{"id":4983,"date":"2015-06-29T04:12:06","date_gmt":"2015-06-29T08:12:06","guid":{"rendered":"http:\/\/me-en.kaspersky.com\/blog\/?p=4983"},"modified":"2017-09-24T18:37:08","modified_gmt":"2017-09-24T14:37:08","slug":"ask-expert-kamluk-ddos-botnets","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/ask-expert-kamluk-ddos-botnets\/4983\/","title":{"rendered":"Ask the expert: Vitaly Kamluk answers questions about DDoS and botnets"},"content":{"rendered":"<p>Vitaly Kamluk has more than 10 years of work experience in IT security, and now he is Principal Security Researcher at Kaspersky Lab. He specializes in malware reverse engineering, computer forensics, and cybercrime investigations. Currently Vitaly lives in Singapore and works as a member of the INTERPOL Digital Forensics Lab team, doing malware analysis and investigation support.<\/p>\n<p>We invited our readers to ask Vitaly questions. There were so many questions that we decided to break this Q&amp;A session into several parts. Today, Vitaly answers questions related to DDoS and botnets.<\/p>\n<p><strong>What is the number of large botnets (those with more than 50,000 zombified computers) in the world?<\/strong><\/p>\n<p>My feeling is that it\u2019s less than 20, but it\u2019s pure speculation, because we usually discover the real size of the botnet only after takedown.
While criminals are interested in having as many infections as possible, they may keep the size of the botnet under a certain threshold to stay below the radar.<\/p>\n<p><strong>Are there sufficiently sophisticated botnets whose aim is to create clusters consisting of smartphones, PCs, and Macs?<\/strong><\/p>\n<p>Sometimes a botnet may include both PC and smartphone infections. A good example was Zeus-in-the-Mobile and Zeus for PC. There are botnets for Macs, but according to our experience they are mostly standalone.<\/p>\n<p><strong>How do you detect a botnet? Where do you start? What are the latest trends regarding malware and botnets?<\/strong><\/p>\n<p>Firstly, you should detect a suspicious process or file on disk. The next step is to analyze this object and to locate the list of command and control (C&amp;C) servers. Then you need to learn the protocol and request updates from the C&amp;C periodically.<\/p>\n<p>Some of the recent trends in malware and botnets include the search for reliable control mechanisms, such as those based on Tor and P2P communications.
There are many articles and whitepapers on this topic. If you are interested in looking into the latest trends, simply search for \u201cTor Botnet\u201d on the web to get initial direction.<\/p>\n<p><strong>What do you need to do to deactivate a botnet?<\/strong><\/p>\n<p>The best way is to arrest the owner of the botnet. Arresting the distributor and the developer of the bot software, exploit kit and packer at once works even better.<\/p>\n<p><strong>Which region of the world do botnets come from? What programming language is used to develop botnet software? How can we be sure that domestic systems are not infected with botnets? In unforeseen circumstances, is there a second line of defense, if cyber-attacks are not neutralized?<\/strong><\/p>\n<p>Botnets are everywhere, and the programming language is just a matter of personal choice. To make sure your systems are not part of a botnet you should scan them with AV software and then look into network communications. You need to make sure there are no alien or unexpected connections.<\/p>\n<p>As for the second line of defense, unfortunately, the current architecture of computer systems doesn\u2019t provide it by design. Every owner of a computer system is responsible for it. Neutralizing a threat remotely is considered a network intrusion and will be illegal in most cases. After all, once you are compromised you can\u2019t rely on that system completely until a total reinstall, and that makes it even harder.
Many of the owners don\u2019t care about computer infections until they start losing their own money.<\/p>\n<p><strong>Is it relevant for modern botnets to be controlled via IRC? Is it enough to deprive the botnet owner of the ability to control it in order to eliminate the botnet?<\/strong><\/p>\n<p>Criminals can use different approaches to control botnets. IRC is just one of many application protocols; it has its own advantages and disadvantages. I\u2019d say it\u2019s a clearly outdated method \u2014 in general, modern botnets are built using HTTP.<\/p>\n<p>To eliminate a botnet for sure you need to find and arrest its owner. And that\u2019s exactly what we do in collaboration with INTERPOL.
