Apathy amongst Bots leading to their proliferation
May 1st, 2008
By Supranamaya Ranjan
A recent article by Kelly Jackson Higgins, Senior Editor at Dark Reading, puts forward an interesting theory about the continued proliferation of botnets. She propounds the view that maybe the owners of machines infected with bots don’t care, or don’t know enough to do anything about it. If they knew enough, then maybe they would have gotten rid of the malaise.
While until now most botnets have been used for launching spam campaigns, we are starting to see them being used for geo-political attacks against an organization or a country. The recent DDoS attacks (Estonia ‘07, Radio Free Europe/Radio Liberty or RFE/RL ‘08) may just be a precursor of things to come. We can only hope that users become more aware of the botnet phenomenon in time, before we see an all-out cyber war.
Patching your machine with the latest update from your Anti-Virus company may only go so far in preventing your machine from being hijacked into a botnet. We have seen time and again how, during zero-day worm outbreaks (Code Red), signatures couldn’t be extracted in time. That gap can fortunately be filled by Service Providers, who can see the traffic entering their customers’ networks and can hence alert them via a Managed Security Services (MSS) offering. Potentially, a Service Provider could keep track of the presence of botnets within their customers’ periphery and then pro-actively alert them to get rid of the infection.
The NarusInsight Secure Suite provides this capability to Service Providers at multiple levels. First, a Service Provider can detect and repel all attacks that are entering its paying customers’ network periphery. Second, the provider can dynamically deploy new layer-7 parsers (or signatures) to detect botnet Command-and-Control traffic, that is, the traffic exchanged between a bot and its commanding server. Thus, as soon as a human analyst reverse-engineers the language in which bots and their command-and-control server communicate, a parser for it can be quickly pushed out to the NarusInsight platform, whereby future traffic that matches this pattern is automatically classified as botnet traffic.
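The dynamic-parser idea sketched above, as an added illustration that is not Narus code: a small layer-7 classifier into which a new parser can be registered at run time, shown against constructed sample flows. The C&C dialect (dot-prefixed commands over IRC), the parser label and the flow contents are all hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # application-layer bytes of the flow

class L7Classifier:
    """Registry of layer-7 parsers that can be extended while traffic is flowing."""
    def __init__(self) -> None:
        self.parsers: Dict[str, Callable[[bytes], bool]] = {}

    def deploy_parser(self, label: str, parser: Callable[[bytes], bool]) -> None:
        # Called once an analyst has reverse-engineered a C&C dialect.
        self.parsers[label] = parser

    def classify(self, flow: Flow) -> str:
        for label, parser in self.parsers.items():
            if parser(flow.payload):
                return label
        return "unclassified"

# Hypothetical C&C dialect, constructed for this example: bots sit in an IRC
# channel and receive dot-prefixed commands from the controller.
IRC_CC_CMD = re.compile(rb"^PRIVMSG #\S+ :\.(login|sync|update) ", re.M)

def irc_cc_parser(payload: bytes) -> bool:
    return IRC_CC_CMD.search(payload) is not None

# Constructed sample flows: ordinary IRC chat, a C&C exchange, and a web request.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "198.51.100.7", 6667, b"PRIVMSG #linux :anyone tried the new kernel?\r\n"),
    Flow("10.0.0.9", "198.51.100.7", 6667, b"PRIVMSG #zx9 :.sync 3600\r\n"),
    Flow("10.0.0.12", "203.0.113.4", 80, b"GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
]

def classify_all(classifier: L7Classifier, flows: List[Flow]) -> List[str]:
    return [classifier.classify(f) for f in flows]

def run_demo() -> Dict[str, List[str]]:
    clf = L7Classifier()
    before = classify_all(clf, SAMPLE_FLOWS)           # no parser deployed yet
    clf.deploy_parser("botnet-irc-cc", irc_cc_parser)  # analyst pushes the new parser
    after = classify_all(clf, SAMPLE_FLOWS)            # same traffic, now classified
    return {"before": before, "after": after}
```

The same traffic is unclassified until the parser is deployed, which is the gap between a reverse-engineered C&C protocol and fielded detection that the dynamic push is meant to close.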