Posted on 2017-12-06, 00:00, authored by Matthew Kennedy
Bots are computer programs that perform tasks with some degree of autonomy. Bots can be used for malicious purposes including sending spam, spying on private data, distributing malicious software, phishing attacks and DDoS attacks. Botnets are networks of bots controlled remotely by bot-herders. As a rule, bot-herders make efforts to hide their botnet and implement schemes to prevent detection. Generally, bots are installed by tricking the user into agreeing to install the software or by exploiting faults in the operating system, browsers or applications. The bots are designed and tested to avoid detection by antivirus programs. Malware kits can be purchased to construct botnets, or ready-built botnets can be bought or hired. Botnets are widely considered to be a major security threat on the Internet. Reports indicate 95% of spam is sent by botnets. Banking fraud, using credentials captured by botnets, is becoming an increasing problem. The question arises: on well-managed enterprise computer networks using a “security in depth” policy, are undetected botnets a problem? If botnets are not a problem, what are the security measures that prevent infection? Detecting botnets can involve active static analysis or behavioral analysis. Static analysis involves using signatures of known malware or blacklists of IPs or URLs. Behavioral analysis attempts to identify the malicious activities of the bots. Honeypot/Honeyclient systems may be used to trap bots. By searching historical network data using updated detection systems, it is possible to identify bots that were previously undetected. Through this research a greater understanding of real-world botnets can be obtained, leading to improved prevention and detection techniques. All computer administrators and users benefit from improved computer security.
Funding
Category 1 - Australian Competitive Grants (this includes ARC, NHMRC)
History
Parent Title
2nd Annual Conference of the IRIS Postgraduate Students : Resourcing for the future. Conference Program, 1st December, 2010, Rockhampton, Qld.
Start Page
10
End Page
10
Start Date
2010-01-01
Finish Date
2010-01-01
Location
CQUniversity, Rockhampton, Qld.
Publisher
Institute for Resource Industries and Sustainability
Place of Publication
Rockhampton, Qld.
Peer Reviewed
No
Open Access
No
External Author Affiliations
Centre for Intelligent and Networked Systems (CINS); Institute for Resource Industries and Sustainability (IRIS);
Era Eligible
No
Name of Conference
Central Queensland University. Institute for Resource Industries and Sustainability (IRIS). Postgraduate Students Conference