
Detecting botnet infections for free

March 15th, 2009 Posted by D Webber

Has your organization’s network been compromised by a malicious bot like the ever-evolving conficker? How do you know?

Botnets infect millions of home computers but also infiltrate corporate networks. Security software vendor Damballa claimed recently that “3% to 5% of enterprise assets are compromised with targeted attack/bot malware – even in the presence of the best and most up-to-date security tools.”

Botnet client malware (drones) is almost never detected by antivirus software: the better-written bots regularly download new versions of themselves, both to change behavior and to evade the utterly obsolete signature-based detection used by AV software.

The only effective way of detecting bots is by detecting their activity: monitoring outbound network traffic to catch bots phoning home to their command-and-control servers or launching attacks.

Some large organizations do proper egress filtering and outbound activity monitoring to detect botnet activity, but smaller organizations rarely have the resources even to outsource such monitoring.
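The kind of outbound-activity monitoring the previous paragraphs describe can be done in-house over a firewall's connection log. The script below is an added example, not code from this article or from either project it mentions; it runs over a constructed sample of outbound-connection log lines (the timestamp/src/dst/dport format is an assumption, not any particular firewall's) and applies two checks: internal hosts other than the mail server speaking SMTP outbound, and (src, dst, port) pairs that are contacted at a near-constant interval, the regular "phone home" pattern of a bot polling its controller.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of outbound-connection log lines: timestamp src dst dport.
# The format is an assumption for this example, not the output of a real firewall.
SAMPLE_LOG = """\
2009-03-15T10:00:00 10.0.0.5 198.51.100.20 80
2009-03-15T10:00:02 10.0.0.12 203.0.113.9 25
2009-03-15T10:00:03 10.0.0.7 198.51.100.33 443
2009-03-15T10:05:00 10.0.0.5 198.51.100.20 80
2009-03-15T10:05:31 10.0.0.12 203.0.113.44 25
2009-03-15T10:10:00 10.0.0.5 198.51.100.20 80
2009-03-15T10:12:10 10.0.0.12 203.0.113.101 25
2009-03-15T10:15:00 10.0.0.5 198.51.100.20 80
2009-03-15T10:15:20 10.0.0.2 203.0.113.9 25
2009-03-15T10:20:00 10.0.0.5 198.51.100.20 80
2009-03-15T10:21:40 10.0.0.7 198.51.100.33 443
"""

# Hosts that are allowed to deliver mail directly to the Internet (assumed for the example).
MAIL_SERVERS = {"10.0.0.2"}


def parse_log(text):
    """Turn log lines into (datetime, src, dst, dport) tuples; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return events


def rogue_smtp_clients(events, mail_servers=MAIL_SERVERS):
    """Internal hosts sending outbound SMTP (port 25) that are not a known mail server.

    Workstations have no business talking SMTP to arbitrary Internet hosts; a spam-sending
    bot is the usual explanation. Returns {src: [sorted destination IPs]}.
    """
    offenders = defaultdict(set)
    for _, src, dst, dport in events:
        if dport == 25 and src not in mail_servers:
            offenders[src].add(dst)
    return {src: sorted(dsts) for src, dsts in offenders.items()}


def beaconing_hosts(events, min_connections=5, max_jitter=0.1):
    """(src, dst, dport) keys contacted at a near-constant interval.

    A human-driven connection pattern is irregular; a bot polling its controller is not.
    A key qualifies when it has at least min_connections events and the relative spread
    of the gaps between them (stddev / mean) is at most max_jitter. Returns
    {key: mean interval in seconds}.
    """
    times = defaultdict(list)
    for ts, src, dst, dport in events:
        times[(src, dst, dport)].append(ts)
    suspects = {}
    for key, stamps in times.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            suspects[key] = avg
    return suspects


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("Non-mail-server hosts sending SMTP:", rogue_smtp_clients(events))
    print("Regular-interval outbound connections:", beaconing_hosts(events))
```

On the constructed sample, 10.0.0.12 is flagged for SMTP to three external hosts while the mail server 10.0.0.2 is not, and 10.0.0.5 is flagged for hitting 198.51.100.20:80 every 300 seconds. Real bots add jitter to their check-in interval, so the threshold is a tuning knob rather than a rule, and both checks are only as good as the completeness of the egress log they read.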

Fortunately, free services exist to monitor outbound malicious activity originating from your netblocks:

Project Honeypot IP Monitor Service:

Project Honeypot is an effort primarily to catch email address harvester robots and identify spam sources. An international network of honeypots detects suspicious activity and reports the source IP.

Their IP Monitor service will monitor a Class C netblock plus five unrelated addresses for free and email a regular report. Sending spam is a common use of botnet clients, so this can alert you to bots on your network or even an employee misusing corporate resources.

The IP monitor is just one of many services offered. The service works even better if you can install one of their honeypots or set up a subdomain to detect spammers.

To sign up and learn about other offerings, visit the Project Honeypot Services page.

Shadowserver Alerting & Reporting Service:

The Shadowserver project aims to raise awareness of compromised servers, malicious attackers, and the spread of malware. They monitor malware, botnet and fraud activity and produce daily and historical reports.

The group recently announced an ASN & Netblock Alerting & Reporting Service. The service claims to detect a wider range of activity than Project Honeypot.

The service is available for a wider range of IP addresses than the Honeypot offering. For details and to sign up, see Shadowserver ASN & Netblock Alerting & Reporting Service.

Limitations

Obviously, these services can only detect malicious activity that hits one of their honeypots. The above projects have a large, ever-changing number of honeypots scattered around the net, so chances are good that bots on your network will eventually hit one.

Still, this could take months, or even not happen at all if the bots on your network are used in targeted attacks against specific networks.

A report of malicious activity originating from a public IP address won’t tell you the specific source on your internal network. Further investigative work on your part will be needed to track down the offender.
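The "further investigative work" comes down to correlating the report with your own NAT or firewall translation logs. The script below is an added example, not from this article or from either service, and both the alert structure and the NAT log format (session start, session end, internal host, public IP, destination) are assumptions. It finds the internal hosts that had a session through the reported public IP active within a slack window around the reported time, and optionally narrows the match by the destination port that fits the reported activity type, since honeypot timestamps may be offset from your firewall's clock.

```python
from datetime import datetime, timedelta

# Constructed NAT translation log: start end internal_host public_ip destination:port.
# The layout is an assumption for this example, not a real firewall's format.
NAT_LOG = """\
2009-03-15T09:58:00 2009-03-15T10:03:00 10.0.0.7 192.0.2.10 198.51.100.33:443
2009-03-15T10:00:00 2009-03-15T10:00:05 10.0.0.12 192.0.2.10 203.0.113.9:25
2009-03-15T10:02:00 2009-03-15T10:30:00 10.0.0.5 192.0.2.10 198.51.100.20:80
2009-03-15T10:05:30 2009-03-15T10:05:34 10.0.0.12 192.0.2.10 203.0.113.44:25
2009-03-15T10:07:00 2009-03-15T10:07:09 10.0.0.9 192.0.2.11 203.0.113.44:25
"""

# A constructed alert of the shape such a service might email: which public IP,
# when it was seen, and what kind of activity hit the honeypot.
ALERT = {"public_ip": "192.0.2.10", "time": "2009-03-15T10:05:32", "type": "spam"}

# Activity type -> destination port worth narrowing on (assumed mapping).
PORT_FOR_TYPE = {"spam": 25}


def parse_nat_log(text):
    """Return a list of dicts with datetime start/end and the remaining fields."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, end, internal, public, dest = line.split()
        dest_ip, dest_port = dest.rsplit(":", 1)
        sessions.append({
            "start": datetime.fromisoformat(start),
            "end": datetime.fromisoformat(end),
            "internal": internal,
            "public": public,
            "dest_ip": dest_ip,
            "dest_port": int(dest_port),
        })
    return sessions


def candidate_internal_hosts(alert, sessions, slack=timedelta(seconds=60), narrow_by_type=False):
    """Internal hosts whose NAT session through the reported public IP overlapped the alert time.

    The window is [alert time - slack, alert time + slack] to absorb clock skew between the
    reporting service and the firewall. With narrow_by_type=True only sessions to the port
    associated with the reported activity type are kept. Returns sorted (internal, dest_ip, dest_port).
    """
    when = datetime.fromisoformat(alert["time"])
    lo, hi = when - slack, when + slack
    wanted_port = PORT_FOR_TYPE.get(alert["type"]) if narrow_by_type else None
    hits = set()
    for s in sessions:
        if s["public"] != alert["public_ip"]:
            continue
        if s["end"] < lo or s["start"] > hi:
            continue  # session not active anywhere in the window
        if wanted_port is not None and s["dest_port"] != wanted_port:
            continue
        hits.add((s["internal"], s["dest_ip"], s["dest_port"]))
    return sorted(hits)


if __name__ == "__main__":
    sessions = parse_nat_log(NAT_LOG)
    print("All hosts active behind the reported IP:", candidate_internal_hosts(ALERT, sessions))
    print("Narrowed to the reported activity type:",
          candidate_internal_hosts(ALERT, sessions, narrow_by_type=True))
```

On the constructed data the time window alone yields two candidates (10.0.0.5 browsing and 10.0.0.12 sending mail), and narrowing on the spam report's port leaves only 10.0.0.12; the session from 10.0.0.9 is ignored because it left through a different public IP. Without session-level NAT logging this correlation is impossible, which is the practical reason to enable and retain it before you ever receive such a report.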

Free but please contribute

Both Project Honeypot and Shadowserver are volunteer efforts.

The Honeypot monitor service is provided free for a small range of IPs and available for a fee for larger ranges. Even so, please contribute if you use the service. You can also assist the project by running one of their honeypots and setting up a subdomain to act as a spamtrap.
