Sunday

Botnet Remediation: Tools and Techniques

What can you do about botnets? As promised, a followup on my previous post.

  1. Let someone tell you. Make sure that your IP range is properly registrated at ARIN or APNIC or RIPE and that you list an abuse@yourdomain.com address so you can be reached
  2. Sniff your network. Deploy a network IDS (such as snort or one of the many commercial ones) to look for suspicious activity. If your security network policy (and firewalls) doesn't allow IRC, this might be an indication. The most common used communication protocol for botnets is IRC (at least for now).
  3. Try to define a baseline of your network. Monitor the bandwidth usage through SNMP and something like MRTG or CACTI. A sudden increase in network usage may indicate bots or attacks. Tools like wireshark can help you analyze the packets.
  4. Check your firewall logfiles on a regular basis. Especially scans with an internal source address might indicate a bot.
  5. Protect your endpoints. Run Anti-malware agents on desktops and laptops. Centralize the management and check every day if their databases are up-to-date. Follow up on errors.
  6. Keep systems patched and up-to-date.
If despite all your efforts to prevent infection, you get a report of an infected PC, follow the incident response procedure. Make sure that there is a policy which describes the steps to take and who's responsible for them. I will go more in details into forensics in a next discussion. In the meanwhile, a short remediation procedure:
  1. Receive warning of a infected instance
  2. Open a trouble ticket/incident number
  3. Disconnect the pc from the network
  4. Perform a quick forensic analysis of the pc
  5. Copy the user's data and scan it for viruses
  6. Reimage the PC
If you want to do a full forensic analysis later on, make a bitcopy of the harddisk before step 4. Having a 1GB USBstick with the following tools can help you in the investigation:
Check all processes and all open networkports and look for any unusal activity. Check which programs are set to run at boottime. Use a clean PC to compare if necessary. Scan it with a bootable CD with an up-to-date virusscanner. If you have any indication of a compromise, re-image the PC.

Posted by Security4all at 8.4.07

Labels: , , ,

2 comments:

Anonymous said...

These are the basics for monitoring and remediation for botnets. The more advanced stuff would require the isp to assistance and of course, maybe configure the routers or firewall to harden the stack. Servers will also have to be configured to harden their stack.

hackathology

April 10, 2007 6:51 PM
Security4all said...

Any reference to more advanced stuff is always appreciated! :)

April 12, 2007 5:37 PM

Post a Comment

Subscribe to: Post Comments (Atom)