National Webcast Initiative
Invasion of the “Bots”
You Could Be A “Zombie” and Don’t Know It!!
Wednesday, May 18, 2005
Question and Answer Transcript
Question: Would a typical infected machine have IRC ports
open/listening?
Answer: It depends on the role of the machine. If the
machine is a botnet server, then yes, it will be listening on open ports.
If the machine is a bot or zombie, it will try to connect to the IRC
server but will not be listening on IRC ports.
Question: Does anti-virus software check for
bots?
Answer: Yes, it will check for known bot software,
but it is easy to create new variants that will bypass the antivirus
software.
Question: Once the bot worm software is deconstructed,
and the IRC server is identified, doesn't it become fairly easy to either
get the cooperation of the IRC administrator, or shut down the IRC server?
Answer: Yes, in most cases, the administrator
will agree to take down the malicious machine.
Question: Do all botnet commands come through
IRC (e.g. can we stop the botmaster at our perimeter by blocking all IRC
at our perimeter firewall?)
Answer: Yes, all commands run on IRC; however,
they can choose any port that they want to communicate over, including
port 80. The big question is how can you definitively identify the traffic
as IRC? If you can analyze traffic anomalies, then it is possible to
block non-HTTP traffic; however, this is not normal business practice
currently except for high-end enterprises.
Question: Are there valid uses for bots?
Answer: Yes, bots are used by search engines
for indexing “www” pages among other uses.
Question: What steps can you take to detect
if you've been infected?
Answer: Please refer to the botnet paper released
in conjunction with the MS-ISAC and USCERT at http://www.msisac.org/webcasts/05_05/index.htm
Question: What is the easiest way to check
and see if your computer has been taken over by a bot?
Answer: You should see illegitimate traffic
outbound. In addition, your computer/network may slow down.
Question: I bought a new computer with dial-up
connections. The Windows updates are over 12MB, therefore, I can't download
it. What can I do? The same applies to auto-update.
Answer: Contact Microsoft and request to have
a CD with the updates sent to you.
Question: How do you define broadband?
Answer: Broadband describes a network connection
that has enough capacity to carry a large amount of traffic, such as
high-speed Internet traffic. In addition, for a definition of other terms
used throughout the 5/18 webcast, please refer to the Glossary of Terms
located at http://www.msisac.org/webcasts/05_05/index.htm.
Question: If I turn my computer off at night,
is it still subject to an attack?
Answer: There is no way your computer can be
infected while it is turned off, however, it can be infected while it
is on.
Question: Do DSL and cable modems act as firewalls?
Answer: No, unless it is a combination modem/router.
If it is just a cable/DSL modem, you need either a router (which has
firewall functionality built-in) or a personal firewall on all your computers.
Question: A user would have to initiate a file
transfer or execution of code on a website, correct? A user isn't in danger
if he/she accidentally browses to a site and does not execute code?
Answer: It is possible to execute code by accidental
browsing if the code takes advantage of a vulnerability in the web browser
and your browser is not patched. The user would not necessarily have
to click on anything or initiate any file transfer for this to happen.
Question: Are there any tools to remove and/or
identify bots from an infected host on my network?
Answer: Anti-virus scans will identify most
infections but variants come out faster than new anti-virus signatures.
Monitoring your firewall logs for outbound IRC traffic “may” also
be an indicator of an infected system. If you are a corporate network
administrator, intrusion detection or intrusion prevention systems will
help identify infected systems.
Question: Would you recommend a software based
or hardware based firewall?
Answer: It depends on the size of the network
you are protecting. Larger networks may benefit more from a hardware
based firewall.
Question: The results from botnet activity are
illegal for the most part, but is creating a bot and collecting a net illegal?
Is there specific federal, international, or state statute covering this
activity?
Answer: Yes, there are laws covering this illegal
activity. You should contact your local, state or federal law enforcement
for specifics.
Question: Are there any kinds of wireless botnets?
Answer: The same botnets that run over wired
networks can also run over wireless (i.e. 802.11a/b/g) networks.
Question: Would setting computers at your work
to a user profile as opposed to an admin profile reduce your bot/virus
risk?
Answer: This will reduce the impact of a successful
break-in, but not your risk of getting a bot or virus. Many of the vulnerabilities
that viruses and bots take advantage of give the attacker the same privileges
as the user logged in, so if you are logged in as an administrator, then
the virus or bot now has administrator privileges. If you are logged
in as a user, there is less that the bot or virus can do on your machine.
Question: Can personal firewalls indicate when
unexpected outgoing traffic is occurring?
Answer: It varies with the firewall but generally,
yes - you can set the firewall to notify you if unexpected traffic is
occurring.
Question: I would consider a bot program to
be the ultimate spyware program. Why do you think most anti-spyware programs
would not detect the presence of Bots on a computer?
Answer: Similar to anti-virus programs, anti-spyware
programs detect the existence of malware by using signatures. Because
the anti-spyware signatures are not written to detect bots, they cannot
detect them.
Question: You said that Bots often use well
known code. If this is so, why can't programs be written to detect and
remove them?
Answer: Anti-virus software will typically
remove them, but this can be circumvented by just minor changes in the
code. The botnet attackers are continuously doing this to try to stay
a step ahead of anti-virus software. The anti-virus software companies
have to catch the new version and analyze it to add it to their signatures,
which takes some time.
Question: Until recently, stateful firewalls
were the big thing because they allowed internal traffic to go out and
come back in. Now it sounds like we should block all traffic, inbound and
outbound, and only allow what is needed. Would you agree?
Answer: It is now considered a best
practice to have strict inbound and outbound filters. Restriction of
outbound connections will prevent your bot from "phoning home" and
limit the types of activities that it can be used for. Although the machine may
still get infected with a bot, the bot is relatively useless.
Question: Are there ANY tools available to
systems administrators/security administrators to detect and/or clean bots?
Answer: Most system administrators will use
simple programs such as regmon, tcpmon, and procmon by Sysinternals to detect
anomalies on a system. On the other hand, well-used programs such as
netstat and tcpdump will quickly give you hints about your system.
Question: Are the new entertainment devices
(like xbox, playstation, and other types of upcoming pieces of hardware)
also vulnerable to botnets? How would any infection be prevented or is
it limited to a personal hardware firewall?
Answer: Currently, botnets primarily infect
Windows-based devices, so any gaming systems based on Windows could
possibly be infected.
Question: How does a user turn off specific
ports?
Answer: A user can use software firewalls to
block specific ports on a computer.
Question: Will the overall slow down of your
machine be sporadic or will it be fairly constant?
Answer: It may be sporadic - some botnets may "sleep" for
a while.
Question: Can I check the network status from
my machine using netstat command to identify how many connections I do
have, in order to identify bot activity?
Answer: It is possible to detect a bot in this
manner if it has an actual connection; however, many are preprogrammed
to only connect at certain times or days in order to receive directions,
so you may not see a dormant one while scanning.
Question: Why is restricting user
permissions not mentioned very often as a defense? Wouldn’t this
prevent many bots from installing?
Answer: Most bots will infect a machine through
programs running with root privileges such as rpc daemon. Therefore,
restricting user privileges will not be effective.
Question: What's the difference between a Trojan
horse and a bot?
Answer: A Trojan horse allows someone to connect
to your machine. It can also be called a backdoor. Bots connect to a
controller which controls multiple machines. The functionality is similar;
the difference is in how the machine is controlled.
Question: Are constant pop-ups a sign that you
are infected?
Answer: This is usually a sign of a spyware
infection.
Question: If your home computer is connected
to an IRC (mIRC), is it vulnerable, or is it contributing to the problem?
Answer: IRC itself is a legitimate service
but can be used for malicious purposes. Using IRC does not make you vulnerable
per se, nor does it contribute to the problem if you are using "safe" IRC
servers. However, if you get infected, having IRC already installed saves
the worm some work.
Question: What about installing software packages
that store passwords safely?
Answer: Some bots install keystroke loggers,
so storing your password safely is inconsequential if they can capture
your password as you enter it.
Question: Is it worthwhile to disconnect the
DSL connection when you are done with your home computer when not in use?
Answer: Definitely, it limits the time that
your computer is vulnerable, but does not prevent you from being infected
while connected.
Question: How can I find out more information
on the German virus?
Answer: There is an advisory posted by the
New York State Office of Cyber Security and Critical Infrastructure Coordination
on this virus located at http://www.cscic.state.ny.us/advisories/may05/5_17.htm.
Question: For Windows, Rootkit Revealer (free)
from sysinternals can be useful, and Security Task Manager from neuber
is also useful. Do you know of others?
Answer: F-Secure has one that's a beta at the
moment.
Question: What is a good strategy to stop these
e-mails that contain a link to a Web site that spreads a worm or virus
(W32.Sober.S)?
Answer: There is a list of subject lines at http://isc.sans.org/diary.php?date=2005-05-15
that you can use in your spam filter if you have one.
Question: If you install a router firewall
on your home PC and your PC was already (unknowingly) infected with a Bot,
will the router firewall lose the botmaster?
Answer: If configured correctly with ingress
and egress filtering, the bot will still be on your machine, but it will
be unable to connect back to the botmaster for direction. It may still,
however, monitor your machine and steal information, sending it back to
the botmaster through normal channels such as email.
Question: Are there any services [other than
Windows Messaging] that can be safely turned off to prevent bots?
Answer: Instead of stopping services, you should
really think about which ports you need and block the rest of the ports.
Question: Can a bot still see a
computer that is behind a firewall? I have a router that has a built-in
firewall and I am under the assumption that my computer is "invisible" while
on the Internet.
Answer: If you block all inbound connection
attempts (i.e. are not running web servers, etc. that you've made accessible),
then the bot cannot see your computer. However, that won't protect you
from getting infected. You can get infected from email attachments or
by visiting a malicious web site.
Question: How can we detect a bot on a school
network?
Answer: Performing regular anti-virus scans
is a good idea. If you use a firewall between your school network and
the firewall, enable logging and review the logs regularly for outbound
connections to strange sites or outbound IRC traffic. This may indicate
an infected computer which should be scanned to verify.
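As an added example (not part of the webcast), here is a small Python script that does the log review this answer and the earlier answer on firewall logs describe: it parses firewall log lines in a hypothetical, constructed format and reports internal hosts with outbound connections to IRC ports, including attempts an egress filter dropped. The log format, port list and sample data are all assumptions.

```python
import re
from collections import defaultdict

# Ports conventionally used by IRC servers (assumption; adjust to local policy).
IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}

# Constructed sample firewall log in a hypothetical "dir src dst proto dport action" format.
SAMPLE_LOG = """\
2005-05-18 02:14:07 OUT src=10.0.5.23 dst=203.0.113.7 proto=TCP dport=6667 ACCEPT
2005-05-18 02:14:09 OUT src=10.0.5.23 dst=203.0.113.7 proto=TCP dport=6667 ACCEPT
2005-05-18 02:20:41 OUT src=10.0.5.23 dst=203.0.113.7 proto=TCP dport=6667 ACCEPT
2005-05-18 08:02:13 OUT src=10.0.5.40 dst=198.51.100.8 proto=TCP dport=80 ACCEPT
2005-05-18 08:02:14 OUT src=10.0.5.40 dst=198.51.100.8 proto=TCP dport=443 ACCEPT
2005-05-18 09:30:00 IN src=192.0.2.9 dst=10.0.5.23 proto=TCP dport=6667 DROP
2005-05-18 11:15:22 OUT src=10.0.5.77 dst=203.0.113.7 proto=TCP dport=7000 DROP
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<dir>IN|OUT) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\S+) dport=(?P<dport>\d+) (?P<action>\S+)$"
)

def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec

def find_outbound_irc(log_text, min_hits=1):
    """Return {src_host: [(timestamp, dst, dport, action), ...]} for internal hosts
    with outbound traffic to IRC ports. Inbound records and other ports are skipped;
    dropped outbound attempts are kept because a blocked "phone home" is still a signal."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dir"] != "OUT" or rec["dport"] not in IRC_PORTS:
            continue
        hits[rec["src"]].append((rec["ts"], rec["dst"], rec["dport"], rec["action"]))
    return {src: ev for src, ev in hits.items() if len(ev) >= min_hits}

if __name__ == "__main__":
    for src, events in sorted(find_outbound_irc(SAMPLE_LOG).items()):
        print(f"{src}: {len(events)} outbound IRC connection(s); first: {events[0]}")
```

Hosts the script lists are candidates for the anti-virus scan the answer recommends; a dormant bot that only connects at certain times will not appear until it does.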
Question: In a large enterprise, where users
are not allowed to connect as an administrator, i.e., XP Pro SP2, how can
it be detected that the automatic antivirus update is working when a user
is logged in?
Answer: For large enterprises, there are normally
consoles that would alert you to failures. Absent that, performing random
audits will assist in ascertaining the success of the updates.
Question: Are Blackberry/PDA phones vulnerable
to these types of attacks?
Answer: No, not at this time. There has been
an increase in the number of viruses being written for BlackBerries/PDAs,
but there is no report of botnets being deployed on PDAs/BlackBerries.
Question: Are there resources for bot 'signatures'
to add to an IDS, e.g. like SNORT rules?
Answer: Yes, but in some cases they may report
just IRC traffic - not specifically that there is a botnet infection.
In some cases they have signatures for particular types of worms.
Question: If I install a root kit to another
computer, does that make the other computer more susceptible to attack?
Answer: Absolutely, you never want to install
a rootkit on anyone's machine.
Question: You mentioned there are no tools
to identify bots. What about a tool like Spybot search and destroy?
Answer: Spybot searches for adware/spyware
- not bots. Bots are typically associated with viruses and worms, so anti-virus
software is more effective. However, most worms first try to break the
anti-virus software to cover their tracks. Also, anti-virus software is
always "chasing" new bot variants, so it is possible to be infected
even with up-to-date anti-virus software.
Question: How do I monitor port 135 at home?
Answer: There are many programs that will let
you analyze network traffic. Firewalls will assist you. Zone Alarm is
free for home use and it should assist in blocking port 135 and logging
the activity.
Question: Can you recommend any good encryption
software for windows?
Answer: A number of vendors offer encryption
software. If you perform a Google search by going to http://www.google.com
and typing “encryption software downloads” in the search field, there
will be a listing of software links for download. The important thing
is to use a product that uses asymmetric encryption; however, that means
that if you want to exchange encrypted files with someone else, you both
need to use compatible products. Symmetric products that use "passwords" or "passkeys" can
be broken.
