Select Page

Cyren Security Blog

How to Detect A Botnet on Your Network with Botnet Detection Techniques

The ratio expressed in the saying “an ounce of prevention is worth a pound of cure” is off by several magnitudes when applied to Internet security. While avoiding getting infected in the first place is obviously ideal, evasive tactics invariably fool many (many!) security systems—or simple carelessness does the job.

What is Botnet Detection?

Botnets are a collection of compromised workstations that are utilized to accomplish a malicious agenda. They are controlled by remote servers which perform malicious acts. Remote commands and a control server can manage botnet computers. They can perform many types of attacks, which may include:

  • Denial-of-service (DDoS) attacks
  • Spam and virus attacks
  • Stealing any private data from clients

Traditionally, botnets use HTTP and IRC protocols in order to communicate with infected botnet clients. Botnet communication has unfortunately evolved to evade security services. They can find other paths in order to control infected botnet clients on non-traditional network ports, as well as social networks, and PTP networks.

Static vs Behavioral Botnet Detection

Botnet detection can fall into two different categories: Static analysis and behavioral analysis. Static analyses are simple, quick, and resource-friendly. Behavioral analyses go more in-depth but are much more resource-intensive.

Static Analysis

Static techniques are where you look for a highly specific match to something. This could include a malware signature, specific executable, or a C&C connection address.

Unfortunately, this doesn’t always work. Botnet managers are becoming increasingly sophisticated, using counters like file polymorphism in order to alter the executables in unpredictable ways. Typically, botnet detection by static analysis simply is not enough.

Behavioral Analysis

Behavioral analysis is almost always essential to botnet detection. The timing of attacks is typically a dead giveaway. C&C servers usually issue blanket orders for bots, so they take specific actions.

The average interval of time between connecting endpoints to a different outbound server will be low for bots because there is not a human driving the network activity. There will also be failed connection attempts. Those connection attempts are more likely to involve a numerical IP address than a server name. In addition, port-scanning local networks for new infiltration opportunities is the classic behavior for a bot.

How to Detect a Botnet On Your Network

There are different signs, as well as initial symptoms which can all help IT teams recognize a botnet might have infiltrated their network. These typically manifest quickly after botnet infiltration, when the compromised machine begins executing its instructions.

Symptoms of botnet infiltration may include:

  • Linking your network to established C&C servers where they receive instructions
  • Generating Internet Relay Chat (IRC) traffic through a range of different ports
  • Generating identical DNS requests
  • Generating Simple Mail Transfer Protocol (SMTP) traffic and e-mails
  • Reducing workstation performance/Internet access to the point it’s obvious to end-users

To find the bot within, follow the chatter—to detect a bot you should search for the two-way communications that the bot conducts with its command and control (C&C) server. There are several warning signs and methods that an organization can use to uncover the presence of bots:

  • Check email traffic. If your organization’s emails are being rejected by recipient organizations or ISPs, this may indicate that at some point emails from your company were blacklisted, probably as a result of spam activity originating on your network.
  • Utilize corporate firewalls. They may have rule sets for detecting suspicious port use or unknown transactions.
  • Install an intrusion prevention system. This type of system comes with built-in open source or vendor-defined rules for detecting bot traffic.
  • Use Web security/URL filtering systems. These types of systems, like WebSecurity offered by Cyren, block outbound bot communications to C&C’s, and help admins identify where the bots are in order to remove them.
  • Consider creating a “darknet” on your network. By creating a subnet on your LAN that shouldn’t normally have traffic routed to it, with logging machines in it, you can detect which computers aren’t obeying your normal network setup; for example, these computers may be scanning for nodes on the network they intend to infect.
  • Use security solutions from vendors who specialize in bot detection. There are vendors who specialize in bot detection and rely on behavioral analysis using the combined approach of log analytics and traffic analysis.

Once unwanted traffic has been detected, the next step is tracking down the source. Cybersecurity solutions offer the best chance to discover who has compromised your network. Preference should be given to solutions that can provide user identification to simplify the process, especially where users are behind network address translation (NAT) devices. Cyren blocks outbound bot communications to C&C’s, and helps admins identify where the bots are in order to remove them.

Final Thoughts

As botnets have evolved, so have the tools to detect and eradicate them. Today, focused solutions, such as Cyren Inbox Security, are available to:

  • Determine unusual network activity in predefined ways
  • Identify network origins
  • Analyze nature and impact
  • Quarantine, limit, or eradicate local bots

To go deeper on botnets, download Cyren’s special threat report on botnets.


Want to learn more about cloud-based email & web security? Contact us here!

You might also like

Square Enix Phishing Campaign

From July 20 until August 16, 2021, Cyren observed a significant increase in the number of Square Enix phishing URLs. The campaign coincided with 14 days of free play announced by Square Enix on July 12, 2021. During this period, we detected a total of 47,076 URLs for...