With the recent global law enforcement action to take down the GameOver Zeus botnet, users need to understand what a botnet is, how it works, and most importantly how they can protect themselves from becoming a dreaded zombie (aRe yoU Botted?). Trend Micro recently developed an infographic that explains the basics of a botnet.
One of the challenges we see today is that the criminal underground buys, sells, and rents botnets among its members on a regular basis. Users are often unwitting victims of this trade, because a zombie (a compromised computer within a botnet) is frequently used for things other than stealing the victim's financial data or other Personally Identifiable Information (PII). Botnets are regularly used to send spam or phishing emails, to launch Distributed Denial of Service (DDoS) attacks, or to serve as infrastructure in a targeted attack, for example as a Command & Control (C&C) relay or as a drop zone where stolen data is uploaded for the criminals.
Particularly troubling is when a victim's system is used against critical infrastructure, for example in a DDoS attack against a bank or against a government agency that provides essential services. We often say that an infected system isn't just a threat to its owner but a threat to the public as well.
At Trend Micro, we have been regularly monitoring the botnet threat and even tracking both C&C servers and communications between the server and its victims. Our global botnet map shows this data in near real-time and gives viewers a look at where many of these servers and victims are located.
Users should be aware that criminals are constantly trying to recruit their machines into a botnet. Cybercriminals look for specific criteria in the victims they need, so geo-location, system type, user type (consumer versus commercial), and available bandwidth are among the items they consider when selecting a target. This segmentation allows cybercriminals to use, sell, or rent their botnets for very specific campaigns based on their customers' needs.
How can one know whether they are a zombie or not? That is a difficult question to answer, since the criminals often make sure a compromised system does not exhibit any of the traditional signs of infection. More concerning, once they have established a communication path between themselves (the C&C server) and the victim (the zombie), they can continually replace and update the malicious code running on the machine to ensure it is not detected by traditional security solutions.

Users therefore need to be extra vigilant in looking for signs. One is a slowdown of the computer caused by excessive traffic leaving the system (possibly a DDoS attack being launched from it). Other tell-tale signs are new executables being installed or new programs running on the computer. Most of these are not likely to be caught by the average user, and their absence is not proof that a machine is clean. You need a program that specifically looks for bot-like activity.

Trend Micro developed a free tool a few years back, and we have recently updated it to support newer operating systems and to look for some of the newer bot communication methods developed by the criminals behind the botnets. RUBotted runs in the background (it can run alongside standard security software) and identifies malicious traffic patterns associated with botnets. If it finds something, an alert pops up on your computer and asks whether you want to run a HouseCall scan, Trend Micro's free on-demand security scanner that detects and cleans malicious code from your computer.
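The two traffic patterns mentioned above, a fixed communication path back to a C&C server and a burst of outbound connections, can be approximated with simple heuristics over connection logs. The script below is an added example written for this post; it is not RUBotted's detection logic (which Trend Micro does not publish), and the log format, thresholds, and traffic it runs over are all constructed for illustration. It flags "beaconing" (repeated connections to one destination at near-constant intervals, the classic bot check-in) and "fan-out" (one host contacting many distinct destinations in a short window, the shape of a spam run or a DDoS flood).

```python
"""Toy botnet-traffic heuristics over connection logs.

Added example, not RUBotted's code or signatures. Log format (assumed):
"epoch_seconds src dst dport bytes_out", one connection per line.
"""
from collections import defaultdict
from statistics import mean, pstdev


def build_sample_log():
    """Constructed traffic, not a real capture: one beaconing host, one
    spam-like fan-out host, and one host with ordinary browsing."""
    lines = []
    # 10.0.0.5 checks in with 203.0.113.10:443 every ~300s (+/- a few seconds)
    for i, jitter in enumerate([0, 2, -1, 1, 0, -2, 1]):
        lines.append(f"{1000 + 300 * i + jitter} 10.0.0.5 203.0.113.10 443 {500 + i}")
    # 10.0.0.12 hits 30 different mail servers on port 25 within 30 seconds
    for i in range(30):
        lines.append(f"{5000 + i} 10.0.0.12 192.0.2.{i + 1} 25 300")
    # 10.0.0.9 browses the same site repeatedly but at irregular, human intervals
    for ts in (1050, 1500, 1510, 2300, 4000, 4005):
        lines.append(f"{ts} 10.0.0.9 198.51.100.7 80 2048")
    lines.append("1512 10.0.0.9 198.51.100.8 80 900")
    return "\n".join(lines)


def parse_log(text):
    """Parse log lines into dicts; blank lines and '#' comments are skipped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split()
        rows.append({"ts": int(ts), "src": src, "dst": dst,
                     "dport": int(dport), "bytes": int(nbytes)})
    return rows


def find_beacons(rows, min_hits=5, max_cv=0.1):
    """Flag (src, dst, dport) flows whose inter-connection gaps are nearly
    constant. A coefficient of variation (stdev / mean) at or below max_cv
    means the timing is too regular for a person at a keyboard."""
    by_flow = defaultdict(list)
    for r in rows:
        by_flow[(r["src"], r["dst"], r["dport"])].append(r["ts"])
    hits = []
    for flow, stamps in by_flow.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append({"flow": flow, "period_s": round(avg), "cv": round(cv, 3)})
    return hits


def find_fanout(rows, window_s=60, min_dsts=20):
    """Flag hosts that contact at least min_dsts distinct destinations inside
    any sliding window of window_s seconds (spam runs, DDoS floods)."""
    by_src = defaultdict(list)
    for r in rows:
        by_src[r["src"]].append((r["ts"], r["dst"]))
    hits = []
    for src, events in by_src.items():
        events.sort()
        left = 0
        for right in range(len(events)):
            while events[right][0] - events[left][0] > window_s:
                left += 1
            distinct = {d for _, d in events[left:right + 1]}
            if len(distinct) >= min_dsts:
                hits.append({"src": src, "distinct_dsts": len(distinct),
                             "window_start": events[left][0]})
                break  # one alert per host is enough
    return hits


if __name__ == "__main__":
    rows = parse_log(build_sample_log())
    for b in find_beacons(rows):
        print("beacon:", b)
    for f in find_fanout(rows):
        print("fan-out:", f)
```

On the constructed log only 10.0.0.5 is reported as beaconing (period about 300 s) and only 10.0.0.12 as fanning out; the browsing host 10.0.0.9 revisits the same server six times but with gaps that vary by orders of magnitude, so its coefficient of variation is far above the threshold. Real bots add random jitter and rotate C&C addresses precisely to defeat checks this simple, which is the point the post makes about criminals updating their code to stay ahead of detection.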
You don't want to become a zombie and join the living dead out there on the Internet, so install RUBotted now. Look for my next blog post, which will go into more depth on the latest botnet techniques being used within the cybercriminal underground. Leave a comment if you have questions or just want to tell me your thoughts.