Botnet Mitigation

By Bill Prout, Technical Engineer

If one of your machines has been recruited into a botnet, don't panic; it is rarely the end of the world. Bot malware ranges from nearly inert to complete takeover of the host, but most of it sits toward the quiet end: the system stays usable while the bot skims a small share of CPU and bandwidth for jobs like sending spam. That is precisely why it so often goes unnoticed.

If you suspect an infection (sluggish performance, "strange" network behavior, unexplained outbound connections), the first step is simply to unplug the network connection so the bot can no longer reach its controller or receive new instructions. Then scan the machine with your anti-malware scanner of choice. Keep in mind that a scanner running on a compromised host can itself be blinded by the malware, so for anything beyond a nuisance infection, wiping and rebuilding from a known-good image is the more reliable cure. Once you are confident the system is clean, reconnect it to the network. Of course, none of this helps if you never suspect the system in the first place, and that is the common case, so you also need proactive controls.

First, make sure you have a tuned IDS/IPS on your network. An IDS alerts you to suspicious activity; an IPS sits inline and can also block it. Tuning matters: an untuned sensor buries real hits in false positives and trains you to ignore it. When each alert you receive is likely to be genuine, you can afford to investigate every one, and the sensor becomes a real aid to bot hunting.

Second, make sure your firewall blocks outbound traffic that is not necessary for the business. Administrators often assume any outbound traffic is fine and write a wide-open rule that lets everything out. That is exactly the path a command-and-control server uses to reach and update its zombies. Default-deny egress instead, allow only the destinations and ports you can justify (DNS to your resolver, web through your proxy, mail through your relay), and log what gets dropped; the dropped traffic is often your first sign of a bot.
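To make the IDS and egress-filtering points concrete, here is an added example (not part of the original article) of what bot hunting in outbound traffic looks like once egress is no longer a blind spot. It reads a constructed set of outbound flow records, reports the connections a default-deny egress policy would have dropped, and flags the regularly timed repeat connections that a bot's check-ins to its controller tend to produce. The hosts, addresses, ports and the allow-list are hypothetical, chosen for illustration.

```python
"""Egress-policy check and beacon hunting over outbound flow records.

Added example, not the article's own code. Hosts, addresses and the
allow-list below are hypothetical.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of outbound connection records (not captured traffic),
# one per line: timestamp, source host, destination IP, destination port, protocol.
SAMPLE_FLOWS = """\
2024-03-01T09:00:00 ws-17 10.0.0.53 53 udp
2024-03-01T09:00:01 ws-17 10.0.0.8 3128 tcp
2024-03-01T09:00:02 ws-17 203.0.113.10 6667 tcp
2024-03-01T09:05:02 ws-17 203.0.113.10 6667 tcp
2024-03-01T09:10:01 ws-17 203.0.113.10 6667 tcp
2024-03-01T09:15:03 ws-17 203.0.113.10 6667 tcp
2024-03-01T09:20:02 ws-17 203.0.113.10 6667 tcp
2024-03-01T09:03:10 ws-22 10.0.0.8 3128 tcp
2024-03-01T09:07:44 ws-22 10.0.0.25 25 tcp
2024-03-01T09:08:15 ws-22 198.51.100.7 25 tcp
2024-03-01T09:31:00 ws-22 198.51.100.9 25 tcp
"""

# Hypothetical default-deny egress policy: the only destination/port/protocol
# combinations workstations need. Assumed roles: 10.0.0.53 is the internal
# resolver, 10.0.0.8 the web proxy, 10.0.0.25 the internal mail relay.
EGRESS_ALLOW = {
    ("10.0.0.53", 53, "udp"),
    ("10.0.0.8", 3128, "tcp"),
    ("10.0.0.25", 25, "tcp"),
}


def parse_flows(text):
    """Parse the five-field records into dicts with a real datetime."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src,
                      "dst": dst, "port": int(port), "proto": proto})
    return flows


def egress_violations(flows, allow=EGRESS_ALLOW):
    """Return the flows a default-deny egress firewall would have dropped.

    Direct SMTP from a workstation to the outside, or IRC-style ports to an
    unknown host, are exactly what a wide-open outbound rule hides.
    """
    return [f for f in flows if (f["dst"], f["port"], f["proto"]) not in allow]


def beacon_candidates(flows, min_connections=4, max_jitter=0.2):
    """Flag (src, dst, port) tuples contacted at nearly regular intervals.

    Bots usually poll their controller on a fixed timer, so the gaps between
    connections cluster tightly around one value. Legitimate client traffic
    is far more irregular. max_jitter is the allowed coefficient of variation
    (standard deviation / mean) of the gaps.
    """
    by_key = defaultdict(list)
    for f in flows:
        by_key[(f["src"], f["dst"], f["port"])].append(f["ts"])
    found = []
    for (src, dst, port), times in by_key.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            found.append({"src": src, "dst": dst, "port": port,
                          "interval_s": round(avg), "count": len(times)})
    return found


def hunt(text):
    """Run both checks over a block of flow records and return the findings."""
    flows = parse_flows(text)
    return {"violations": egress_violations(flows),
            "beacons": beacon_candidates(flows)}


if __name__ == "__main__":
    report = hunt(SAMPLE_FLOWS)
    for f in report["violations"]:
        print(f"egress violation: {f['src']} -> {f['dst']}:{f['port']}/{f['proto']}")
    for b in report["beacons"]:
        print(f"beacon: {b['src']} -> {b['dst']}:{b['port']} "
              f"every ~{b['interval_s']}s ({b['count']} connections)")
```

On the constructed sample, ws-17 is caught twice: every one of its connections to 203.0.113.10:6667 violates the allow-list, and they arrive on a five-minute timer, which is the beaconing signature. ws-22 is sending mail directly to outside hosts instead of through the relay, the pattern a spam bot produces. Feed real firewall or flow logs in the same five-field shape and adjust `max_jitter` upward for controllers that randomize their check-in delay.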

Finally, the ubiquitous security mantra: "update, update, update." An updated system does not give you extra security, per se, but it does shrink the set of attack vectors available to an attacker. A skilled attacker may well have experience getting into fully patched systems. The not-so-skilled, however, rely on previously disclosed and well-understood holes and will have a much harder time, because on an up-to-date system the chance that a known, exploitable hole remains is small. Updating reduces the pool of attackers who can get in, and with it the likelihood that you are successfully attacked.