In its original form, a bot is not malicious software. Bot code was created to automate the maintenance and administration of IRC (Internet Relay Chat) channels. Eventually though, more malicious developers figured out that bot code could also be used to quietly infiltrate unsuspecting computer systems and provide a means of hijacking or controlling those machines to perform other malicious tasks.
Bot code makes its way onto computer systems in a variety of ways. Users that visit IRC chat rooms or Web sites of a questionable nature are at a higher risk of becoming infected by bots. Some bots, such as the variants of Agobot (an IRC-controlled backdoor with network spreading capabilities), also spread themselves in the form of a network share and peer-to-peer file-sharing network worm.
The bot threat
Computer systems that become compromised by bot code typically initiate communication with an IRC channel to register themselves and announce to the IRC channel that the computer is available. At that point, the computer essentially lays dormant, awaiting commands from an attacker to tell it what to do next.
Hundreds of thousands, and possibly millions, of computers are compromised by bot code. These computers are also referred to as "Zombies" because of the way they sit in a dormant state until they receive a command to rise from the dead and attack.
Botnets, or collections of bot-infected systems, are maintained on underground lists and are bought, sold and traded by malicious hackers. By activating the dormant zombies and issuing commands for them to execute certain actions, a zombie army encompassing thousands of machines can be used to initiate a denial-of-service (DoS) attack against a specific Web site, start spreading a new virus or worm threat or generate millions of spam email messages that can't be traced back to their true source.
Defeating the bots
Traditionally, bots have primarily compromised or impacted home computer users. However, bot code and botnets are a rising threat to corporate networks as well. For the Internet as a whole, bot incidents have spiked in the last three months to four times what they were the previous quarter, according to McAfee. To keep your computer from joining the ranks of the cyber-undead and protect your network from being taken over by a botnet, follow these steps:
- Block unsolicited inbound traffic at your perimeter firewall: Even if computer systems inside the network are compromised, they can't be activated if the attacker can't communicate with them.
- Run up-to-date antivirus software: Known bot threats are detected and removed by antivirus software products. Performing periodic scans with up-to-date antivirus software can locate and remove most bot infections.
- Keep computer systems patched: Bots, like other malware, often exploit unpatched vulnerabilities in order to propagate and compromise vulnerable systems. Patched systems provide less opportunity for infection.
- Use IDS or IPS monitoring: An intrusion detection or intrusion prevention system running on the internal network can identify suspicious activity and alert you or take action to halt it.
- Block outbound traffic on port 25: Only known email servers should be allowed to distribute SMTP email traffic on your network. Blocking outbound SMTP traffic from unknown email sources can help stop the spread of many malware threats and prevent computers on the internal network from being used as spam distribution points.
These are certainly not unusual preventive measures, but the nature of bots and botnets requires specific awareness and attention from Windows security professionals. A bot could be lurking just under the surface, ready to spring into action at the request of a malicious hacker. Only an organized effort can help to mitigate the threat of bots.
About the author: Tony Bradley is a consultant and writer with a focus on network security, antivirus and incident response. He is recognized by Microsoft as an MVP in Windows Security, and he is the About.com Guide for Internet / Network Security, providing a broad range of information security tips, advice, reviews and information. Bradley is co-author of Hacker's Challenge 3, McGraw-Hill Osborne Media, and author of Essential Computer Security, Syngress Publishing. He also contributes frequently to other industry publications. For a complete list of his freelance contributions, visit S3KUR3.com.
This was first published in July 2006