding its spam activities."

That said, according to Derek Manky, Fortinet's cyber security and threat research project manager, the big, bad five of botnets are:

  • Pushdo/Cutwail: Pushdo itself is a "Loader", meaning it just downloads other components to install on a system. The business model here is that, Pushdo can be customized for clients to install specific malware -- they can charge on a per-install basis. Typically this is charged by the 1,000s of installs and the rates will vary depending on the geographic location the malware is installed. Pushdo will typically always download Cutwail, an e-mail spamming engine and Webwail, a web-based spamming engine that we discovered in December 2009. Pushdo uses Cutwail to spam copies of itself, thus growing its botnet - and can also rent out a spamming service through Cutwail.
  • Bredolab: Much like Pushdo, Bredolab is a Loader that is very prevalent -- it has broken recent detection records for us because it is so successful in spreading. Instead of spamming, Bredolab is focused on downloading "Scareware," fake anti-virus programs, and "Ransomware" products. Its main business model is to infect many systems with these products, hope that the victims will purchase the Scareware/Ransomware product and then reap commission profits.
  • Zeus: Zeus is sold as a crimeware kit, meaning that it is not just one large botnet but rather many individual botnets. Any individual can utilize this kit to create his/her own botnet, and it is vastly popular. We have so many detections for Zeus variants, because there are many of them configured out there in cyber space to use different Command and Control servers. Zeus is commonly configured to steal information (keylog) such as banking credentials and report back to its attacker.
  • Waledac: Waledac, like Cutwail, can also spam using customized templates it downloads -- thus launching spam campaigns at any point in time. Since it's template based, Waledac can also charge for a spamming service. Unlike Pushdo/Bredolab, Waledac operates on a peer to peer network making it more difficult to take down the botnet. It can also load malicious software, and proxy HTTP content to host malicious websites through its botnet.
  • Conficker: This guy probably doesn't need much introduction. While old, Conficker has never really activated to cause significant damage. However, it doesn't mean the threat has gone away-- it still remains very active, and frequently tops our monthly charts for malicious network traffic.
Breaking the botnets

Anyway you look at it though, there are a lot of automated enemies out there ready and waiting to take your Windows PC and turn it into a slave for criminals. So, what can you do about it?

Well, for starters, you could get rid of Windows on your desktops. There are no botnets worth noting on Linux or Mac OS X. It's a Windows problem. And, adding insult to injury, even if you do all the usual right things to block malware: immediately apply Windows and applications updates, keep your anti-virus programs up to date, and so on, there's still no guarantee that your Windows system will be safe.

OK, so what else can you do if you stick with Windows?

Manky highly recommends having nothing to do with files from outside your company or home unless you know that they're from a trusted source. He said, "Beware of poisoned documents: PDF, XLS and DOC files are routinely exploited to drop botnet binaries."

Adobe PDFs, in particular, are being abused by both botnet users and more run of the mill malware authors. Worst still, few people seem to be updating their PDF readers even as more and more attacks using PDFs appear. While updating your software isn't any guarantee of safety, not updating it does guarantee that your chances of getting into trouble have increased.

Bradley Anstis, VP of Technology Strategy for M86 Security, a network security stated that, "It's been proven that one of the biggest first steps organizations can take to secure their company PCs is by stripping users of administrator access. We see a lot of malware installs happening on systems that are unpatched and users running out-of-date and vulnerable browsers, such as Internet Explorer. A step that all users can take is to use a browser that allows for white-listing of JavaScript. The Firefox add-on, NoScript helps to achieve this and can help to secure your system from malicious JavaScript."

Of course, the downside of NoScript and similar programs is that many Websites rely on JavaScript to display properly. Setting it to let the right Web pages show with JavaScript can be time consuming. And, there's always the problem that ad sites, which can display ads on any page, have been known to have been infected with poisoned JavaScript scripts. This means that even a trusted web page may turn out to have a source for infection.

Still, as Wang said, "In a business setting the addition of Web filtering can go a long way towards keeping bots away from your PCs. The Web is the principal means of distribution for malicious software so blocking access to known sources of malware and scanning content from everywhere else is a must for any security setup."

A good firewall can also help. While a firewall won't stop a botnet infection per se, it can block the network ports used by botnet controllers to point and shot the botnet software.

Unfortunately, while botnets used to use such relatively obscure ports as IRC's (Internet Relay Chat) TCP 6660-6669, which were easy to block. "Now," as Manky noted, "they have evolved to use common ports such as HTTP (80) and HTTPS (443) but with common protocols, that are encrypted with their own algorithms to evade detection. Peer-to-peer networks have also been established to make the botnet more bullet-proof to take down."

What it all boils down to is that there's no easy way to stop botnets. All you can do is practice all the usual PC security steps, keep your firewall guard up, and keep a close eye on your network traffic logs for any unusual activity. And, realize that even that may not be enough and you may have to eventually repair your Windows systems if you discover that your friendly PC is now under the control of an enemy.

Good luck. We all need it.

Copyright © 2010 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon