Today, Microsoft released its 9th edition of the Security Intelligence Report.  You can download the full pdf version here if you so desire.  SIRv9 covers the period of time from January to June 2010.  It contains all of Microsoft’s data and analysis surrounding threats in the cyber world.

The nice thing about SIRv9 is that the data is no longer confined to the pdf document (or print version).  Instead, I recommend going to the page itself and browsing through the Key Findings, the Featured Intelligence, and the advice for Managing Risk.  Microsoft is in a unique position because it ships multiple security products and controls the OS itself, so it has data on patches for its various components.  As a result, it can assemble a more comprehensive overview of certain threats than other vendors can, particularly in niche areas.  For example, Microsoft is involved in both search (Bing) and A/V (Microsoft Security Essentials), so it can report on threats and trends in both categories.  Similarly, it can provide stats on threats cleaned by its Malicious Software Removal Tool, which gives it a much broader view of botnets and malware than is otherwise available to a traditional security company.

This SIR’s featured intelligence is about botnets.  It has six sections on this:

  1. The Introduction
  2. What is a Botnet?
  3. The Scope of the Problem
  4. Fighting Back
  5. A More Secure Microsoft
  6. Malware Case Study

I think my readers are all pretty familiar with what botnets are and what the scope of the problem is.  Instead, let me quote some of the parts on how to detect them and fight back (since I helped edit this part of the SIR).


Detecting Botnets

Methods for detecting bots can generally be divided into two categories—those that involve static analysis, or checking computers’ characteristics against a list of known threats, and those that involve behavioral analysis, or monitoring communications in a network for behaviors that are known to be exhibited by botnets. Static analysis results in more reliable judgments, but requires threat signatures that are current and available. Behavioral analysis potentially allows for much broader detection methods (especially by aggregating information from multiple sources), but is more likely to result in false positives. Effective botnet detection strategies generally involve aspects of both static analysis and behavioral analysis.

Static Analysis and Behavioral Analysis

Static Analysis

Static analysis methods involve checking items against a known list of malicious or dangerous items, such as executable binaries, URLs, and IP addresses. If the list is accurate and up-to-date, this process can be a very fast and relatively risk-free way to identify bad items. In practice, however, static analysis alone is not an effective way to keep a network free of botnets, because of the continuing efforts of malware authors to generate fully undetected threats. Malware authors use a variety of techniques to avoid detection by antivirus tools and security researchers. These techniques include the following:

  • Polymorphism, which involves the creation of multiple unique but functionally identical malware files. (See “Defending the Botnet” for more information.)

  • URL obfuscation methods, such as using escape sequences and converting an IP address to its decimal representation.

  • Changing IP addresses rapidly, and using large numbers of alternate URLs that connect to the same resource (or copies of the same resource).

  • Serving different downloads or web pages depending on factors like the time of day or the origin of the request (for example, serving clean web pages to requests coming from security software vendors).
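The escape-sequence and decimal-IP tricks in the list above defeat a static check only when the lookup compares raw strings. The following is an added example, not code from the SIR or from Microsoft, showing the defender's counter: canonicalize both the blocklist entries and the observed URL before the lookup. The blocklist, the sample URLs and the hostname `bad.example` are constructed for the example, and the addresses come from documentation ranges.

```python
"""Canonicalize host identifiers and URLs before a blocklist lookup.

Added example, not code from the SIR or from Microsoft. The report notes
that static matching breaks when an indicator is obfuscated with escape
sequences or an IP address is written in decimal; this module normalizes
both the blocklist entries and the observed URL to one canonical form so
that a plain set lookup still matches. The blocklist and sample URLs are
constructed for the example and use documentation address ranges.
"""
import ipaddress
from urllib.parse import unquote, urlsplit

# Constructed blocklist: one C&C address and one hostname (not real indicators).
BLOCKLIST_HOSTS = {"203.0.113.10", "bad.example"}


def canonical_host(host: str) -> str:
    """Lowercase a hostname, or rewrite an IPv4 address as a dotted quad.

    A bare decimal integer ("3405803786") or a 0x-prefixed hex literal
    ("0xcb00710a") is treated as the 32-bit address value, which is how
    browsers interpret such hosts.
    """
    host = host.strip().lower().rstrip(".")
    value = None
    if host.isdigit():
        value = int(host, 10)
    elif host.startswith("0x"):
        try:
            value = int(host, 16)
        except ValueError:
            value = None
    if value is not None and 0 <= value <= 0xFFFFFFFF:
        return str(ipaddress.IPv4Address(value))
    try:
        return str(ipaddress.ip_address(host))  # already a dotted quad (or IPv6)
    except ValueError:
        return host  # an ordinary DNS name


def canonical_url(url: str) -> str:
    """Decode percent-escapes in host and path, then canonicalize the host."""
    parts = urlsplit(url.strip())
    host = canonical_host(unquote(parts.hostname or ""))
    if ":" in host:  # IPv6 literal must be re-bracketed for a valid URL
        host = f"[{host}]"
    path = unquote(parts.path) or "/"
    return f"{parts.scheme.lower()}://{host}{path}"


def naive_match(url: str, blocklist=BLOCKLIST_HOSTS) -> bool:
    """Exact-string lookup of the hostname as observed; defeated by obfuscation."""
    return (urlsplit(url).hostname or "") in blocklist


def is_blocklisted(url: str, blocklist=BLOCKLIST_HOSTS) -> bool:
    """Lookup after canonicalizing both the blocklist and the observed URL."""
    canon = {canonical_host(h) for h in blocklist}
    return (urlsplit(canonical_url(url)).hostname or "") in canon


if __name__ == "__main__":
    # Constructed samples: the same blocklisted host written four ways.
    for sample in ("http://203.0.113.10/update.php",
                   "http://3405803786/update.php",
                   "http://0xCB00710A/update.php",
                   "http://%32%30%33.0.113.10/%75pdate.php"):
        print(f"{sample:45} naive={naive_match(sample)!s:5} canonical={is_blocklisted(sample)}")
```

The point of keeping `naive_match` next to `is_blocklisted` is to make the failure mode visible: the raw-string lookup matches only the first spelling, while the canonicalized lookup matches all four. The same normalization has to be applied to the feed itself, since blocklist publishers are not always consistent about case, trailing dots or encoding either.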

Behavioral Analysis

Behavioral analysis can be a powerful tool for identifying botnets, but processing time, the need for an appropriate environment in which to observe the computer’s behavior, and the danger of false positives can make diagnosis difficult. The process is further complicated by the tendency of some malware to refuse to run if it detects that it is being executed in a virtual or isolated environment, or a debugger.

It was once common to see bots that would attempt connections to each port on a target computer in sequence (a port scan). This technique allowed the target to recognize an attacker quite easily. Now it appears that most bots use targeted attacks in their efforts to spread. They examine only a small number of ports, which are generally those that are in use by some other service and therefore open to connections.

Researchers from Microsoft and elsewhere have observed that the external behavior of bots tends to have a number of distinctive characteristics:

  • Bot activities are often, although not always, closely coordinated with DDoS attacks and time-sensitive spam and phishing attacks, as evidenced by a sharp correlation in the timing of their network activities. For example, the controller instructs all bots to start sending their pump-and-dump spam payload at the same time. For individual bots, network activity tends to be almost silent for much of the time, and then have a very high number of connections in a short period of time.

  • The intervals between a bot’s acquisition of new targets (distinct destination IP addresses) are generally much shorter than the intervals between an uninfected computer’s communication with other distinct IP addresses. In other words, bots talk to more distinct IP addresses in a shorter period of time than uninfected computers do. In addition, bots tend to evenly distribute their attentions among their targets—they make about the same number of connections to each of a large number of destination IP addresses.

  • Bots often have a higher number of failed connections than uninfected computers do.

  • Bots that are controlled via IRC often exhibit a significant amount of IRC traffic. IRC is a well-known protocol that is used legitimately in many contexts, including games and technical support web applications, but it is still relatively rare and many computers and even whole networks have no legitimate reason to use it at all.

  • Bots are much more likely than uninfected computers to send large volumes of email from locally installed Simple Mail Transfer Protocol (SMTP) servers. Most home and enterprise users connect to email servers that are operated by their ISPs or IT departments, and have no need to install SMTP servers on their desktop or laptop computers.

  • Some bots use the User Datagram Protocol (UDP) exclusively, which is somewhat unusual for Internet communication.

  • HTTP bots often communicate using the IP addresses of web servers rather than server names, which is less common for legitimate traffic. HTTP traffic between bots and C&C servers can include suspicious URI strings or non-standard HTTP headers (such as the “Entity-Info:” and “Magic-Number:” headers used by Win32/Bredolab C&C servers to transmit data).

However, it is certainly possible for legitimate computer users and programs to exhibit many of the behaviors listed here. In particular, online games often use IRC and UDP extensively, and have built-in SMTP servers.
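The characteristics listed above translate fairly directly into per-host checks over flow records, and the caveat that follows them is exactly why a single indicator should never be treated as a verdict. The block below is an added example, not code from the SIR or from Microsoft: it scores each source host against the report's indicators (distinct destinations per minute, even spread across targets, failed-connection ratio, bursty timing, IRC ports, outbound SMTP, UDP-only traffic and HTTP to a raw IP) using a constructed set of flows for a bot, a workstation and a UDP-only game client. The thresholds, port numbers and the `Flow` record layout are assumptions chosen for the sample data, not figures from the report.

```python
"""Score hosts against the behavioral botnet indicators described in the SIR.

Added example, not code from the SIR or from Microsoft. It turns the
report's heuristics into checks over a constructed list of flow records.
Thresholds are assumptions picked for the sample data, not figures from
the report; the IP addresses are documentation ranges.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Flow:
    ts: int              # seconds since the start of the observation window
    src: str             # source host
    dst: str             # destination IP address
    proto: str           # "tcp" or "udp"
    dport: int
    ok: bool             # True if the connection was established
    http_host: str = ""  # HTTP Host header, empty for non-HTTP flows


IRC_PORTS = set(range(6660, 6670))  # common IRC server ports (assumption)
SMTP_PORT = 25


def _looks_like_ip(host: str) -> bool:
    """True if an HTTP Host value is a dotted-quad address rather than a name."""
    parts = host.split(".")
    return len(parts) == 4 and all(p.isdigit() for p in parts)


def host_indicators(flows: list, window: int = 300) -> dict:
    """Evaluate one host's flows; each key is one indicator from the report."""
    n = len(flows)
    per_dst = list(Counter(f.dst for f in flows).values())
    spread = pstdev(per_dst) / mean(per_dst)                   # 0.0 == perfectly even
    busiest = max(Counter(f.ts // 10 for f in flows).values())  # flows in busiest 10 s
    return {
        "many_targets": len(per_dst) * 60 / window >= 2.0,    # distinct dsts per minute
        "even_spread": len(per_dst) >= 10 and spread < 0.25,
        "failed_conns": sum(not f.ok for f in flows) / n >= 0.3,
        "bursty": n >= 10 and busiest / n >= 0.5,             # silent, then a burst
        "irc": any(f.proto == "tcp" and f.dport in IRC_PORTS for f in flows),
        "local_smtp": sum(f.dport == SMTP_PORT for f in flows) >= 5,
        "udp_only": all(f.proto == "udp" for f in flows),
        "http_to_ip": any(_looks_like_ip(f.http_host) for f in flows if f.http_host),
    }


def score_hosts(flows: list, window: int = 300) -> dict:
    """Group flows by source and count how many indicators each host trips."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    report = {}
    for src, host_flows in by_src.items():
        ind = host_indicators(host_flows, window)
        report[src] = {"score": sum(ind.values()), "indicators": ind}
    return report


def build_sample_flows() -> list:
    """Constructed traffic for three hosts; not real observations."""
    flows = []
    # 10.0.0.5: an IRC check-in and an HTTP request to a raw IP, then a
    # coordinated spam burst to 12 mail servers (two attempts each, half refused).
    flows.append(Flow(90, "10.0.0.5", "203.0.113.7", "tcp", 6667, True))
    flows.append(Flow(95, "10.0.0.5", "203.0.113.7", "tcp", 80, True, "203.0.113.7"))
    for i in range(12):
        for attempt in range(2):
            flows.append(Flow(100 + i, "10.0.0.5", f"198.51.100.{i}", "tcp", SMTP_PORT, attempt == 0))
    # 10.0.0.9: a workstation browsing three sites over five minutes.
    for ts, dst in [(0, "203.0.113.20"), (60, "203.0.113.21"), (120, "203.0.113.20"),
                    (180, "203.0.113.22"), (240, "203.0.113.21"), (290, "203.0.113.20")]:
        flows.append(Flow(ts, "10.0.0.9", dst, "tcp", 443, True, "www.example.com"))
    # 10.0.0.12: a game client that only speaks UDP to one server.
    for ts in (10, 20, 30):
        flows.append(Flow(ts, "10.0.0.12", "203.0.113.40", "udp", 27015, True))
    return flows


if __name__ == "__main__":
    for src, result in sorted(score_hosts(build_sample_flows()).items()):
        tripped = [name for name, hit in result["indicators"].items() if hit]
        print(f"{src}: score {result['score']} {tripped}")
```

Run against the sample, the bot trips seven indicators, the workstation none, and the game client exactly one (`udp_only`). That last result is the caveat in code form: a UDP-only host is worth a look, but on its own it is as consistent with a game as with a bot, which is why the score aggregates several independent signals before anyone is paged.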

This is all pretty good advice for botnet detection and for figuring out when you have a problem. The entire SIR’s section on botnets is a good read, indeed.