What Can You Do?
IRC bots are normally installed through known vulnerabilities, so
preventing your computer from being taken over should be as simple as
keeping current on Windows Updates and virus definitions. Windows
file sharing (ports 135-139 and 445) and MS-SQL (1433 and 1434) should
never be reachable from the Internet, on either TCP or UDP. When a new
computer is being installed, it is common for an infection to take place
before Windows Update has a chance to finish. Installing in a protected
network segment with those ports blocked should allow for a safe
installation and update, assuming no internal computers are already
infected and trying to fan out. NAT (network address translation) is the
obvious way to get that isolation, but it doesn't always work in
enterprise environments doing unattended installations of Windows.
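As an added example (not code from the original article), the following Python script audits an iptables-save style listing of a perimeter host's INPUT chain for the ports mentioned above, and reports any that a packet from an Internet address would still reach. The ruleset it runs against is constructed for the example, the evaluation follows only terminating targets in the INPUT chain (it does not descend into user-defined chains), and the use of 198.51.100.7 as the test source is an assumption (documentation address space).

```python
"""Audit an iptables INPUT chain for the Windows file-sharing and MS-SQL
ports that must never be reachable from the Internet.

Added example, not code from the original article. SAMPLE_RULES is a
constructed iptables-save style listing, not captured from a real host, and
the evaluation is deliberately simple: it honours only terminating targets
in the INPUT chain and does not follow jumps into user-defined chains."""
import ipaddress
import re

# Ports named in the article, checked on both protocols: NetBIOS name and
# datagram service (137/138) and the SQL Browser (1434) listen on UDP.
REQUIRED_BLOCKS = {
    "tcp": [135, 136, 137, 138, 139, 445, 1433, 1434],
    "udp": [135, 136, 137, 138, 139, 445, 1433, 1434],
}

# Constructed ruleset: UDP 135/136/139/445/1433/1434 and TCP 1434 are never
# dropped, so the audit should report exactly those.
SAMPLE_RULES = """\
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m multiport --dports 135:139,445 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 135:139,445 -j DROP
-A INPUT -p udp -m multiport --dports 137:138 -j DROP
-A INPUT -p tcp --dport 1433 -j DROP
-A INPUT -p tcp --dport 22 -j ACCEPT
"""

OPT = {
    "src": re.compile(r"(?:^|\s)-s\s+(\S+)"),
    "proto": re.compile(r"(?:^|\s)-p\s+(\S+)"),
    "ports": re.compile(r"--dports?\s+(\S+)"),
    "state": re.compile(r"--(?:ct)?state\s+(\S+)"),
    "target": re.compile(r"(?:^|\s)-j\s+(\S+)"),
}


def _opt(line, key):
    m = OPT[key].search(line)
    return m.group(1) if m else None


def parse_ports(spec):
    """Expand an iptables port spec such as '135:139,445' into a set."""
    ports = set()
    for part in spec.split(","):
        if ":" in part:
            lo, hi = part.split(":")
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(part))
    return ports


def parse_rules(text):
    """Return (chain policy, list of rule dicts) for the INPUT chain."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":INPUT"):
            policy = line.split()[1]
        if not line.startswith("-A INPUT"):
            continue
        src, ports, state = _opt(line, "src"), _opt(line, "ports"), _opt(line, "state")
        rules.append({
            "src": ipaddress.ip_network(src, strict=False) if src else None,
            "proto": _opt(line, "proto"),
            "ports": parse_ports(ports) if ports else None,
            "state": state.split(",") if state else None,
            "target": _opt(line, "target"),
        })
    return policy, rules


def verdict(policy, rules, proto, port, src):
    """Walk the chain the way the kernel would for a NEW inbound packet:
    the first matching rule with a terminating target decides."""
    src = ipaddress.ip_address(src)
    for r in rules:
        if r["state"] is not None and "NEW" not in r["state"]:
            continue  # only matches packets of already-established connections
        if r["proto"] is not None and r["proto"] != proto:
            continue
        if r["ports"] is not None and port not in r["ports"]:
            continue
        if r["src"] is not None and src not in r["src"]:
            continue
        if r["target"] in ("ACCEPT", "DROP", "REJECT"):
            return r["target"]
    return policy


def exposed_ports(ruleset_text, src="198.51.100.7"):
    """(proto, port) pairs from REQUIRED_BLOCKS that a packet from `src`
    (an Internet address by default; assumption) would still reach."""
    policy, rules = parse_rules(ruleset_text)
    return sorted(
        (proto, port)
        for proto, ports in REQUIRED_BLOCKS.items()
        for port in ports
        if verdict(policy, rules, proto, port, src) not in ("DROP", "REJECT")
    )


if __name__ == "__main__":
    for proto, port in exposed_ports(SAMPLE_RULES):
        print(f"exposed from the Internet: {proto}/{port}")
```

Run it as-is to see which of the sample's ports are still open; to check a real perimeter host, feed it the output of `iptables-save -t filter` instead of the constructed listing. An empty result means every port on the list is dropped or rejected for Internet sources before any rule accepts it.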
Tracking IRC bots has become quite a hobby for some people. From a
network perspective, most anomalous traffic these days is turning out
to be IRC bot related. IRC bots respond to an "infect" command by
scanning the local network and infecting other hosts, and that scanning
normally raises a few eyebrows on carefully managed networks. Intrusion
detection systems like Snort also have signatures for some of the more
common IRC bots.
For example, if the string "Exploiting IP" is seen in an IRC
message, chances are very high that it is an IRC bot reporting home.
Most of the time they don't attempt to conceal what they are doing, as
can be seen by running ngrep '#exploit' on a network monitoring host
(#exploit being the IRC channel name the bots join); this kind of string
matching works because the IRC traffic is sent in the clear. Even though
you will be able to see the IRC traffic once you have identified a host
that is possibly infected, finding the infected computers on your network
in the first place is not always a simple task. Snort does a fair job, if
you've updated the signatures to tell it what to look for.
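As an added example, not from the original article, here is a Python script that applies both of the detections just described to constructed sample data: it parses an ngrep-style dump of IRC traffic and flags PRIVMSGs to the #exploit channel or containing "Exploiting IP", and it flags any host that contacts many distinct neighbours on the Windows file-sharing and MS-SQL ports within a short window, which is what the "infect" scanning looks like from the network. The sample payloads, the flow records, the 8-host threshold and the 60-second window are all assumptions made for the example.

```python
"""Two of the signs the article describes, checked over sample data: the
bot's own chatter on IRC and the scanning it does after an "infect" command.

Added example, not code from the original article. The IRC dump and the
flow records below are constructed; the thresholds are assumptions."""
import re
from collections import defaultdict

IRC_CHANNELS = ("#exploit",)        # channel name given in the article
IRC_PHRASES = ("exploiting ip",)    # report-home string given in the article
SCAN_PORTS = {135, 136, 137, 138, 139, 445, 1433, 1434}
SCAN_THRESHOLD = 8                  # assumed: distinct targets before we call it a scan
SCAN_WINDOW = 60                    # assumed: seconds

# Constructed ngrep-style dump: "src -> dst payload", one IRC line each.
IRC_SAMPLE = """\
192.168.1.23 -> 203.0.113.9 :bot4a7f!x@192.168.1.23 PRIVMSG #exploit :[SCAN]: Exploiting IP: 192.168.1.77.
192.168.1.23 -> 203.0.113.9 :bot4a7f!x@192.168.1.23 PRIVMSG #exploit :[SCAN]: Exploiting IP: 192.168.1.78.
192.168.1.51 -> 203.0.113.9 :bot91c!x@192.168.1.51 PRIVMSG #ch4n :[lsass]: Exploiting IP: 192.168.1.80.
192.168.1.40 -> 203.0.113.9 :alice!a@192.168.1.40 PRIVMSG #linux :anyone seen the new kernel?
192.168.1.40 -> 203.0.113.9 :alice!a@192.168.1.40 PRIVMSG bob :lunch?
203.0.113.9 -> 192.168.1.23 :irc.example.net 001 bot4a7f :Welcome
"""

# Optional ":nick!user@host " prefix, then PRIVMSG <target> :<text>
PRIVMSG_RE = re.compile(
    r"^(?::(?P<nick>[^!\s]+)\S*\s+)?PRIVMSG\s+(?P<target>\S+)\s+:(?P<text>.*)$"
)


def check_irc_payload(payload):
    """Return why an IRC PRIVMSG looks bot-related, or None."""
    m = PRIVMSG_RE.match(payload.strip())
    if not m:
        return None
    target, text = m.group("target").lower(), m.group("text").lower()
    for chan in IRC_CHANNELS:
        if chan in target:                # substring match, like ngrep '#exploit'
            return f"message to bot channel {target}"
    for phrase in IRC_PHRASES:
        if phrase in text:
            return f"bot report string '{phrase}'"
    return None


def suspicious_irc_hosts(dump):
    """Map source IP -> first reason it was flagged, over an ngrep-style dump."""
    hits = {}
    for line in dump.splitlines():
        src, _, rest = line.partition(" -> ")
        _, _, payload = rest.partition(" ")
        reason = check_irc_payload(payload)
        if reason and src not in hits:
            hits[src] = reason
    return hits


def find_scanners(flows, threshold=SCAN_THRESHOLD, window=SCAN_WINDOW):
    """flows: iterable of (ts, src, dst, dport). Return {src: peak distinct
    targets} for sources that touch >= threshold distinct hosts on SCAN_PORTS
    inside any `window`-second span (sliding window, kept per source)."""
    per_src = defaultdict(list)
    for ts, src, dst, dport in sorted(flows):
        if dport in SCAN_PORTS:
            per_src[src].append((ts, dst))
    scanners = {}
    for src, hits in per_src.items():
        start, seen = 0, defaultdict(int)       # dst -> flows inside the window
        for ts, dst in hits:
            seen[dst] += 1
            while hits[start][0] < ts - window:  # expire flows that fell out
                old = hits[start][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                start += 1
            if len(seen) >= threshold:
                scanners[src] = max(scanners.get(src, 0), len(seen))
    return scanners


# Constructed flow records (ts, src, dst, dport).
FLOW_SAMPLE = (
    # a bot fanning out over TCP/445 after an "infect" command: 16 hosts in 30 s
    [(1000 + i * 2, "192.168.1.23", f"192.168.1.{64 + i}", 445) for i in range(16)]
    # a workstation talking to its three usual file servers
    + [(1000 + i * 10, "192.168.1.40", f"192.168.1.{200 + i % 3}", 445) for i in range(12)]
    # web browsing to many hosts, but not on a scan port
    + [(1005 + i, "192.168.1.40", f"203.0.113.{i}", 80) for i in range(20)]
)

if __name__ == "__main__":
    for src, why in suspicious_irc_hosts(IRC_SAMPLE).items():
        print(f"{src}: {why}")
    for src, n in find_scanners(FLOW_SAMPLE).items():
        print(f"{src}: contacted {n} hosts on Windows/SQL ports within {SCAN_WINDOW}s")
```

The string matches are the same thing a Snort content rule would do. The scan heuristic is worth keeping alongside them because it catches a bot even when its IRC server runs on an unusual port or the channel has a name you have not seen before; tune the threshold against a week of your own flow data before alerting on it, since backup servers and vulnerability scanners legitimately touch many hosts on 445.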
Owners of a botnet are always looking to expand operations. They are
in a constant struggle to own more and more slave computers. The more
high quality the botnet, the more revered the owner will be. Corporate
and educational owned computers are prime targets, since they are
normally well connected in terms of Internet bandwidth. The sad part
is, in general, infecting corporate and educational networks is just as
easy as infecting residential computers.
Sdbot, rxbot, and agobot are a few of the most common bots at the
moment. It doesn't really matter which bot is running on a computer,
since they all provide complete control to the new owner of the
compromised computer, resulting in a very bad day for the original
owner.
Antivirus software, along with the new Malicious Software Removal
Tool from Microsoft, can both detect bots that are already installed.
Some bots have been known to propagate via e-mail as well, making the
infection a bit harder to block with port filtering alone.
Aside from user education, the best way to keep previously unseen
infections from taking over a computer is simply to block the ports
mentioned above at the perimeter. New Windows vulnerabilities will turn
up in the future, but for the time being you should be relatively safe.