Overview of the threats posed by Bots
by Rich Sutton, November 2nd, 2007
A few weeks ago, I wrote about how you can use the IRC blocking capability of your web filter to detect the presence of bots on your network. In that post, I assumed that we all understood the threat posed by bots — why they’re different from good ol’ fashioned malware infections. I’ve been asked to expand on that a bit, so here goes.
As we all know, the Internet has become a critical business tool and criminals have taken notice. Just as there is money to be made in doing business on the Internet, there is money to be made in carrying out crime on the Internet. And as criminals have focused more on the Internet, their tools have necessarily evolved and become more sophisticated.
Five years ago, the typical virus or worm author’s sole purpose was to gain notoriety and cause end-user headaches. Liabilities were limited to business outages and user downtime. Those are significant liabilities to be sure, but they seem almost quaint in light of the new threat landscape.
Today, the malware author’s intent is to take over the end-user’s computer and use it to carry out digital attacks on other computers. To this end, criminals have developed a new type of malware that security researchers call “bots”. A bot is designed to install silently, check in with a server controlled by the attacker, then lie dormant until it receives instructions from the criminal who controls it, aka the “bot herder”. Folks refer to a computer infected by a bot as a “zombie”, and that periodic check-in is the one behavior every bot has to exhibit, which is what makes it worth watching for on the network.
Bot networks (aka “botnets”) are becoming so sophisticated that bot herding is becoming a commodity unto itself. Bot herders now actively build their networks in order to rent them out to criminals seeking to carry out cyberattacks. This is the alleged scheme of the creators of the Storm Worm botnet, which is widely reported as the largest botnet seen to date. Some security researchers estimate that the number of computers infected with Storm Worm bots is in the millions, and have compared its aggregate raw computing power to that of the world’s largest supercomputers.
Clearly, bots present a new set of liability concerns for the enterprise. Bots can be used as agents in distributed denial of service attacks that can force web businesses offline. Bots can be used to host porn sites serving malicious code or phishing sites designed to steal user bank account information. Liability concerns now include things like the theft of confidential business information and the use of business resources to carry out crime against other businesses.
Are you liable if a laptop on your network is used to steal online banking information from someone who doesn’t work for you? Are you liable if a desktop computer on your network is used to take down a Fortune 500 company’s web site? These are open legal questions that I guarantee you will soon find their way into the public discussion surrounding bot infections and the obligation businesses have to secure their infrastructure.
Here are a few things you must be doing to protect your business from bots (and malware in general):
- Deploy end-point security solutions like anti-virus and anti-spyware that can prevent bot infections on the end-point.
- Deploy gateway security solutions that scan email and web traffic to prevent users from accidentally downloading bots. Use them to detect the outbound traffic from bots (the check-in to the herder’s server, which for many bots still looks like an IRC connection), since that is what allows you to identify bot-infected machines on your network. And make sure they are hardened against circumvention: a gateway only sees the traffic that goes through it, so block direct outbound connections that bypass the proxy or the filter, otherwise a bot simply uses a different port.
- Build a proactive security response group. Task them to aggressively respond to infections detected, actively identify unprotected machines, keep software patched (especially Windows), and monitor the update infrastructure for your security solutions (like anti-virus signatures).
- Conduct frequent user training and maintain up-to-date training material with the objective of teaching users how to recognize email and IM scams and avoid falling for the social engineering attacks that are used to propagate bots and other types of malware.
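To make the “detect the outbound traffic” item concrete, here is an added example (not code from the original post) that runs two simple checks over firewall log lines: it flags internal hosts that talk outbound to IRC ports, and it flags flows that recur at a near-constant interval, the way a dormant bot’s check-in does regardless of port. The log format, the sample lines, the IRC port list and the thresholds (at least four connections, interval jitter under 10%) are all assumptions made for the example; adapt them to whatever your gateway actually logs.

```python
"""Flag likely bot-infected hosts from outbound firewall log lines.

Added example, not part of the original post. The log format, the sample
lines, the port list and the thresholds are assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines (syslog-style "connection allowed" records).
# 10.1.1.25 talks to an IRC port every 5 minutes; 10.1.1.77 beacons to a web
# server exactly every 30 minutes; 10.1.1.40 is ordinary, irregular browsing.
SAMPLE_LOG = """\
2007-11-02T09:00:00 fw allow src=10.1.1.25 dst=198.51.100.7 dport=6667 proto=tcp
2007-11-02T09:00:01 fw allow src=10.1.1.40 dst=203.0.113.9 dport=80 proto=tcp
2007-11-02T09:05:00 fw allow src=10.1.1.25 dst=198.51.100.7 dport=6667 proto=tcp
2007-11-02T09:10:00 fw allow src=10.1.1.25 dst=198.51.100.7 dport=6667 proto=tcp
2007-11-02T09:15:00 fw allow src=10.1.1.25 dst=198.51.100.7 dport=6667 proto=tcp
2007-11-02T09:00:03 fw allow src=10.1.1.77 dst=192.0.2.50 dport=80 proto=tcp
2007-11-02T09:30:03 fw allow src=10.1.1.77 dst=192.0.2.50 dport=80 proto=tcp
2007-11-02T10:00:03 fw allow src=10.1.1.77 dst=192.0.2.50 dport=80 proto=tcp
2007-11-02T10:30:03 fw allow src=10.1.1.77 dst=192.0.2.50 dport=80 proto=tcp
2007-11-02T09:02:11 fw allow src=10.1.1.40 dst=203.0.113.9 dport=80 proto=tcp
2007-11-02T09:47:53 fw allow src=10.1.1.40 dst=203.0.113.22 dport=443 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ allow src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\S+)$"
)

# Assumptions: common IRC ports, and how much regularity counts as "machine-driven".
IRC_PORTS = {6665, 6666, 6667, 6668, 6669, 7000}
MIN_BEACONS = 4          # need at least this many connections to judge regularity
MAX_JITTER_RATIO = 0.1   # stddev/mean of the gaps below 10% looks like a timer, not a person


def parse_log(text):
    """Yield (timestamp, src, dst, dport) for each line that matches the format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines in some other format rather than crash
        yield (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"]))


def find_irc_talkers(records):
    """Return {src: {dst, ...}} for hosts that connect outbound to an IRC port."""
    hits = defaultdict(set)
    for _ts, src, dst, dport in records:
        if dport in IRC_PORTS:
            hits[src].add(dst)
    return dict(hits)


def find_beaconers(records):
    """Return {(src, dst, dport): mean_gap_seconds} for flows that recur on a near-constant interval."""
    by_flow = defaultdict(list)
    for ts, src, dst, dport in records:
        by_flow[(src, dst, dport)].append(ts)
    beacons = {}
    for flow, times in by_flow.items():
        if len(times) < MIN_BEACONS:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= MAX_JITTER_RATIO:
            beacons[flow] = avg
    return beacons


def suspect_hosts(text):
    """Union of both detectors: sorted list of internal hosts to pull off the network and examine."""
    records = list(parse_log(text))
    suspects = set(find_irc_talkers(records))
    suspects.update(src for (src, _dst, _dport) in find_beaconers(records))
    return sorted(suspects)


if __name__ == "__main__":
    for host in suspect_hosts(SAMPLE_LOG):
        print("investigate", host)
```

Run against the sample it reports 10.1.1.25 (IRC port, and a 300-second beacon) and 10.1.1.77 (a 1800-second beacon on port 80, which a port-based IRC block would never catch), and leaves 10.1.1.40 alone. The interval check is deliberately a second signal because bots are already moving off IRC to HTTP and other ports; it will also pick up legitimate timers such as update checks and monitoring agents, so treat a hit as a lead for your response group, not as proof of infection.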
Even if you have a small network or a single IT person, security should be a top-level responsibility for them. Bots change the game when it comes to potential liability, and businesses in the networked world are going to expect every enterprise connected to the Internet to take the threat seriously.