'Bot wars: How to fight back when botnets attack
July 10, 2008
By Danny Bradbury

Since Backbone ran its “I, Botnet” article about online crime in the March/April issue, hundreds of thousands more legitimate Web pages have been hacked in order to channel malicious software from rogue servers through to visitors’ browsers. Even UN Web sites have been hit. That means thousands more computers will have been infected and remotely controlled by online crooks. How can you avoid your computer suffering the same fate?

Traditionally, users have been encouraged to install anti-virus software and avoid opening suspicious attachments. Fail to do that and you are to blame if you get infected, goes the conventional wisdom. There’s a certain truth to it, because users can do some naive things. “A computer is just a tool. We must try to educate people in what they should and shouldn’t do,” said Luis Corrons, technical director of PandaLabs, the malware analysis and detection laboratory at Panda Security. Users will often click on a link in an e-mail, or select Yes when asked to run a script on a Web site, he said. “If criminals are using that, it’s because it works. People are taught to install software just to see a picture or a video. The only thing we can do is to educate the users. It’s the human being that is deciding to click or not to click.”

But now that otherwise legitimate Web sites are infecting computers en masse, can users really be expected to know how to avoid trouble? Gerhard Eschelbeck, chief technology officer at anti-virus company Webroot, doesn’t think so. He points out that we are also still suffering from vulnerabilities that were accidentally coded into systems in the past. “So the safety belt (now) has to be on the technology side.”

But even the companies that sell traditional technological solutions such as anti-virus tools admit they can’t guarantee protection. “All of that stuff can help, there’s no question about it,” said David Emm, senior technology consultant at anti-virus software company Kaspersky. “But even taking that on board, there is a possibility that you may get hit by someone.”

“Anti-virus software is not completely worthless, but mostly worthless,” said Joe Stewart, a security researcher at SecureWorks. Malware writers generally test their software against the better anti-virus engines before releasing it, to try and dodge detection, he said.

“You won’t be able to stop 100% of the infections, but you’ll stop some of them,” counters Cody Pierce, a member of the research team at security firm TippingPoint, who recently helped to infiltrate the Kraken botnet. It’s better to use anti-virus software that might still let in an attack, rather than use nothing at all, he said.

Defend yourself
In an uncertain security landscape, the best protection involves multiple lines of defence. “It works best in a layered solution where you have a firewall and an anti-virus product and a Web filtering product,” said Fiaaz Walji, Canadian country manager at Web security product vendor Websense. “That way, not only are you being pre-emptive, but you’re also providing a level of remediation and patching your computers.”

Web filtering software can monitor incoming and outgoing Web traffic, blocking predefined URLs, traffic types and file types. It can be a good complement to an intrusion prevention system that will watch for specific patterns of activity on a company network and take specific measures. An IPS that spots rogue activity might quarantine a computer, or block traffic from certain parts of the LAN that are behaving unusually.
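The filtering policy described in the paragraph above, as an added example that is not from the article or from any vendor's product: a small gateway policy of blocked domains, blocked file types and permitted traffic types, evaluated against a handful of constructed HTTP requests. Every domain, path and policy entry here is made up for illustration; a real product would load categorised feeds instead of three literal sets.

```python
"""Toy gateway Web-filter policy check (added example, not from the article).

Models a Web filter as three rules (blocked domains, blocked file types,
allowed traffic types) and evaluates sample requests against them. All
domains, paths and policy entries are constructed for illustration.
"""
from urllib.parse import urlsplit
import posixpath

# Constructed policy. Real products ship categorised URL feeds; the logic
# below is the same regardless of where the lists come from.
BLOCKED_DOMAINS = {"malware.example", "badads.example"}
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".bat"}
ALLOWED_SCHEMES = {"http", "https"}          # "traffic types" the gateway permits


def _host_matches(host, blocked):
    """True if host equals a blocked domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocked)


def evaluate(url):
    """Return (allowed, reason) for a single requested URL."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "blocked scheme: %s" % parts.scheme
    host = parts.hostname or ""
    if _host_matches(host, BLOCKED_DOMAINS):
        return False, "blocked domain: %s" % host
    # File-type check is on the path only, so ?id=3 style queries do not hide it.
    ext = posixpath.splitext(parts.path)[1].lower()
    if ext in BLOCKED_EXTENSIONS:
        return False, "blocked file type: %s" % ext
    return True, "allowed"


def filter_requests(urls):
    """Evaluate a batch of URLs; returns (url, allowed, reason) tuples."""
    return [(u,) + evaluate(u) for u in urls]


# Constructed sample requests a gateway might see.
SAMPLE_REQUESTS = [
    "http://www.example.com/news/index.html",
    "http://cdn.malware.example/loader.js",
    "http://downloads.example.net/setup.EXE",
    "ftp://files.example.org/readme.txt",
    "https://www.example.com/report.pdf?id=3",
]

if __name__ == "__main__":
    for url, ok, why in filter_requests(SAMPLE_REQUESTS):
        print("%-5s %-45s %s" % ("ALLOW" if ok else "BLOCK", url, why))
```

The subdomain check matters more than it looks: a list that only matches exact hostnames is trivially sidestepped by serving the same content from a different subdomain, which is why filters match on registrable-domain suffixes rather than full hostnames.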

Eschelbeck recommends a strong vulnerability management program so that companies can root out exploitable software flaws before hackers do. Another option is robust spam protection, because many infections are delivered via e-mail, either as attachments or links. Finally, a malware protection system provides another line of defence, even if all such products are ultimately fallible. Putting spam protection and Web filtering software at the gateway between the company network and the rest of the Internet can help stop e-mail and other malicious traffic from making its way onto desktop computers. Similarly, a firewall at the gateway can stop malicious traffic getting out, which can be a useful way of choking off further infection if a machine inside an organization is compromised.

Infected botnet machines will usually try to spam lots of e-mail to other computers. “If they don’t have access to e-mail, at least the organization won’t be blacklisted as a source of spam,” said Brian Bourne, founder of the Toronto Security User Group and CEO of Microsoft-specialist security consultancy CMS. “At that point you should have something alerting you to ask why all of your desktops are making outbound SMTP connections.”
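Bourne's alerting suggestion, as an added example that is not from the article: desktops have no business speaking SMTP to the Internet, so outbound TCP/25 (or 465/587) from anything other than the mail relay is a strong infection signal. The script parses constructed firewall connection records in a simple key=value export format, raises one alert per offending host, and a fleet-wide alert when several desktops start doing it at once. The log format, the internal address range, the relay address and the threshold are all assumptions made up for this example.

```python
"""Detect workstations making outbound SMTP connections (added example).

Parses constructed firewall connection records and flags internal hosts,
other than the mail relay, that connect to external SMTP ports. Denied
attempts are reported too: the block stops the spam, but the attempt is
the infection signal. Addresses, log format and threshold are constructed.
"""
import ipaddress
from collections import defaultdict

INTERNAL_NET = ipaddress.ip_network("10.10.0.0/16")   # assumed internal range
MAIL_RELAYS = {"10.10.1.25"}                           # assumed legitimate relay
SMTP_PORTS = {25, 465, 587}
FLEET_THRESHOLD = 3   # distinct desktops before we call it an outbreak

# Constructed log lines in a simple key=value firewall export format.
SAMPLE_LOG = """\
ts=2008-07-10T09:00:01 action=allow proto=tcp src=10.10.1.25 dst=203.0.113.5 dport=25
ts=2008-07-10T09:00:02 action=allow proto=tcp src=10.10.4.17 dst=198.51.100.9 dport=80
ts=2008-07-10T09:00:05 action=allow proto=tcp src=10.10.4.17 dst=203.0.113.44 dport=25
ts=2008-07-10T09:00:06 action=allow proto=tcp src=10.10.4.17 dst=203.0.113.45 dport=25
ts=2008-07-10T09:00:07 action=allow proto=tcp src=10.10.4.23 dst=203.0.113.46 dport=25
ts=2008-07-10T09:00:08 action=deny proto=tcp src=10.10.4.31 dst=203.0.113.47 dport=25
ts=2008-07-10T09:00:09 action=allow proto=tcp src=10.10.4.40 dst=203.0.113.48 dport=587
ts=2008-07-10T09:00:10 action=allow proto=udp src=10.10.4.40 dst=10.10.1.2 dport=53
"""


def parse_line(line):
    """Turn one key=value record into a dict; None on malformed input."""
    fields = {}
    for token in line.split():
        if "=" not in token:
            return None
        key, value = token.split("=", 1)
        fields[key] = value
    if not {"src", "dst", "dport", "proto", "action"}.issubset(fields):
        return None
    try:
        fields["dport"] = int(fields["dport"])
    except ValueError:
        return None
    return fields


def is_suspicious(rec):
    """Outbound SMTP from an internal, non-relay host to an external address."""
    if rec["proto"] != "tcp" or rec["dport"] not in SMTP_PORTS:
        return False
    try:
        src = ipaddress.ip_address(rec["src"])
        dst = ipaddress.ip_address(rec["dst"])
    except ValueError:
        return False
    return src in INTERNAL_NET and dst not in INTERNAL_NET and rec["src"] not in MAIL_RELAYS


def find_outbound_smtp(log_text):
    """Map offending source IP -> list of (dst, dport, action) attempts."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_suspicious(rec):
            hits[rec["src"]].append((rec["dst"], rec["dport"], rec["action"]))
    return dict(hits)


def alerts(log_text):
    """Per-host alerts, plus a fleet alert when many desktops are involved."""
    hits = find_outbound_smtp(log_text)
    out = ["%s: %d outbound SMTP attempt(s)" % (ip, len(v)) for ip, v in sorted(hits.items())]
    if len(hits) >= FLEET_THRESHOLD:
        out.append("FLEET: %d desktops sending SMTP; suspect botnet infection" % len(hits))
    return out


if __name__ == "__main__":
    for alert in alerts(SAMPLE_LOG):
        print(alert)
```

Two design points carry over to real deployments: the relay allow-list keeps the rule quiet for the one host that should send mail, and denied connections are counted rather than ignored, because a gateway firewall that silently drops outbound port 25 hides exactly the behaviour the article says you should be asking about.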

As companies allow more workers to take machines home or use them on the road, simple gateway protection won’t be enough. A company may filter its incoming traffic, but a laptop used in a Wi-Fi cafe might be compromised and then infect the rest of the network from behind the gateway when the employee brings it into the office. Consequently, PC-level protection is also necessary.

“People running operating systems other than Windows are less at risk,” said SecureWorks’ Stewart. With more companies switching to Macs, Apple now has roughly six per cent of the PC market. However, malware is also appearing for that platform and OS X users won’t be able to surf smugly forever.

“Most of what I see getting installed on workstations is because the user had administrative rights,” Bourne said. Consequently, forcing Windows desktops to run in non-administrative mode will significantly reduce the risk, and will also stop less experienced users from installing software that they shouldn’t. Bourne said it was difficult for IT departments to remove administrative privileges from lots of PCs across the company in Windows XP. But companies that have rolled out Windows Vista can set the system into non-administrative mode using Group Policy settings and force the concept of least privilege on their users.

Get Firefox
Because many attacks now arrive directly in the browser via drive-by downloads, Walji advises switching browsers. “Botnets go to where the crowds are,” he said, adding that browsers from the open source Mozilla Foundation, such as Firefox, are still less popular. The other advantage of switching to Firefox is that it allows for third-party extensions, Stewart said. The NoScript extension uses a whitelist of authorized Web sites from which it will accept scripts; scripts are the way criminals hijack browsers.

So what’s the answer? There isn’t one. Instead, there are a number of options that, together, form a protective wall. The Internet has become a bad neighbourhood and, just as in the physical world, no one can guarantee complete safety. But firewalls, anti-virus software, judicious systems administration and Web filtering are the digital equivalent of rolling up your car windows, not venturing down dark side roads, and locking your doors. Use enough layers of protection and you’ll be able to rest a lot easier at night.

© 2006-2007 Backbone Magazine. All Rights Reserved. Privacy Policy | Terms of Use.