Step up your security and deal with botnets further along the chain of compromise
Antivirus, Business Security Best Practices, End-Point-Protection, Malware // 15.06.2016
In recent years, several big botnets have made the news. Botnets keep running today, but they are seldom newsworthy any more; they seem to have become “business as usual”. And for several years, botnets have been performing all kinds of tasks in infected infrastructures, such as data mining and espionage, instead of just the typical DDoS or spam email attacks.
Botnets are like automated backdoors into your corporate network. Most malware attacks are somehow connected to botnets, which are used to gain remote control of systems and to distribute further malware. Bots can also quite easily be used to target an organization, as compromised nodes can be rented fairly cheaply.
Millions of computers have been compromised over the years by the biggest botnets, such as Conficker, ZeroAccess, and Storm, and the botnets keep growing. An article on Hacked.com estimates that the fake traffic to online ads generated by bots alone will earn criminals an astounding 7.2 billion in 2016.
You can protect your network against botnets on several layers. Bots are often delivered through a malicious attachment, for example, which one or several employees might be tricked into clicking. So, in addition to the first layer, which is of course up-to-date, proper security software, you should step up your security and address the botnet threat further along the chain of compromise as well, once some of your assets have already been compromised.
Jarno Niemelä from F-Secure Labs explains:
As bots need to be able to access the resources, Command & Control (C&C) servers are often the primary target of an attack. Through the C&C, they communicate with the compromised systems remotely. Cut that communication and the botnet will be incapacitated. They will just lie dormant (until you find the resources to clean them out of the system).
To fight botnets efficiently, F-Secure Business Suite now comes with Botnet Blocker. Botnet Blocker prevents communication with Command & Control domains, stopping criminals from controlling compromised assets. It does this by blocking Domain Name System (DNS) queries on the host level, which is an effective way to disable botnet operations: you decide which domains hosts are allowed to resolve, and a bot that cannot resolve its C&C domain cannot reach the C&C server. Depending on the required protection level, the configuration options for queries are “Allow all”, “Block unsafe and suspicious”, and “Allow safe only”. Blocking all but safe connections will of course give the best protection, as you efficiently block malware from spreading.
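As an added illustration (example code, not F-Secure's own), here is a small host-side DNS policy filter in Python modelled on the three levels above. The reputation table, the domain names, the `<host> <domain>` log format and the per-host blocked count are all constructed assumptions; the point is how the three levels differ on names the reputation data has never seen.

```python
from collections import Counter
from typing import Dict, List, Tuple
# The three policy levels named in the post.
ALLOW_ALL = "Allow all"
BLOCK_UNSAFE_AND_SUSPICIOUS = "Block unsafe and suspicious"
ALLOW_SAFE_ONLY = "Allow safe only"
# Constructed, hypothetical reputation data; a real product draws this from a vendor feed.
REPUTATION: Dict[str, str] = {
    "updates.example.com": "safe",
    "cdn.example.net": "safe",
    "c2.example-bad.test": "unsafe",
    "dga-x7q9.example.test": "suspicious",
}

def classify(domain: str) -> str:
    """Verdict for a domain, inherited from the closest known parent; 'unknown' if none."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        verdict = REPUTATION.get(".".join(labels[i:]))
        if verdict is not None:
            return verdict
    return "unknown"

def allowed(domain: str, mode: str) -> bool:
    """Whether the host resolver may answer a query for `domain` under the given level."""
    verdict = classify(domain)
    if mode == ALLOW_ALL:
        return True
    if mode == BLOCK_UNSAFE_AND_SUSPICIOUS:  # unvetted ("unknown") names still resolve
        return verdict in ("safe", "unknown")
    if mode == ALLOW_SAFE_ONLY:              # anything not vetted as safe is refused
        return verdict == "safe"
    raise ValueError(f"unknown mode: {mode}")

def replay(log_lines: List[str], mode: str) -> List[Tuple[str, str, bool]]:
    """Replay constructed query log lines of the form '<host> <domain>' into decisions."""
    return [(h, d, allowed(d, mode)) for h, d in (ln.split() for ln in log_lines)]

def blocked_per_host(decisions: List[Tuple[str, str, bool]]) -> Dict[str, int]:
    """Refused queries per host; a host repeatedly asking for C&C names needs clean-up."""
    return dict(Counter(h for h, _, ok in decisions if not ok))

# Constructed sample log: two workstations, one of them reaching for a known C&C domain.
SAMPLE_LOG = [
    "ws-01 updates.example.com",
    "ws-01 www.c2.example-bad.test",
    "ws-01 dga-x7q9.example.test",
    "ws-02 wiki.example.org",
]
```

Replaying the same log under “Block unsafe and suspicious” and “Allow safe only” shows the trade-off: the stricter level also refuses the unvetted `wiki.example.org`, which is why it gives the best protection at the cost of more false blocks.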