
Remove bots from your system -- a four-step process
Kevin Beaver, CISSP 11.08.2006
If there's ever been a mystery malware, it's arguably the "bot." A bot (sometimes referred to as a zombie) is a type of malicious software that can infect Windows servers or workstations and can be used for propagating spam, launching distributed denial-of-service attacks and other criminal hacker shenanigans. Bots have not had the media exposure that viruses and rootkits have had. But times are changing. Research reports and malware vendor marketing hype are growing, and bots are starting to get the exposure needed for people to start taking them seriously.
Several bots affect the Windows platform, including Rbot, Sdbot, Agobot, Wootbot and Mocbot. In action, bots are essentially backdoor Trojans. They're installed by an unsuspecting user, or automatically propagate to unpatched and vulnerable networked systems, providing a way for criminals to remotely control their victims' computers. With enough bot-infected systems accessible via a network or the Internet (referred to as a botnet), attackers have a very powerful tool at their disposal that's hard to stop.
Like most of the newer forms of malware, bots can be hard to detect and even more difficult to remove. I'm hearing more and more people say they've been infected by a bot and can't remove it. Many of the infections are on critical Web servers and domain controllers that they can't just take offline and/or reload on a whim.
Battling the bots
If you suspect an infection (such as a server that's running very slowly during production downtime or odd network traffic found in firewall logs), take these steps to figure out what's going on:
There are new emerging methods for thwarting bot infections and botnets, like the SenderIndex technology developed by Habeas Inc. and Simplicita Software Inc.
All in all, you're still on your own to keep your Windows environment safe from bot outbreaks. The most responsible proactive stance you can take against bots is to document the applications that are running on your systems (at least on your servers) so you'll know what's right and what's not when doing your initial assessment and troubleshooting. Get a good network baseline and document which hosts and protocols should be present. This will make it much easier to determine what doesn't belong when you have to fire up your network analyzer.
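The baseline-versus-observed comparison described above (and the "odd network traffic found in firewall logs" clue mentioned earlier) can be automated. The following is an added example, not code from the article or its author: the baseline, the hosts and the "ACTION proto src:port dst:port" log layout are all constructed for illustration and do not correspond to any particular firewall's format.

```python
# Added example: compare observed firewall log flows against a documented
# network baseline for one server and report the flows that do not belong.
import re
from collections import Counter

# Constructed baseline for a web server: (proto, dst port) -> allowed peers.
# "*" means any remote host is expected on that port.
BASELINE = {
    ("tcp", 443): {"*"},          # outbound HTTPS anywhere
    ("udp", 53): {"10.0.0.2"},    # DNS only to the internal resolver
    ("tcp", 1433): {"10.0.0.50"}, # SQL only to the database server
}

# Hypothetical log layout: "ALLOW|DENY proto src:port dst:port".
LOG_RE = re.compile(r"^(ALLOW|DENY) (tcp|udp) ([\d.]+):\d+ ([\d.]+):(\d+)$")

def parse_line(line):
    """Return (action, proto, dst, dport) for one log line, or None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    action, proto, _src, dst, dport = m.groups()
    return action, proto, dst, int(dport)

def find_anomalies(lines, baseline=BASELINE):
    """Count ALLOWed (proto, dst, dport) flows the baseline does not cover."""
    anomalies = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[0] != "ALLOW":   # skip junk and already-blocked flows
            continue
        _action, proto, dst, dport = rec
        peers = baseline.get((proto, dport), set())
        if "*" in peers or dst in peers:
            continue
        anomalies[(proto, dst, dport)] += 1
    return anomalies

# Constructed sample log: outbound traffic from the web server 10.0.0.10.
SAMPLE_LOG = """\
ALLOW tcp 10.0.0.10:49152 203.0.113.7:443
ALLOW udp 10.0.0.10:49153 10.0.0.2:53
ALLOW tcp 10.0.0.10:49154 10.0.0.50:1433
ALLOW tcp 10.0.0.10:49155 198.51.100.23:6667
ALLOW tcp 10.0.0.10:49156 198.51.100.23:6667
DENY tcp 10.0.0.10:49157 198.51.100.99:25
ALLOW udp 10.0.0.10:49158 192.0.2.9:53
garbage line that should be ignored
""".splitlines()

if __name__ == "__main__":
    for (proto, dst, port), n in find_anomalies(SAMPLE_LOG).most_common():
        print(f"{n} x {proto} -> {dst}:{port} not in baseline")
```

Run against the sample, it reports the two accepted connections to an undocumented host and port and the DNS query sent to a resolver outside the baseline; those are the flows worth examining with the network analyzer.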
Also, find yourself a good malware protection vendor (or vendors) that you can count on to be a leader in bot, rootkit and other emerging malware protection. Follow that up with regular port and vulnerability scans, and address any anomalies or weaknesses with patches as well as network firewall and personal firewall policy changes if needed. Finally, tell your users what to look out for, what not to do and so on, and encourage them to report strange computer and network behavior. However, never ever rely on your users to be a trusted line of defense against a bot infection. They're busy doing other things and are just too unreliable.
About the author: Kevin Beaver, an independent information security consultant and expert witness with Atlanta-based Principle Logic, LLC, has spent six long years obtaining his degree in computer engineering, which included Blue Pill-like bit and byte manipulation. He has more than 18 years of experience in IT and specializes in performing information security assessments for compliance and IT governance. He has written six books including Hacking For Dummies (Wiley), Hacking Wireless Networks For Dummies, and The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He can be reached at kbeaver@principlelogic.com.