Botnets, vast armies of compromised, robot-like machines, are massing on the digital frontier, waiting for their masters' command to attack.
These hacker-controlled networks--some numbering in the hundreds of thousands of machines--are the fastest-growing menaces on the Internet. They have powerful weapons--overwhelming DDoS attacks, untraceable spam relays and ubiquitous malware distribution. When unleashed, they deliver punishing blows that devastate their targets.
Hackers, malware writers and organized crime groups love bots--the foot-soldier programs infecting PC networks--for their power and cloaking abilities. Some bots, such as Agobot and Phatbot, have characteristics similar to Trojans and rootkits, opening backdoors to systems and giving attackers control over compromised machines. Attackers only require rudimentary programming knowledge to create and control a botnet army.
Botnet commanders can start with just a handful of compromised computers that are mustered manually by sending targeted, virus-laden e-mails to broadband/ DSL users, vulnerable enterprise desktops and mobile machines. Some bot-carrying worms will even patch the vulnerability they exploited. Infected hosts automatically show up in a preprogrammed IRC channel, where they sit in a virtual holding pattern until dispatched. Attackers can "herd" their bots from channel to channel, sifting out the low-bandwidth connections to maximize the machines with the best throughput.
Their ubiquity, power and ease of use make them looming threats on both sides of the enterprise firewall. Understanding botnets will help enterprises defend against in-filtration and, perhaps, survive an invasion.
Multipronged Attack
Enterprises face botnet threats on two fronts: Attackers are trying to compromise their machines and use them for malicious purposes (a breach of integrity) or coordinated attacks such as DDoS (risk of downstream liability).
Once the computer is compromised, bots need to "phone home" to their controller. Generally, this is done through a private channel on a public IRC server or network, with communications running in the clear over the default TCP port 6667. (A prudent botnet defense is blocking and monitoring outbound TCP 6667 traffic.) Also, attackers can use IRC protocols to communicate instructions to their bots.
Attackers can use the bots and their hosts for a variety of purposes, some seemingly innocuous to the compromised enterprise. For in-stance, botnets have become the distribution method of choice for spam and phishing attacks. According to e-mail security service provider MessageLabs, nearly 70 percent of all spam and phishing e-mails now originate from botnets. Tracing these attacks is difficult due to the many layers between the source machines and the attacker.
Botnets are the ideal mechanism for unleashing malware. Conven-tional worms are released from a single point and can take hours to circle the globe. Worms released from botnets can appear from multiple points simultaneously without warning, giving enterprises and AV vendors little time to react. Last spring's lightning-quick Witty worm was launched from a relatively small botnet of 4,200 nodes.
The more visible and devastating attack type is the DDoS attack. More than just simple SYN floods, botnet-controlled DDoS attacks can flood a network with seemingly legitimate requests, clogging the pipes, overloading services and denying all legitimate traffic. A moderate-sized botnet could completely disable Web, mail and VoIP communications; a DDoS attack directed at your DNS server could make your enterprise disappear from the Internet.
Your enterprise will most likely become aware of a botnet infiltration through user reports of performance issues; third-party reports of attacks originating in your IP address space; victims' reports of DDoS floods; and the detection of high inbound and outbound scanning, outbound flooding or traffic passing through hosts that should be acting like desktop clients.
To stay ahead of botnets, you need stay current with prevention tools and techniques (e.g., proactive vulnerability scanning, patch management, appropriate use of firewalls and VPNs, user education, and policy enforcement). You also need to have sufficient computer forensics and incident response capabilities to adequately deal with compromises when they occur, and to return compromised machines to a trusted state as quickly as possible.
