Computeruser.com

Are you aware of Botnets on your Network?

For many organizations the threat of a botnet operating within their organization is indistinguishable from any kind of malware that has the ability to propagate from one host to another. Unfortunately that lack of understanding can have disastrous consequences for the business.

While the technical line of differentiation between a self-propagating worm and a semi-autonomous bot agent is somewhat blurred, the difference between the two threats lies in the modus operandi of the people behind the attack. Self-propagating worms are noisy and can cause immediate damage to the network – as evidenced by inoperable infected hosts and the spewing of unwanted network traffic – but they have predictable infection patterns and are often easy to combat once you know what you’re looking for. Their creators are normally looking to cause some kind of damage or to get an immediate return on their ‘investment’, whether that is media attention or acting as an infection vector for botnet incorporation.

The malware typically used for building botnets tends to borrow many of its capabilities from top-of-the-line worm technology (including semi-autonomous propagation techniques and pre-programmed logic), but its ability to link in with a centralized command and control (C&C) channel and provide an updatable delivery platform for an assortment of criminal money-making enterprises is several evolutions beyond any other malware threat.

The fact that bot agents can poll a central C&C channel and receive updated operating instructions means that they can rapidly adapt to the specifics of the networked environment they find themselves within. Add to that the fact that they can also receive code updates to the agent itself – gaining entirely new tools and abilities – and the agents originally observed entering the network can morph into an entirely different entity overnight (consequently requiring different detection and remediation strategies). On top of all that, while bot agents almost always have the ability to be scripted, they can also be controlled remotely and interactively by the botnet herder who manages their C&C.

All these capabilities escalate the threat to infected networks and make it much more difficult to eradicate the problem. For example, individual bot agents may inventory the infected host – retrieving user authentication details and other configuration information – and export those stolen credentials to the bot herder. Should an individual bot agent be discovered within the enterprise network and be removed, other (non-remediated) bot agents can be used to re-infect the host – even after the host has been rebuilt and patched – by reusing the previously stolen user credentials. The net result is a botnet infection that has to be dealt with en masse, rather than as a series of one-off removals.

This remediation process is further complicated by frequent code updates to the bot agent. Much advanced non-bot malware contains its own morphing code and uses this capability to alter its structural makeup to defeat signature-based detection systems as it self-propagates within a network.

In many cases, the code that such malware uses to create future iterations of itself can be used to identify its progeny. In the case of bot agents, since the code updates are instigated from a remote source and the morphing tools are also remote, it is much more difficult to identify infected hosts and their progeny.

As new malware updates are applied to the infected host, its detection signatures and traffic fingerprints also change – making it increasingly difficult to use enterprise-wide automated removal scripts and tools. One strategy for countering this update threat is to block the C&C communications to the infected hosts before the remediation process starts.
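Spotting the regular C&C polling described above in outbound connection logs, and turning the result into a block list to apply before remediation, as an added example that is not part of the original article; the log lines, hosts and the iptables-style rule format are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of outbound firewall log lines (not from the article):
# timestamp, source host, destination host, destination port
SAMPLE_LOG = """\
2024-03-01T10:00:00 10.0.1.15 198.51.100.7 443
2024-03-01T10:00:04 10.0.1.15 203.0.113.20 443
2024-03-01T10:05:00 10.0.1.15 198.51.100.7 443
2024-03-01T10:07:31 10.0.1.15 203.0.113.44 80
2024-03-01T10:10:01 10.0.1.15 198.51.100.7 443
2024-03-01T10:15:00 10.0.1.15 198.51.100.7 443
2024-03-01T10:20:00 10.0.1.15 198.51.100.7 443
2024-03-01T10:25:00 10.0.1.22 198.51.100.7 443
2024-03-01T10:20:15 10.0.1.15 203.0.113.20 443
2024-03-01T10:21:09 10.0.1.15 203.0.113.20 443
2024-03-01T10:24:55 10.0.1.15 203.0.113.20 443
"""

def parse_log(text):
    """Yield (timestamp, src, dst, port) tuples from the whitespace-separated log."""
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, port = line.split()
            yield datetime.fromisoformat(ts), src, dst, int(port)

def find_beacons(text, min_hits=4, max_jitter=0.1):
    """Return {(src, dst, port): mean_interval_seconds} for connection pairs whose
    inter-connection intervals are regular enough to look like automated C&C polling.
    Ordinary browsing to the same host (bursty, uneven gaps) is not flagged."""
    events = defaultdict(list)
    for ts, src, dst, port in parse_log(text):
        events[(src, dst, port)].append(ts)
    beacons = {}
    for key, stamps in events.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # coefficient of variation: low value = evenly spaced = likely scheduled polling
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = avg
    return beacons

def block_rules(beacons):
    """Render egress-block rules (iptables-style, illustrative) for each flagged pair."""
    return [f"iptables -A OUTPUT -s {src} -d {dst} -p tcp --dport {port} -j DROP"
            for (src, dst, port) in sorted(beacons)]
```

Apply the resulting rules at the egress boundary, then confirm the flagged host no longer reaches the destination before starting cleanup; the thresholds are tuning knobs, not fixed values.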
