-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cyber Security Tip ST06-001
Understanding Hidden Threats: Rootkits and Botnets
Attackers are continually finding new ways to access computer systems.
The use of hidden methods such as rootkits and botnets has increased,
and you may be a victim without even realizing it.
What are rootkits and botnets?
A rootkit is a piece of software that can be installed and hidden on
your computer without your knowledge. It may be included in a larger
software package or installed by an attacker who has been able to take
advantage of a vulnerability on your computer or has convinced you to
download it (see Avoiding Social Engineering and Phishing Attacks for
more information). Rootkits are not necessarily malicious, but they
may hide malicious activities. Attackers may be able to access
information, monitor your actions, modify programs, or perform other
functions on your computer without being detected.
Botnet is a term derived from the idea of bot networks. In its most
basic form, a bot is simply an automated computer program, or robot.
In the context of botnets, bots refer to computers that are able to be
controlled by one, or many, outside sources. An attacker usually gains
control by infecting the computers with a virus or other malicious
code that gives the attacker access. Your computer may be part of a
botnet even though it appears to be operating normally. Botnets are
often used to conduct a range of activities, from distributing spam
and viruses to conducting denial-of-service attacks (see Understanding
Denial-of-Service Attacks for more information).
Why are they considered threats?
The main problem with both rootkits and botnets is that they are
hidden. Although botnets are not hidden the same way rootkits are,
they may be undetected unless you are specifically looking for certain
activity. If a rootkit has been installed, you may not be aware that
your computer has been compromised, and traditional anti-virus
software may not be able to detect the malicious programs. Attackers
are also creating more sophisticated programs that update themselves
so that they are even harder to detect.
Attackers can use rootkits and botnets to access and modify personal
information, attack other computers, and commit other crimes, all
while remaining undetected. By using multiple computers, attackers
increase the range and impact of their crimes. Because each computer
in a botnet can be programmed to execute the same command, an attacker
can have each of them scanning multiple computers for vulnerabilities,
monitoring online activity, or collecting the information entered in
online forms.
What can you do to protect yourself?
If you practice good security habits, you may reduce the risk that
your computer will be compromised:
* Use and maintain anti-virus software - Anti-virus software
recognizes and protects your computer against most known viruses,
so you may be able to detect and remove the virus before it can do
any damage (see Understanding Anti-Virus Software for more
information). Because attackers are continually writing new
viruses, it is important to keep your definitions up to date. Some
anti-virus vendors also offer anti-rootkit software.
* Install a firewall - Firewalls may be able to prevent some types
of infection by blocking malicious traffic before it can enter
your computer and limiting the traffic you send (see Understanding
Firewalls for more information). Some operating systems actually
include a firewall, but you need to make sure it is enabled.
* Use good passwords - Select passwords that will be difficult for
attackers to guess, and use different passwords for different
programs and devices (see Choosing and Protecting Passwords for
more information). Do not choose options that allow your computer
to remember your passwords.
* Keep software up to date - Install software patches so that
attackers can't take advantage of known problems or
vulnerabilities (see Understanding Patches for more information).
Many operating systems offer automatic updates. If this option is
available, you should enable it.
* Follow good security practices - Take appropriate precautions when
using email and web browsers to reduce the risk that your actions
will trigger an infection (see other US-CERT security tips for
more information).
Unfortunately, if there is a rootkit on your computer or an attacker
is using your computer in a botnet, you may not know it. Even if you
do discover that you are a victim, it is difficult for the average
user to effectively recover. The attacker may have modified files on
your computer, so simply removing the malicious files may not solve
the problem. If you believe that you are a victim, consider contacting
a trained system administrator.
As an alternative, some vendors are developing products and tools that
may remove a rootkit from your computer. If the software cannot locate
and remove the infection, you may need to reinstall your operating
system, usually with a system restore disk that is often supplied with
a new computer. Note that reinstalling or restoring the operating
system typically erases all of your files and any additional software
that you have installed on your computer.
_________________________________________________________________
Author: Mindi McDowell
_________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use
<http://www.us-cert.gov/legal.html>
This document can also be found at
<http://www.us-cert.gov/cas/tips/ST06-001.html>
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBQ9fys30pj593lg50AQIZdQf/Xeedvp2w7pLMuHHrRV4qtz1jMmDk51g8
lUQkXNNDD1uFTLSumnAjn+4dwBDmbhH98rxAFERAxPuJriqeLXYPp5cS+lohfTnm
9a9T+7ShVhC2m2eIeFtLkLvD7MAVYKcx6ekSOTljgIupg5LfrqgzRiYp1VuTREp0
T1cmbG/LRrVb/ge0NCbO2ErwXV7lobLvs+sBGd7jrdlTNzNXHbYfJzuX+G0+1aJI
zEVZmCEJHNmds9baU76+miofh1P4ZunUpQHDr8Z/lXix3gUj/NphmKgDBL+Pmtwu
RwkuRr81B2BkTVml5ZCFWZCVCJ1UIShZN7gwHC2h2TxtYsrIqQo/nw==
=8zW8
-----END PGP SIGNATURE-----
