Non-IT folks look at me incredulously, thinking I'm overstimulated by too much Mountain Dew and Starbucks, while IT people dismiss my warnings because they think bots are simple viruses and no big deal. Not true. Bots are evil -- plain and simple. They are vicious and want to steal your data so the bad guy can make a buck. Gone are the days when the biggest threat from a virus was that your system might not boot, or all of your images might be overwritten. Now your identity could be stolen, your bank account cleaned out -- or worse.
Need more info to help that sink in? Let's start with the fact that bots can and will steal your data. That's why they are often referred to as crimeware by groups like the US-CERT. That should perk up your ears and help shed light on the threat that bots pose to your organization.
What makes matters worse is that if you work in one of 44 states, the District of Columbia, Puerto Rico, or the Virgin Islands, a bot attack can affect you legally. The wording of their security breach notification laws varies a bit, but ultimately they all mean the same thing: You must provide notification whenever a security breach occurs that involves personal information. (This list provides links to the laws.)
Feel that? That sick feeling in the pit of your stomach is the realization that what seemed like a simple malware infection by one of those things called a "bot" just got real complicated. Instead of following the standard incident response script, your first responders are now going to have to approach the HR manager's system with velvet gloves because it's been communicating with a botnet for the past week, and your antivirus just noticed something suspicious was happening.
Bottom line: Bots are a real threat to the digital assets of a company. If you've been treating them the same as the regular dregs of malware that you've encountered in the past, then it's time to change that mentality. I've seen firsthand how they can be used to steal user credentials and Web page form content from a client whose IDS was in the right place at the right time -- in order to capture uploads to a command and control server from an infected user's machine.
I'm not saying you need to rewrite your incident response procedures. No, I'm saying you need to elevate the level of response taken when a machine is infected with a bot to the same level as if you knew a remote attacker was logged in and actively using the compromised system.
John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.