Contributed by: Nono
Date: October 3, 2008
How To Detect Botnets In Your Network


It seems that even regular scanning of computers with antivirus software will not prevent your computer from becoming part of a botnet.

Matt Sergeant, senior anti-spam technologist for MessageLabs Ltd., feels that large organizations and Internet Service Providers still have a lot to learn with regards to internal botnet infections. According to Sergeant there is an insufficient number of DNS blacklists tracking botnets, which is not the greatest of news for an anti-spam economy.

Large organizations tend to assume that antivirus engines will catch botnet infestations, but most of the time they don't. Some botnets are so good at hiding that an antivirus scan gives your PC a clean bill of health, while behind the scenes the bot is still operating smoothly.

With the overwhelming use of polymorphic code and ever-evolving malware attacks, antivirus vendors are struggling to keep up with botnet infections. Botnets were also found to operate in several stages: at first a PC is infected by a piece of malware; by the time the antivirus identifies it, the malware will already have downloaded the second phase of malware; lastly it deletes the original infected file. Many botnets are capable of disabling antivirus engines in order to remain undetected.

Sergeant says it takes a lot of determination and some expertise to detect bots in-house. Recognizing patterns in large quantities of email, and recognizing new items coming in, is key to the detection of in-house bots. Unfortunately almost all mail servers do not provide the level of detail on messages required to single out bot-originated messages.


Sergeant advised that the first step to bot detection is to block port 25 for both incoming and outgoing traffic, but don't block traffic to your mail server. From there your firewall logs can be trusted to display any intruder machines trying to send spam from your network. Keep an eye on the number of DNS queries that take place: bots do a lot more DNS queries than normal, so that would be a good indication. Also look out for MX lookups and .ru, .cn, and .info lookups. These usually signify that communication is being attempted between the bots and their command-and-control server.

TCP fingerprinting is also recommended, as you can search for specific characteristics of already discovered botnets such as Srizbi. You can also simply watch for unusual volumes of bot traffic in your network and track flow data, for instance. In some cases the use of honeypots to block botnet traffic will also help.
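The DNS indicators above (per-host query volume, MX lookups, and .ru/.cn/.info lookups) can be checked against a resolver's query log. The following is an added example, not code from the article or from MessageLabs; it assumes a BIND-style query-log line format, uses constructed sample lines, and the thresholds are arbitrary starting points to tune per network.

```python
import re
from collections import defaultdict

# Constructed sample query-log lines (BIND-style format assumed; not real traffic).
SAMPLE_DNS_LOG = """\
client 10.0.0.5#51234: query: mail.example.com IN A
client 10.0.0.5#51235: query: www.example.com IN A
client 10.0.0.9#40001: query: mail.example.com IN MX
client 10.0.0.9#40002: query: gmail.com IN MX
client 10.0.0.9#40003: query: yahoo.com IN MX
client 10.0.0.9#40004: query: update-node.example.ru IN A
client 10.0.0.9#40005: query: cnc.example.cn IN A
client 10.0.0.9#40006: query: tracker.example.info IN A
client 10.0.0.9#40007: query: hotmail.com IN MX
client 10.0.0.9#40008: query: aol.com IN MX
"""

QUERY_RE = re.compile(r"client (\d+\.\d+\.\d+\.\d+)#\d+: query: (\S+) IN (\S+)")
SUSPICIOUS_TLDS = (".ru", ".cn", ".info")  # TLDs named in the article


def score_dns_clients(log_text, query_threshold=5, mx_threshold=3):
    """Return {client_ip: [reasons]} for clients whose DNS behaviour matches the
    article's indicators: high query volume, many MX lookups, suspicious TLDs."""
    stats = defaultdict(lambda: {"queries": 0, "mx": 0, "suspicious": []})
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # skip lines that are not query records
        ip, name, qtype = m.groups()
        s = stats[ip]
        s["queries"] += 1
        if qtype == "MX":
            s["mx"] += 1  # a workstation rarely needs MX records; spam bots do
        if name.lower().rstrip(".").endswith(SUSPICIOUS_TLDS):
            s["suspicious"].append(name)
    findings = {}
    for ip, s in stats.items():
        reasons = []
        if s["queries"] >= query_threshold:
            reasons.append(f"{s['queries']} DNS queries")
        if s["mx"] >= mx_threshold:
            reasons.append(f"{s['mx']} MX lookups")
        if s["suspicious"]:
            reasons.append("lookups in " + ", ".join(s["suspicious"]))
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, reasons in score_dns_clients(SAMPLE_DNS_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

A flagged host is a lead to correlate with the firewall's outbound port 25 denies, not a verdict on its own.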

Doing your own botnet investigation can be dangerous. Remember you are dealing with criminals here, so it would be wise to get some legal advice if you choose to take that route. DoS attacks are one thing you can definitely expect if it is found out that you are investigating a botnet; these guys don't mess around.

Should you find a bot in your network, get the machine cleaned up with your preferred antivirus, then let the upstream service provider know so they can shut down the command-and-control machines. Other than that there is not much you can do. Matt Sergeant will be giving a presentation on "Tracking Current and Future Botnets" on the 7th of October at SecTor.

User Comments

Mehdi February 1, 2009
Thanks for the great article
it's really helpful