Will we ever beat Botnet?
By: Serafin Sanchez 3/10/08
Maybe. A few weeks ago, Georgia Tech unveiled BotSniffer, a prototype system designed to detect and disable botnets. Using traffic analysis, BotSniffer tries to identify botnet members by looking for their command and control channels. Apparently the BotSniffer detector has been built as an independent plug-in for the popular open source intrusion detection system Snort. With a host system as widely used as Snort, there is a good chance of such a system eventually making it into the real world.
Georgia Tech suggests that botnets' command and control mechanism may be their Achilles' heel. These command and control channels are used by botmasters to relay instructions to the infected hosts. Instructions are either delivered 'live' via IRC channels or via HTTP, where the bot connects at pre-specified intervals and collects instructions from a Web server. If these channels of communication are detected and cut off, the botmaster no longer has control of his zombies. There are normally multiple bots on a network, so thorough analysis of traffic or host activity can pick out shared behavioral traits and detect bot-like activity.
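The group-correlation idea described above, as an added example that is not BotSniffer's or Georgia Tech's code: it scans constructed flow records for hosts that poll the same server at a fixed interval (the HTTP polling pattern the post mentions) and reports only destinations that several internal hosts beacon to. The addresses, timestamps and the 10% variation threshold are assumptions chosen for the illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records (not real traffic): (timestamp_sec, src_host, dst_host, dst_port)
FLOWS = [
    # host A polls the same web server roughly every 300 s
    (0, "10.0.0.5", "203.0.113.9", 80), (300, "10.0.0.5", "203.0.113.9", 80),
    (602, "10.0.0.5", "203.0.113.9", 80), (899, "10.0.0.5", "203.0.113.9", 80),
    (1201, "10.0.0.5", "203.0.113.9", 80),
    # host B polls the same server on a similar cadence
    (40, "10.0.0.7", "203.0.113.9", 80), (342, "10.0.0.7", "203.0.113.9", 80),
    (638, "10.0.0.7", "203.0.113.9", 80), (941, "10.0.0.7", "203.0.113.9", 80),
    (1240, "10.0.0.7", "203.0.113.9", 80),
    # host C browses a normal site at irregular, human-like intervals
    (5, "10.0.0.9", "198.51.100.4", 80), (17, "10.0.0.9", "198.51.100.4", 80),
    (250, "10.0.0.9", "198.51.100.4", 80), (260, "10.0.0.9", "198.51.100.4", 80),
    (1100, "10.0.0.9", "198.51.100.4", 80),
]

def beacon_score(timestamps):
    """Coefficient of variation of inter-arrival times; near 0 means a fixed polling interval."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 3:
        return None  # too few samples to judge periodicity
    return pstdev(gaps) / mean(gaps)

def find_cc_candidates(flows, max_cv=0.1, min_hosts=2):
    """Return {(dst, port): [hosts]} for servers that at least min_hosts internal hosts beacon to."""
    by_pair = defaultdict(list)
    for t, src, dst, port in flows:
        by_pair[(src, dst, port)].append(t)
    periodic = defaultdict(list)
    for (src, dst, port), ts in by_pair.items():
        cv = beacon_score(ts)
        if cv is not None and cv <= max_cv:  # assumed threshold: gaps vary by <= 10%
            periodic[(dst, port)].append(src)
    # a single periodic client could be a legitimate updater; several together is the bot-like trait
    return {k: sorted(v) for k, v in periodic.items() if len(v) >= min_hosts}

if __name__ == "__main__":
    for (dst, port), hosts in find_cc_candidates(FLOWS).items():
        print(f"possible C&C {dst}:{port} polled by {', '.join(hosts)}")
```

On the constructed data only the server polled by both 10.0.0.5 and 10.0.0.7 is reported; the irregular browsing host is ignored.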
BotSniffer is not the only attempt to stamp out what has quickly become one of the Internet's biggest problems. Desktop antivirus and security packages from all of the big-brand security vendors are incorporating features aimed at locking out botnets by detecting and removing the malicious software that turns so many desktop computers into zombies. This highlights an important point: if botnets are to be beaten, the problem has to be attacked from several different angles. ISPs trying to detect command and control channels will most likely never have complete success. Once ISPs or network administrators start to detect and isolate infected hosts, bots will undoubtedly find ways to avoid detection, just as viruses do. They can encrypt communications, randomize behaviors, and so on. The analysis will get smarter, but it becomes a game of catch-up. If botnets are also losing hosts due to improved desktop protection, then they come under pressure on several fronts and will find it hard to grow.
Network-based detection of botnets seems like a very good idea, and with programs like BotSniffer able to plug into existing Intrusion Detection Systems, we could well see the tables turn on botmasters. I could see this type of traffic analysis being very effective at an ISP level: they already analyze traffic for illegal downloads.
Do you currently take any measures to detect or block unwanted and potentially dangerous network traffic? Bots, or even P2P and other rogue applications, can have a massive impact on network security and performance. If you do, I'd be interested to know what techniques you use; leave a comment and share your experience.