Botnet Detection and Cleanup
1. Introduction
Botnets are one of the major security threats today. If our devices are part of a botnet, they are controlled by attackers and made to participate in illegal activities; with a botnet, attackers can launch sophisticated and destructive attacks, which result in wider information leakage and serious service unavailability.
As we rely heavily on computers and the Internet, damage to data and services can seriously affect our assets and daily life.
2. What is Botnet?
Literally, "botnet" means "a network of bots". "Bot" is short for "robot", meaning a device that is controlled by someone called the "bot herder". A device becomes part of a botnet when "bot software" is installed on it through a malware infection. The herder can make the bot do anything by issuing commands via a command and control (C&C or C2) server. A botnet can contain hundreds to millions of devices, including PCs, Macs, Linux servers, home routers, smartphones, etc.
The combined resources of the controlled devices become a powerful tool for launching destructive or sophisticated attacks, such as sending billions of spam emails, high-bandwidth DDoS and targeted financial fraud.
How botnet works (image created by Tom-b: http://commons.wikimedia.org/wiki/File:Botnet.svg)
3. General Cleanup Instructions
The following instructions apply to the cleanup of a typical botnet infection on a Windows PC. You can also refer to the other cleanup tools on the "Security Tools" page. For specific botnets and solutions on other platforms, please refer to the next section.
4. Detection & Cleanup of Active Botnets in HK
| Botnet | 1st Operation | Max no. of IP addresses detected (approx.) by operation | Detection and Cleanup Reference |
| --- | --- | --- | --- |
| DNSChanger | 2012-03 | 3,500 | |
Appendix A: Past Botnet Operations by HKCERT
In response to the growth of botnets in Hong Kong, HKCERT has taken the following actions in the past few years:
Appendix B: Further Reference