12/05/2008

What Gartner learned about botnets, why it is true, and why it is a new business service

1. What Gartner learned about botnets and infections in networks (or with mobile workers)

  • Enterprise security officers shouldn't assume that compromises haven't occurred, just because their antivirus, host IPS and network IPS tools don't detect botnet-infected PCs.
  • Remediation isn't easy, especially when IT operations has been outsourced. When deploying botnet sensors in an outsourced data center, an enterprise must specify acceptable, remediating ticketing and workflow processes with the outsourcer.
  • Before starting a botnet detection effort, an organization must work with its legal department to ensure that botnet monitoring is conducted in a way that doesn't violate applicable national and regional privacy regulations.
  • Source: http://mediaproducts.gartner.com/reprints/damballa/160517...

    2. Why it is true

    When we look at this source, we see a list of the most important command and control centers of botnets that the honeypot network found, together with whether their infections, connecting software or commands were detected by security software:

    194.054.090.246  2 discovered nothing
    063.173.172.098  12 discovered nothing
    210.245.211.011  12 discovered nothing
    115.126.002.121  only 1 found something
    067.149.121.039  15 discovered nothing
    069.042.216.108  20 discovered nothing
    069.042.216.090  21 discovered nothing
    064.085.160.111  16 discovered nothing
    079.132.211.024  only 6 found something

    and so on

    And if you are in Belgium you should know that, according to other numbers, there are around 120 ACTIVE command and control centers for botnets on the Belgian network. There is no operation or plan to take them down, not today and not tomorrow. And as you have been reading here before, if you follow this blog, you will understand that they now use DNS fluxing (fast flux) and domain-name fluxing to play hide and seek. This means that the command and control centers can change their IP address and their domain name very fast.
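The hide-and-seek behaviour described above has a measurable signature in passive DNS data: a name that answers with a short TTL and keeps rotating through many addresses spread over many networks. The script below is an added example (not code from the post, the Gartner reprint or Damballa) that scores names on exactly that. All observations are constructed, the addresses come from the RFC 5737 documentation ranges, and the thresholds are assumptions to be tuned against your own DNS baseline.

```python
"""Fast-flux indicator over passive DNS observations.

Added example (not code from the post). It flags names that keep rotating
through many addresses behind short TTLs. All observations and thresholds
are constructed assumptions."""
from collections import defaultdict
from ipaddress import IPv4Address

# Constructed passive-DNS records: (seconds since start, name, TTL, A answers).
# Addresses are from the RFC 5737 documentation ranges, not real infrastructure.
OBSERVATIONS = [
    (0,   "update.example-flux.test", 60,   ["198.51.100.12", "203.0.113.7"]),
    (120, "update.example-flux.test", 60,   ["192.0.2.44", "198.51.100.201"]),
    (240, "update.example-flux.test", 60,   ["203.0.113.90", "192.0.2.9"]),
    (360, "update.example-flux.test", 60,   ["198.51.100.12", "192.0.2.130"]),
    (0,   "www.example-cdn.test",     300,  ["192.0.2.10", "192.0.2.11"]),
    (900, "www.example-cdn.test",     300,  ["192.0.2.10", "192.0.2.12"]),
    (0,   "intranet.example.test",    3600, ["192.0.2.200"]),
]

# Heuristic thresholds (assumptions; tune them against your own DNS baseline).
MAX_TTL = 300           # flux names keep TTLs short so zombies re-resolve quickly
MIN_UNIQUE_IPS = 5      # a real service rarely answers with this many hosts...
MIN_UNIQUE_NETS = 3     # ...spread over this many distinct /24 networks


def slash24(ip):
    """Return the /24 network of an IPv4 address, e.g. '192.0.2.0/24'."""
    addr = int(IPv4Address(ip)) & 0xFFFFFF00
    return f"{IPv4Address(addr)}/24"


def summarize(observations):
    """Aggregate per name: distinct answer IPs, distinct /24s, lowest TTL seen."""
    per_name = defaultdict(lambda: {"ips": set(), "nets": set(), "min_ttl": None})
    for _ts, name, ttl, answers in observations:
        entry = per_name[name]
        entry["ips"].update(answers)
        entry["nets"].update(slash24(a) for a in answers)
        entry["min_ttl"] = ttl if entry["min_ttl"] is None else min(entry["min_ttl"], ttl)
    return dict(per_name)


def is_flux_like(entry):
    """True when a name shows a short TTL plus many addresses across many networks.

    CDNs also use short TTLs and several addresses, so this is an indicator to
    investigate, not proof of a C&C; the /24 spread is what separates most CDNs."""
    return (entry["min_ttl"] <= MAX_TTL
            and len(entry["ips"]) >= MIN_UNIQUE_IPS
            and len(entry["nets"]) >= MIN_UNIQUE_NETS)


def flux_candidates(observations):
    """Sorted list of names worth a closer look."""
    return sorted(name for name, entry in summarize(observations).items()
                  if is_flux_like(entry))


if __name__ == "__main__":
    for name, entry in summarize(OBSERVATIONS).items():
        flag = "FLUX?" if is_flux_like(entry) else "ok"
        print(f"{flag:5} {name:28} ips={len(entry['ips'])} "
              f"nets={len(entry['nets'])} min_ttl={entry['min_ttl']}")
```

On the constructed data only the rotating name is flagged: seven distinct addresses over three /24s at a 60-second TTL, while the CDN-like name stays inside one /24 and the intranet name has a one-hour TTL. In practice the candidate list feeds an analyst or a resolver-side block, not an automatic verdict, because legitimate services with wide anycast footprints will appear in it.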

    3. Give me a filter, updated in real time, 24/7/365

    I don't want a new appliance. I don't want a new product on my router or on my installations. I just want a specific filter, free or paid, that will stop any server or PC from going to whatever IP address is or has been a botnet command and control center. And I don't want new products that scan networks to find PCs acting as zombies, because as we have seen, those scripts and behaviours are being scrambled and changed very fast too. And give me the possibility not only to block the access but also to send an alert and a report immediately to the security officers in charge.
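The filter asked for here is, at its core, a destination match against a list plus an alert to whoever is on duty. The script below is an added example (not code from the post, the Gartner reprint or Damballa) of that logic. Its feed text reuses the command and control addresses quoted in section 2, in the zero-padded form the post prints them, which is itself the first thing such a filter has to get right; the flow records are constructed, and the "ip note" layout of the feed lines is an assumption.

```python
"""Egress filter against known botnet command-and-control addresses, with alerting.

Added example (not code from the post). The feed below reuses the C&C addresses
quoted in the post, as the post prints them; the flow records are constructed
and the feed-line layout 'ip note' is an assumption."""
import re
from ipaddress import IPv4Address

# Feed in the post's own zero-padded layout.
CC_FEED = """\
194.054.090.246  2 discovered nothing
063.173.172.098  12 discovered nothing
210.245.211.011  12 discovered nothing
115.126.002.121  only 1 found something
067.149.121.039  15 discovered nothing
069.042.216.108  20 discovered nothing
069.042.216.090  21 discovered nothing
064.085.160.111  16 discovered nothing
079.132.211.024  only 6 found something
"""

FEED_LINE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(.*?)\s*$")


def normalize_ipv4(text):
    """'063.173.172.098' -> '63.173.172.98'.

    Leading zeros are dropped per octet: Python's ipaddress rejects them and
    some tools read a zero-padded octet as octal, so a padded list would
    silently block the wrong hosts or nothing at all."""
    octets = text.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted-quad IPv4 address: {text!r}")
    return str(IPv4Address(".".join(str(int(o)) for o in octets)))


def load_blocklist(feed):
    """Parse the feed into {normalized_ip: {'count': int or None, 'note': str}}."""
    blocked = {}
    for line in feed.splitlines():
        m = FEED_LINE.match(line)
        if not m:
            continue  # headers, blanks, commentary
        note = m.group(2)
        count = re.search(r"\d+", note)  # first number in the note, as the feed gives it
        blocked[normalize_ipv4(m.group(1))] = {
            "count": int(count.group()) if count else None,
            "note": note,
        }
    return blocked


def check_flows(flow_lines, blocklist):
    """Match each flow's destination against the list; return alert records."""
    alerts = []
    for line in flow_lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed record
        ts, src, dst, dport = parts[:4]
        try:
            dst = normalize_ipv4(dst)
        except ValueError:
            continue  # IPv6 or garbage: not covered by this IPv4 list
        if dst in blocklist:
            alerts.append({"time": ts, "host": src, "cc": dst, "port": dport,
                           "action": "block", "note": blocklist[dst]["note"]})
    return alerts


def format_alert(alert):
    """One line for the on-duty security officer's report."""
    return (f"{alert['time']} BLOCK {alert['host']} -> {alert['cc']}:{alert['port']} "
            f"(listed C&C, feed note: {alert['note']})")


# Constructed flow records: timestamp, internal source, destination, destination port.
FLOWS = [
    "2008-12-05T13:25:00 10.1.2.3 194.54.90.246 443",
    "2008-12-05T13:25:01 10.1.2.4 192.0.2.77 80",
    "2008-12-05T13:25:02 10.1.2.5 069.042.216.090 6667",  # padded form from a sloppy exporter
    "2008-12-05T13:25:03 10.1.2.6 2001:db8::1 443",
    "malformed line",
]

if __name__ == "__main__":
    blocklist = load_blocklist(CC_FEED)
    for alert in check_flows(FLOWS, blocklist):
        print(format_alert(alert))
```

Two flows match and produce alerts, the IPv6 and malformed records are skipped, and the padded destination is matched only because both sides are normalized. The alert record carries the internal host, which is what the responder needs first. The caveat the post itself raises applies in full: because the centers move through fast flux, `load_blocklist` has to be re-run from a refreshed feed continuously, and an address that drops off the feed should be aged out rather than kept forever, or the filter ends up blocking whoever inherits that IP.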

    The weakest link of a botnet is the contact with its command and control center. As the special anti-botnet center in Japan proves, taking them down is a big win/win operation.

    Having a botnet on your network is bad, having command and control centers that connect to it is even worse, and having a botnet with its own command and control center is hell.

    13:25 | Comments (0)