Bots, Bots Everywhere

Implementing firewall rules at both the host and the perimeter could stop a lot of bot infections

4:34 PM -- Who ever thought that bots were limited to home PCs? With the proliferation of compromised Websites hosting malware, how are enterprises dodging the bullet? They're not, and that's exactly the point of Kelly Jackson Higgins's recent article. (See Bots Rise in the Enterprise.)

It's hard to believe that the same threats exist for enterprises as do for home users, but it's the truth. The home users work somewhere, right? And they are simply bringing their bad behavior from home to the office. The only difference is that enterprises have full-time staff whose job it is to mitigate the risks introduced by those users.

One of my favorite blogs is Dancho Danchev's "Mind Streams of Information Security Knowledge" where he uncovers infected Websites and do-it-yourself malware kits. I've always bragged about how I come across the most cutting-edge malware by working with students every day, but the things he comes across are incredible.

Danchev documented a Web server hosting over 20 magazine Websites that were all serving up malicious JavaScript hidden in the pages (See "A Portfolio of Malware Embedded Magazines"). The target audiences of the magazines were all IT-related, with titles like Network Week Magazine, Service Provider Weekly, and Health Care IT Magazine. At the time of his blog post, only 8 out of the 31 antivirus scanning engines used at Virus Total caught the malware.

The visitors to those Websites aren't people like my mom and sister, but IT folks who will likely be visiting them from company computers. And, if they're not paying attention, they might just get infected. If that wasn't enough, how many of you IT workers out there just have to run as administrator? Shame on you!

Enterprises need to wake up and invest time in watching their outbound traffic, not just the inbound attacks. By properly implementing firewall rules at both the host and the perimeter, many of these bots could be stopped. They typically receive commands using IRC servers, compromised Websites, and peer-to-peer networks. Blocking everything outbound that isn't necessary -- just like you do inbound -- would negate most of the communication methods. For the others, inspect every bit of traffic that must go out, and proxy it when possible to keep an eye out for abnormalities.
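As an added illustration of that egress-filtering approach (example code, not from the column or from Dark Reading), here is a small Python audit that applies a default-deny outbound policy to constructed firewall log lines and reports every flow the policy would have blocked. The proxy address, the internal resolvers and the log format are all assumptions made for the example.

```python
import re
from collections import namedtuple

# Constructed egress policy for a hypothetical network (all values are assumptions, not from the article).
# Default deny: an outbound flow is permitted only if one of the explicit rules below allows it.
PROXY = ("10.0.0.5", 3128)                     # all web traffic must go out through this proxy
INTERNAL_RESOLVERS = {"10.0.0.2", "10.0.0.3"}  # the only hosts that may be queried on udp/53
IRC_PORTS = {6667, 6697}                       # flagged separately because of their bot C&C history

LOG_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+)")
Finding = namedtuple("Finding", "src dst proto dport reason")

def classify(dst, proto, dport):
    """Return None if the outbound flow is permitted, otherwise the reason it should be blocked."""
    if proto == "tcp" and (dst, dport) == PROXY:
        return None
    if proto == "udp" and dport == 53:
        return None if dst in INTERNAL_RESOLVERS else "DNS query to an external resolver"
    if dport in IRC_PORTS:
        return "outbound IRC: classic bot command channel"
    if proto == "tcp" and dport in (80, 443):
        return "web traffic bypassing the proxy"
    return "not on the egress allowlist (default deny)"

def audit_egress(lines):
    """Parse simplified firewall log lines and return every flow the policy would block."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # skip lines that are not connection records
        src, dst, proto, dport = m.group(1), m.group(2), m.group(3), int(m.group(4))
        reason = classify(dst, proto, dport)
        if reason:
            findings.append(Finding(src, dst, proto, dport, reason))
    return findings

# Constructed sample log: two legitimate flows followed by four the policy should catch.
SAMPLE_LOG = """\
src=10.0.1.23 dst=10.0.0.5 proto=tcp dport=3128
src=10.0.1.23 dst=10.0.0.2 proto=udp dport=53
src=10.0.1.41 dst=203.0.113.9 proto=tcp dport=6667
src=10.0.1.41 dst=198.51.100.7 proto=tcp dport=80
src=10.0.1.17 dst=203.0.113.53 proto=udp dport=53
src=10.0.1.17 dst=192.0.2.77 proto=tcp dport=4662
"""

for f in audit_egress(SAMPLE_LOG.splitlines()):
    print(f"{f.src} -> {f.dst}:{f.dport}/{f.proto}  {f.reason}")
```

Run against real firewall or NetFlow exports, the same classification is what a default-deny egress rule set would enforce; the audit form is useful first to see what legitimate traffic would break before the rules go live.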

Now, I could follow up with something like "an ounce of prevention is worth a pound of cure," but I think "do it right now, because becoming a statistic sucks" will resonate better.

– John H. Sawyer is a security geek on the IT Security Team at the University of Florida. He enjoys taking long war walks on the beach and riding pwnies. When he's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading