If there's ever been a mystery malware, it's arguably the "bot." A bot (sometimes referred to as a zombie) is a type of malicious software that can infect Windows servers or workstations and can be used for propagating spam, launching distributed denial-of-service (DDoS) attacks and other criminal hacker shenanigans. Bots have not had the media exposure that viruses and rootkits have had. But times are changing. Research reports and malware vendor marketing hype are growing, and bots are starting to get the exposure needed for people to start taking them seriously.
Several bots affect the Windows platform, including Rbot, Sdbot, Agobot, Wootbot and Mocbot. In action, bots are essentially backdoor Trojans. They're installed by an unsuspecting user, or automatically propagate to unpatched and vulnerable networked systems, providing a way for criminals to remotely control their victims' computers. With enough bot-infected systems accessible via a network or the Internet (referred to as a botnet), attackers have a very powerful tool at their disposal that's hard to stop.
Like most of the newer forms of malware, bots can be hard to detect and even more difficult to remove. I'm hearing more and more people say they've been infected by a bot and can't remove it. Many of the infections are on critical Web servers and domain controllers that they can't just take offline and/or reload on a whim.
Battling the bots
If you suspect an infection (such as a server that's running very slowly during production downtime or odd network traffic found in firewall logs), take these steps to figure out what's going on:
- Use the Windows Task Manager -- or better yet, Sysinternals' Process Explorer -- to search for applications that don't seem to belong or appear to be consuming a large amount of system resources. Odds are you're not going to find a bot directly in this manner, but the information your system gives you can help point you in the right direction.
- Your next step (as obvious as it may seem) is to make sure you've scanned your system with the latest antivirus signatures. I also highly recommend running anti-rootkit tools. Again, not a guaranteed solution, but you still need to do it. If you do find a bot or related malware at this point, you may be able to remove the code with the right tool. However, as with rootkits, the only definitive way to get a bot off your system is to back up, reformat and reload.
- Next, scan your system(s) for open ports and vulnerabilities. You can kill both birds with one stone by using a vulnerability scanner like Nessus or QualysGuard, which shows you which ports are open and which vulnerabilities are present (for example, the MS05-039 Plug and Play vulnerability that facilitates Sdbot). In addition, you can use a vulnerability scanner as a proactive and preventive measure during your ongoing security scans. Make sure you scan all of your systems -- servers, workstations and all. Any Windows-based host is fair game for a bot infection.
- Finally, and most importantly, test for a bot infection by watching the traffic entering and leaving the compromised host(s). The best way to view this traffic is to use a network analyzer like EtherPeek or Ethereal, installed either on the local host or, ideally, on another system that sees the traffic stream via a mirror/span port on a managed Ethernet switch. Here I outline malicious Trojan behavior that a network analyzer can discover. At this point, if you detect malicious traffic entering or leaving your system(s), you need to try to block it at the network perimeter or via a personal firewall application that blocks both inbound and outbound traffic, such as BlackICE or Windows Live OneCare.
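The traffic-watching step above is where bots usually give themselves away, because their network behavior is regular in ways normal users' traffic is not. The script below is an added example (not part of the original article) that applies three such heuristics to flow records exported from a network analyzer: an internal host checking in with the same external host and port at near-constant intervals (the shape of a command-and-control connection), an internal host opening SMTP connections to many distinct outside hosts (spam relaying from something that is not your mail server), and an internal host touching the same port on many internal peers (a bot hunting for unpatched neighbors). The record layout, the thresholds and the sample flows are all constructed for illustration; the thresholds in particular should be tuned to your own baseline.

```python
"""Heuristic bot-traffic triage over flow records from a network analyzer.

Added example; not code from the article or any product it mentions. The
"timestamp src dst dport proto" layout and every threshold are assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range

# Constructed sample export: one flow per line, seconds since capture start.
# 10.1.1.20 checks in with 203.0.113.9:6667 every 60 s and then probes
# port 445 on five neighbors; 10.1.1.30 sends mail to six outside hosts;
# 10.1.1.5 (the real mail relay) and 10.1.1.40 (a user browsing) are benign.
SAMPLE_FLOWS = """\
1000 10.1.1.20 203.0.113.9 6667 tcp
1060 10.1.1.20 203.0.113.9 6667 tcp
1120 10.1.1.20 203.0.113.9 6667 tcp
1180 10.1.1.20 203.0.113.9 6667 tcp
1240 10.1.1.20 203.0.113.9 6667 tcp
1250 10.1.1.20 10.1.1.101 445 tcp
1251 10.1.1.20 10.1.1.102 445 tcp
1252 10.1.1.20 10.1.1.103 445 tcp
1253 10.1.1.20 10.1.1.104 445 tcp
1254 10.1.1.20 10.1.1.105 445 tcp
1300 10.1.1.30 198.51.100.1 25 tcp
1301 10.1.1.30 198.51.100.2 25 tcp
1302 10.1.1.30 198.51.100.3 25 tcp
1303 10.1.1.30 198.51.100.4 25 tcp
1304 10.1.1.30 198.51.100.5 25 tcp
1305 10.1.1.30 198.51.100.6 25 tcp
1000 10.1.1.5 198.51.100.7 25 tcp
1400 10.1.1.5 198.51.100.8 25 tcp
1000 10.1.1.40 203.0.113.50 443 tcp
1005 10.1.1.40 203.0.113.50 443 tcp
1300 10.1.1.40 203.0.113.50 443 tcp
1310 10.1.1.40 203.0.113.50 443 tcp
"""


def parse_flows(text):
    """Turn the exported text into (ts, src, dst, dport, proto) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append((int(ts), src, dst, int(dport), proto.lower()))
    return flows


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


def find_beacons(flows, min_conns=4, max_jitter=0.2):
    """Internal host -> same external host:port at near-constant intervals.
    Flags pairs whose inter-connection gaps vary by at most max_jitter
    (coefficient of variation) once there are at least min_conns of them."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport, _proto in flows:
        if is_internal(src) and not is_internal(dst):
            by_pair[(src, dst, dport)].append(ts)
    findings = []
    for (src, dst, dport), times in by_pair.items():
        times.sort()
        if len(times) < min_conns:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings.append(("beacon", src, f"{dst}:{dport}", round(avg)))
    return findings


def find_smtp_fanout(flows, min_targets=5):
    """Internal host opening port-25 connections to many distinct outside
    hosts: a workstation relaying spam rather than a real mail server."""
    targets = defaultdict(set)
    for _ts, src, dst, dport, proto in flows:
        if proto == "tcp" and dport == 25 and is_internal(src) and not is_internal(dst):
            targets[src].add(dst)
    return [("smtp_fanout", src, "tcp/25", len(d))
            for src, d in targets.items() if len(d) >= min_targets]


def find_internal_sweep(flows, min_targets=5):
    """Internal host touching the same port on many internal peers: the
    propagation pattern of a bot looking for unpatched neighbors."""
    targets = defaultdict(set)
    for _ts, src, dst, dport, _proto in flows:
        if is_internal(src) and is_internal(dst) and src != dst:
            targets[(src, dport)].add(dst)
    return [("sweep", src, f"tcp/{dport}", len(d))
            for (src, dport), d in targets.items() if len(d) >= min_targets]


def triage(text):
    """Run all three heuristics; each finding is (kind, host, detail, count)."""
    flows = parse_flows(text)
    return find_beacons(flows) + find_smtp_fanout(flows) + find_internal_sweep(flows)


if __name__ == "__main__":
    for finding in triage(SAMPLE_FLOWS):
        print(finding)
```

None of these heuristics proves an infection on its own; each gives you a host and a conversation to look at with the process listing and the scanner results from the earlier steps, which is exactly the triangulation the article is asking for.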
There are new emerging methods for thwarting bot infections and botnets, like the SenderIndex technology developed by Habeas Inc. and Simplicita Software Inc.
All in all, you're still on your own to keep your Windows environment safe from bot outbreaks. The most responsible proactive stance you can take against bots is to document the applications that are running on your systems (at least on your servers) so you'll know what's right and what's not when doing your initial assessment and troubleshooting. Get a good network baseline and document which hosts and protocols should be present. This will make it much easier to determine what doesn't belong when you have to fire up your network analyzer.
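A documented baseline only pays off if comparing it against a fresh snapshot is quick. The script below is an added example (not from the article) of that comparison for one server: a recorded list of the processes that should be running, with the image path each one should load from, and a recorded list of the peers and protocols the host should be talking to. It flags processes that are not in the baseline, baseline process names running from an unexpected path (a common way malware hides behind a familiar name), and conversations with hosts or services the baseline does not list. The baseline entries, the snapshot format and the observed conversations are all constructed for illustration.

```python
"""Compare a documented host baseline against a fresh snapshot.

Added example; not code from the article. The baseline contents, the
"name path" snapshot layout and the "peer proto/port" layout are assumptions.
"""

# Documented baseline for one server role: process name -> expected image path.
# Constructed for illustration; record your own from a known-good system.
BASELINE_PROCESSES = {
    "lsass.exe": r"c:\windows\system32\lsass.exe",
    "svchost.exe": r"c:\windows\system32\svchost.exe",
    "inetinfo.exe": r"c:\windows\system32\inetsrv\inetinfo.exe",
    "backupagent.exe": r"c:\program files\backup\backupagent.exe",
}

# Documented baseline of who this host should talk to: (peer, proto/port).
BASELINE_PEERS = {
    ("10.1.1.5", "tcp/25"),    # outbound mail via the mail relay
    ("10.1.1.10", "tcp/389"),  # LDAP to the domain controller
    ("10.1.1.10", "udp/53"),   # DNS
}

# Constructed snapshot of running processes, "name path" per line, as you
# might export from Process Explorer. Two things here do not belong.
SNAPSHOT_PROCESSES = r"""
lsass.exe c:\windows\system32\lsass.exe
svchost.exe c:\windows\system32\svchost.exe
svchost.exe c:\windows\system32\svchost.exe
inetinfo.exe c:\windows\system32\inetsrv\inetinfo.exe
svchost.exe c:\windows\temp\svchost.exe
updater32.exe c:\windows\system32\updater32.exe
"""

# Constructed list of conversations seen on the analyzer, "peer proto/port".
OBSERVED_PEERS = """
10.1.1.5 tcp/25
10.1.1.10 tcp/389
10.1.1.10 udp/53
203.0.113.9 tcp/6667
10.1.1.101 tcp/445
"""


def parse_pairs(text):
    """Split each non-empty line into a lower-cased (first word, rest) pair.
    Lower-casing keeps Windows paths and names comparable."""
    rows = []
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2:
            rows.append((parts[0].lower(), parts[1].lower()))
    return rows


def check_processes(snapshot_text, baseline=BASELINE_PROCESSES):
    """Report processes missing from the baseline or running from the wrong path."""
    findings = []
    for name, path in parse_pairs(snapshot_text):
        expected = baseline.get(name)
        if expected is None:
            findings.append(("unknown_process", name, path))
        elif path != expected.lower():
            findings.append(("path_mismatch", name, path))
    return findings


def check_peers(observed_text, baseline=BASELINE_PEERS):
    """Report (peer, service) conversations the baseline does not allow."""
    allowed = {(peer.lower(), svc.lower()) for peer, svc in baseline}
    unexpected = {("unexpected_peer", peer, svc)
                  for peer, svc in parse_pairs(observed_text)
                  if (peer, svc) not in allowed}
    return sorted(unexpected)


if __name__ == "__main__":
    for finding in check_processes(SNAPSHOT_PROCESSES) + check_peers(OBSERVED_PEERS):
        print(finding)
```

The point of the path check is that a process listing alone is not enough: a second svchost.exe looks ordinary in Task Manager, and only the recorded image path tells you the copy in the temp directory is not the one Windows ships.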
Also, find yourself a good malware protection vendor (or vendors) that you can count on to be a leader in bot, rootkit and other emerging malware protection. Follow that up by performing regular port and vulnerability scans, and follow up on any anomalies or weaknesses with patches as well as network firewall and personal firewall policy changes if needed. Finally, tell your users what to look out for, what not to do and so on, and encourage them to report strange computer and network behavior. However, never ever rely on your users to be a trusted line of defense against a bot infection. They're busy doing other things and are just too unreliable.
About the author: Kevin Beaver, an independent information security consultant and expert witness with Atlanta-based Principle Logic, LLC, has spent six long years obtaining his degree in computer engineering that included Blue Pill like bit and byte manipulation. He has more than 18 years of experience in IT and specializes in performing information security assessments for compliance and IT governance. He has written six books including Hacking For Dummies (Wiley), Hacking Wireless Networks For Dummies, and The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He can be reached at
This was first published in November 2006