Ed Felten (a Princeton professor who does a lot of interesting security research) asks "Why so little attention to botnets?" He points out that the ongoing battle with botnets isn’t going so well. I wanted to point out how ZoneAlarm users are protected from this malware and give you tips to prevent your system from becoming a part of a botnet.
First, what are botnets used for? One of the most prevalent uses is spam. Attackers load spam-trojans on computers, causing the infected systems to become part of a SpamNet. A SpamNet is a group of systems that are used to send spam. Once infected, these systems become spam engines — awaiting a new spam "seed" from the spammer and relaying that email out to thousands of other people.
How much spam do these hijacked systems send? As mentioned in a previous post, some estimates show 50%-80% of spam is sent by hijacked home PCs. From my experience, I’d say that seems like a reasonable estimate.
Some botnets are used to conduct Distributed Denial of Service (DDoS) attacks on target companies or networks. These types of attacks are very underreported; while working at a couple of large ISPs in the past, I'd see these types of attacks weekly.
How do these DDoS attacks work? The attacker would launch a small, short attack lasting only a couple of minutes to scare the target company and get their attention. Soon after the first attack, the company would receive an "extortion letter". This letter would request "protection money" — a request for payment that would "protect" the company from future attacks. Some companies think the only option is to pay, but once they do that, they start a downward spiral of paying protection money to an attacker (who effectively holds their network hostage).
How can you protect yourself? Ensure your systems are patched and keep them clean. Run your AV/AS (anti-virus/anti-spyware) scanner regularly and ensure the signatures are up-to-date. ZoneAlarm offers a couple of different protections specific to botnets. First, to protect against SpamNets, ZoneAlarm provides Outbound Mailsafe Protection:
As you can see, if your computer attempts to send more than 5 emails in 2 seconds, or to send an email to more than 50 recipients, ZoneAlarm will warn you.
Next is the Spy Site Blocking feature:
Unlike browsers, which can only block web traffic to bad sites, ZoneAlarm is a firewall, so it can block all network traffic to sites distributing malware/spyware/adware, botnet IRC channels, etc., not just browsing activity. Furthermore, we've added specific protection from malicious botnet "Command and Control" channels to Spy Site Blocking. These Command and Control channels are usually IRC channels through which the attacker can use the zombie machine to send spam or attack other networks.
This prevents your system from being remotely controlled and blocks participation in DDoS attacks. The AV/AS scanner can then find and remove malware that has infected the machine.
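To make the two protections above concrete, here is an added example (written for this post, not ZoneAlarm's own code) that models both the Outbound Mailsafe rate rule and the Spy Site Blocking behaviour over a stream of outbound connection events. The thresholds (more than 5 mails in 2 seconds, more than 50 recipients) come from the post; the event format, the `Event`/`MailBurstDetector`/`analyze` names, the blocklist entries and the sample events are all constructed for illustration and are not real indicators. It also contrasts a browser-style blocker, which only sees HTTP(S), with a firewall-style check that matches the destination on any protocol, which is the point of the IRC example in the text.

```python
from collections import deque
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Thresholds taken from the Outbound Mailsafe description in the post.
MAX_MAILS_PER_WINDOW = 5   # more than this many mails ...
WINDOW_SECONDS = 2.0       # ... within this many seconds triggers a warning
MAX_RECIPIENTS = 50        # one mail to more than this many recipients triggers a warning

# Hypothetical Command-and-Control blocklist. Placeholder values only
# (reserved example name and documentation address), not real indicators.
CC_BLOCKLIST = {"irc.example-cc.invalid", "198.51.100.23"}


@dataclass
class Event:
    """One outbound connection attempt as a host firewall would observe it (constructed format)."""
    ts: float            # seconds since monitoring started
    proto: str           # application protocol as classified by the firewall
    dst_host: str        # destination hostname or IP
    dst_port: int
    recipients: int = 0  # envelope recipients; only meaningful for smtp


class MailBurstDetector:
    """Sliding-window counter modelling the two Mailsafe rules."""

    def __init__(self, max_mails: int = MAX_MAILS_PER_WINDOW,
                 window: float = WINDOW_SECONDS,
                 max_recipients: int = MAX_RECIPIENTS) -> None:
        self.max_mails = max_mails
        self.window = window
        self.max_recipients = max_recipients
        self.sent: deque = deque()  # timestamps of mails inside the current window

    def check(self, ev: Event) -> Optional[str]:
        if ev.proto != "smtp":
            return None
        # Drop timestamps that fell out of the window before counting this mail.
        while self.sent and ev.ts - self.sent[0] > self.window:
            self.sent.popleft()
        self.sent.append(ev.ts)
        if len(self.sent) > self.max_mails:
            return f"burst: {len(self.sent)} mails within {self.window}s"
        if ev.recipients > self.max_recipients:
            return f"fan-out: {ev.recipients} recipients in one mail"
        return None


def browser_filter_blocks(ev: Event) -> bool:
    """A browser-side site blocker only sees web traffic."""
    return ev.proto in ("http", "https") and ev.dst_host in CC_BLOCKLIST


def firewall_blocks(ev: Event) -> bool:
    """A host firewall can match the destination on any protocol or port."""
    return ev.dst_host in CC_BLOCKLIST


def analyze(events: List[Event]) -> List[Tuple[float, str]]:
    """Run both checks over an event stream; returns (timestamp, reason) alerts."""
    detector = MailBurstDetector()
    alerts: List[Tuple[float, str]] = []
    for ev in events:
        if firewall_blocks(ev):
            alerts.append((ev.ts, f"c2: blocked {ev.proto} to {ev.dst_host}:{ev.dst_port}"))
        reason = detector.check(ev)
        if reason:
            alerts.append((ev.ts, reason))
    return alerts


# Constructed sample events (not captured traffic).
SAMPLE_EVENTS = [
    Event(0.0, "https", "www.example.com", 443),
    Event(1.0, "irc", "irc.example-cc.invalid", 6667),  # C2 channel over IRC, invisible to a browser filter
    *[Event(2.0 + 0.2 * i, "smtp", "mx.example.net", 25, recipients=3) for i in range(6)],  # 6 mails in 1s
    Event(10.0, "smtp", "mx.example.net", 25, recipients=120),  # single mail with large fan-out
    Event(11.0, "http", "198.51.100.23", 80),  # web traffic to a listed host; both filters catch this
]

if __name__ == "__main__":
    for ts, reason in analyze(SAMPLE_EVENTS):
        print(f"t={ts:5.1f}s  {reason}")
```

Running it yields four alerts: the IRC connection at t=1s (caught only by the firewall-style check), the sixth mail of the burst at t=3s, the 120-recipient mail at t=10s, and the HTTP connection at t=11s. The burst rule fires on the first mail that pushes the window over the limit, so a legitimate mail client that sends a handful of messages a few seconds apart never trips it.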