Botnet removal: Detect botnet infection and prevent re-infiltration

Though botnet mitigation tactics continue to mature, so do the botnets themselves. In this tip, expert Nick Lewis gives best practices for detecting and removing cutting edge botnets.

The average information security professional may not realize it, but botnets have become arguably the No. 1 security problem facing organizations today. Why? Most of the day-to-day security problems enterprise infosec pros spend their time dealing with -- infected endpoints, spam onslaughts and data leaks or losses -- are caused, at least in part, by botnets.


In this tip, we'll briefly discuss how botnets work, and focus on what enterprises can do to identify and thwart botnet activity.

For years, botnets have victimized consumers and businesses alike, and botnet attacks show no sign of slowing. In part, this is because botnets have been improving their functionality and are becoming easier to use by less-skilled attackers.

In brief, for those who may not be familiar with how a botnet works, attackers begin by finding a way to install malware on a sizable number of target computers, often via malicious links in email, on websites or via social networking platforms. This malware allows the attackers to send instructions to the compromised computers, unbeknownst to their owners, to do whatever the attackers want. Typically, the resources of thousands of infected computers are pooled into a botnet or zombie computer army, and the combined computing power allows attackers to execute a variety of malicious activities.


Despite industry efforts to "take down" botnets by eliminating their command-and-control infrastructures, as well as ongoing efforts by consumers and businesses to improve their security, botnets and malware have advanced to attack new areas to achieve their illicit goals. Whereas botnets previously targeted Windows with direct network-based attacks, they've now moved on to attacking applications. Worse yet, successful application attacks usually require minimal user involvement, such as visiting a webpage or opening a malicious attachment.

Enterprise-wide identification and removal of botnets

Signs that an organization may have several machines infected by a botnet include anomalous network activity or erratic performance of client systems. Anomalous network activity could include a computer contacting a large number of external systems, but attackers have generally realized this draws attention quickly, so they are reducing the number of hosts contacted and the amount of data sent outbound, and are using HTTP, HTTPS or other common protocols to blend in with normal traffic. Erratic performance of client systems could include slow performance, yet this is also becoming less common, since end users tend to report slowness, which prompts someone to investigate the local system. Enterprises can detect botnet infections on their networks via a combination of network analysis and correlation with local system logs or investigations. One detection method is to examine a local system and compare the outbound network connections observed on the network against what the tools that run locally (netstat, for example) report. Anything observed on the network but not reported on the local system could be a command-and-control channel or data being sent out of your environment; a rootkit can hide its sockets from local tools, but it cannot hide its packets from a sensor on the wire.

The most effective detection method for a large, distributed network is to use a dedicated network appliance that has access to all Internet traffic in order to identify suspicious flows. The traffic may look like standard Web data, but when a large amount of data is sent outbound, especially by multiple systems to the same destination, it's important to have a method to identify such traffic and the system(s) generating it. It's also possible to identify suspicious traffic by checking connections to or from IP addresses associated with known botnet controllers.
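The three checks described above (connections seen on the wire but not reported by the host, large outbound transfers from several internal systems to one destination, and contact with known controller addresses) can be scripted against flow records and host output. The following is an added example, not code from the original tip: the flow records are a constructed, Zeek-style conn.log excerpt, the host view is constructed netstat-style output, and the 10 MB threshold, the `10.` internal prefix and the known-C2 list are assumptions for illustration.

```python
"""Correlate host-reported connections with network-observed flows.

Added example (not from the original tip). All inputs are constructed:
a Zeek-style conn.log excerpt as the network view and netstat-style
output as the host view. Thresholds and the C2 list are assumptions.
"""
from collections import defaultdict

# Constructed sensor flows: ts, src, sport, dst, dport, proto, orig_bytes
NETWORK_FLOWS = """\
1302000001.1\t10.1.2.15\t49152\t93.184.216.34\t443\ttcp\t1240
1302000002.5\t10.1.2.15\t49153\t198.51.100.77\t80\ttcp\t52000000
1302000003.0\t10.1.2.22\t50001\t203.0.113.9\t443\ttcp\t3100
1302000004.2\t10.1.2.22\t50002\t198.51.100.77\t80\ttcp\t48000000
1302000005.7\t10.1.2.31\t51000\t192.0.2.44\t6667\ttcp\t900
"""

# Constructed 'netstat -ant'-style output from host 10.1.2.15. The flow to
# 198.51.100.77 is deliberately absent: a rootkit hiding its C2 socket.
HOST_NETSTAT_10_1_2_15 = """\
Proto  Local Address          Foreign Address        State
tcp    10.1.2.15:49152        93.184.216.34:443      ESTABLISHED
tcp    10.1.2.15:22           10.1.2.100:55012       ESTABLISHED
"""

KNOWN_C2 = {"192.0.2.44"}               # assumption: feed of known controllers
OUTBOUND_BYTES_THRESHOLD = 10_000_000   # assumption: 10 MB in one flow
INTERNAL_PREFIX = "10."                 # assumption: internal address space


def parse_flows(text):
    """Parse tab-separated flow records into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport, proto, obytes = line.split("\t")
        flows.append({"ts": float(ts), "src": src, "sport": int(sport),
                      "dst": dst, "dport": int(dport), "proto": proto,
                      "orig_bytes": int(obytes)})
    return flows


def parse_netstat(text):
    """Return the (local_ip, local_port, remote_ip, remote_port) tuples a host reports."""
    conns = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("tcp", "udp"):
            continue
        lip, lport = parts[1].rsplit(":", 1)
        rip, rport = parts[2].rsplit(":", 1)
        conns.add((lip, int(lport), rip, int(rport)))
    return conns


def hidden_connections(flows, host_ip, netstat_text):
    """Flows from host_ip that the host's own tools did not report."""
    reported = parse_netstat(netstat_text)
    return [f for f in flows if f["src"] == host_ip
            and (f["src"], f["sport"], f["dst"], f["dport"]) not in reported]


def large_outbound(flows, threshold=OUTBOUND_BYTES_THRESHOLD):
    """Destinations receiving large uploads, mapped to the internal senders."""
    senders = defaultdict(set)
    for f in flows:
        if f["src"].startswith(INTERNAL_PREFIX) and f["orig_bytes"] >= threshold:
            senders[f["dst"]].add(f["src"])
    return dict(senders)


def known_c2_contacts(flows, c2=KNOWN_C2):
    """(src, dst, dport) for every flow whose destination is a known controller."""
    return [(f["src"], f["dst"], f["dport"]) for f in flows if f["dst"] in c2]


if __name__ == "__main__":
    flows = parse_flows(NETWORK_FLOWS)
    for f in hidden_connections(flows, "10.1.2.15", HOST_NETSTAT_10_1_2_15):
        print("seen on wire, not on host:", f["src"], "->", f["dst"], f["dport"])
    for dst, srcs in large_outbound(flows).items():
        print("large upload to", dst, "from", sorted(srcs))
    for src, dst, port in known_c2_contacts(flows):
        print("known C2 contact:", src, "->", dst, port)
```

A netstat snapshot only shows connections open at that instant, so on a real host the comparison should use a continuous connection log (auditd, Sysmon or equivalent) or flows time-aligned to the snapshot; otherwise short-lived legitimate connections will show up as false "hidden" hits. The known-controller check is only as good as the freshness of the list, which is why it is one signal among three here rather than the sole one.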

Once an enterprise has identified infected systems, attention should turn to botnet removal, since, as mentioned above, botnets can be used for a variety of malicious purposes, including attacking internal systems or committing fraud. The standard advice is to format and reinstall an infected system, which remains the most reliable way to remove the malware. While the local system is being rebuilt, it should be removed from the network to prevent further infections, and the remote systems the infected local system contacted while infected should also be blocked so that other potentially infected local systems cannot reach them. Enterprises can minimize the resulting downtime by not storing data on local systems and by using standardized system builds and automated software distribution.

Another option is to restore a system from a backup to get it back into production, provided the backup predates the infection. Manually removing the malware or bot software with antimalware, or with custom tools such as those provided by antimalware vendors or developed internally, may be appropriate for systems without access to sensitive data, but this risks leaving behind malware or a rootkit that re-infects the system. In general, it's a better idea to reformat and reinstall any infected system.

What else could an enterprise do?

Implementing a handful of basic security controls will prevent most botnet attacks, and these controls are the necessary building blocks for the advanced controls you will need should the basics alone fail to contain the threat. These basic security controls should include:

  • Client-side antimalware software -- Every client computer should have modern antimalware software, or an equivalent control, installed and updated regularly, ideally on an automated basis.
  • Operating system hardening – Every client computer should have basic hardening done, such as removing unnecessary software or services.
  • Firewalls – Every client computer should be protected by a host-based firewall or network firewall, or potentially both for true defense in depth.
  • Appropriate privilege levels for employees – Every user should only login as a normal low-privilege user for standard activities.
  • Proper patch management – Every client should run updated and patched software to block attacks that exploit unpatched software.

You may also need to use advanced controls if you have enterprise applications that require disabling basic security controls, such as custom applications that require administrator-level privileges to use. These advanced controls include:

  • Dedicated antimalware or antibotnet network appliances -- like Palo Alto Networks' firewall, Actiance Inc.'s Unified Security Gateways, the free BotHunter tool or others -- can be used to identify and block botnets for the entire network, regardless of the controls in place on local systems, to provide an additional layer of protection.
  • Sandboxes – These could be used to protect the most frequently used and highest-risk applications, like Web browsers, PDF readers or multimedia players from being compromised by cordoning them off from other parts of the system.
  • Whitelisting – This technique can prevent certain types of malware from infecting a system by placing strict limits on what a system is allowed to do.
  • Browser security tools -- These tools, like the NoScript add-on for Firefox, Trusteer Inc.'s Rapport and others, could also be used to protect browsers against exploitation.
  • Antiphishing tools -- These can work in conjunction with other tools to protect against targeted email attacks against users. Additionally, many of these can send their logs to a security information and event management (SIEM) system to help identify advanced attacks.

All of these controls should be evaluated, however, as to their other potential impacts on a network in terms of management and complexity.

However, should you identify an instance where the basic security controls didn't adequately protect an infected system (i.e., ground zero following a botnet infection), it's a good idea to do an in-depth investigation to determine which control failed and why, to identify if more advanced controls need to be implemented. This investigation could compare network traffic to locally reported network connections, or use forensic investigation techniques to determine what files were created, deleted or modified during the infection.
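The file-level part of that investigation, determining what was created, deleted or modified during the infection, is easiest when a known-good manifest of the build exists to compare against. The following is an added example, not code from the original tip: it hashes every file under a root into a manifest, diffs a baseline manifest against the current one, and demonstrates the result on a constructed directory tree in a temporary folder (the paths and "infection" steps in `demo()` are invented for illustration).

```python
"""Baseline-versus-current file manifest diff for post-infection triage.

Added example, not from the original tip. The directory tree is constructed
in a temp dir so the script runs offline; on a real system the baseline
comes from a known-good image or a pre-deployment manifest, and the
current manifest should be taken from an offline-mounted copy of the
suspect disk, because a live rootkit can hide files from directory walks.
"""
import hashlib
import os
import tempfile


def build_manifest(root):
    """Map each relative file path under root to (sha256, mtime)."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            manifest[rel] = (h.hexdigest(), os.stat(full).st_mtime)
    return manifest


def diff_manifests(baseline, current):
    """Created, deleted and modified paths; modification is decided by hash,
    not mtime, because timestamps are trivial for malware to forge."""
    created = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p][0] != current[p][0])
    return {"created": created, "deleted": deleted, "modified": modified}


def _write(root, rel, data):
    """Write bytes to root/rel, creating parent directories (helper for demo)."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Construct a clean tree, snapshot it, simulate an infection, then diff."""
    with tempfile.TemporaryDirectory() as root:
        # constructed 'clean build'
        _write(root, "etc/hosts", b"127.0.0.1 localhost\n")
        _write(root, "usr/bin/ls", b"ELF...original\n")
        _write(root, "var/log/auth.log", b"login ok\n")
        baseline = build_manifest(root)
        # constructed 'infection': drop a payload, trojanize a binary, wipe a log
        _write(root, "tmp/.x/bot", b"payload\n")
        _write(root, "usr/bin/ls", b"ELF...trojanized\n")
        os.remove(os.path.join(root, "var", "log", "auth.log"))
        current = build_manifest(root)
        return diff_manifests(baseline, current)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind + ":", ", ".join(paths) or "-")
```

The created list is where dropped payloads and persistence files show up, the modified list catches trojanized binaries and altered configuration, and the deleted list points at log tampering. Because the baseline has to be trusted, it should be generated at build time and stored off the host; a manifest built after the fact on the infected machine only tells you what changed since the investigation began.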


While security researchers have taken down some botnets in the last year, botnets have advanced and continued to victimize more consumers and enterprises. Enterprises should already have basic security controls to minimize the impact of botnets and other attacks, and should use or invest in advanced controls when the basics have failed. Following a botnet infection, organizations should perform an investigation to identify what controls failed and what changes need to be made to protect against future attacks. Enterprises should identify and remove botnets as quickly as possible to minimize the attacks on other systems and online financial transactions.

About the author:
Nick Lewis (CISSP, GCWN) is an information security analyst for a large Public Midwest University responsible for the risk management program and also supports its technical PCI compliance program. Nick received his Master of Science in Information Assurance from Norwich University in 2005 and Telecommunications from Michigan State University in 2002. Prior to joining his current organization in 2009, Nick worked at Children's Hospital Boston, the primary pediatric teaching hospital of Harvard Medical School, as well as for Internet2 and Michigan State University. He also answers your information security threat questions.

This was first published in April 2011
