Select Page

Cyren Security Blog

How to Track Botnets on Your Network with Botnet Detection Techniques

The ratio expressed in the saying “an ounce of prevention is worth a pound of cure” is off by several magnitudes when applied to Internet security. While avoiding getting infected in the first place is obviously ideal, evasive tactics invariably fool many (many!) security systems—or simple carelessness does the job.

What is a Botnet?

Botnets are a collection of compromised workstations that are utilized to accomplish a malicious agenda. They are controlled by remote servers which perform malicious acts. Remote commands and a control server can manage botnet computers. The operator of the command and control infrastructure, also known as the bot herder or botmaster, utilizes said compromised computers, or bots, to attack other computers. This is typically done by crashing a target’s network, injecting malware, harvesting credentials or executing CPU-intensive tasks.

How Does a Botnet Attack Work?

Since botnet owners have the ability to access and send commands to several thousand machines simultaneously, they can cause much harm to networks. Initially, botmasters can access these devices by using specific trojan viruses – assaulting the security mechanisms of the computer and then developing software for command and control. This enables them to produce large-scale operations. These actions can also be automated in order to promote as many attacks as possible simultaneously. Various attacks may include:

  • Denial-of-service (DDoS) attacks
  • Spam and virus attacks
  • Stealing any private data from clients

Traditionally, botnets use HTTP and IRC protocols in order to communicate with infected botnet clients. Botnet communication has unfortunately evolved to evade security services. They can find other paths in order to control infected botnet clients on non-traditional network ports, as well as social networks, and PTP networks.

Static vs Behavioral Botnet Detection

Botnet detection can fall into two different categories: Static analysis and behavioral analysis. Static analyses are simple, quick, and resource-friendly. Behavioral analyses go more in-depth but are much more resource-intensive.

Static Analysis

Static techniques are where you look for a highly specific match to something. This could include a malware signature, specific executable, or a C&C connection address.

Unfortunately, this doesn’t always work. Botnet managers are becoming increasingly sophisticated, using counters like file polymorphism in order to alter the executables in unpredictable ways. Typically, botnet detection by static analysis simply is not enough.

Behavioral Analysis

Behavioral analysis is almost always essential to botnet detection. The timing of attacks is typically a dead giveaway. C&C servers usually issue blanket orders for bots, so they take specific actions.

The average interval of time between connecting endpoints to a different outbound server will be low for bots because there is not a human driving the network activity. There will also be failed connection attempts. Those connection attempts are more likely to involve a numerical IP address than a server name. In addition, port-scanning local networks for new infiltration opportunities is the classic behavior for a bot.

How to Detect a Botnet On Your Network

There are different signs, as well as initial symptoms which can all help IT teams recognize a botnet might have infiltrated their network. These typically manifest quickly after botnet infiltration, when the compromised machine begins executing its instructions.

Symptoms of botnet infiltration may include:

  • Linking your network to established C&C servers where they receive instructions
  • Generating Internet Relay Chat (IRC) traffic through a range of different ports
  • Generating identical DNS requests
  • Generating Simple Mail Transfer Protocol (SMTP) traffic and e-mails
  • Reducing workstation performance/Internet access to the point it’s obvious to end-users

To find the bot within, follow the chatter—to detect a bot you should search for the two-way communications that the bot conducts with its command and control (C&C) server. There are several warning signs and methods that an organization can use to uncover the presence of bots.

Check Email Traffic

If your organization’s emails are being rejected by recipient organizations or ISPs, this may indicate that at some point emails from your company were blacklisted, probably as a result of spam activity originating on your network.

Check Botnet Status Sites

When you hear about a large botnet attack, it’s important to check sites to see if you may be a part of the problem. You can then have the ability to mitigate an attack. 

Watch Out For Windows Processes

If you open Task Manager in Windows 10, you have the ability to see which processes are using your network. Take a look at these and determine if anything looks suspicious. If you don’t recognize one of the processes running, do a little research on the Internet to see if the process or behavior is related to a botnet.

Utilize Corporate Firewalls

Corporate firewalls are typically the first line of defense when it comes to your network’s security. It creates a virtual fence in between secure internal networks and any untrusted sources like specific websites or the Internet as a whole. Corporate firewalls also have rule sets for detecting suspicious port use or unknown transactions.

Install an Intrusion Prevention System

Intrusion prevention systems are a form of network security working to detect and prevent identified threats. Intrusion prevention systems continue to monitor networks, looking for any possible malicious incidents and then capturing relevant information about them. This type of system comes with built-in open-source or vendor-defined rules for detecting bot traffic.

Use Web Security/URL Filtering Systems

These types of systems block outbound bot communications to C&C’s and help admins identify where the bots are in order to remove them. Cyber threat intelligence feeds and web categorization/classification engines can help.

Consider Creating a “Darknet” on your Network

By creating a subnet on your LAN that shouldn’t normally have traffic routed to it, with logging machines in it, you can detect which computers aren’t obeying your normal network setup; for example, these computers may be scanning for nodes on the network they intend to infect.

Use Security Solutions from Vendors Who Specialize in Bot Detection

There are vendors who specialize in bot detection and rely on behavioral analysis using the combined approach of log analytics and traffic analysis.

Once unwanted traffic has been detected, the next step is tracking down the source. Cybersecurity solutions offer the best chance to discover who has compromised your network. Preference should be given to solutions that can provide user identification to simplify the process, especially where users are behind network address translation (NAT) devices. Cyren technology is embedded into many cloud services and security products that block outbound bot communications to C&C’s and helps admins identify where the bots are in order to remove them.

Final Thoughts

As botnets have evolved, so have the tools to detect and eradicate them. Today, organizations must layer security measures like:

  • Threat intelligence to help to correlate known threats with activity on your network
  • High-performance malware detection to identify new families and variants of malicious software
  • Post-delivery analysis of emails and automated incident response to contain confirmed email threats

To get further up to speed on everything related to botnets, discover Cyren’s botnet protection services, or download our report on all things malware.

You might also like

11 Types of Social Engineering Attacks

What is social engineering? Social engineering attacks are the manipulation of individuals to the point that they give up confidential information. The type of information these attackers may seek varies, but when individuals or employees are targeted, they more often...

Phishing Targets Phantom Wallet

The Solana Phantom Wallet by Kervin Alintanahin Phantom is a browser based crypto wallet where you can store, send, receive, stake and exchange tokens in the Solana blockchain. With the skyrocketing prices of crypto currencies including SOL, a crypto wallet is one of...