Stopping Zeus and Other Botnets

According to this Ars Technica article, almost all Fortune 500 companies have been partially infected by the Zeus botnet, meaning that they have machines on their internal networks that are vulnerable to being controlled by criminals. This has fairly scary implications for corporations, as it implies that they are vulnerable to industrial espionage and / or the theft of confidential client data.

The way these botnets work, for the most part, is that the bots have to call home to known C&C (command and control) servers (often in locations like China), which give them orders for things to do such as look for passwords, credit card numbers and so on. In addition, the C&C servers may get them to install backdoors so that more specific intellectual property and other confidential data can be located and transferred to the servers, and from them to the criminals who control them.

The reason why control of the infected computers begins with the computer "calling home" is that corporate firewalls rarely block outgoing traffic and connections that are established from the inside to external servers. Firewalls typically cannot block this traffic because it is almost impossible to identify a "call home" as being different from a perfectly genuine connection to, say, a bank or an IM friend.

Well that is to say, it is almost impossible to tell when you inspect the packets. It is however possible to tell if you look at where the packet is going to, because many of the C&C servers are identified by organizations such as DShield. Some IP addresses are just plain dangerous and so what you really need is a way to tell your firewall that these addresses are ones you should avoid.

This, in a nutshell, is why ThreatSTOP is such a key part of any security portfolio. Known C&C servers are a key portion of the ThreatList which our customers' firewalls use to create block rules. Once a C&C server has been identified by any of our partners or customers, then within 4 hours all our customers' firewalls will block and log attempted accesses to that server. With ThreatSTOP you can now stop the malicious outbound traffic without affecting all the other harmless traffic. And should that C&C server then be disinfected, once that disinfection is noted by our partners the IP address is removed from the ThreatList and, again within 4 hours, automatically removed from the blocklists of our customers' firewalls.
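To make the destination-based egress filtering described above concrete, here is an added example (not ThreatSTOP's own code or list format): a constructed threat list of IPs and CIDR blocks is compiled, outbound connection records are checked against it, and LOG-then-DROP firewall rules are generated, including the add/delete delta when a refreshed list drops a cleaned-up address. The list entries and flow records are constructed sample data using documentation address ranges.

```python
import ipaddress

# Constructed sample threat list (RFC 5737 documentation ranges, not real C&C addresses).
THREATLIST = ["192.0.2.10", "198.51.100.0/24"]

# Constructed outbound connection records: (source, destination, destination port).
OUTBOUND_FLOWS = [
    ("10.0.0.5", "203.0.113.7", 443),     # ordinary outbound HTTPS, not listed
    ("10.0.0.5", "192.0.2.10", 80),       # destination is a listed address
    ("10.0.0.9", "198.51.100.77", 8080),  # destination falls inside a listed block
]

def compile_threatlist(entries):
    """Parse single IPs and CIDR blocks into network objects (single IPs become /32)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def is_listed(dst, nets):
    """True if the destination address falls inside any listed network."""
    addr = ipaddress.ip_address(dst)
    return any(addr in n for n in nets)

def flag_outbound(flows, nets):
    """Return the flows a destination-based block rule would stop; packet contents are never inspected."""
    return [f for f in flows if is_listed(f[1], nets)]

def iptables_rules(nets, action="-A", chain="OUTPUT"):
    """Emit a LOG rule followed by a DROP rule per entry, so blocked call-homes are visible, not silent.
    action is '-A' to append rules or '-D' to delete them (hypothetical helper, iptables syntax)."""
    rules = []
    for n in nets:
        rules.append(f"iptables {action} {chain} -d {n} -j LOG --log-prefix 'THREATLIST '")
        rules.append(f"iptables {action} {chain} -d {n} -j DROP")
    return rules

def rule_delta(old_entries, new_entries):
    """Rules to apply when the list is refreshed: add newly listed entries, delete entries that were
    removed (e.g. a server that has since been disinfected), leaving all other traffic untouched."""
    old_nets = set(compile_threatlist(old_entries))
    new_nets = set(compile_threatlist(new_entries))
    added = sorted(new_nets - old_nets, key=str)
    removed = sorted(old_nets - new_nets, key=str)
    return iptables_rules(added, "-A") + iptables_rules(removed, "-D")

if __name__ == "__main__":
    nets = compile_threatlist(THREATLIST)
    for src, dst, port in flag_outbound(OUTBOUND_FLOWS, nets):
        print(f"blocked+logged: {src} -> {dst}:{port}")
    for rule in rule_delta(THREATLIST, ["198.51.100.0/24", "203.0.113.0/24"]):
        print(rule)
```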