
How to Defend Against Botnets

Follow these three tips to protect your agency’s systems from becoming part of a malicious network.

Bots and botnets have become a major concern for many organizations, including federal agencies.

A bot is a computer that has been infected with malware and has specialized malicious tools installed so that it can attack other computers as directed by a hacker. Botnets — global networks of bots — are used every day in various types of attacks, from compromising other computers to generating phishing e-mails and committing financial fraud.

Keeping bots out of your environment can be challenging, but the steps are straightforward.

1. Prevent bot infections.

Traditionally, the most important security control for preventing malware infections is antivirus software. While this is a critical component of stopping bots, by itself it’s not sufficient. Organizations should strive to eliminate the low-hanging fruit, such as unpatched operating systems and applications that are not configured securely.

Mitigating vulnerabilities such as these will greatly reduce the opportunities for hackers to compromise an organization’s computers. Agencies should also consider adding other security controls to supplement antivirus software, such as intrusion prevention systems, firewalls, content filtering and inspection technologies (spam filtering and web content filtering, for example), and application whitelisting.

Don’t forget about the “soft” side of prevention — having policies that address malware prevention and implementing an effective awareness program that helps users understand how to avoid malware infections. Many malware infections succeed by preying on users’ mistakes, not by technical vulnerabilities in the computers they ultimately infect.

2. Identify when a computer has been taken over.

Most of the same tools that are recommended for stopping malware, particularly antivirus software, intrusion prevention systems and application whitelisting, are also helpful for determining when a computer has been infected with a bot or other malware. Antivirus software and intrusion prevention systems are most effective at identifying known attacks. If application whitelisting is properly implemented and monitored, it can identify changes to a computer’s executables and detect the presence of unknown new executables — both signs of a possible malware infection.

More protection
For more information about defending against botnets, see the National Institute of Standards and Technology’s Special Publication 800-83 Revision 1, Guide to Malware Incident Prevention and Handling for Desktops and Laptops.

A specialized type of intrusion prevention system known as network behavior analysis (NBA) can identify unusual network traffic patterns, such as those produced by bots attacking other computers. If some computers have been turned into bots, an NBA system may be quite effective at finding their activity on the network and helping to identify which computers are affected.
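The kind of check an NBA system performs can be sketched as follows. This is an added example, not part of the original article or any product: it flags hosts whose number of distinct destinations in one time window is far above the rest of the population. The flow tuple format, the thresholds and all addresses are constructed assumptions.

```python
from collections import Counter, defaultdict
from statistics import median


def fanout_outliers(flows, k=5.0, min_fanout=20):
    """flows: iterable of (src_ip, dst_ip, dst_port) seen in one time window.

    Returns {src: (distinct_destinations, most_used_port)} for sources whose
    distinct-destination count exceeds both median + k*MAD of all sources
    and the absolute floor min_fanout (both thresholds are assumptions).
    """
    dsts = defaultdict(set)
    ports = defaultdict(Counter)
    for src, dst, dport in flows:
        dsts[src].add(dst)
        ports[src][dport] += 1
    counts = {src: len(seen) for src, seen in dsts.items()}
    if not counts:
        return {}
    med = median(counts.values())
    # Median absolute deviation: robust spread that one noisy host cannot skew.
    mad = median(abs(c - med) for c in counts.values()) or 1.0
    limit = max(med + k * mad, min_fanout)
    return {src: (c, ports[src].most_common(1)[0][0])
            for src, c in counts.items() if c > limit}


def sample_flows():
    """Constructed flow records: five ordinary workstations and one outlier."""
    flows = []
    servers = (("10.0.0.10", 443), ("10.0.0.11", 53), ("10.0.0.12", 445))
    for h in range(1, 6):
        for srv, port in servers:
            flows.append((f"10.0.1.{h}", srv, port))
    # One workstation opening SMTP connections to 60 distinct outside hosts
    # (198.51.100.0/24 is a documentation range, used here as a placeholder).
    for i in range(60):
        flows.append(("10.0.1.66", f"198.51.100.{i + 1}", 25))
    flows.append(("10.0.1.66", "10.0.0.11", 53))
    return flows


if __name__ == "__main__":
    for host, (fanout, port) in fanout_outliers(sample_flows()).items():
        print(f"{host}: {fanout} distinct destinations, mostly port {port}")
```

A flagged host is a lead for investigation rather than proof of infection; mail relays, scanners run by the security team and similar systems need to be excluded from the population first.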

3. Clean up machines that have become infected.

After identifying any computers that are infected with bots, the next step is to isolate them. Disconnect them from the networks to prevent them from infecting other computers or causing other damage. Ideally, cleaning up an infected machine would simply involve using antivirus software or a specialized bot removal tool to uninstall the malware, as well as mitigating the vulnerability that was exploited to install the bot in the first place. Unfortunately, it’s increasingly common that such tools are unable to uninstall or otherwise remove malware from computers.

If administrator-level access was gained by the bot software or other malware on the computer, or the malware cannot be removed by typical means, it is highly recommended that you rebuild the computer, including reinstalling and securing the operating system and all applications, then restore its data from clean backups. If a computer is not properly cleaned up after an infection, it is very likely that it will be re-infected and become part of another botnet.

Oct 25 2012