In August, Microsoft released a patch for a security flaw in Windows. Within 24 hours, code to exploit that flaw was made available on the Internet. A week later, bots – a malicious form of software – started to infect computers at companies across Canada, and Nortel Networks was no exception.
“We saw eight unique bots trying to spread on our network, and some were more successful than others,” said John Morris, a member of Nortel’s anti-virus team. “The first five or six that we saw were limiting themselves to specific regions of our network and we were able to contain them in those regions, but we did see some of the more common ones later in the week such as Zotob and Esbot.”
With a formal procedure in place for dealing with malicious attacks on its IT network, Nortel was able to isolate infected computers and minimize the overall impact of the outbreak. A recent study by CyberTrust shows that medium and large companies have an average monthly infection rate of 10 per cent, while Nortel’s is typically below one per cent.
Nortel uses the “honey-pot” method to detect intrusions, which is essentially one computer pretending to be many computers on the network. “Nobody should be talking to it in the normal course of daily activity, so basically we’re using these honey-pots as a large target for the viruses to hit,” said Morris, who is also a member of AVIEN, the Anti-Virus Information Exchange Network.
Another technique is monitoring network activity on the core routers: if any computer tries to talk to more than 20 other computers in a five-minute period, it is probably infected, since that kind of fan-out looks like scanning rather than normal use.
If a bot is discovered, Nortel identifies its “home” – the command-control servers on the Internet – and then blocks off access. “Then we monitor who’s trying to access those command-control servers [inside the company] to identify machines infected with the same bot,” said Morris. Nortel now offers a professional security services practice to help clients develop a formal process for dealing with malicious attacks.
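The three detection techniques described above (decoy addresses that nothing legitimate should touch, the 20-peers-in-five-minutes fan-out rule, and watching which internal hosts still try to reach blocked command-and-control servers) as one piece of flow-analysis code. This is an added example, not Nortel's own tooling: it runs over constructed flow records in an assumed "timestamp src dst dport" export format, and the decoy addresses, command-and-control addresses and internal hosts are all invented for illustration.

```python
"""Flow-based bot detection in the style of the three techniques in the
article: honeypot decoys, fan-out threshold, contact with blocked C2.
Added example over constructed data; not Nortel's code."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple


class Flow(NamedTuple):
    ts: datetime
    src: str
    dst: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one 'timestamp src dst dport' record (assumed export format)."""
    ts, src, dst, dport = line.split()
    return Flow(datetime.fromisoformat(ts), src, dst, int(dport))


# Assumed values: decoy and command-and-control addresses (documentation ranges).
HONEYPOT_ADDRS = {"10.0.9.1", "10.0.9.2", "10.0.9.3"}   # nobody should talk to these
C2_ADDRS = {"192.0.2.50", "198.51.100.7"}                # identified from a bot, blocked
FANOUT_THRESHOLD = 20           # distinct peers a normal host should not exceed
WINDOW = timedelta(minutes=5)


def fanout_offenders(flows, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Hosts that reached more than `threshold` distinct peers within any
    span of length `window`. Returns {src: peak distinct-peer count}."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    offenders = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r.ts)
        in_window = Counter()   # destination -> number of flows to it inside the window
        start, peak = 0, 0
        for rec in recs:
            in_window[rec.dst] += 1
            # Slide the window forward: drop flows older than `window`.
            while rec.ts - recs[start].ts > window:
                old = recs[start].dst
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak > threshold:
            offenders[src] = peak
    return offenders


def honeypot_contacts(flows):
    """Sources that touched a decoy address; one probe is enough to flag."""
    return {f.src for f in flows if f.dst in HONEYPOT_ADDRS}


def c2_contacts(flows):
    """Sources still trying to reach blocked C2 servers: the block stops the
    traffic, and the log of attempts names hosts carrying the same bot."""
    return {f.src for f in flows if f.dst in C2_ADDRS}


def suspected_infected(flows):
    """Combine the three detectors into {host: set of reasons}."""
    reasons = defaultdict(set)
    for host in fanout_offenders(flows):
        reasons[host].add("fan-out")
    for host in honeypot_contacts(flows):
        reasons[host].add("honeypot")
    for host in c2_contacts(flows):
        reasons[host].add("c2-contact")
    return dict(reasons)


def build_sample_log():
    """Constructed flow records (not real traffic) covering each case."""
    base = datetime(2005, 8, 17, 10, 0, 0)

    def rec(offset_s, src, dst, dport):
        return f"{(base + timedelta(seconds=offset_s)).isoformat()} {src} {dst} {dport}"

    lines = []
    # 10.0.1.5: scans 25 hosts on 445 in under two minutes, then calls home.
    lines += [rec(4 * i, "10.0.1.5", f"10.0.2.{i + 1}", 445) for i in range(25)]
    lines.append(rec(200, "10.0.1.5", "192.0.2.50", 6667))
    # 10.0.1.20: ordinary user, five web servers.
    lines += [rec(10 * i, "10.0.1.20", f"10.0.3.{i + 1}", 80) for i in range(5)]
    # 10.0.1.60: 25 peers, but one every two minutes, so never more than 3 per window.
    lines += [rec(120 * i, "10.0.1.60", f"10.0.4.{i + 1}", 445) for i in range(25)]
    # 10.0.1.33: a single probe of a decoy address.
    lines.append(rec(30, "10.0.1.33", "10.0.9.2", 445))
    # 10.0.1.40: quiet host whose only tell is the blocked C2 connection (assumed port).
    lines.append(rec(60, "10.0.1.40", "198.51.100.7", 6667))
    return lines


SAMPLE_FLOWS = [parse_flow(line) for line in build_sample_log()]

if __name__ == "__main__":
    for host, why in sorted(suspected_infected(SAMPLE_FLOWS).items()):
        print(host, ", ".join(sorted(why)))
```

The sliding window matters: the host that contacts 25 peers spread over fifty minutes never exceeds three peers in any five-minute span and is correctly left alone, while the scanner is caught by fan-out and by its call home, and the quiet host is caught only because its attempts to reach a blocked server are still logged.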
Bots propagate in a way similar to viruses, but their primary purpose is not so much to cause damage to machines, but rather to set up shop and communicate externally, said Scott Hurd, global director for Nortel’s network and information security organization. They can then take instructions from the botmaster, and use the host computer and its peers – the botnet – to spread spam, send out copies of a virus, even steal intellectual property.
Botnets are now a serious business. “Spammers pay botnet owners for using time on their bots and distribute not only spam but also worms and Trojans,” said Claudiu Popa, president of Informatica Corp., a provider of security solutions. “There is a definite financial aspect to this.”
While a virus is an older concept for digital self-replication, he said, a bot is an automated mechanism for attacking third-party computers or infecting new ones by forcing copies of the bot onto them.
And there are numerous types of bots. “The most popular type of bot is built on a platform called Agobot,” said Popa. “It is free, configurable and very effective in searching for computers to infect.” It has a variety of skills in its toolbox, he added, including methods for disabling anti-virus software and a shape-shifting capability.
“A bot can download new versions of itself and it uses this as a means by which it can stay ahead of the anti-virus software,” said Morris.
“Sometimes you’ll see it via e-mail, but ones that are making use of operating system vulnerabilities are usually quite stealthy and the actual user of the computer will not directly see it unless it causes something to go wrong on the computer.” The easiest way to detect infected machines is at the network layer, he said, where one computer tries to infect several other computers on the network.
It comes down to having a formal process in place that defines how your organization will defend itself against this type of threat, said Hurd. “We have a standard process that enforces uniformity across the whole landscape for a variety of types of hardware,” he said. “Then we have processes that deal with things like patching.”
Companies need to address this type of bot behaviour in their network security policies and anticipate how bots will be prevented from joining botnets, decide on detection strategies and address removal in a clear and efficient way, said Popa.
“Network access logging and intrusion detection programs can also help by showing clear patterns of infection and destinations that point to the fact that an infection is underway,” he said. “A company-wide security awareness program will ensure that users are aware of the threat and can participate in activities that mitigate the risk, rather than becoming part of the problem.”