Botnets: Who Really "0wns" Your Computers? - Page 2

Executive Overview: With the survival time of a fresh Windows install sometimes measured in seconds, knowing a little about some of the more pervasive bits of malware out there and how to ferret them out on your network can't hurt.

 By Charlie Schluting
Page 2 of 2   |  Back to Page 1
Print Article

Continued From Page 1

What Can You Do?
IRC bots are normally installed via known vulnerabilities, so preventing your computer from being taken over should be as easy as keeping up to date on Windows Updates and virus definitions. Windows file sharing (ports 135-139 and 445) and MS-SQL (1433, 1434) should never be allowed in from the Internet. In a case where a new computer is being installed, it is common for an infection to take place before Windows update has a chance to complete. Installing in a secure area with the appropriate ports blocked should allow for a safe installation and update, assuming no internal computers are infected and trying to fan out. NAT (define) is the obvious solution for this, but doesn't always work in enterprise environments doing unattended installations of Windows.

Tracking IRC bots has become quite a hobby for some people. From a network perspective, most anomalous traffic these days is turning out to be IRC bot related. IRC bots will respond to an "infect" command, and start scanning the local network and infecting others. This type of activity (scanning) normally raises a few eyebrows on carefully managed networks. Intrusion detection systems, like snort, also have signatures for some of the more common IRC bots.

For example, if the string "Exploiting IP" is seen in an IRC message, chances are very high that this is an IRC bot reporting home. They don't attempt to conceal what they are doing most of the time, as can be seen by running ngrep "#exploit" on a network monitoring host (#exploit is the IRC channel name). Even though you will be able to see the IRC traffic once you have identified which host is possibly infected, detecting infected computers on your network is not always a simple task. Snort does a fair job, if you've updated the signatures to tell it what to look for.

Owners of a botnet are always looking to expand operations. They are in a constant struggle to own more and more slave computers. The more high quality the botnet, the more revered the owner will be. Corporate and educational owned computers are prime targets, since they are normally well connected in terms of Internet bandwidth. The sad part is, in general, infecting corporate and educational networks is just as easy as infecting residential computers.

Sdbot, rxbot, and agobot are a few of the most common bots at the moment. It doesn't really matter which bot is running on a computer, since they all provide complete control to the new owner of the compromised computer, resulting in a very bad day for the original owner.

Antivirus software, along with the new Malicious Software Removal Tool from Microsoft, are both able to detect existing bots. Some bots have been known to propagate via e-mail as well, making the infection a bit harder to block.

Aside from user education, the best method to prevent previously unseen infections from taking over a computer is to simply block the above mentioned ports. New Windows vulnerabilities may exist in the future, but for the time being, you should be relatively safe.

This article was originally published on May 13, 2005
Get the Latest Scoop with Networking Update Newsletter