June 29, 2015

Ask the expert: Vitaly Kamluk answers questions about DDoS and botnets


Vitaly Kamluk has more than 10 years of experience in IT security and is now Principal Security Researcher at Kaspersky Lab. He specializes in malware reverse engineering, computer forensics, and cybercrime investigations. Vitaly currently lives in Singapore, where he works as a member of the INTERPOL Digital Forensics Lab team, providing malware analysis and investigation support.

We invited our readers to send Vitaly their questions. There were so many that we decided to split this Q&A session into several parts. Today, Vitaly answers the questions related to DDoS and botnets.

How many large botnets, with more than 50,000 zombified computers, are there in the world?

My feeling is that it’s less than 20, but it’s pure speculation, because we usually discover the real size of the botnet only after takedown. While criminals are interested in having as many infections as possible, they may keep the size of the botnet under a certain threshold to stay below the radar.

Are there sufficiently sophisticated botnets whose aim is to create clusters consisting of smartphones, PCs, and Macs?

Sometimes a botnet may include both PC and smartphone infections. A good example was Zeus-in-the-Mobile together with Zeus for PC. There are botnets for Macs, but in our experience they are mostly standalone.

How do you detect a botnet? Where do you start? What are the latest trends regarding malware and botnet?

Firstly, you should detect a suspicious process or file on disk. The next step is to analyze this object and locate the list of command and control (C&C) servers. Then you need to learn the protocol and request updates from the C&C periodically.

Some of the recent trends in malware and botnets include the search for reliable control mechanisms, such as those based on Tor and P2P communications. There are many articles and whitepapers on this topic. If you are interested in looking into the latest trends, simply search for “Tor Botnet” on the web to get an initial direction.
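The "locate the list of command and control servers" step from the answer above, as an added example that is not part of the original interview and not Kaspersky's or INTERPOL's tooling: a minimal static extractor that pulls URL and host:port strings out of a sample, first in plaintext and then under every single-byte XOR key, since bot configurations are often hidden behind exactly that kind of trivial encoding. The sample bytes, the key 0x5A and the hostnames (reserved example names) are all constructed for the demonstration.

```python
"""Added example for this page (not Kaspersky's or INTERPOL's tooling):
pulling candidate C&C addresses out of a bot sample. The sample bytes are
constructed; the hostnames are reserved example names, not real servers.
"""
import re
from typing import List, Tuple

# Plaintext URLs, and bare host:port pairs as they appear in embedded configs.
# Assumes ASCII strings; real samples may carry UTF-16 strings as well.
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?::\d{1,5})?(?:/[^\s\x00\"']*)?")
HOSTPORT_RE = re.compile(rb"\b(?:[A-Za-z0-9\-]+\.)+[A-Za-z]{2,}:\d{1,5}\b")


def find_indicators(data: bytes) -> List[str]:
    """Return URL and host:port strings visible in plaintext, sorted."""
    found = set()
    for rx in (URL_RE, HOSTPORT_RE):
        for m in rx.finditer(data):
            found.add(m.group(0).decode("ascii", "replace"))
    return sorted(found)


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key for b in data)


def find_xor_indicators(data: bytes) -> List[Tuple[int, str]]:
    """Brute-force every single-byte XOR key and collect the indicators that
    appear under it. Many bots hide their C&C list this way so that a plain
    `strings` run shows nothing useful; 255 keys cost almost nothing to try."""
    results = []
    for key in range(1, 256):
        for ind in find_indicators(xor_bytes(data, key)):
            results.append((key, ind))
    return results


# Constructed sample: a fake header, one plaintext gate URL, and a
# NUL-delimited list of fallback servers XOR-encoded with key 0x5A.
XOR_KEY = 0x5A
PLAIN_URL = b"http://c2-one.example:8080/gate.php"
HIDDEN_LIST = b"c2-two.example.net:443;c2-three.example.org:443"
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 16 + PLAIN_URL + b"\x00" * 8
          + xor_bytes(b"\x00" + HIDDEN_LIST + b"\x00", XOR_KEY) + b"\x00" * 8)

if __name__ == "__main__":
    print("plaintext:", find_indicators(SAMPLE))
    for key, ind in find_xor_indicators(SAMPLE):
        print(f"xor key 0x{key:02x}:", ind)
```

The candidates this produces still have to be checked against the protocol handler in the sample: a hostname in a string table may be a decoy or an update server rather than the gate. Once confirmed, the decoded list is what the periodic C&C polling from the answer above would be pointed at.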

What do you need to do to deactivate a botnet?

The best way is to arrest the owner of the botnet. Arresting the distributor and the developer of the bot software, exploit kit and packer at once works even better.

Which region of the world do botnets come from? What programming language is used to develop botnets software? How can we be sure that domestic systems are not infected with botnets? In unforeseen circumstances, is there a second line of defense, if cyber-attacks are not neutralized?

Botnets are everywhere, and the programming language is just a matter of personal choice. To make sure your systems are not part of a botnet you should scan them with AV software and then look into their network communications. You need to make sure there are no alien or unexpected connections.

As for the second line of defense, unfortunately, the current architecture of computer systems doesn’t provide one by design. Every owner of a computer system is responsible for it. Neutralizing a threat remotely is considered a network intrusion and will be illegal in most cases. After all, once you are compromised you can’t rely on that system completely until a total reinstall, and that makes it even harder. Many owners don’t care about computer infections until they start losing their own money.

Is it relevant for modern botnets to be controlled via IRC? Is it enough to deprive the botnet owner of the ability to control it in order to eliminate the botnet?

Criminals can use different approaches to control botnets. IRC is just one of many application protocols; it has its own advantages and disadvantages. I’d say it’s clearly an outdated method; in general, modern botnets are built using HTTP.

To eliminate a botnet for sure you need to find and arrest its owner. And that’s exactly what we do in collaboration with INTERPOL. Attempts to deprive the owner of the ability to control the botnet don’t help for long, since most bad guys are well prepared for this kind of counteraction.

What tools and methods are suitable when attempts to deploy a DDoS are discovered, considering the scenarios of a customer edge, an ISP, and a regional, national or even transnational ISP?

Well, the strongest tool, from the customer edge to large ISPs, will always be effective filtering. But to implement that you have to research the threat first. That’s why it’s important to catch the bot responsible for the DDoS and carefully analyze it. The ultimate solution is to take over the botnet’s control mechanism and stop it from the center, but that’s a different story.

How is it possible to mitigate an amplification DDoS attack?

Disperse the target of attack geographically and implement multiple layers of filtering.
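What the "multiple layers of filtering" answer looks like at the first layer, as an added example that is not part of the interview and not Kaspersky's or INTERPOL's tooling: flow records are grouped by victim and reflector service port, aggregates with many distinct "sources" all answering from the same UDP service port with oversized packets are ranked as amplification suspects, and a coarse drop rule is generated for each. The flow records, addresses (documentation ranges), thresholds and the reflector port table are constructed assumptions for the demonstration.

```python
"""Added example for this page (not Kaspersky's or INTERPOL's tooling):
ranking reflection/amplification suspects from flow records and emitting a
first, coarse filter for them. Flow records are constructed and use
documentation address ranges.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# UDP services commonly abused as reflectors, keyed by the source port the
# reflected answers arrive from (assumed table; extend for your network).
REFLECTOR_PORTS: Dict[int, str] = {
    19: "chargen", 53: "DNS", 123: "NTP", 161: "SNMP", 1900: "SSDP", 11211: "memcached",
}


@dataclass
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    pkts: int
    octets: int


def amplification_suspects(flows: List[Flow], min_reflectors: int = 3,
                           min_avg_bytes: int = 400) -> List[dict]:
    """Group inbound UDP flows by (destination, source port).

    The victim of an amplification attack sees many distinct 'sources' (the
    abused reflectors) all answering from the same service port with large
    packets, for queries the victim never sent. Aggregates crossing both
    thresholds are returned, biggest first.
    """
    agg = defaultdict(lambda: {"reflectors": set(), "pkts": 0, "octets": 0})
    for f in flows:
        if f.proto != "udp" or f.sport not in REFLECTOR_PORTS:
            continue
        a = agg[(f.dst, f.sport)]
        a["reflectors"].add(f.src)
        a["pkts"] += f.pkts
        a["octets"] += f.octets
    suspects = []
    for (dst, sport), a in agg.items():
        avg = a["octets"] // a["pkts"]
        if len(a["reflectors"]) >= min_reflectors and avg >= min_avg_bytes:
            suspects.append({"victim": dst, "sport": sport, "service": REFLECTOR_PORTS[sport],
                             "reflectors": len(a["reflectors"]), "avg_bytes": avg,
                             "total_bytes": a["octets"]})
    return sorted(suspects, key=lambda s: -s["total_bytes"])


def filter_rules(suspects: List[dict]) -> List[str]:
    """One coarse rule per suspect for the nearest filtering layer.

    Matching on source port *and* packet length keeps small, legitimate
    answers flowing (a normal NTP reply carries 48 bytes of payload) while
    the oversized reflected ones are dropped. Upstream layers (ISP ACLs,
    scrubbing) would work from the same (victim, service) pairs.
    """
    rules = []
    for s in suspects:
        min_len = s["avg_bytes"] // 2
        rules.append(f"iptables -A INPUT -d {s['victim']} -p udp --sport {s['sport']} "
                     f"-m length --length {min_len}:65535 -j DROP")
    return rules


# Constructed sample: six NTP reflectors and four open DNS resolvers hitting
# 203.0.113.10, plus a normal DNS answer and an HTTPS session for another host.
SAMPLE_FLOWS = (
    [Flow(f"198.51.100.{i}", 123, "203.0.113.10", 40000 + i, "udp", 1000, 468_000) for i in range(1, 7)]
    + [Flow(f"192.0.2.{i}", 53, "203.0.113.10", 50000 + i, "udp", 500, 1_500_000) for i in range(1, 5)]
    + [Flow("192.0.2.5", 53, "203.0.113.20", 51000, "udp", 2, 180),
       Flow("203.0.113.20", 52000, "192.0.2.80", 443, "tcp", 120, 90_000)]
)

if __name__ == "__main__":
    found = amplification_suspects(SAMPLE_FLOWS)
    for s in found:
        print(s)
    for r in filter_rules(found):
        print(r)
```

The length match is the caveat a practitioner would add: dropping everything from source port 53 or 123 to the victim would also kill its own DNS and NTP answers, and once the victim's uplink is saturated only the upstream layers (the geographically dispersed anycast front ends and the ISP's filters the answer refers to) can help, which is why the same (victim, service) pairs need to be handed upstream.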

How can I know if I am part of a botnet or a Bitcoin mine?

Check your system for malware, because it’s the malware that would do Bitcoin mining without your consent or make your PC part of a botnet. Some of the most efficient ways to check if you have malware include:

  1. Scan your system with a reliable AV solution — that may save a lot of time, but don’t think that an automated scan can give you 100% reliability, so keep looking.
  2. Check your process list for suspicious and uninvited guests: I think users should know all processes running on their system by heart.
  3. Check your list of automatically starting programs. There’s a free Windows app for that called Sysinternals Autoruns.
  4. Finally, an advanced check includes attaching your computer to another one (connected to the Internet) and recording all network traffic that passes through. This should reveal suspicious activity even if it’s not visible from a compromised system.
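Steps 2 to 4 of the checklist above, together with the "no alien or unexpected connections" check from the earlier answer, as one added example that is not part of the interview and not Kaspersky's or INTERPOL's tooling: a triage script that compares a process list, a `netstat -ano` listing and an autostart export against a per-host baseline. The netstat text, the PID-to-image map, the Autoruns-style CSV (its column names are assumed) and the baseline sets are all constructed; on a real host you would feed in the live command output instead.

```python
"""Added example for this page (not Kaspersky's or INTERPOL's tooling):
triaging a host's processes, connections and autostart entries against a
baseline. All input below is constructed; addresses are documentation ranges.
"""
import csv
import io
from typing import Dict, List, Tuple

# Constructed sample in the shape of `netstat -ano` output on Windows. Real use:
# subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.0.5:49712         192.0.2.10:443         ESTABLISHED     1204
  TCP    10.0.0.5:49730         198.51.100.77:6667     ESTABLISHED     3388
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  UDP    10.0.0.5:3333          *:*                                    3388
"""

# Constructed PID -> (image name, image path), as `tasklist` / WMI would give.
PROCESSES: Dict[int, Tuple[str, str]] = {
    4: ("System", ""),
    1204: ("chrome.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    3388: ("svchost.exe", r"C:\Users\alice\AppData\Local\Temp\svchost.exe"),
}

# Constructed sample in the shape of an Autoruns CSV export (column names are
# an assumption; check them against your Autoruns version).
AUTORUNS_SAMPLE = r"""Entry Location,Entry,Enabled,Image Path,Signer
HKCU\Software\Microsoft\Windows\CurrentVersion\Run,Updater,enabled,C:\Users\alice\AppData\Local\Temp\svchost.exe,(Not verified)
HKLM\Software\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,C:\Windows\System32\SecurityHealthSystray.exe,(Verified) Microsoft Windows
"""

# Baseline assumptions for this host: known process names, remote hosts it is
# expected to talk to, and where legitimate binaries live. The trailing
# backslash matters: "c:\windows" alone would also accept "c:\windowsX\...".
KNOWN_PROCESSES = {"System", "chrome.exe", "svchost.exe", "explorer.exe"}
ALLOWED_REMOTES = {"192.0.2.10"}
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def parse_netstat(text: str) -> List[dict]:
    """Parse `netstat -ano` rows. UDP rows have no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP":
            proto, local, remote, state, pid = parts
        else:
            proto, local, remote, pid = parts
            state = ""
        rows.append({"proto": proto, "local": local, "remote": remote,
                     "state": state, "pid": int(pid)})
    return rows


def in_system_dirs(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def triage(netstat_text: str, processes: Dict[int, Tuple[str, str]]) -> List[dict]:
    """Findings: established connections to hosts outside the allowlist,
    processes with unknown names, and known names running from an unexpected
    directory (the classic svchost.exe-in-%TEMP% masquerade)."""
    findings = []
    for row in parse_netstat(netstat_text):
        if row["proto"] != "TCP" or row["state"] != "ESTABLISHED":
            continue
        host = row["remote"].rsplit(":", 1)[0]
        if host not in ALLOWED_REMOTES:
            name = processes.get(row["pid"], ("<unknown>", ""))[0]
            findings.append({"kind": "unexpected_connection", "pid": row["pid"],
                             "process": name, "remote": row["remote"]})
    for pid, (name, path) in sorted(processes.items()):
        if name not in KNOWN_PROCESSES:
            findings.append({"kind": "unknown_process", "pid": pid, "process": name, "path": path})
        elif path and not in_system_dirs(path):
            findings.append({"kind": "suspicious_path", "pid": pid, "process": name, "path": path})
    return findings


def check_autoruns(csv_text: str) -> List[dict]:
    """Flag autostart entries that are unsigned/unverified or that start an
    image from outside the system directories."""
    findings = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        signer, path = rec["Signer"], rec["Image Path"]
        if not signer.startswith("(Verified)") or not in_system_dirs(path):
            findings.append({"entry": rec["Entry"], "location": rec["Entry Location"],
                             "path": path, "signer": signer})
    return findings


if __name__ == "__main__":
    for f in triage(NETSTAT_SAMPLE, PROCESSES) + check_autoruns(AUTORUNS_SAMPLE):
        print(f)
```

Run from the suspect host this is only as trustworthy as that host's own tools, which is the point of step 4: a rootkit can hide a process or a socket from `netstat`, but not from a capture taken on the machine the traffic passes through, so the connection findings are best confirmed against that external capture before the box is rebuilt.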

We’re going to publish more answers in a couple of days. Stay tuned!