Ask the Tutor a Question
Got a question about botnets and enterprise security? Click here to email it to the tutor. We'll publish the answer, so be sure to include your Internet Evolution Username so you get credit for the question.
Video Tutor Gideon J. Lenkey, CISSP
Gideon J. Lenkey is a co-founder of Ra Security Systems, a network security monitoring and consulting company based in Milford, NJ. While he's been a consultant on information security since 1989, Gideon currently specializes in enterprise IT security assessments and testing, as well as investigating malicious hackers, corporate insiders, and extortionists. He's provided advanced training to the FBI and other domestic and foreign government agencies on infosec issues. Gideon is president of the FBI's InfraGard chapter in New Jersey and has been recognized by FBI Director Robert Mueller on multiple occasions.
Questions and Answers from the Tutor
Question: What responsibilities do ISPs have with regard to tracking and reporting botnets?
Answer: In the U.S., ISPs really keep such matters at arm's length. The reason given is usually First Amendment rights. Most will not actively detect and react to botnet activity unless it interferes with the delivery of network services to their users. For instance, if one of their customers' servers experiences a denial-of-service attack and it interrupts service to other customers, they'll react to it. Otherwise they'll usually turn a blind eye. I've never heard of an instance where they informed end users that there is a bot on their home system.
ISPs are independently owned and operated, so your experience may differ, but they're simply not required to do anything by law. A law requiring an ISP to monitor its users for malicious activity without a court order would be a slippery slope indeed. If there is bot activity reported to them, such as a command-and-control server operating on their network, most -- but not all -- will shut it down. Often it depends on who notifies them; an email to abuse@[enter isp name here].net may go unnoticed, while a phone call from a law enforcement agency may get a more immediate response.

Question: Is running Netstat -AB in a continuously running batch file the quickest and most reliable way to determine if I am infected with a bot? Or are there obfuscation techniques that would hide this traffic from my observations?
Answer: I don't think running Netstat in a batch file is a viable strategy for ongoing malware or bot detection. As I said in the tutorial, it's a good first step to detect most bots at this particular point because they don't seem to be making much effort to hide their network connections from Netstat.
That said, many bots do actually hide their traffic quite effectively. Using Netstat is a great first step when you suspect you may have a problem, because it's simple enough to learn to use and it's built right into Windows, Linux, and Unix. It's also an option for some Apple operating systems.
An effective strategy for NOT becoming infected with a bot or other malware includes timely patching of the operating system and applications, antivirus software, personal firewall, and avoiding nefarious Websites. You can also go the extra step of using alternative browsers, email, and chat clients. It's not that they're made any better, it's just that they're less frequently the target of attack because there are fewer of them.

Question: How might application white-listing make a difference in combating botnets? Or is this like with personal firewalls -- the bot herders will eventually figure out how to add themselves to the white list?
Answer: Application white lists, at any level, are pretty effective against malware like bots. While no single defense is perfect, a white list would probably thwart most bots now in use.
Ideally, a white list would be used in conjunction with good patching practices, up-to-date anti-virus, DNS blacklisting, and an application proxy at the Internet border as a layered protective control solution. Layered controls are proven to be the most effective, because you're not relying on any one control for protection.
I have seen bots that enter their own signatures in anti-virus, their own exceptions in personal firewalls, and bots that simply shut down security software running on the victim computer. Most of them won't bother, however, because they don't encounter effective controls often enough to impede the botnet's operation. As technologies like white lists become more common, so will the bots that attempt to subvert them.

Question: Why isn't my antivirus vendor making more noise about botnets and bot infection? This seems like such an obvious place for them to make a difference, way more than anti-adware or -spyware capabilities.
Answer: Like most companies (and people), they probably aren't keen to point out their weaknesses! That said, however, most AV companies are aware of the changing circumstances and are trying to evolve their products toward behavioral detection and away from basic signature technology. Even so, the attacker will always have the advantage -- it's just the nature of the beast. An attacker is limited only by his imagination; the good guys have to wait for it and then react. The best attackers will continue to make their living in the brief period of time between attack and reaction.

Question: I work from home and don't have much in the way of firewall, DMZ, or antivirus updates -- as I would if I were inside corporate headquarters. What's the single smartest thing for me to do every day, or even every week, to protect myself against botnets?
Answer: The main thing you need to do is make sure your operating system and primary applications, such as email and Web browser, are regularly patched. That's pretty easy to do these days, as most applications patch themselves.
If you want to hedge your bets and stay out of the middle of the target, you can use an alternative browser such as Firefox or Safari and an alternative mail application like Thunderbird. Beyond that, you can catalogue the running applications on a regular basis and look for anything unfamiliar.
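The Netstat answer earlier on this page and the suggestion here to catalogue running applications come down to the same routine: take a snapshot of which processes hold network connections, compare it against a baseline you reviewed on a day the machine was believed clean, and look at whatever is new. The following Python is an added example, not code from the tutor or from Internet Evolution. It parses the text layout that Windows `netstat -ab` prints (the owning executable appears in square brackets on the line after each connection, sometimes preceded by a service or component name, or replaced by "Can not obtain ownership information" for System-owned sockets) and flags listeners and outbound connections whose owning process is not in the baseline. The sample output, the process name `winupd.exe`, the baseline sets and the addresses are all constructed for the demonstration.

```python
"""Snapshot the processes that hold network connections (from 'netstat -ab'
text) and flag anything not in a reviewed baseline.  Added example; the
sample output, process names and baseline below are constructed."""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass, field

# A connection line: proto, local address, foreign address, optional state
# (UDP lines have no state column).
PROTO_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
# The owning executable, printed by -b in square brackets on a following line.
PROC_RE = re.compile(r"^\s*\[(.+?)\]\s*$")


@dataclass
class Conn:
    proto: str
    local: str
    remote: str
    state: str
    process: str = "<unknown>"          # stays so when -b cannot read the owner
    components: list[str] = field(default_factory=list)  # e.g. service names

    @property
    def local_port(self) -> int:
        return int(self.local.rsplit(":", 1)[1])  # also handles [::]:135


def parse_netstat(text: str) -> list[Conn]:
    """Group each connection line with the process/component lines under it."""
    conns: list[Conn] = []
    current: Conn | None = None
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if m:
            proto, local, remote, state = m.groups()
            current = Conn(proto, local, remote, state or "")
            conns.append(current)
            continue
        if current is None or not line.strip():
            continue  # banner/header lines before the first connection
        m = PROC_RE.match(line)
        if m:
            current.process = m.group(1)
        elif line.strip().startswith("Can not obtain ownership"):
            current.process = "<unknown>"
        else:
            current.components.append(line.strip())
    return conns


def find_unfamiliar(conns, known_processes, baseline_listeners):
    """Return (reason, conn) pairs for anything outside the baseline."""
    findings = []
    for c in conns:
        if c.state == "LISTENING" or c.proto == "UDP":
            if (c.process, c.proto, c.local_port) not in baseline_listeners:
                findings.append(("new listener", c))
        elif c.process not in known_processes:
            findings.append(("unknown process talking out", c))
    return findings


# Constructed sample in the 'netstat -ab' layout (RFC 5737 documentation
# addresses; 'winupd.exe' is a made-up name standing in for an unknown binary).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
 Can not obtain ownership information
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING
 [winupd.exe]
  TCP    192.168.1.10:49700     203.0.113.5:443        ESTABLISHED
 [chrome.exe]
  TCP    192.168.1.10:49712     198.51.100.7:6667      ESTABLISHED
 [winupd.exe]
  UDP    0.0.0.0:5353           *:*
 [chrome.exe]
"""

# Constructed baseline: what a reviewed, believed-clean snapshot looked like.
BASELINE_LISTENERS = {
    ("svchost.exe", "TCP", 135),
    ("<unknown>", "TCP", 445),   # SMB is owned by System; -b shows no name
    ("chrome.exe", "UDP", 5353),
}
KNOWN_PROCESSES = {"svchost.exe", "chrome.exe", "outlook.exe"}


def report(text: str = SAMPLE) -> list[str]:
    """One human-readable line per finding."""
    lines = []
    for reason, c in find_unfamiliar(parse_netstat(text), KNOWN_PROCESSES,
                                     BASELINE_LISTENERS):
        lines.append(f"{reason}: {c.proto} {c.local} -> {c.remote} "
                     f"{c.state} [{c.process}]")
    return lines


if __name__ == "__main__":
    # Live use:  netstat -ab > snapshot.txt  (elevated prompt; -b needs it)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    print("\n".join(report(text)) or "nothing outside baseline")
```

On the constructed sample the script reports the unfamiliar listener on port 6667 and the outbound connection from the same unknown executable, while the baseline entries stay quiet. Refresh the baseline only after you have looked at each new entry, and keep in mind the tutor's caveat: a bot that hides its sockets from Netstat will not show up here, so this is the cheap first check, not a substitute for patching, anti-virus and a firewall.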

Question: I'll often find 10-15 emails returned to my inbox as undeliverable. These emails have been sent to addresses that don't exist in my address book to countries where I don't ever do business. Am I bot-infected?
Answer: What you are experiencing is very common and most likely caused by your email address being forged as the sender of a spam message. While it's possible that a bot on your computer harvested your email address, it's more likely it was harvested elsewhere. While bots do harvest email addresses, there are lots of other ways for spammers to get ahold of it.
While it's not likely this is being caused by a bot on your computer, it's definitely not impossible.