US-CERT Cyber Security Tip ST06-001 -- Understanding Hidden Threats: Rootkits and Botnets
- To: security-tips@xxxxxxxxxxx
- Subject: US-CERT Cyber Security Tip ST06-001 -- Understanding Hidden Threats: Rootkits and Botnets
- From: US-CERT Security Tips <security-tips@xxxxxxxxxxx>
- Date: Wed, 25 Jan 2006 16:52:40 -0500
- Organization: US-CERT - +1 202-205-5266
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cyber Security Tip ST06-001
Understanding Hidden Threats: Rootkits and Botnets
Attackers are continually finding new ways to access computer systems.
The use of hidden methods such as rootkits and botnets has increased,
and you may be a victim without even realizing it.
What are rootkits and botnets?
A rootkit is a piece of software that can be installed and hidden on
your computer without your knowledge. It may be included in a larger
software package or installed by an attacker who has been able to take
advantage of a vulnerability on your computer or has convinced you to
download it (see Avoiding Social Engineering and Phishing Attacks for
more information). Rootkits are not necessarily malicious, but they
may hide malicious activities. Attackers may be able to access
information, monitor your actions, modify programs, or perform other
functions on your computer without being detected.
Botnet is a term derived from the idea of bot networks. In its most
basic form, a bot is simply an automated computer program, or robot.
In the context of botnets, bots are computers that can be controlled
by one, or many, outside sources. An attacker usually gains
control by infecting the computers with a virus or other malicious
code that gives the attacker access. Your computer may be part of a
botnet even though it appears to be operating normally. Botnets are
often used to conduct a range of activities, from distributing spam
and viruses to conducting denial-of-service attacks (see Understanding
Denial-of-Service Attacks for more information).
Why are they considered threats?
The main problem with both rootkits and botnets is that they are
hidden. Although botnets are not hidden the same way rootkits are,
they may go undetected unless you are specifically looking for certain
activity. If a rootkit has been installed, you may not be aware that
your computer has been compromised, and traditional anti-virus
software may not be able to detect the malicious programs. Attackers
are also creating more sophisticated programs that update themselves
so that they are even harder to detect.
Attackers can use rootkits and botnets to access and modify personal
information, attack other computers, and commit other crimes, all
while remaining undetected. By using multiple computers, attackers
increase the range and impact of their crimes. Because each computer
in a botnet can be programmed to execute the same command, an attacker
can have each of them scanning multiple computers for vulnerabilities,
monitoring online activity, or collecting the information entered in
online forms.
What can you do to protect yourself?
If you practice good security habits, you may reduce the risk that
your computer will be compromised:
* Use and maintain anti-virus software - Anti-virus software
recognizes and protects your computer against most known viruses,
so you may be able to detect and remove the virus before it can do
any damage (see Understanding Anti-Virus Software for more
information). Because attackers are continually writing new
viruses, it is important to keep your definitions up to date. Some
anti-virus vendors also offer anti-rootkit software.
* Install a firewall - Firewalls may be able to prevent some types
of infection by blocking malicious traffic before it can enter
your computer and limiting the traffic you send (see Understanding
Firewalls for more information). Some operating systems actually
include a firewall, but you need to make sure it is enabled.
* Use good passwords - Select passwords that will be difficult for
attackers to guess, and use different passwords for different
programs and devices (see Choosing and Protecting Passwords for
more information). Do not choose options that allow your computer
to remember your passwords.
* Keep software up to date - Install software patches so that
attackers can't take advantage of known problems or
vulnerabilities (see Understanding Patches for more information).
Many operating systems offer automatic updates. If this option is
available, you should enable it.
* Follow good security practices - Take appropriate precautions when
using email and web browsers to reduce the risk that your actions
will trigger an infection (see other US-CERT security tips for
more information).
Unfortunately, if there is a rootkit on your computer or an attacker
is using your computer in a botnet, you may not know it. Even if you
do discover that you are a victim, it is difficult for the average
user to effectively recover. The attacker may have modified files on
your computer, so simply removing the malicious files may not solve
the problem. If you believe that you are a victim, consider contacting
a trained system administrator.
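The paragraph above notes that an attacker may have modified files on your computer and that simply removing the obviously malicious files may not be enough. One defender-side way to notice such modifications is an integrity baseline: record a cryptographic hash of each known-good file while the system is trusted, store that record off the machine, and compare against it later. The script below is an added example, not part of the US-CERT tip; the directory names and sample files it creates are constructed for the demonstration, and in practice the baseline would be kept on read-only media so a compromised system cannot rewrite it.

```python
"""File-integrity baseline check (added example, not from the US-CERT tip).

A rootkit that hides itself from tools running on the compromised system
cannot hide from a hash comparison against a baseline taken earlier and
kept out of its reach. All paths and file contents here are constructed.
"""
import hashlib
import json
import os
import tempfile


def hash_file(path, chunk_size=65536):
    """Return the SHA-256 hex digest of a file, reading it in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map each regular file under root (path relative to root) to its digest.

    Symbolic links are skipped so that a planted link cannot redirect the
    check to an untouched copy of a replaced file.
    """
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            baseline[os.path.relpath(full, root)] = hash_file(full)
    return baseline


def save_baseline(baseline, path):
    """Write the baseline as sorted JSON (intended for read-only storage)."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    """Read a baseline previously written by save_baseline."""
    with open(path) as f:
        return json.load(f)


def verify(root, baseline):
    """Compare the current tree against a trusted baseline.

    Returns sorted lists of files whose contents changed, files that were
    not present when the baseline was taken, and files that have vanished.
    """
    current = build_baseline(root)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "removed": removed}


def demo():
    """Build a small constructed tree, baseline it, alter it, and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        tree = os.path.join(tmp, "bin")  # constructed stand-in for a system directory
        os.makedirs(tree)
        for name, data in (("ls", b"original ls"),
                           ("ps", b"original ps"),
                           ("netstat", b"original netstat")):
            with open(os.path.join(tree, name), "wb") as f:
                f.write(data)

        baseline_path = os.path.join(tmp, "baseline.json")
        save_baseline(build_baseline(tree), baseline_path)

        # Constructed changes after the baseline: one tool replaced, one
        # unexpected file appears, one tool disappears.
        with open(os.path.join(tree, "ps"), "wb") as f:
            f.write(b"replaced ps")
        with open(os.path.join(tree, "extra"), "wb") as f:
            f.write(b"unexpected file")
        os.remove(os.path.join(tree, "netstat"))

        return verify(tree, load_baseline(baseline_path))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script reports `ps` as modified, `extra` as added and `netstat` as removed. The design point is that the comparison depends only on the stored digests, not on the compromised system's own listing tools, which is why the baseline must be created while the machine is still trusted and stored where the machine cannot alter it.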
As an alternative, some vendors are developing products and tools that
may remove a rootkit from your computer. If the software cannot locate
and remove the infection, you may need to reinstall your operating
system, usually with a system restore disk that is often supplied with
a new computer. Note that reinstalling or restoring the operating
system typically erases all of your files and any additional software
that you have installed on your computer.
_________________________________________________________________
Author: Mindi McDowell
_________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use
<http://www.us-cert.gov/legal.html>
This document can also be found at
<http://www.us-cert.gov/cas/tips/ST06-001.html>
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBQ9fys30pj593lg50AQIZdQf/Xeedvp2w7pLMuHHrRV4qtz1jMmDk51g8
lUQkXNNDD1uFTLSumnAjn+4dwBDmbhH98rxAFERAxPuJriqeLXYPp5cS+lohfTnm
9a9T+7ShVhC2m2eIeFtLkLvD7MAVYKcx6ekSOTljgIupg5LfrqgzRiYp1VuTREp0
T1cmbG/LRrVb/ge0NCbO2ErwXV7lobLvs+sBGd7jrdlTNzNXHbYfJzuX+G0+1aJI
zEVZmCEJHNmds9baU76+miofh1P4ZunUpQHDr8Z/lXix3gUj/NphmKgDBL+Pmtwu
RwkuRr81B2BkTVml5ZCFWZCVCJ1UIShZN7gwHC2h2TxtYsrIqQo/nw==
=8zW8
-----END PGP SIGNATURE-----