Methods for detecting bots can generally be divided into two categories: those that involve static analysis, or checking computers’ characteristics against a list of known threats, and those that involve behavioral analysis, or monitoring communications in a network for behaviors that are known to be exhibited by botnets.
Static analysis results in more reliable judgments, but requires threat signatures that are current and available. Behavioral analysis potentially allows for much broader detection methods (especially by aggregating information from multiple sources), but is more likely to result in false positives. Effective botnet detection strategies generally involve aspects of both static analysis and behavioral analysis.
Static analysis methods involve checking items against a known list of malicious or dangerous items, such as executable binaries, URLs, and IP addresses. If the list is accurate and up-to-date, this process can be a very fast and relatively risk-free way to identify bad items. In practice, however, static analysis alone is not an effective way to keep a network free of botnets, because of the continuing efforts of malware authors to generate fully undetected threats.
Malware authors use a variety of techniques to avoid detection by antivirus tools and security researchers. These techniques include the following:
- Polymorphism, which involves the creation of multiple unique but functionally identical malware files
- URL obfuscation methods, such as using escape sequences and converting an IP address to its decimal representation
- Changing IP addresses rapidly, and using large numbers of alternate URLs that connect to the same resource (or copies of the same resource)
- Serving different downloads or web pages depending on factors like the time of day or the origin of the request (for example, serving clean web pages to requests coming from security software vendors)
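As an added example (not code from the original text), the following Python canonicalizer undoes the two URL obfuscation tricks listed above, percent-escapes and numeric (decimal or hex) IP hosts, before a host is compared against a blocklist, so that a static check is not defeated by trivial rewriting. The blocklist entries are constructed placeholders, not real indicators.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Constructed sample blocklist (placeholder values, not real indicators).
BLOCKLIST = {"198.51.100.23", "bad.example.net"}


def canonical_host(url: str) -> str:
    """Return the host of *url* in canonical form: percent-escapes decoded,
    lowercased, and numeric hosts rewritten as dotted-quad IPv4 strings."""
    # Decode escape sequences first (e.g. %62%61%64 -> bad) so the host is
    # parsed the way a client would interpret it.
    decoded = unquote(url)
    if "://" not in decoded:
        decoded = "http://" + decoded
    host = (urlsplit(decoded).hostname or "").strip().lower().rstrip(".")

    # A bare decimal (3325256727) or hex (0xc6336417) host is the 32-bit
    # integer form of an IPv4 address; rewrite it as dotted-quad.
    # Dotted-octal and mixed forms are deliberately not handled here.
    n = None
    if re.fullmatch(r"0x[0-9a-f]+", host):
        n = int(host[2:], 16)
    elif re.fullmatch(r"[0-9]+", host):
        n = int(host, 10)
    if n is not None and n <= 0xFFFFFFFF:
        return str(ipaddress.IPv4Address(n))

    # Already dotted-quad or a hostname: normalize IP text, else keep as-is.
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return host


def is_blocklisted(url: str, blocklist=BLOCKLIST) -> bool:
    """True if the canonical host of *url* appears in *blocklist*."""
    return canonical_host(url) in blocklist
```

Matching on the canonical host rather than the raw string means one blocklist entry covers the decimal, hex, escaped, and mixed-case spellings of the same destination.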
Behavioral analysis can be a powerful tool for identifying botnets, but processing time, the need for an appropriate environment in which to observe the computer’s behavior, and the danger of false positives can make diagnosis difficult. The process is further complicated by the tendency of some malware to refuse to run if it detects that it is being executed in a virtual or isolated environment, or a debugger.
It was once common to see bots that would attempt connections to each port on a target computer in sequence (a port scan). This technique allowed the target to recognize an attacker quite easily. Now it appears that most bots use targeted attacks in their efforts to spread. They examine only a small number of ports, which are generally those that are in use by some other service and therefore open to connections.
A honeypot is a computer that is configured by security analysts to act as a deliberate target for malware infection. The intent is to collect malware infections so that their behavior can be analyzed in detail, and in some cases to collect logs of the bots’ activities. The Honeynet Project (http://honeynet.org), one of the best known sources of honeypot data, provides information, tools, and techniques for setting up honeypots and analyzing the data they provide.
A darknet is a subnet of unused IP addresses that are monitored for incoming traffic. The intent is to detect malware as it scans a subnet while crossing over the darknet. The data can also be used to identify network configuration issues. Darknets can be used to host flow collectors, DDoS backscatter detectors, and intrusion detection systems, as well as to redirect traffic to honeypots.
When all else fails, there is always the legal route, which involves applying in federal court for a temporary restraining order (TRO) to shut down the malicious domains at the registry level.
Legal actions have been based on a three-pronged approach and aim to:
- disrupt the peer-to-peer command and control mechanism;
- disrupt the DNS/HTTP command and control mechanism; and
- disrupt the top two tiers of command and control.