Threat Level: green Handler on Duty: Guy Bruneau

SANS ISC: Cyber Security Awareness tip #22 Detecting and Avoiding Bots and Zombies SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Cyber Security Awareness tip #22 Detecting and Avoiding Bots and Zombies

Today is the 22nd day of our Cyber Security Awareness month which means we will be covering Detecting and Avoiding Bots and Zombies. If I had created the list I would have put this on the 31st in honor of Halloween.
One problem solving technique I like is divide and conquer.

So divide this task into two sections one for detection and one for avoiding the Bots and Zombies.
Then let us break it again one network based and one for host based.
Detection Network based:
How does one detect Zombies?
One way is to watch network traffic for unusual destinations, services, packet type, or packets per second.
Enterprise networks often have the ability to look at firewall, IDS and other logs for network anomalies.  
Home users may not have or may not know how to use their network devices to look for anomalies. Purchasing a network detector or using currently available network based reporting tools would help many home users detect Zombies.

3rd party reporting services:
Many enterprises have a 3rd party service that assists them in detecting Botnet members within their network.
Home users frequently do not have such resources or do not know they have access to those resources.
Most home users do not have static IP addresses. Their IP address change with some frequency. There are a number of services that will report your external IP address. Given the external IP address a home user can type it into the main Internet Storm Center page and type their external IP address into the “port/ip lookup/search: box and click GO.
This way home users can see if their address has been reported by any of the dshield users. They can also use a well known trusted Remote Black Listing service (RBL).

Detection Host based:
There are many great host based network detection tools. They all have the same basic flaw once the system is compromised by an unknown, undetected exploit they can be disabled or circumvented.

Most enterprises monitor various host or application logs for significant system events.

Most home users do not. They either don’t know how or don’t have the tools.

Avoiding Bots and Zombies:
Network based:
Block unknown or untrusted services and content.
Enterprises often do this by having an enforced network policy.
Most home users do not have a network policy or a method to enforce one.

Human filtering:
Many bots or zombies are installed by the end user. Usually this occurs unknowingly due to some social engineering trick. Being a bit paranoid or untrusting can significantly improve your odds in avoiding Bots and Zombies.   

I am sure a lot of you have some great ideas on how to avoid or detect Zombies and Bots please contribute your comments via the contact link @


206 Posts
Oct 22nd 2007

Sign Up for Free or Log In to start participating in the conversation!