Ask the expert: Vitaly Kamluk answers questions about DDoS and botnets

Kaspersky Lab security expert Vitaly Kamluk answers our readers’ questions about DDoS and botnets counteractions.

Vitaly Kamluk

Vitaly Kamluk has more than 10 years of experience in IT security and he holds the title Principal Security Researcher at Kaspersky Lab. He specializes in malware reverse engineering, computer forensics, and cybercrime investigations. Currently Vitaly lives in Singapore. He works with INTERPOL as a member of Digital Forensics Lab, doing malware analysis and investigation support.

We previously invited our readers to ask Vitaly questions. There were so many, in fact, that we decided to break down this Q&A session into several parts. Today Vitaly will answer questions related to digital investigations and cooperation with INTERPOL.

According to you, what is the number of large botnets, that include more than 50,000 zombified computers in the world?

My feeling is that it’s less than 20, but it’s pure speculation, because we usually discover real size of the botnet only after a takedown. While criminals are interested in having as many infection as possible they may keep the size of the botnet under certain threshold to stay below the radar.

Are there sufficiently sophisticated botnets whose aim is to create clusters consisting of either smartphones, PCs and Macs?

Sometimes it happens, that botnet may include both PC and smartphone infection. A good example was Zeus-in-the-Mobile and Zeus for PC. There are botnets for Macs, but according to our experience they are mostly standalone.

How do you detect a botnet? Where do you start? What are the latest trends regarding malware and botnet?

Firstly, you should detect a suspicious process or file on disk. Next step is to analyze this object and to locate the list of command and control (C&C) servers. Then you need to learn the protocol and request updates from the C&C periodically.

Some of the recent trends of malware and botnets include searching for reliable control mechanisms, such as those based on Tor and P2P communications. There are many articles and whitepapers on this topic. If you are interested in looking into the latest trends simply search for “Tor Botnet” on the web to get initial direction.

What you need to do to deactivate botnet?

The best way is to arrest the owner of the botnet. Arresting the distributor and the developer of the bot software, exploit kit and packer at once works even better.

Which region of the world do botnets come from? What programming language is used to develop botnets software? How can we be sure that domestic systems are not infected with botnets? In unforeseen circumstances, is there a second line of defense, if cyber-attacks are not neutralized?

Botnets are everywhere and programming language is just a matter of personal choice. To make sure your systems are not part of the botnet you should scan them with AV software and then look into network communications. You need to make sure there’s no alien and unexpected connections.

As for the second line of defense, unfortunately, current architecture of computer systems doesn’t provide it by design. Every owner of computer system is responsible for it. Neutralizing a threat remotely is considered a network intrusion and will be illegal in most of cases. After all once you are compromised you can’t rely on that system completely until total reinstall and that makes it even harder. Many of the owners don’t care about computer infections until they start losing their own money.

Is it relevant for modern botnets to be controlled via IRC? Is it enough to deprive botnet owners ability to control it in order to eliminate the botnet?

Criminals can use different approaches to control botnet. IRC is just one of many application protocols, it has advantages and disadvantages. I’d say it’s clearly outdated method — in general, modern botnets are built using HTTP.

To eliminate botnet for sure you need to find and arrest it’s owner. And that’s exactly what we do in collaboration with the Interpol. Attempts to deprive owner’s ability to control botnet doesn’t help for long, since most of the bad guys are well-prepared for this kind of counteractions.

What tools and methods are suitable when DDoS deploying attempts are discovered, considering scenarios of customer edge, ISP, regional, national or even transnational ISP?

Well, the most strong tools from Customer Edge to large ISPs will always be effective filtering. But to implement that you have to research the threat first. That’s why it’s important to catch the bot responsible for DDoS and carefully analyze it. The ultimate solution is to takeover botnet control mechanism and stop it from the center, but that’s a different story.

How is it possible to mitigate an amplification DDoS attack?

Disperse the target of attack geographically and implement multiple layers of filtering.

How can I know if I am part of a botnet or a Bitcoin mine?

Check your system for malware, because it’s the malware that would do Bitcoin mining without your consent or make your PC the part of a botnet. Some of the most efficient ways to check if you have malware include:

  1. Scan your system with reliable AV solution — that may save a lot of time, but don’t think that automated scan can give you 100% reliability, so keep looking.
  2. Check your process list for suspicious and uninvited guests: I think users should know all processes running on their system by heart.
  3. Check your list of automatically starting programs. There’s free Windows app for that called Sysinternals Autoruns tool.
  4. Finally, an advanced check includes attaching your computer to another one (connected to the Internet) and recording all network traffic that passes through. This should reveal suspicious activity even if it’s not visible from compromised system.

We’re going to publish more answers in a couple of days. Stay tuned!