Attempts to deprive the owner of the ability to control the botnet don\u2019t help for long, since most bad guys are well-prepared for this kind of counteraction.<\/p>\n<p><strong>What tools and methods are suitable when DDoS deployment attempts are discovered, considering the scenarios of customer edge, ISP, regional, national or even transnational ISP?<\/strong><\/p>\n<p>Well, the strongest tool from the customer edge to large ISPs will always be effective filtering. But to implement that you have to research the threat first. That\u2019s why it\u2019s important to catch the bot responsible for the DDoS and carefully analyze it. The ultimate solution is to take over the botnet control mechanism and stop it from the center, but that\u2019s a different story.<\/p>\n<p><strong>How is it possible to mitigate an amplification DDoS attack?<\/strong><\/p>\n<p>Disperse the target of the attack geographically and implement multiple layers of filtering.<\/p>\n<p><strong>How can I know if I am part
of a botnet or a Bitcoin mine?<\/strong><\/p>\n<p>Check your system for malware, because it\u2019s the malware that would do Bitcoin mining without your consent or make your PC part of a botnet. Some of the most efficient ways to check if you have malware include:<\/p>\n<ol>\n<li>Scan your system with a reliable AV solution \u2014 that may save a lot of time, but don\u2019t think that an automated scan can give you 100% reliability, so keep looking.<\/li>\n<li>Check your process list for suspicious and uninvited guests: I think users should know all the processes running on their system by heart.<\/li>\n<li>Check your list of automatically starting programs. There\u2019s a free Windows app for that called Sysinternals Autoruns.<\/li>\n<li>Finally, an advanced check includes attaching your computer to another one (connected to the Internet) and recording all network traffic that passes through. This should reveal suspicious activity even if it\u2019s not visible from a compromised system.<\/li>\n<\/ol>\n<p>We\u2019re going to publish more answers in a couple of days. Stay tuned!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Vitaly Kamluk has more than 10 years of work experience in IT security, and now he is Principal Security Researcher at Kaspersky Lab. 
He specializes in malware reverse engineering, computer<\/p>\n","protected":false},"author":40,"featured_media":4957,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5,1485],"tags":[1025,205,1032,575,347,352,36,131,1031],"class_list":{"0":"post-4983","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"category-special-projects","9":"tag-ask-expert","10":"tag-botnets","11":"tag-ddos","12":"tag-great","13":"tag-interpol","14":"tag-kaspersky-lab","15":"tag-malware-2","16":"tag-tips-2","17":"tag-vitaly-kamluk"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/ask-expert-kamluk-ddos-botnets\/4983\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/ask-expert-kamluk-ddos-botnets\/5540\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/ask-expert-kamluk-ddos-botnets\/5937\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/ask-expert-kamluk-ddos-botnets\/6371\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/ask-expert-kamluk-ddos-botnets\/6265\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/ask-expert-kamluk-ddos-botnets\/8250\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/ask-expert-kamluk-ddos-botnets\/9185\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/ask-expert-kamluk-ddos-botnets\/5484\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/ask-expert-kamluk-ddos-botnets\/5711\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/ask-expert-kamluk-ddos-botnets\/8087\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/ask-expert-kamluk-ddos-botnets\/8250\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/ask-expert-kamluk-ddos-botnets\/9185\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/ask-expert-kamluk
-ddos-botnets\/9185\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/ask-expert\/","name":"ask expert"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/4983","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/40"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=4983"}],"version-history":[{"count":1,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/4983\/revisions"}],"predecessor-version":[{"id":9403,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/4983\/revisions\/9403"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/4957"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=4983"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=4983"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=4983"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}