CHAPTER 5: FIGHTING BACK

Criminal use of malware is in the middle of an evolutionary curve. Their capabilities, target platforms and creative uses are about to enter a period of rapid change and deeper, enhanced infection vectors. Organizations without the capability to identify anomalies in their environment via monitoring tools and honeypot technologies will simply become the most compromised victims in the long term.

L. Brent Huston, @lbhuston, CEO and Security Evangelist, MicroSolved, Inc.

How to protect yourself from botnet infections

Secure software and smart security practices, such as the ones listed below, are the keys to protecting yourself and your system from cyber theft and from becoming a zombie computer in a bot network.

  • Antivirus and anti-spyware software is essential to every system. It is important to keep it regularly updated. A comprehensive list of major antivirus software packages is found at http://en.wikipedia.org/wiki/List_of_antivirus_software.
  • Keep the operating system patched against known vulnerabilities by enabling automated patches.
  • Keep software installed in your system patched against the known vulnerabilities. Security patches are usually free and can be downloaded from the software vendors.
  • Use a correctly configured personal firewall to protect your computer from unauthorized access.
  • Be careful on the World Wide Web. Use common-sense web surfing practices and anti-malicious website protection provided by major antivirus producers.
  • Disconnect your computer from the Internet when you are not using it.
  • Exercise caution when opening attachments or following links in e-mails and on websites.
  • Research before downloading new, unknown software.
  • Never reveal your passwords over the phone or via e-mail.
  • Exercise good judgment when posting personal information on social websites and forums.

Active defense

As malware tools continue to evolve, so do the defense systems against them. Firewall, antivirus, and anti-malware software applications hold a prominent place in every personal and organizational computer system or network. And yet it has been acknowledged by the cybersecurity industry that these defense systems only catch about 25% of all malware attacks.60

A passive defense aimed at preventing compromise by malicious code is not enough. Active defense techniques are beginning to evolve, such as confusing and frustrating the attacker, as well as counterattacking by exploiting the attacker’s vulnerabilities.

Research on counterattacking, also known as aggressive self-defense, active defense, or strike-back, has taken place for many years. The counterattacks range from passive approaches to full remote exploitation, and popular tools to gain information about attackers include honeypots and honeynets.61 Honeypots and honeynets are traps set to detect, deflect, or corrupt malware attacks on individual computers or networks.62

Many antivirus firms and other research organizations have run large honeynets to collect malware and attack signatures.63 These organizations research and implement counterattacks to deceive, crash, exploit, or just get information on attackers.

One such organization, MicroSolved, Inc. (www.microsolved.com), provides a product, HoneyPoint, which fools attackers into believing that they are attacking defenseless applications, while in reality they are triggering sensors that are catching them “in the act.” By doing the things attackers do, such as scanning ports, connecting to services, and probing for vulnerabilities, they are giving away their presence and tactics.64
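The sensor idea described above can be shown in a few dozen lines. The following is an added example written for this chapter, not HoneyPoint or any MicroSolved code: a set of decoy TCP listeners on loopback that greet with a fake service banner, capture the first bytes a peer sends, and log every touch. Because nothing legitimate ever connects to a decoy, the classification rule can be simple: a source that touches several decoys is scanning, one that talks to a decoy is probing it, and one that merely connects is noted. The banners, ports and the traffic in run_demo() are all constructed for the example.

```python
import socket
import threading
import time
from collections import defaultdict
from datetime import datetime, timezone

# Decoy services and the banner each one presents. Nothing real answers on
# these sockets, so any connection is by definition unsolicited. Banners are
# constructed for this example, not copied from any product.
DECOYS = {
    "fake-ssh": b"SSH-2.0-OpenSSH_7.4\r\n",
    "fake-http": b"HTTP/1.0 200 OK\r\nServer: Apache\r\n\r\n",
    "fake-mysql": b"\x00\x00\x00\x0a5.7.0\x00",
}


def record_probe(source_ip, port, first_bytes, when=None):
    """One event per touch on a decoy: who, which decoy, what they sent."""
    return {
        "time": (when or datetime.now(timezone.utc)).isoformat(),
        "source": source_ip,
        "port": port,
        "payload": first_bytes[:64],
    }


def classify(events, scan_threshold=3):
    """Label each source address seen on the decoys.
    'scan'  - touched at least scan_threshold distinct decoy ports
    'probe' - spoke to a decoy (sent bytes after reading the banner)
    'touch' - connected and went away without sending anything
    """
    by_source = defaultdict(list)
    for ev in events:
        by_source[ev["source"]].append(ev)
    verdicts = {}
    for src, evs in by_source.items():
        ports = {ev["port"] for ev in evs}
        if len(ports) >= scan_threshold:
            verdicts[src] = "scan"
        elif any(ev["payload"] for ev in evs):
            verdicts[src] = "probe"
        else:
            verdicts[src] = "touch"
    return verdicts


class DecoyListener:
    """A TCP socket that sends a banner, captures the peer's first bytes,
    records an event and hangs up. It never serves anything real."""

    def __init__(self, banner, events, host="127.0.0.1", port=0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))  # port 0: let the OS pick a free port
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.banner, self.events = banner, events
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, (ip, _) = self.sock.accept()
            except OSError:  # listening socket closed by stop()
                return
            with conn:
                conn.settimeout(0.5)
                data = b""
                try:
                    conn.sendall(self.banner)
                    data = conn.recv(256)  # b"" if the peer just hangs up
                except (socket.timeout, OSError):
                    pass
                self.events.append(record_probe(ip, self.port, data))

    def stop(self):
        self.sock.close()


def run_demo():
    """Stand up the decoys on loopback, play the role of a scanner against
    them from the same host, and return the verdicts. Constructed traffic."""
    events = []
    listeners = [DecoyListener(b, events) for b in DECOYS.values()]
    try:
        for i, lst in enumerate(listeners):
            with socket.create_connection(("127.0.0.1", lst.port), timeout=2) as c:
                c.recv(256)  # read the banner, as a banner grabber would
                if i == 1:   # talk to the fake web server only
                    c.sendall(b"GET / HTTP/1.0\r\n\r\n")
        deadline = time.time() + 3
        while len(events) < len(listeners) and time.time() < deadline:
            time.sleep(0.05)  # let the listener threads log their events
    finally:
        for lst in listeners:
            lst.stop()
    return classify(events)


if __name__ == "__main__":
    print(run_demo())  # {'127.0.0.1': 'scan'}
```

Running the module stands up three decoys, touches all of them from loopback, and reports the loopback address as a scanner because it hit three distinct decoy ports. In a real deployment the events would go to the monitoring pipeline rather than a list, and the point of the design is that the false-positive rate is close to zero: no legitimate client has any reason to connect to a port that advertises a service that does not exist.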

There has even been a suggestion to use software agents to scout networks and seek and destroy botnets.65 Agents are defined as programs that autonomously acquire, manipulate, distribute, and maintain information on behalf of cybersecurity forces.66

Although there is some legal controversy regarding the use of active defenses, it is the most effective deterrent to date. Once the commercially sold botnets become easily detectable and ineffective, the market value of these botnets will decrease, and so will the desire by third parties to buy and use them.

60 Ollmann, Gunter. “How Criminals Build Botnets for Profit.” Central Ohio InfoSec Summit, Columbus, OH. 2011.

61 Weeks, Matthew. “Counterattack: Turning the tables on exploitation attempts from tools like Metasploit.” Black Hat™, Crystal City. 2011.

62 Ibid.

63 Ibid.

64 MicroSolved, Inc., www.microsolved.com.

65 Dembskey, Evan, and Elmarie Biermann. “Towards an Intelligent Software Agent System as Defense against Botnets.” Proceedings of the 6th International Conference on Information Warfare and Security, The George Washington University, Washington, DC, USA, 17–18 March 2011. Reading, UK: Academic Publishing International Limited, 2011. 299–307.

66 Ibid.
