It only takes one bot to create a security risk. Paul Ducklin, head of technology at Sophos Asia-Pacific, says that Australian businesses have been able to escape the risk of bots in the past but the security risk can no longer be ignored -- especially in light of the present escalation of networks.
"Bots are now so rapid and prominent that everyone needs to join in the fight against them. Companies in Australia will generally cut some slack for those [inadvertently] harbouring bots but it comes down to liability -- who is ultimately to blame for allowing bot attacks to happen. If your company is taking reasonable and simple precautions, then you should feel you have done the right thing by those you are doing business with," Ducklin says.
So what can you do to protect yourself from bots? All fingers seem to point to the very things you should also be doing to protect against all other strains of attack such as viruses, Trojans and other malicious virtual life forms. This means firewalls, antivirus software, and simple e-mail protection procedures like canning all dubious e-mails and not opening vague attachments. But with a multitude of hackers out there, often targeting not only computers in your own country but a series of machines worldwide in an attempt to dodge national legislation and information technology laws, there is another important element: keeping all protection updated.
Ducklin says it is often software sloppiness that tends to lead to a bot infestation. "The difference between a botnet computer and a normal one is that someone has collective information about the computers being utilised. If someone gets on your machine you should automatically assume that all security bets are off -- bots can have codes that will disable firewall and security monitoring and antivirus software. This can leave your network open to Trojans and viruses that are three years old," Ducklin says.
"Once you have been compromised it is even more difficult to recover your system unless you can identify what malicious code you were compromised with. A Trojan can go out of its way to make it very difficult for you to even notice that your protection is off."
So having the proper defence is the best protection. Managing e-mail content is a good start to keeping bots at bay. You should also be careful to let only the traffic you absolutely need into your system, to make sure the software you use has all its security patches installed, and to keep your system immunised, your applications up to date and your antivirus software current.
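The "only let in the traffic you absolutely need" advice is, on a Windows host, a default-deny inbound firewall policy with an explicit allow rule for each service you have decided to expose. The script below is an added example, not code from the article or from any vendor quoted in it: it audits each Windows Firewall profile for the weak setting (disabled, or inbound allowed by default), optionally switches every profile to the corrected setting (enabled, inbound blocked by default), and then lists every enabled inbound allow rule with its protocol and port so each remaining hole can be justified or removed. It assumes Windows 8 / Server 2012 or later (the NetSecurity module) and an elevated session when run with -Apply; the "Broad" flag for rules whose protocol and port are both "Any" is my own heuristic.

```powershell
# Added example, not from the article: audit Windows Firewall against the
# "only let in the traffic you absolutely need" advice, and optionally enforce a
# default-deny inbound posture. Requires Windows 8 / Server 2012 or later
# (NetSecurity module) and an elevated PowerShell for -Apply.
param([switch]$Apply)

# Weak setting: a profile that is disabled, or whose default inbound action is
# Allow, admits anything that no rule explicitly blocks.
foreach ($p in Get-NetFirewallProfile) {
    $enabled = "$($p.Enabled)" -eq 'True'
    $action  = "$($p.DefaultInboundAction)"
    if (-not $enabled -or $action -eq 'Allow') {
        Write-Warning ("Profile {0}: Enabled={1} DefaultInboundAction={2}" -f $p.Name, $p.Enabled, $action)
    } else {
        Write-Host ("Profile {0}: OK (enabled, DefaultInboundAction={1})" -f $p.Name, $action)
    }
}

# Corrected setting: enable every profile and block inbound by default, so the
# only traffic admitted is what an explicit allow rule names.
if ($Apply) {
    Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultInboundAction Block
}

# Every enabled inbound allow rule is an exception to that default; list them
# with their ports so each one can be justified or removed. A rule whose
# protocol and local port are both "Any" admits everything and is flagged
# (heuristic of this example, not a Windows setting).
$rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow
$report = foreach ($r in $rules) {
    $pf = $r | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule      = $r.DisplayName
        Profile   = "$($r.Profile)"
        Protocol  = "$($pf.Protocol)"
        LocalPort = ($pf.LocalPort -join ',')
        Broad     = ("$($pf.Protocol)" -eq 'Any' -and "$($pf.LocalPort)" -eq 'Any')
    }
}
$report | Sort-Object Broad -Descending | Format-Table -AutoSize
```

Run it without -Apply first and read the rule table: the rules marked Broad, and any rule for a service the machine does not actually provide, are the ones to disable before turning the default to Block, otherwise the change simply reveals how much was being let in.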
"It really depends on the current security culture that is forged. The implementation of controls such as firewalls can be made a lot easier by having a detailed knowledge of the origin of networks and Internet connection requirements. By understanding these things in advance, a firewall implementation process can be made much simpler and more problem free," Gillespie says.
On individual computers, such as home or small office set-ups, protection should be much the same as that against Trojans. On a much larger scale, eradicating bots altogether could take the financially hefty and time-consuming process of daily updates -- something that is often too much for many small businesses.
Weafer also warns that as protection becomes greater -- as in most cases involving malicious hacker activity -- the challenge will entice a new breed of bot. "You can look at the world and say the number of source machines in general may decrease, but then you can look in areas like China, where technology is a bit newer to the general society, and see the number of people without adequate security -- you'll see that the risk still exists, and probably always will. With a bot network you can chop off the command control -- the head of the dragon -- but the rest of the dragon can still get you. It can still be there on your system."
As Vectra's Challans says: security is a constant lifecycle -- turn your back and a bot could be there to get you. Turn your back for twice as long and a whole army could be knocking down your door.

You forgot to point out that 99% of bots only affect Windows-based machines :) and something as simple as following a basic security model would stop most bots dead in their tracks.
Like most malicious applications in Windows, bots need to write registry values into the Windows registry; a normal user account only has write access to HKEY_CURRENT_USER, which isn't enough to cause any serious damage to the operating system. This also greatly simplifies removal.
While I agree with the approach both yourself and Gibson have taken (scare tactic), I think you really should have been more emotive and stressed user education. Believe it or not, it's not impossible to take down a botnet, and with other attack types such as DRDOS (distributed reflected denial of service) and DEDOS (distributed email denial of service), botnets can be considered small fry.
I believe everyone in the chain needs to do their part to help solve this problem. ISPs monitor ICMP and UDP activities, which are normally related to botnet floods; most even egress filter these days to stop s****ing. Software vendors are constantly improving default security policies or providing updates to ensure machines aren't as easily infected. We as end users need to do as much as we can to secure our machines regardless of operating system. With higher security awareness and education come "more" secure machines; remember, there can't be botnets without insecure machines.
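The comment's point about registry write access can be checked rather than taken on trust. The script below is an added example and is not the commenter's or the article's code: it lists the autorun entries in the Run and RunOnce keys of both the user hive (HKCU) and the machine hive (HKLM), resolves each to the executable it launches, and then tests whether the current account can open each Run key for writing. On a standard (non-administrator) account the expected result is that HKCU is writable and HKLM is not, which is exactly why a user-level infection lands in HKCU and is easier to remove. The "UserDir" flag, which marks entries whose program lives in a directory a standard user can write to, is my own heuristic and not something the page states. The key paths are the standard Windows autorun locations; the script only reads.

```powershell
# Added example, not the commenter's code: list autorun entries in the user
# hive (HKCU) and the machine hive (HKLM), then show which of the two Run keys
# the current account can actually write. Read-only; nothing is removed.
# Works in Windows PowerShell 5.1 and PowerShell 7 on Windows.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Heuristic (this example's assumption, not a rule from the page): an autorun
# entry that points into a user-writable directory deserves a second look,
# because a standard account can drop and register a program there without
# any elevation.
$userWritable = '\\AppData\\|\\Temp\\|\\Users\\Public\\|\\ProgramData\\'

# Pull the executable out of a Run value such as '"C:\path\app.exe" /arg'
# or 'C:\path\app.exe /arg', expanding %VARIABLES% so Test-Path can find it.
function Get-ExePath([string]$Command) {
    $c = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 1) { return $c.Substring(1, $end - 1) }
    }
    return ($c -split '\s+')[0]
}

$entries = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the provider metadata PowerShell attaches to every registry item.
        if ($p.Name -match '^PS(Path|ParentPath|ChildName|Drive|Provider)$') { continue }
        $exe = Get-ExePath ([string]$p.Value)
        [pscustomobject]@{
            Hive       = $key.Substring(0, 4)          # "HKCU" or "HKLM"
            Name       = $p.Name
            Executable = $exe
            Exists     = ($exe -ne '' -and (Test-Path -LiteralPath $exe))
            UserDir    = ($exe -match $userWritable)
        }
    }
}
$entries | Sort-Object UserDir -Descending | Format-Table Hive, Name, Executable, Exists, UserDir -AutoSize

# Which hive can this account write? Opening the key writable fails when the
# caller lacks set-value rights, which is the normal result for a standard
# user on the HKLM key and is the point the comment makes.
function Test-RunKeyWritable([Microsoft.Win32.RegistryKey]$Hive, [string]$SubKey) {
    try {
        $k = $Hive.OpenSubKey($SubKey, $true)
        if ($null -eq $k) { return $false }
        $k.Close()
        return $true
    } catch {
        return $false
    }
}
$sub = 'Software\Microsoft\Windows\CurrentVersion\Run'
"HKCU Run writable: " + (Test-RunKeyWritable ([Microsoft.Win32.Registry]::CurrentUser) $sub)
"HKLM Run writable: " + (Test-RunKeyWritable ([Microsoft.Win32.Registry]::LocalMachine) $sub)
```

Run it once from a standard account and once from an elevated prompt: the entry table is the same, but the two writability lines flip for HKLM, which shows in practice why day-to-day work under a non-administrator account limits where a bot can persist.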