
A botnet and rootkit removal 101

By Dhwani Pandya, Principal Correspondent
10 Feb 2010 | SearchSecurity.in


Stealthy botnet and rootkit attacks on enterprises are on the rise. Mikko Hypponen, F-Secure's chief research officer, speaks to SearchSecurity.in about recent botnet and rootkit attack patterns and ways to secure enterprises against such attacks.

SearchSecurity.in: How serious a threat are botnets and rootkits in Asia, especially in India?
Mikko Hypponen: In India, the average internet connection speed is slower compared to the US or Europe, a primary factor that has a direct impact on activities undertaken through an infected computer. If a machine does not have enough bandwidth, the attackers are not interested. They need machines with fast connections and sufficient bandwidth to send spam and malicious emails, so this works to the advantage of Indian users.
We have observed rootkit-enabled Trojans which are complicated in structure and target online banking transactions. Targeted corporate espionage attacks are also on the rise; however, they are few in number.

SearchSecurity.in: In what ways can organizations detect and mitigate bot attacks within their networks?
Hypponen: Organizations must strengthen individual workstations to block, prevent and detect the infection. With network traffic monitoring, IDS and IPS, companies should be able to locate in-house infections created by botnets. An administrator who monitors firewall logs can also manually detect bots by keeping an eye on user activity.

If user PCs connect to servers used by known botnets, administrators can identify infected machines on the corporate network. After detecting bots, administrators can disconnect the computer and manually clean it to avoid re-infection of other machines.
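The two checks described in this answer, as an added example that is not part of the interview and not F-Secure's code: a script that reads firewall log lines and reports (a) internal hosts that contacted, or were blocked trying to contact, addresses and domains on a blocklist of known botnet controllers, and (b) internal hosts that connect to one destination at a near-constant interval ("beaconing"), the polling pattern a bot shows even before its controller's address reaches any blocklist. The log format, the blocklist, the internal address ranges and the sample log lines are all constructed for the example; a real deployment reads the firewall's own format and takes indicators from a threat-intelligence feed.

```python
"""
Added example, not code from the interview or from F-Secure: scan
firewall log lines for (a) internal hosts that contacted, or tried to
contact, servers on a blocklist of known botnet controllers, and
(b) internal hosts that connect to one destination at a near-constant
interval ("beaconing"), which is how a bot polls its controller.

The log format, the blocklist, the internal ranges and the sample lines
are all constructed for this example (assumptions, not real data).
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
import re

# Constructed indicators standing in for a threat-intelligence feed.
KNOWN_C2_IPS = {"203.0.113.45", "198.51.100.7"}
KNOWN_C2_DOMAINS = {"update-check.example.net"}
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed format: "<ISO time> <ALLOW|DENY> <src>:<sport> -> <dst>:<dport> [<host>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<src>[\d.]+):\d+ -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)(?: \[(?P<host>[^\]]+)\])?$"
)

# Constructed sample log. 10.0.5.12 polls a listed C2 every five minutes,
# 10.0.7.30 reaches a listed domain, 10.0.9.9 is blocked trying to reach
# a listed IRC port, and 10.0.8.40 beacons to an address on no list.
SAMPLE_LOG = """\
2010-02-10T09:00:00 ALLOW 10.0.5.12:51000 -> 93.184.216.34:80 [www.example.com]
2010-02-10T09:00:05 ALLOW 10.0.5.12:51001 -> 203.0.113.45:443
2010-02-10T09:05:05 ALLOW 10.0.5.12:51002 -> 203.0.113.45:443
2010-02-10T09:10:05 ALLOW 10.0.5.12:51003 -> 203.0.113.45:443
2010-02-10T09:15:05 ALLOW 10.0.5.12:51004 -> 203.0.113.45:443
2010-02-10T09:01:00 ALLOW 10.0.7.30:52000 -> 192.0.2.88:8080 [update-check.example.net]
2010-02-10T09:02:00 DENY 10.0.9.9:53000 -> 198.51.100.7:6667
2010-02-10T09:00:10 ALLOW 10.0.8.40:54000 -> 192.0.2.200:80
2010-02-10T09:00:20 ALLOW 10.0.8.40:54001 -> 192.0.2.200:80
2010-02-10T09:00:30 ALLOW 10.0.8.40:54002 -> 192.0.2.200:80
2010-02-10T09:00:40 ALLOW 10.0.8.40:54003 -> 192.0.2.200:80
"""


def parse_line(line):
    """Return a dict of fields, or None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def blocklist_hits(lines):
    """Map each internal source to the listed indicators it reached for.
    DENY lines count too: a blocked attempt still means the host is infected."""
    hits = defaultdict(set)
    for line in lines:
        e = parse_line(line)
        if e is None or not is_internal(e["src"]):
            continue
        if e["dst"] in KNOWN_C2_IPS:
            hits[e["src"]].add(e["dst"])
        if e["host"] in KNOWN_C2_DOMAINS:
            hits[e["src"]].add(e["host"])
    return dict(hits)


def beaconing(lines, min_events=4, max_jitter=0.1):
    """Return {(src, dst): mean interval in seconds} for pairs whose successive
    allowed connections are all spaced within max_jitter of the mean gap."""
    times = defaultdict(list)
    for line in lines:
        e = parse_line(line)
        if e and e["action"] == "ALLOW" and is_internal(e["src"]):
            times[(e["src"], e["dst"])].append(e["ts"])
    flagged = {}
    for pair, ts in times.items():
        if len(ts) < min_events:
            continue
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and max(abs(g - mean) for g in gaps) <= max_jitter * mean:
            flagged[pair] = mean
    return flagged


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for host, indicators in sorted(blocklist_hits(lines).items()):
        print(f"BLOCKLIST  {host} -> {', '.join(sorted(indicators))}")
    for (src, dst), interval in sorted(beaconing(lines).items()):
        print(f"BEACONING  {src} -> {dst} every {interval:.0f}s")
```

The beaconing check is the one that earns its keep: the blocklist only catches controllers somebody has already identified, while a host that contacts the same outside address every N seconds, regardless of the address, is worth pulling off the network and examining. Expect false positives from legitimate pollers (update services, monitoring agents), so tune `min_events` and `max_jitter` and keep an allowlist of known pollers.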

SearchSecurity.in: Can you provide us with some best practices to avoid bot attacks?
Hypponen: Training, education and a strong user policy are the first best practices. Users should be trained about the infection mechanisms and the best practices to avoid such attacks. A good way to avoid infection is to establish a policy where users can use their work computers only for business purposes. Most infections come through the Web, of which most come from work and recreational access. People conducting Google searches end up on pages that often infect their computers.

SearchSecurity.in: What other trends do you see in usage of bots?
Hypponen: Botnets on mobile platforms are on the rise. We have already seen two mobile phone botnets so far, and it can only get worse. We saw a botnet running on a Symbian-based mobile device and another on an Apple iPhone. Smartphones have access to the Internet and can be targeted for hacks similar to computer-based attacks. The attacker benefits through mobile malware by making money quickly and easily, since he can trace calls, messages and expensive premium-rate numbers straight from the phone.

SearchSecurity.in: How are rootkits utilized to attack corporations?
Hypponen: The rootkit is basically a technology that hides the infection; it started almost five years ago and has become a common, standard part of malware. Rootkits within malware can hide infected files, registry keys and open ports. Even an advanced user may be unable to tell if a machine is infected, as rootkits hide the cause of infection. It can be used to create a 'backdoor' into the system for the hacker's use, alter log files, attack other machines on the network, and alter existing system tools to escape detection.

SearchSecurity.in: Can you give us some rootkit removal tips?
Hypponen: There are two rootkit removal options after you detect one. The first way is to restore a known clean backup. If you encourage regular backups, you don't have to clean anything as such. If you don't have a full backup, then you should remove the rootkit by undoing all the system changes performed by the malware. This can be a complicated process.
The most complicated rootkits that we have seen cannot be removed from within Windows. So you should basically reboot into a different operating system (from a CD-ROM or a USB stick), and then perform the cleaning.
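An added example, not from the interview and not F-Secure's code, of the check that makes the "boot from a CD-ROM or USB stick" step pay off: once the suspect system is not running, its rootkit hooks are not running either, so a plain hash of every file on its disk can be compared against a manifest taken from a known clean source (the backup mentioned above, or a clean install of the same build). The script builds such a manifest, saves and reloads it as JSON, hashes the suspect tree the same way and reports what was modified, added or removed. The directory layout, file names and file contents are constructed for the example; only the comparison logic is meant to be reused.

```python
"""
Added example, not from the interview: an offline integrity check of the
kind run after booting a rescue OS, when the suspect system's rootkit is
not active and cannot hide files or alter what the tools report. Hashes a
known-clean tree into a manifest, hashes the suspect tree, and diffs them.
The file names and contents in demo() are constructed for this example.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file under root (relative, POSIX-style path) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and not p.is_symlink()
    }


def compare_manifests(baseline, current):
    """Differences between a trusted manifest and one taken from the suspect disk."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
    }


def save_manifest(manifest, path):
    Path(path).write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def _populate(root, files):
    """Write the constructed {relative path: bytes} tree under root."""
    for rel, data in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def demo():
    """Build a constructed clean tree and a constructed suspect tree, then compare."""
    clean_files = {
        "system32/netstat.exe": b"clean netstat",
        "system32/tasklist.exe": b"clean tasklist",
        "system32/drivers/disk.sys": b"clean disk driver",
    }
    suspect_files = dict(clean_files)
    suspect_files["system32/netstat.exe"] = b"trojaned netstat"    # altered system tool
    suspect_files["system32/drivers/hidden.sys"] = b"rootkit driver"  # file the rootkit hid
    del suspect_files["system32/tasklist.exe"]                       # tool that was removed
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as suspect, \
            tempfile.TemporaryDirectory() as store:
        _populate(clean, clean_files)
        _populate(suspect, suspect_files)
        manifest_path = Path(store) / "baseline.json"
        save_manifest(build_manifest(clean), manifest_path)  # taken from the clean source
        baseline = load_manifest(manifest_path)              # reloaded on the rescue system
        return compare_manifests(baseline, build_manifest(suspect))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Keep the baseline manifest off the suspect machine (it is only as trustworthy as the disk it sits on), and treat every "modified" and "added" entry under system directories as something to explain before the machine goes back on the network; a full restore from the clean backup is still the simpler path when one exists.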

