Botnet Troubleshooting and Guidelines

Posted: May 14th, 2018

What is a Botnet?

A botnet is a group of computers (bots) communicating through the Internet to complete common tasks and objectives. Computers that are members of a botnet usually communicate through a centralized computer that acts as a command and control (C&C) server for the botnet members. The C&C provides instructions that the botnet member computers carry out. These instructions might be something as simple as gathering data, or carrying out some kind of attack. Another term for a computer that is a member of a botnet is a “zombie”.

 

Recruitment

A computer becomes a member of a botnet by executing infected software, either run by a local user (for example through a drive-by download on the web) or planted by a remote attacker exploiting vulnerabilities in the operating system or the services the computer provides. Once the computer is infected, communication with the botnet’s command and control is established, and the infection either removes itself or remains active to maintain the botnet membership.

 

 

Common Uses for a Botnet

 

    > In distributed denial-of-service attacks, multiple systems submit as many requests as possible to a single Internet computer or service, overloading it and preventing it from servicing legitimate requests. An example is an attack on a victim's phone number. The victim is bombarded with phone calls by the bots, attempting to connect to the Internet.

 

    > Adware advertises a commercial offering actively and without the user's permission or awareness, for example by replacing banner ads on web pages with those of another advertiser.

 

    > Spyware is software which sends information to its creators about a user's activities – typically passwords, credit card numbers and other information that can be sold on the black market. Compromised machines that are located within a corporate network can be worth more to the bot herder, as they can often gain access to confidential corporate information. Several targeted attacks on large corporations aimed to steal sensitive information, such as the Aurora botnet.

 

    > E-mail spam consists of e-mail messages disguised as messages from people, but which are actually advertising, annoying or malicious.

 

    > Click fraud occurs when the user's computer visits websites without the user's awareness to create false web traffic for personal or commercial gain.

 

    > Fast flux is a DNS technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies.

 

    > Brute-forcing services on remote machines, such as FTP, SMTP and SSH.

 

    > Worms - The botnet focuses on recruiting other hosts.

 

    > Scareware is software that is marketed by creating fear in users. Once installed, it can install malware and recruit the host into a botnet. For example, users can be induced to buy a rogue anti-virus to regain access to their computer.

 

    > Exploiting systems by observing users playing online games such as poker, in order to see the players' cards.

 

Symptoms of Botnet Activity

 

Botnet detection can be difficult because quite often the virus or malware that established the botnet on the computer is no longer active and has no influence on the botnet’s operation.  Some common signs that a computer is part of a botnet are:

 

    > IRC related network traffic (bots use this to communicate)

 

    > Connection attempts to known botnet C&C servers

 

    > Multiple computers making identical DNS queries

 

    > High outbound SMTP traffic (computer is connecting to SMTP servers)

 

    > Unexpected and unrelated popups (resulting in click fraud)

 

    > Slow computing or high CPU utilization

 

    > Spikes in traffic on certain TCP ports including but not limited to 6665-6667, 25 or 1080

 

    > Messages on social media or instant message systems that were not sent by the computer user

 

    > Problems with internet connectivity

 

In some cases, you could use our Outbound Hostile Traffic guide to identify suspicious processes running on your server.
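Several of the symptoms above are visible in network logs and can be checked automatically. The following Python script is an added example, not part of this guide or of any tool it mentions: it parses a small constructed flow log and flags hosts that connect to the IRC (6665-6667) and SOCKS (1080) ports listed above, that open an unusually high number of outbound SMTP (port 25) connections, or that issue an identical DNS query shared with several other hosts. The log format, the sample data and the thresholds are assumptions made for this example.

```python
from collections import Counter, defaultdict

# Ports the guide lists as suspicious: IRC 6665-6667, SMTP 25, SOCKS proxy 1080
SUSPECT_PORTS = {25: "smtp", 1080: "socks", 6665: "irc", 6666: "irc", 6667: "irc"}
SMTP_THRESHOLD = 20       # outbound SMTP connections per host before flagging (assumed)
SHARED_DNS_MIN_HOSTS = 3  # identical query seen from this many hosts before flagging (assumed)

# Constructed sample flow log, one record per line: ts src dst dst_port [dns=name]
SAMPLE_FLOWS = "\n".join(
    ["# constructed sample data"]
    + ["2018-05-14T10:00 10.0.0.5 203.0.113.9 25"] * 25              # SMTP burst
    + ["2018-05-14T10:01 10.0.0.7 198.51.100.4 6667"]                # IRC connection
    + ["2018-05-14T10:02 10.0.0.%d 10.0.0.1 53 dns=update.example.invalid" % i
       for i in (5, 7, 9)]                                            # same query, 3 hosts
    + ["2018-05-14T10:03 10.0.0.8 10.0.0.1 53 dns=www.example.com"]  # ordinary lookup
)

def parse_flows(text):
    """Parse the whitespace-separated flow format above; skips blank and '#' lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        rec = {"src": parts[1], "dst": parts[2], "port": int(parts[3]), "dns": None}
        for extra in parts[4:]:
            if extra.startswith("dns="):
                rec["dns"] = extra[4:]
        flows.append(rec)
    return flows

def find_symptoms(flows):
    """Return {host: sorted list of symptom tags} for every host matching a heuristic."""
    findings, smtp, dns_hosts = defaultdict(set), Counter(), defaultdict(set)
    for f in flows:
        kind = SUSPECT_PORTS.get(f["port"])
        if kind in ("irc", "socks"):
            findings[f["src"]].add(kind + "-traffic")      # any hit on these ports is flagged
        elif kind == "smtp":
            smtp[f["src"]] += 1                             # SMTP is only flagged in volume
        if f["dns"]:
            dns_hosts[f["dns"]].add(f["src"])
    for host, n in smtp.items():
        if n >= SMTP_THRESHOLD:
            findings[host].add("high-outbound-smtp")
    for name, hosts in dns_hosts.items():
        if len(hosts) >= SHARED_DNS_MIN_HOSTS:
            for h in hosts:
                findings[h].add("shared-dns-query:" + name)
    return {h: sorted(s) for h, s in findings.items()}
```

Run it as `find_symptoms(parse_flows(SAMPLE_FLOWS))`; on real data, point `parse_flows` at your own flow export and tune the thresholds against the traffic baseline described in the prevention section.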

 

Preventing Botnet Activity

 

Because botnet activity is usually established through malware, most prevention methods revolve around preventing infections and exploits.

 

    > Network baseline: Know what kind of Internet traffic your computer/server usually utilizes

 

    > Software patches: Keep your operating system, utilities and applications up to date.  This includes web server applications such as Content Management Systems.

 

    > Good practices: Users should refrain from executing or installing unknown software as well as not opening emails, attachments or clicking links from unknown sources.

 

    > Anti-botnet tools: Anti-botnet tools detect and block bot malware before an infection occurs. Most programs also offer features such as scanning for existing bot infections and botnet removal. Firewalls and antivirus software typically include basic tools for botnet detection, prevention and removal. Experienced users can use tools like network sniffers, rootkit detection packages, Network Intrusion Detection Systems (NIDS) and specialized anti-bot programs for more sophisticated botnet prevention, or for detection and removal if needed.

 

Examples of known botnets

 

> Zeus and its variants Citadel, Game Over Zeus, or KINS.

We invite you to read our Guide to Zeus Infections for more information.

 

> Conficker also known as Downup, Downadup or Kido

 

> Tinba (Tinybanker)

 

> Upatre/Dyre

 

> Ramnit

 

> Torpig

 

> Sality

 

> Glupteba

 

> Cutwail/Pushdo

 

> Beebone