Botnet Detection and Cleanup

1. Introduction

Botnet is one of the major security threats nowadays. If our devices are part of botnet, they will be controlled by attackers to participate in some illegal activities; with botnet, attackers can launch sophisticated and destructive attacks, which result in wider information leak and serious service unavailability.

As we rely heavily on computer and the Internet, data and service damage can seriously affect our assets and daily life.

2. What is Botnet?

Literally, "botnet" means "a network of bots". "Bot" is short for "robot", which means a device is controlled by someone called the "bot herder". To make your device become part of a botnet, a "bot software" is installed via malware infection. The "herder" can make the bot do anything by issuing commands via a command and control (C&C or C2) server. A botnet can contain hundreds to millions of devices, including PC, Mac, Linux servers, home router, smartphone etc.

The combined resource of controlled devices become a powerful tool to launch destructive or sophiscated attack like sending billions of spam email, huge bandwidth DDoS and targeted financial fraud.

How botnet works (image created by Tom-b: http://commons.wikimedia.org/wiki/File:Botnet.svg)

3. General Cleanup Instructions

The following instructions are applicable to the cleanup of typical botnet infection on Windows PC. You can also refer to other cleanup tools on "Security Tools" page (click here). For specific botnet and solution on other platforms, please refer to the next section.

1. Visit http://www.microsoft.com/security/scanner/en-us/, and click "Download Now" to download Microsoft Safety Scanner.
   
   
    
2. Double click and run msert.exe. You need to accept the license agreement by checking the "Accept all terms of the preceding license agreement" check box before installation process. If you have accepted the agreement, click “Next” to proceed.
   
   
    
3. Select “Full scan” and click “Next” to start scanning.
   
   
    
4. Scanning is in progress. It can last for several hours depending on how many files you have in your computer.
   
   
    
5. If your computer is not infected with any malware, the result will show that no viruses, spyware, and other potentially unwanted software were detected.
   
   
    
6. If your computer is infected with some botnet malware, it will be detected and removed by the scanner.
   
   

4. Detection & Cleanup of Active Botnets in HK

Appendix A: Past Botnet Operaions by HKCERT

To response to the growth of botnet in Hong Kong, HKCERT has taken the following actions in the past few years:

1. Take down C2 server: Collaborate with law enforcement to help collect evidence and take down C2 servers located in Hong Kong.
2. Gather bot information: Collaborate with security researchers, CERT teams, security vendor and software vendor to gather HK IP addresses detected with botnet connection. HKCERT also proactively collect such information via open source intelligence (OSINT) and our IFAS on regular basis.
3. Notify device owner: After consolidating the bot information, we will collaborate with ISP to inform the owners of the devices on the IP addresses.
4. Awareness and self help: HKCERT published articles about botnets active in Hong Kong to raise public awareness, and also provide instructions on how to detect and clean up bot malware infection.

Appendix B: Further Reference

1. http://www.microsoft.com/security/pc-security/botnet.aspx