The term “bot” refers to a computer that is no longer under the complete control of the computer’s owner and is instead being controlled remotely by a botnet operator. When a botnet operator gains control over multiple computers, this network of computers is referred to as a botnet. In addition to maintaining and expanding the botnet, bots are usually used for the following malicious purposes:

  • Data theft
  • Click fraud
  • Sending spam
  • Distributed Denial of Service (DDoS) attacks

Computers in a corporate network that become part of a botnet pose enormous risks for the company concerned. Firstly, they can be used to steal data from the company. Secondly, there is a risk of reputational damage if company computers are used for click fraud, DDoS attacks or spamming.

The main routes of infection for transforming a company computer into a bot are:

  • Malicious code received by email
  • Exploiting vulnerabilities

The malicious code received in the email works in the same way as conventional viruses and trojans. In most cases, vulnerabilities are also exploited using social engineering methods to target employees with emails that divert them to a specially crafted website. When accessing the website, a vulnerability – particularly in web browsers or their extensions (Java, Flash, Acrobat Reader, etc.) – is exploited and the malicious code is executed, thus transforming the company computer into a bot and enabling the botnet operator to control it. These “drive-by infection” methods, as well as malicious code embedded in emails, increasingly use “zero-day exploits” to take advantage of security holes for which no patches are yet available. Consequently, companies are often unable to effectively protect themselves from the infection of single computers.

Once the computer is infected, it contacts the botnet operator via a command and control server (C&C server). The real hazard of botnets is communication between the bot and botnet operator, which is what makes bots different from conventional malware. Firstly, the communication can be used to open a doorway to the affected company, thereby circumventing all perimeter defense measures – the intruder is essentially inside the internal network. Secondly, the communication enables the botnet operator to assign tasks and add new functions to the bot at any time and to modify malicious code in order to evade detection by antivirus software.

Internet Relay Chat (IRC) was initially used to facilitate communication between the bot and C&C server, as it is ideal for controlling many remote computers simultaneously. However, because IRC is blocked at the perimeter by nearly all company networks, IRC-controlled botnets do not pose a great risk for companies. In addition to other methods, communications between the bot and C&C server are now usually concealed in protocols like HTTP/HTTPS or DNS. Because such communication is difficult to differentiate from employees’ normal browsing behavior, HTTP/HTTPS-controlled botnets like Zeus or DNS-controlled botnets like Paleve are a major risk for companies.

In summary, it can be assumed that, given the increased use of “zero-day exploits”, the infection of a company computer cannot always be prevented. Relying on antivirus software to detect bots is highly problematic, because this reactive method is often unable to keep up with the updates performed by the botnet operator. Ensuring protection by means of conventional perimeter defense measures is nearly impossible, because the bot is located inside the internal network, and the same communication channels that are required for smooth company operations can also be used for communications between the bot and C&C server.

What can you do to detect bots in your company network and minimize the threat they pose?

SecuInfra has developed various techniques that enable our customers to discover bots in their company networks and take appropriate countermeasures.

The techniques we have developed are based on the following three pillars:

  • Detecting the infection
  • Detecting communications between the bot and the C&C server
  • Detecting the bot by how it behaves when performing its tasks

To detect infections, we utilize the notifications from antivirus software and IDS/IPS systems. Although these primarily signature-based and reactive techniques have their problems, they still help to gain an overall picture of the situation.

To detect communication with C&C servers, we look for the following anomalies (among others):

  • Internal systems making unusual attempts to communicate over the Internet
  • Communication with known C&C servers
  • Unusual HTTP/HTTPS and DNS communication behavior
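
As an illustration of the last two checks, the following added example (not SecuInfra's own code) flags internal hosts that contact a listed C&C server or that call the same destination at machine-like regular intervals. The log format, the host names, the blocklist entry and the thresholds are assumptions made for this sketch.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Hypothetical threat-intelligence list; a real deployment loads it from a feed.
KNOWN_C2 = {"c2.example.invalid"}

# Constructed proxy log: "<ISO timestamp> <internal source IP> <destination host>"
SAMPLE_LOG = """\
2024-01-10T09:00:00 10.0.0.5 cdn.example.org
2024-01-10T09:05:01 10.0.0.5 cdn.example.org
2024-01-10T09:10:00 10.0.0.5 cdn.example.org
2024-01-10T09:14:59 10.0.0.5 cdn.example.org
2024-01-10T09:20:02 10.0.0.5 cdn.example.org
2024-01-10T09:25:00 10.0.0.5 cdn.example.org
2024-01-10T09:00:10 10.0.0.7 news.example.com
2024-01-10T09:00:40 10.0.0.7 news.example.com
2024-01-10T09:07:15 10.0.0.7 news.example.com
2024-01-10T09:30:00 10.0.0.7 news.example.com
2024-01-10T09:31:05 10.0.0.7 news.example.com
2024-01-10T10:15:00 10.0.0.7 news.example.com
2024-01-10T09:12:00 10.0.0.9 c2.example.invalid
"""

def find_c2_indicators(log, min_requests=5, max_cv=0.1):
    """Return {(source, destination): reason} for blocklist hits and beacon-like timing."""
    times = defaultdict(list)
    for line in log.splitlines():
        if line.strip():
            ts, src, dst = line.split()
            times[(src, dst)].append(datetime.fromisoformat(ts))
    findings = {}
    for (src, dst), stamps in times.items():
        if dst in KNOWN_C2:
            findings[(src, dst)] = "known C&C server"
            continue
        if len(stamps) < min_requests:
            continue  # too few requests to judge timing
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Coefficient of variation near 0 means regular, timer-driven check-ins;
        # human browsing produces widely scattered gaps.
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            findings[(src, dst)] = f"beaconing every ~{avg:.0f}s"
    return findings

if __name__ == "__main__":
    print(find_c2_indicators(SAMPLE_LOG))
```

Bots that randomize their check-in interval need a larger `max_cv` or a longer observation period, which also raises the number of false positives from legitimate update clients.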

To detect bot behavior while it completes its task, we look for the following anomalies, for example:

  • Executing commands to collect information
  • Network scans and port scans originating from internal systems
  • Internal systems attempting to access sensitive resources
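
The scan check can be expressed as a sliding-window count over firewall connection events. This is an added example, not SecuInfra's own code; the event tuple layout, the internal address range, the window and the threshold are assumptions made for this sketch.

```python
import ipaddress
from collections import defaultdict, deque

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address range

def build_sample_events():
    """Constructed events: (epoch_seconds, source, destination, destination_port)."""
    events = [(1000 + i, "10.0.1.20", "10.0.2.10", port)        # many ports, one host
              for i, port in enumerate(range(20, 45))]
    events += [(2000 + i, "10.0.1.30", f"10.0.3.{i + 1}", 445)  # one port, many hosts
               for i in range(25)]
    events += [(1000 + 600 * i, "10.0.1.40", "10.0.2.10", 443)  # normal repeated use
               for i in range(30)]
    return sorted(events)  # the detector expects events in time order

def detect_scans(events, window=60, threshold=20):
    """Return {source: kind} for internal sources that contact at least
    `threshold` distinct (destination, port) targets within `window` seconds."""
    recent = defaultdict(deque)  # source -> events still inside the window
    findings = {}
    for ts, src, dst, port in events:
        if ipaddress.ip_address(src) not in INTERNAL or src in findings:
            continue
        q = recent[src]
        q.append((ts, dst, port))
        while q and ts - q[0][0] > window:
            q.popleft()  # drop events that fell out of the window
        targets = {(d, p) for _, d, p in q}
        if len(targets) >= threshold:
            hosts = {d for d, _ in targets}
            ports = {p for _, p in targets}
            findings[src] = "port scan" if len(ports) >= len(hosts) else "network sweep"
    return findings

if __name__ == "__main__":
    print(detect_scans(build_sample_events()))
```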

The information gathered using these and other techniques is documented in a central security information and event management (SIEM) system, before being correlated and consolidated to create a general picture. This comprehensive approach makes it possible for our customers to discover bots in their companies and minimize the risks they pose.
