Prevention:
- Ensure OS and software patches on the desktop are up to date.
- Disallow installation of new software on desktop (users have no administrative rights)
- Block domains that are known to be distributing malware.
  - Malware domains: http://www.malwaredomains.com
  - C&C list: http://www.emergingthreats.net/rules/bleeding-botcc.rules
  - RBN list: http://www.emergingthreats.net/rules/bleeding-rbn.rules
- Use a different AV engine for scanning on the web proxy (defense in depth).
- Block IRC ports, which offers some protection against older generations of botnets.
- Block all bad ports and force all traffic through proxies, where traffic and anomalous behavior can be monitored.
- Harden browsers using Firefox NoScript and IE security zones.
- Watch for Office documents in email, particularly from spoofed sources. If the incoming source IP doesn't match the header information, drop the email.
- When performing JRE updates, ensure the old version gets removed.
- Use HIPS (Host Intrusion Prevention System) to prevent potentially harmful or abnormal behavior on the desktops.
Detection:
- Deploy listening Nepenthes sensors on local IP space for early detection of infected machines.
- Deploy commercial and open-source detection systems such as BotHunter and MainNerve.
- Set up internal darknets to detect bots that are spreading through blind network scans.
- Perform egress monitoring during off-hours to pick out phone-home traffic.
- Monitor user-agent strings on the web proxy and detect anomalies.
- Monitor content using Data Loss Monitoring systems.
- Scan for BHOs (Browser Helper Objects) and match them against a known-bad list such as the one at CastleCops.
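The two proxy-based checks above (off-hours phone-home traffic and anomalous user-agent strings) can be implemented over proxy logs; the following is an added example, not from the original list, and it assumes a simplified constructed log format of "timestamp client destination user-agent" per line.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample proxy log (not real data): each line is
# "<ISO timestamp> <client ip> <destination> <user-agent string>"
SAMPLE_LOG = """\
2024-05-06T09:12:01 10.0.0.5 www.example.com Mozilla/5.0 (Windows NT 10.0) Firefox/115.0
2024-05-06T09:13:44 10.0.0.6 www.example.com Mozilla/5.0 (Windows NT 10.0) Firefox/115.0
2024-05-06T10:01:09 10.0.0.7 update.example.org Mozilla/5.0 (Windows NT 10.0) Firefox/115.0
2024-05-06T14:20:30 10.0.0.5 cdn.example.net Mozilla/5.0 (Windows NT 10.0) Firefox/115.0
2024-05-06T03:05:12 10.0.0.9 203.0.113.10 Mozilla/4.0 (compatible; MSIE 6.0)
2024-05-06T03:05:42 10.0.0.9 203.0.113.10 Mozilla/4.0 (compatible; MSIE 6.0)
2024-05-06T11:30:00 10.0.0.6 www.example.com Mozilla/5.0 (Windows NT 10.0) Firefox/115.0
"""

# User-agent may contain spaces, so only the first three fields are split off.
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")

def parse_log(text):
    """Parse log text into (datetime, client, destination, user_agent) tuples."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing the whole run
        ts, client, dest, ua = m.groups()
        records.append((datetime.fromisoformat(ts), client, dest, ua))
    return records

def rare_user_agents(records, max_hosts=1):
    """User-agent strings seen from at most `max_hosts` distinct clients.
    A managed desktop fleet shares a few browser builds; a UA used by a
    single host (an outdated or hard-coded one) is an anomaly to review."""
    hosts_by_ua = defaultdict(set)
    for _, client, _, ua in records:
        hosts_by_ua[ua].add(client)
    return {ua: sorted(h) for ua, h in hosts_by_ua.items() if len(h) <= max_hosts}

def off_hours_beacons(records, start_hour=7, end_hour=19, min_hits=2):
    """(client, destination) pairs contacted repeatedly outside business hours."""
    hits = Counter()
    for ts, client, dest, _ in records:
        if not (start_hour <= ts.hour < end_hour):
            hits[(client, dest)] += 1
    return {pair: n for pair, n in hits.items() if n >= min_hits}

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("rare user-agents:", rare_user_agents(recs))
    print("off-hours beacons:", off_hours_beacons(recs))
```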