Botnet malware defense

Published: 2008-03-13
Last Updated: 2008-03-14 05:18:00 UTC
by Jason Lam (Version: 1)
3 comment(s)

Today we solicited ideas, from an organizational standpoint, on protecting against botnet malware infections. The focus is on practical experience with defensive approaches and technologies that either keep botnet malware off the machines or detect machines that are already infected.

Prevention
=========

- Ensure OS and application patches on the desktop are up to date

- Disallow installation of new software on desktops (users have no administrative rights)

- Block domains and addresses that are known to distribute malware or host C&C servers, for example using these lists:
    - Malware domains http://www.malwaredomains.com
    - C&C list http://www.emergingthreats.net/rules/bleeding-botcc.rules
    - RBN list http://www.emergingthreats.net/rules/bleeding-rbn.rules

- Use a different AV engine on the web proxy than on the desktop (defense in depth)

- Block IRC ports; this offers some protection against older-generation botnets that still use IRC for C&C

- Block all ports that are not explicitly needed and force all traffic through proxies, where traffic and anomalous behavior can be monitored.

- Harden the browser with NoScript for Firefox and security zones for IE

- Watch Office documents in email, particularly from spoofed sources. If the connecting source IP doesn't match what the message headers claim, drop the email

- When performing JRE updates, ensure the old version gets removed; a leftover old JRE remains exploitable.

- Use a HIPS (Host Intrusion Prevention System) to block potentially harmful or abnormal behavior on the desktops
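Turning the block lists above into something enforceable means parsing two quite different feed formats: a plain domain-per-line file (the malwaredomains.com style) and Snort rules whose destination field is a bracketed list of C&C addresses (the bleeding-botcc.rules style). The following is an added example, not code from the diary or from the feed providers; the two feed samples are constructed to imitate the shape of those files and are not real entries, and the function and variable names are my own. It builds a domain set and a network list, checks a hostname or IP against them (subdomains of a listed domain count as blocked), and emits a Squid `dstdomain` ACL file, where a leading dot matches the domain and all of its subdomains.

```python
import ipaddress
import re

# Constructed sample in the shape of the malwaredomains.com list: one domain per
# line, '#' comment lines, optional tab-separated columns after the domain.
# Made-up data for the example, not the real feed.
MALWARE_DOMAINS_SAMPLE = """\
## constructed sample, not the real feed
evil-downloader.example\tmalware\t2008-03-01
update.badtoolbar.example\tadware\t2008-02-20
"""

# Constructed sample in the shape of bleeding-botcc.rules: Snort rules whose
# destination is a bracketed list of C&C addresses or CIDR blocks.
# Made-up data for the example, not the real feed.
BOTCC_RULES_SAMPLE = """\
# constructed sample, not the real feed
alert tcp $HOME_NET any -> [192.0.2.10,192.0.2.11,198.51.100.0/24] any (msg:"ET CNC Known C&C server";)
alert tcp $HOME_NET any -> [203.0.113.5] any (msg:"ET CNC Known C&C server";)
"""

# The bracketed destination list after the '->' direction operator.
DEST_LIST_RE = re.compile(r'->\s*\[([^\]]+)\]')


def parse_domain_list(text):
    """Return the set of blocked domains (lower-cased, no trailing dot)."""
    domains = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        domains.add(line.split()[0].lower().rstrip('.'))
    return domains


def parse_botcc_rules(text):
    """Return the C&C networks listed as rule destinations (hosts become /32)."""
    nets = []
    for line in text.splitlines():
        m = DEST_LIST_RE.search(line)
        if not m:
            continue
        for token in m.group(1).split(','):
            token = token.strip()
            if token:
                nets.append(ipaddress.ip_network(token, strict=False))
    return nets


def domain_is_blocked(host, domains):
    """True if host equals, or is a subdomain of, any blocked domain."""
    labels = host.lower().rstrip('.').split('.')
    return any('.'.join(labels[i:]) in domains for i in range(len(labels)))


def ip_is_blocked(ip, nets):
    """True if the address falls inside any listed C&C network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def squid_dstdomain_acl(domains):
    """Lines for a Squid dstdomain ACL file; the leading dot also matches subdomains."""
    return sorted('.' + d for d in domains)


DOMAINS = parse_domain_list(MALWARE_DOMAINS_SAMPLE)
NETS = parse_botcc_rules(BOTCC_RULES_SAMPLE)

if __name__ == '__main__':
    for host in ('cdn.evil-downloader.example', 'www.example.com'):
        print(host, 'BLOCKED' if domain_is_blocked(host, DOMAINS) else 'ok')
    for ip in ('198.51.100.77', '192.0.2.12'):
        print(ip, 'BLOCKED' if ip_is_blocked(ip, NETS) else 'ok')
    print('\n'.join(squid_dstdomain_acl(DOMAINS)))
```

Feed lists change daily, so the parsing should run against a fresh download on a schedule, and the generated ACL should be reloaded rather than hand-edited; a stale list silently stops protecting.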

Detection
=============

- Deploy listening nepenthes honeypot sensors on local IP space for early detection of infected machines.

- Deploy commercial and open-source detection systems such as BotHunter and MainNerve.

- Set up internal darknets (unused internal address space) to detect bots that spread through blind network scans

- Monitor egress traffic during off-hours to pick out phone-home connections

- Monitor user-agent strings on the web proxy and flag anomalies.

- Monitor outbound content using data loss monitoring (DLP) systems

- Scan for BHOs (Browser Helper Objects) and match them against a known-bad list such as the one at CastleCops
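The proxy-log items above (off-hours phone-homes and user-agent anomalies) combine naturally, since a bot that phones home through the proxy tends to do so at a fixed interval, at odd hours, with a user-agent that no real browser in the fleet uses. The following is an added example, not code from the diary: it parses a proxy log in Apache "combined" format (Squid can write this with `logformat combined`), then reports user-agents seen from only a single client, external hosts contacted outside business hours, and client/host pairs whose request intervals are nearly constant. The log lines are constructed for the example, and the business-hours window, the jitter threshold and the function names are my own assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median
from urllib.parse import urlsplit

# Constructed proxy log in Apache "combined" format; made up for the example.
# Two ordinary daytime browsers, and one host beaconing every ~5 minutes at 03:00.
SAMPLE_LOG = """\
10.0.0.7 - - [13/Mar/2008:09:15:01 +0000] "GET http://www.example.com/ HTTP/1.1" 200 10240 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12" TCP_MISS:DIRECT
10.0.0.8 - - [13/Mar/2008:09:16:30 +0000] "GET http://www.example.com/news HTTP/1.1" 200 8800 "http://www.example.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12" TCP_MISS:DIRECT
10.0.0.7 - - [13/Mar/2008:10:40:12 +0000] "GET http://www.example.org/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12" TCP_MISS:DIRECT
10.0.0.5 - - [13/Mar/2008:03:12:04 +0000] "GET http://cnc.example/beacon.php?id=4a1 HTTP/1.1" 200 64 "-" "Mozilla/4.0 (compatible)" TCP_MISS:DIRECT
10.0.0.5 - - [13/Mar/2008:03:17:05 +0000] "GET http://cnc.example/beacon.php?id=4a1 HTTP/1.1" 200 64 "-" "Mozilla/4.0 (compatible)" TCP_MISS:DIRECT
10.0.0.5 - - [13/Mar/2008:03:22:04 +0000] "GET http://cnc.example/beacon.php?id=4a1 HTTP/1.1" 200 64 "-" "Mozilla/4.0 (compatible)" TCP_MISS:DIRECT
10.0.0.5 - - [13/Mar/2008:03:27:06 +0000] "GET http://cnc.example/beacon.php?id=4a1 HTTP/1.1" 200 64 "-" "Mozilla/4.0 (compatible)" TCP_MISS:DIRECT
"""

# client ident user [timestamp] "METHOD URL PROTO" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
        entries.append({
            'client': m.group('client'),
            'time': ts,
            'host': urlsplit(m.group('url')).hostname or '',
            'ua': m.group('ua'),
        })
    return entries


def rare_user_agents(entries, max_clients=1):
    """User-agent strings used by at most max_clients distinct clients."""
    clients_by_ua = defaultdict(set)
    for e in entries:
        clients_by_ua[e['ua']].add(e['client'])
    return {ua: sorted(c) for ua, c in clients_by_ua.items() if len(c) <= max_clients}


def off_hours_hosts(entries, start=22, end=6):
    """Hosts contacted outside business hours (assumed 06:00-22:00), per client."""
    found = defaultdict(set)
    for e in entries:
        hour = e['time'].hour
        if hour >= start or hour < end:
            found[e['client']].add(e['host'])
    return {c: sorted(h) for c, h in found.items()}


def beacon_candidates(entries, min_hits=4, jitter=5):
    """(client, host) pairs whose request gaps vary by at most `jitter` seconds.

    Returns the median gap in seconds for each candidate."""
    times = defaultdict(list)
    for e in entries:
        times[(e['client'], e['host'])].append(e['time'].timestamp())
    result = {}
    for key, ts in times.items():
        if len(ts) < min_hits:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if max(gaps) - min(gaps) <= jitter:
            result[key] = median(gaps)
    return result


ENTRIES = parse_log(SAMPLE_LOG)

if __name__ == '__main__':
    print('rare user-agents:', rare_user_agents(ENTRIES))
    print('off-hours hosts:', off_hours_hosts(ENTRIES))
    print('beacon candidates:', beacon_candidates(ENTRIES))
```

On a real fleet the single-client threshold for user-agents will need raising, and the off-hours window should follow the site's actual schedule; the beacon check is the most robust of the three because it does not depend on what the bot claims to be, only on when it talks.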

Thanks to the following people for contributing information:
Russ McRee, Ned Slider, Gary K, Nate, Paul Tatarsky, Drew Hunt, dxp

-----------------------
Jason Lam


Comments

Software Restriction policy!!!

Blocking outbound Traffic:
* Firewall rules to only allow internal DNS servers to forward queries externally.
* Firewall rules to only allow SMTP from internal mail server.
Detection strategy

http://www.shadowserver.org/wiki/pmwiki.php?n=Information.BotnetDetection
