Avoid becoming a Zombie and prevent Botnet attacks

By SecurityAsia Editors | May 5, 2011

As May is Zombie Awareness Month, we thought we’d highlight the current dangers and activities of zombies.

Of course, in this particular instance, we’re talking about computer zombies: infected machines that obediently carry out commands from a remote master without question or complaint. Zombies can grow in numbers very quickly, each one ultimately reporting to the same master, and together they form a botnet.

Today, Fortinet Labs is conducting a full-blown war on zombies. Yes, “The Walking Dead” in Cyberspace. But, this is no Hollywood act. Authorities and security experts around the globe are joining forces to hunt, monitor and destroy these zombies. Recent examples include Bredolab (Dutch High Tech Crime Unit), Rustock (Microsoft DCU) and Coreflood (FBI). With a wealth of infectious zombies crawling about, we want to focus on how to spot and avoid today’s zombie menace.

Below are seven tips for enterprises:

1.     Inspect machines/environments on a regular basis
Zombies can be very patient pieces of code that can wait weeks or months before activating. Do not assume all is well on a one-shot inspection that fails to observe malicious activity.

2.     Do not rely on visual inspection or on what the machine tells you.
Gateway inspection of traffic is the best way to sniff out a zombie: once packets have left the machine they cannot be altered by whatever is hiding on it. Zombies frequently install rootkits, which gain kernel-level privileges and can essentially control the operating system, hiding files, windows, processes and network traffic from anything that runs on that host.

3.     Quarantine a machine on detection, or on visual clues such as fake antivirus pop-ups. Clean it before reinstating it on the network.
Zombies make money for their masters. The most popular way is scareware: windows that pop up claiming the user needs to purchase cleaning software. This is a sure sign that a resident zombie has downloaded the software to generate cash flow. Zombies can quickly infect other machines on the local network, so it is very important to quarantine the machine immediately and keep it isolated until the threat has been cleaned up. Fortinet’s FortiCleanup Rootkit & Malware removal tool can be found here free of charge: http://www.fortiguard.com/antivirus/malware_removal.html

4.     Profile traffic

Zombies are creatures of habit: they check in with the same servers, on the same port (typically HTTP), at regular intervals. A steady stream of outbound HTTP requests to one IP address, especially when no browser is open, is a strong indication that a zombie has infected the system.

5.     Inspect egress traffic

Intrusion prevention helps stop zombies from invading a network, and the same technology can detect zombie chatter on the way out. Even when a machine is already infected, detecting and blocking the outbound traffic to its master is an effective way to mitigate the threat: the zombie still lives, but it can neither receive commands nor send out information such as stolen bank credentials.
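Tips 4 and 5 together describe a detection that can be scripted against gateway flow records: group outbound web flows by (source, destination, port), look for many flows with near-constant spacing, and then cut the flagged destination off at the egress point. The script below is an added example, not code from the original article or from Fortinet; the flow records are constructed, the 0.2 jitter threshold and six-flow minimum are assumed starting points to tune per environment, and the iptables FORWARD rules assume a Linux gateway is the enforcement point. It goes slightly beyond the text by also covering HTTPS and an allowlist for software updaters, which beacon on a schedule for legitimate reasons.

```python
"""Beacon detection over outbound flow records, plus egress block rules.

Added example. Input is a list of (timestamp, src_ip, dst_ip, dst_port, bytes)
tuples of the kind a gateway or NetFlow exporter produces. Flows to the same
(src, dst, port) that recur at a regular period with little jitter are
flagged as zombie check-ins; legitimate updaters go on the allowlist.
"""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, FrozenSet, List, Tuple

Flow = Tuple[float, str, str, int, int]  # (epoch seconds, src, dst, dport, bytes)

# Constructed sample (not real traffic). 10.0.0.7 contacts 203.0.113.5:80
# about every 60 s with a few seconds of jitter; 10.0.0.8 is a person browsing.
SAMPLE_FLOWS: List[Flow] = [
    (0.0,   "10.0.0.7", "203.0.113.5", 80, 412),
    (61.0,  "10.0.0.7", "203.0.113.5", 80, 410),
    (119.0, "10.0.0.7", "203.0.113.5", 80, 415),
    (181.0, "10.0.0.7", "203.0.113.5", 80, 409),
    (240.0, "10.0.0.7", "203.0.113.5", 80, 413),
    (302.0, "10.0.0.7", "203.0.113.5", 80, 411),
    (359.0, "10.0.0.7", "203.0.113.5", 80, 414),
    (5.0,   "10.0.0.8", "198.51.100.20", 443, 2200),
    (7.0,   "10.0.0.8", "198.51.100.20", 443, 9800),
    (8.0,   "10.0.0.8", "198.51.100.20", 443, 1500),
    (44.0,  "10.0.0.8", "198.51.100.20", 443, 3300),
    (95.0,  "10.0.0.8", "198.51.100.20", 443, 700),
    (96.0,  "10.0.0.8", "198.51.100.20", 443, 12000),
    (310.0, "10.0.0.8", "198.51.100.20", 443, 4100),
]

WEB_PORTS = frozenset({80, 443, 8080})
# Assumed allowlist of destinations that legitimately poll on a timer.
UPDATE_SERVERS: FrozenSet[str] = frozenset({"192.0.2.50"})


def find_beacons(flows: List[Flow], min_flows: int = 6, max_cv: float = 0.2,
                 ports: FrozenSet[int] = WEB_PORTS,
                 allow: FrozenSet[str] = UPDATE_SERVERS) -> Dict[tuple, dict]:
    """Return {(src, dst, port): summary} for flow groups that look like beacons.

    A group qualifies when it has at least `min_flows` flows and the
    coefficient of variation (stdev / mean) of the gaps between them is at
    most `max_cv`, i.e. the timing is regular. Humans browsing are bursty.
    """
    by_key = defaultdict(list)
    for ts, src, dst, dport, _ in flows:
        if dport in ports and dst not in allow:
            by_key[(src, dst, dport)].append(ts)

    beacons: Dict[tuple, dict] = {}
    for key, stamps in by_key.items():
        if len(stamps) < min_flows:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        cv = pstdev(gaps) / period
        if cv <= max_cv:
            beacons[key] = {"flows": len(stamps),
                            "period_s": round(period, 1),
                            "jitter_cv": round(cv, 3)}
    return beacons


def egress_block_rules(beacons: Dict[tuple, dict]) -> List[str]:
    """Render one drop rule per flagged (src, dst, port) for a Linux gateway.

    FORWARD is the chain a router sees transit traffic on; use OUTPUT instead
    if the rule is applied on the infected host itself.
    """
    return [f"iptables -A FORWARD -s {src} -d {dst} -p tcp --dport {port} -j DROP"
            for (src, dst, port) in sorted(beacons)]


if __name__ == "__main__":
    found = find_beacons(SAMPLE_FLOWS)
    for key, info in found.items():
        print("beacon:", key, info)
    for rule in egress_block_rules(found):
        print(rule)
```

The jitter measure is what separates the zombie from the browsing user in the sample: the check-ins are 57 to 62 seconds apart (coefficient of variation about 0.03), while the human's requests are clustered and then idle (coefficient of variation above 1). Tune `min_flows` and `max_cv` against a day of your own records before acting on the output, and keep the allowlist short and reviewed; a zombie that hides behind a legitimate-looking update host will not be caught by this check, which is why tip 5 pairs it with intrusion prevention.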

6.     Avoid infection. Defend against attacks.
Zombies can infect through email attachments, malicious links, USB drives and PDF documents. Make sure autorun is disabled. Usually a file needs to be opened or a link needs to be followed to trigger an infection, so always look at a link before clicking on it. Where is it taking you? Is the domain spelled wrong? Does the text of the link match where it actually points? It doesn’t matter whether the link arrives by email, social networking or instant messaging; the same thought process applies. PDF, DOC and XLS files can also be the source of an infection, so take a moment to examine emails with attachments and links before opening them.
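The link checks in tip 6 (where does it go, is the domain misspelled, does the visible text match the target) can be automated for a mail gateway or a user-facing warning. The function below is an added example, not from the original article; the trusted-domain list, the constructed sample links and the two-edit typosquat threshold are assumptions. It also catches two tricks the text does not spell out: a `user@host` prefix that makes the real host look like a trusted site, and a trusted brand name placed in a subdomain of an untrusted domain.

```python
"""Classify a hyperlink as it would appear in an email: display text plus href.

Added example. Returns a list of human-readable findings; an empty list means
nothing suspicious was seen. The trusted-domain list is a placeholder.
"""
from typing import List
from urllib.parse import urlsplit

# Assumed list of brands the organisation's users actually visit.
TRUSTED = {"paypal.com", "example-bank.com", "microsoft.com"}
MAX_TYPO_DISTANCE = 2


def registrable(host: str) -> str:
    """Approximate the registrable domain as the last two labels.

    Good enough for .com/.net style names; a real deployment would use the
    Public Suffix List to handle names such as example.co.uk.
    """
    host = host.lower().rstrip(".")
    if host.replace(".", "").isdigit():      # bare IPv4 address
        return host
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def levenshtein(a: str, b: str) -> int:
    """Edit distance; small non-zero values against a trusted name mean typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_link(display_text: str, href: str) -> List[str]:
    findings: List[str] = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    if not host:
        return ["href has no host"]
    reg = registrable(host)

    # http://paypal.com@203.0.113.9/ -> browser connects to 203.0.113.9
    if parts.username is not None:
        findings.append(f"userinfo before '@'; real host is {host}")
    if host.replace(".", "").isdigit():
        findings.append(f"bare IP address as host: {host}")

    # Link text that looks like a URL or domain but points somewhere else.
    shown = display_text.strip().lower()
    if "." in shown and " " not in shown:
        shown_url = shown if "://" in shown else "http://" + shown
        shown_host = (urlsplit(shown_url).hostname or "").lower()
        if shown_host and registrable(shown_host) != reg:
            findings.append(f"link text says {shown_host} but href goes to {host}")

    if reg in TRUSTED:
        return findings                      # genuinely the trusted site

    for trusted in TRUSTED:
        distance = levenshtein(reg, trusted)
        if 0 < distance <= MAX_TYPO_DISTANCE:
            findings.append(f"{reg} is {distance} edit(s) from trusted {trusted}")
        brand = trusted.split(".")[0]
        if brand in host:
            findings.append(f"'{brand}' appears in {host} but the registrable domain is {reg}")
    return findings


if __name__ == "__main__":
    # Constructed sample links as they might appear in a phishing email.
    samples = [
        ("https://www.paypal.com/", "https://www.paypal.com/"),
        ("www.paypal.com", "http://www.paypa1.com/login"),
        ("Click here", "http://paypal.com@203.0.113.9/"),
        ("Secure login", "http://paypal.com.secure-login.example/"),
    ]
    for text, url in samples:
        print(f"{text!r} -> {url}: {assess_link(text, url) or 'ok'}")
```

Every finding is a reason to pause, not a verdict: a legitimate newsletter might route through a tracking host whose name contains the brand. The point of the checks is to make the user (or the gateway) ask the questions in tip 6 before the click, not after it.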

7.     Deploy a unified threat management (UTM) approach to security

  • Antivirus inspection can help block binary zombie code from executing on a system
  • Intrusion prevention can help block exploit code from planting a zombie on a system through a malicious website
  • Web filtering can help block malicious URLs before malicious code is sent to a browser (and inspected)
  • Antispam can help flag malicious emails carrying attachments and links
  • Application control can help block zombie chatter, cutting the zombie off from its master
