Today, Microsoft released its 9th edition of the Security Intelligence Report. You can download the full pdf version here if you so desire. SIRv9 covers the period of time from January to June 2010. It contains all of Microsoft’s data and analysis surrounding threats in the cyber world.
The nice thing about SIRv9 is that the data is no longer confined to the PDF (or print) version. Instead, I recommend going to the page itself and browsing through the Key Findings, the Featured Intelligence, and the advice on Managing Risk. Microsoft is in a unique position: it has multiple security products, it controls the OS itself, and it holds the patch data for its various components, so it can assemble a more comprehensive overview of certain threats than other vendors can in those niches. For example, Microsoft is involved in both search (Bing) and antivirus (Microsoft Security Essentials), so it can report on threats and trends in both categories. Similarly, it can provide statistics on threats cleaned by its Malicious Software Removal Tool, which gives it a much broader view of botnets and malware than a traditional security company can get.
This SIR’s featured intelligence is surrounding botnets. It has six sections on this:
I think my readers are all pretty familiar with what botnets are and what the scope of the problem is. Instead, let me quote some of the parts on how to detect them and fight back (since I helped edit this part of the SIR).
Methods for detecting bots can generally be divided into two categories: those that involve static analysis, or checking computers’ characteristics against a list of known threats, and those that involve behavioral analysis, or monitoring communications in a network for behaviors that are known to be exhibited by botnets. Static analysis results in more reliable judgments, but requires threat signatures that are current and available. Behavioral analysis potentially allows for much broader detection methods (especially by aggregating information from multiple sources), but is more likely to result in false positives. Effective botnet detection strategies generally involve aspects of both static analysis and behavioral analysis.
Static Analysis
Static analysis methods involve checking items against a known list of malicious or dangerous items, such as executable binaries, URLs, and IP addresses. If the list is accurate and up-to-date, this process can be a very fast and relatively risk-free way to identify bad items. In practice, however, static analysis alone is not an effective way to keep a network free of botnets, because of the continuing efforts of malware authors to generate fully undetected threats. Malware authors use a variety of techniques to avoid detection by antivirus tools and security researchers. These techniques include the following:
Behavioral Analysis
Behavioral analysis can be a powerful tool for identifying botnets, but processing time, the need for an appropriate environment in which to observe the computer’s behavior, and the danger of false positives can make diagnosis difficult. The process is further complicated by the tendency of some malware to refuse to run if it detects that it is being executed in a virtual or isolated environment, or a debugger.
It was once common to see bots that would attempt connections to each port on a target computer in sequence (a port scan). This technique allowed the target to recognize an attacker quite easily. Now it appears that most bots use targeted attacks in their efforts to spread. They examine only a small number of ports, which are generally those that are in use by some other service and therefore open to connections.
Researchers from Microsoft and elsewhere have observed that the external behavior of bots tends to have a number of distinctive characteristics:
In particular, online games often use IRC and UDP extensively, and have built-in SMTP servers.
This is all pretty good advice on botnet detection and on figuring out when you have a problem. The entire SIR section on botnets is a good read, indeed.
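To make the static-versus-behavioral distinction concrete, here is a small detector that runs both kinds of check over a log of outbound connections. It is an added example, not code from the SIR or from Microsoft. Static matching (known bad binary hashes and listed destination addresses) yields a "confirmed" verdict; the behavioral rules (a sequential port scan, the newer targeted fan-out on a single port, and IRC plus outbound SMTP from one host) only yield "suspicious", and an allowlist covers hosts such as game clients whose IRC/SMTP use is legitimate. The `Conn` record layout, the blocklist entries, the thresholds and all sample records are constructed for illustration; the hashes are placeholders and the addresses come from the RFC 5737 documentation ranges.

```python
"""Hybrid bot detector: static indicator matching plus behavioral heuristics.

Added example, not code from the SIR or Microsoft. Every record, hash,
address and threshold below is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    """One outbound connection seen at a network sensor (constructed schema)."""
    ts: float      # seconds since epoch
    src: str       # internal host that opened the connection
    dst: str       # destination address
    dport: int     # destination port
    proto: str     # "tcp" or "udp"
    sha256: str    # hash of the process that opened the socket


# Static indicators: placeholders, not real indicators of compromise.
KNOWN_BAD_HASHES = {"0" * 64}
KNOWN_BAD_DESTS = {"203.0.113.9"}

# Hosts whose IRC/SMTP use is legitimate (the report's online-game caveat).
ALLOWLIST = {"10.0.0.50"}

IRC_PORT, SMTP_PORT = 6667, 25


def static_findings(conns):
    """Match each record against the blocklists: fast and high confidence,
    but only catches threats the lists already know about."""
    hits = defaultdict(list)
    for c in conns:
        if c.sha256 in KNOWN_BAD_HASHES:
            hits[c.src].append(("confirmed", f"known bad binary {c.sha256[:12]}"))
        if c.dst in KNOWN_BAD_DESTS:
            hits[c.src].append(("confirmed", f"contact with listed address {c.dst}"))
    return hits


def _windowed_max(recs, key, window):
    """Largest number of distinct `key` values within any `window` seconds.
    O(n^2) per group, which is fine for an illustration."""
    recs = sorted(recs, key=lambda r: r.ts)
    best = 0
    for i, first in enumerate(recs):
        seen = {key(r) for r in recs[i:] if r.ts - first.ts <= window}
        best = max(best, len(seen))
    return best


def behavioral_findings(conns, scan_ports=15, fan_out=20, window=30.0,
                        allowlist=ALLOWLIST):
    """Heuristics over traffic patterns: broader than blocklists, but each
    rule can fire on benign traffic, so results are only 'suspicious'."""
    hits = defaultdict(list)
    by_pair, by_port, ports_by_src = defaultdict(list), defaultdict(list), defaultdict(set)
    for c in conns:
        by_pair[(c.src, c.dst)].append(c)
        by_port[(c.src, c.dport)].append(c)
        ports_by_src[c.src].add(c.dport)

    # Rule 1: old-style sequential scan, many ports on one target in a short window.
    for (src, dst), recs in by_pair.items():
        n = _windowed_max(recs, lambda r: r.dport, window)
        if n >= scan_ports:
            hits[src].append(("suspicious", f"{n} ports probed on {dst} within {window:.0f}s"))

    # Rule 2: targeted spread, one service port tried against many hosts.
    for (src, port), recs in by_port.items():
        n = _windowed_max(recs, lambda r: r.dst, window)
        if n >= fan_out:
            hits[src].append(("suspicious", f"port {port} tried on {n} hosts within {window:.0f}s"))

    # Rule 3: IRC plus outbound SMTP from one host, unless the host is allowlisted.
    for src, ports in ports_by_src.items():
        if {IRC_PORT, SMTP_PORT} <= ports and src not in allowlist:
            hits[src].append(("suspicious", "IRC and outbound SMTP from the same host"))
    return hits


def detect(conns):
    """Merge both views into one verdict per host: any static hit wins."""
    merged = defaultdict(list)
    for findings in (static_findings(conns), behavioral_findings(conns)):
        for src, f in findings.items():
            merged[src].extend(f)
    return {src: ("confirmed" if any(s == "confirmed" for s, _ in f) else "suspicious",
                  [reason for _, reason in f])
            for src, f in merged.items()}


def sample_log():
    """Constructed connection records exercising every rule once."""
    t = 1_700_000_000.0
    recs = [Conn(t, "10.0.0.11", "192.0.2.10", 443, "tcp", "a" * 64)]          # benign
    recs.append(Conn(t, "10.0.0.12", "203.0.113.9", 8080, "tcp", "0" * 64))   # static hits
    recs += [Conn(t + i, "10.0.0.13", "192.0.2.20", 1 + i, "tcp", "b" * 64)    # port scan
             for i in range(20)]
    recs += [Conn(t + i, "10.0.0.14", f"192.0.2.{100 + i}", 445, "tcp", "c" * 64)  # fan-out
             for i in range(25)]
    for host, hsh in (("10.0.0.15", "d" * 64), ("10.0.0.50", "e" * 64)):       # IRC + SMTP
        recs.append(Conn(t, host, "192.0.2.30", IRC_PORT, "tcp", hsh))
        recs.append(Conn(t + 1, host, "192.0.2.31", SMTP_PORT, "tcp", hsh))
    return recs


if __name__ == "__main__":
    for host, (severity, reasons) in sorted(detect(sample_log()).items()):
        print(f"{host}: {severity} - {'; '.join(reasons)}")
```

Running it flags 10.0.0.12 as confirmed on static evidence alone, the scanning and fan-out hosts and the non-allowlisted IRC/SMTP host as suspicious, and leaves the benign host and the allowlisted game client unreported. The behavioral thresholds are the tunable part: lowering them widens coverage at the cost of exactly the false positives the report warns about.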