
How can we address the growing botnet issue?

Brendan Ziolo

The high-profile takedown of the "DNS Changer" botnet, which had control of more than four million machines and generated $14 million of “income,” shows what many in the security industry have known for some time: The botnet problem continues to grow and more coordinated efforts are needed to solve the problem.

Recent research by Kindsight Security Labs showed that 12 percent of home networks are infected on a typical day and that four of the top seven infections in early November 2011 were botnets, including Nineball/Gumblar (#1) and Alureon/TDL/TDSS (#3), which are both malware associated with the DNS Changer botnet.

As more and more computers and devices become infected, consumers often don’t realize that they have been hacked and unknowingly have become part of a botnet. As a result, the U.S. Department of Commerce and U.S. Department of Homeland Security requested information in late September on possible approaches to creating a voluntary industry code of conduct to address the detection, notification and mitigation of botnets.

While there are multiple security techniques to identify and mitigate botnet infections, one of the most effective is signature-based intrusion detection technology embedded in the service provider’s network. With the correct signature set, you can detect real-world malware infections with far greater accuracy and provide a valuable service to the consumer.

The reason that signature-based network intrusion detection is so effective is that the packaging of malware changes frequently, which makes it difficult for client-based security software to keep up, whereas the malware’s command and control (C&C) protocols are often built on the same framework from one variant to the next.

For example, a network signature that was designed in 2010 to catch the NineBall and Gumblar infections is still effective against Alureon and DNSChanger, more than a year later. The malware has changed and the names have changed, but the network signature remains the same.
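The following is an added illustration of this point and is not code from the article or from Kindsight: two constructed "samples" with different binaries but the same C&C check-in, a hash-based host check that only knows the older sample, and a hypothetical network signature (the HTTP pattern is invented for the demo) that matches both while ignoring a benign request.

```python
"""Added example: a network C&C signature outlives per-sample file hashes.
All binaries, requests and the signature below are constructed for the demo."""
import hashlib
import re

# Two constructed 'samples': same C&C check-in behaviour, different packaging.
SAMPLES = {
    "sample_2010": {
        "binary": b"PACKER-A\x00payload-v1",
        "beacon": ("GET /cgi-bin/check.php?id=8a7f&v=1 HTTP/1.1\r\n"
                   "Host: 203.0.113.7\r\nUser-Agent: Mozilla/4.0\r\n\r\n"),
    },
    "sample_2011": {
        "binary": b"PACKER-B\x00payload-v2-repacked",
        "beacon": ("GET /cgi-bin/check.php?id=c31e&v=2 HTTP/1.1\r\n"
                   "Host: 198.51.100.4\r\nUser-Agent: Mozilla/4.0\r\n\r\n"),
    },
}

# A constructed benign request, to show the signature is not matching everything.
BENIGN_REQUEST = ("GET /index.html HTTP/1.1\r\n"
                  "Host: example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n")

# Host-based detection keyed on the file hash of the sample known in 2010.
KNOWN_BAD_HASHES = {hashlib.sha256(SAMPLES["sample_2010"]["binary"]).hexdigest()}

# Hypothetical network signature for the C&C check-in: the request shape and
# client string stay constant even though the binary and the C&C host change.
CNC_SIGNATURE = re.compile(
    r"^GET /cgi-bin/check\.php\?id=[0-9a-f]{4}&v=\d+ HTTP/1\.[01]\r\n"
    r"(?:.*\r\n)*?User-Agent: Mozilla/4\.0\r\n"
)


def hash_match(binary: bytes) -> bool:
    """Client-side style check: is this exact file already known bad?"""
    return hashlib.sha256(binary).hexdigest() in KNOWN_BAD_HASHES


def network_match(request: str) -> bool:
    """Network IDS style check: does the traffic match the C&C signature?"""
    return CNC_SIGNATURE.match(request) is not None


def evaluate() -> dict:
    """Per sample: hash check only catches the old packaging, signature catches both."""
    return {name: {"hash": hash_match(s["binary"]), "network": network_match(s["beacon"])}
            for name, s in SAMPLES.items()}


if __name__ == "__main__":
    print(evaluate(), "benign flagged:", network_match(BENIGN_REQUEST))
```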

Service providers also are ideally positioned for an effective notification and remediation process. As consumers have an ongoing relationship with their service providers, they are more likely to view alerts from their service provider as credible threats and take the recommended action to remove the malware.

Consumers could be sent alerts using email, SMS, mobile apps or interstitials (i.e. warnings added to the next Web page(s) visited) and then directed to a self-service Website with instructions and tools that will help the user remove the botnet infection from his or her system, including:

  • A temporary, online scanner that can be downloaded to remove the threat;
  • A system-check tool that makes sure the operating system, plug-ins and applications are up-to-date;
  • Updated anti-virus software.

However, this infrastructure costs money, so it’s clear that for service providers to move forward they must be free to develop innovative business plans to promote adoption of enhanced Internet security, including the flexibility to either charge for the service, sell additional services or use novel funding approaches, where the service is monetized in other ways.

In the end, to secure a system you need to deploy multiple layers of protection. Adding a network-based component will help ensure that more users know they have been infected and are able to take the steps needed to fix the problem. Any efforts by government or private industry to make this happen should be encouraged as the fight against botnets continues.

Brendan Ziolo is a vice president at Kindsight, a network-based security and analytics provider.
