Attack of the killer bots

4. Deploy intrusion-detection and intrusion-prevention systems

Another approach is to fine-tune your IDSs and IPSs to look for botlike activity. For example, any machine suddenly blasting away on Internet Relay Chat is certainly suspicious. Ditto those connecting to offshore IP addresses or illegitimate DNS addresses. Harder to notice, but another telltale sign, is a sudden uptake in SSL traffic on a machine, particularly in unusual ports. That could indicate a botnet-control channel has been activated. Look for machines routing e-mail to servers other than your own e-mail server. Botnet hunter Gadi Evron further suggests that you learn to watch for Web crawlers that operate at high "fetch levels." Fetch levels activate all links located on a Web page, and a high level could indicate a machine is being sent to a malicious Web site.

An IPS monitors for behavior anomalies that indicate hard-to-spot HTTP-based attacks and those from remote-call-procedure, Telnet- and address-resolution-protocol spoofing, among others. Worth noting, however, is that many IPS sensors use signature-based detection, meaning that attacks are added to a database as they are discovered. The IPS must be updated regularly to recognize them, so after-the-fact detection will require ongoing effort.

5. Protect user-generated content

Your own Web operations must also be protected from becoming unwitting accomplices to malware writers. Unless you are trying to become the next hip, Web 2.0 social network, your company's public blogs and forums should be restricted to text-only entries, advises Michael Krieg, vice president of Web Crossing, maker of social-networking software and hosting services.

"I'm not aware of any one of our thousands of users that allows a JavaScript within text of a message; same thing with embedded code and other HTML tags. We don't let people do it. Our apps by default strip them out," Krieg says.

Dan Hubbard, vice president of security research at Websense, adds, "That is one of the big problems of user-created content sites, the Web 2.0 phenomenon. How do you balance the great functionality of allowing people to upload stuff but not allow them to upload anything bad?"

The answer is to be specific. If your site needs to let members swap files, it should be set to allow only limited and relatively safe file-types, those with .jpeg or .mp3 extensions, for instance. (Malware writers have begun to target the MP3 players themselves with worms, however.)

6. Use a remediation tool

If you do find an infected machine, the jury is out about how best to do remediation. Companies like Symantec assert they can detect and clean even the deepest rootkit infection. In Symantec's case, it points to technology it acquired with Veritas, VxMS (Veritas Mapping Service), which lets the antivirus scanner bypass Windows File System APIs, which are controlled by the operating system and therefore vulnerable to manipulation by a rootkit. VxMS directly accesses raw Windows NT File System files. Other antivirus vendors trying to protect against rootkits include McAfee and FSecure. Their success has varied, given how inventive malware writers can be.

Yet Evron argues that detecting malware after the fact could really be a false scent -- bait intended to make IT professionals believe they've scrubbed the PC while the real bot code remains hidden. "Antivirus is not a solution, because it is naturally reactive. The antivirus would have to recognize [the problem], and therefore the antivirus could have been manipulated," he says.

This is not to say you shouldn't try to implement the best rootkit fighter you can find in your antivirus software, just that you should be aware that doing so is a bit like buying a safe after your valuables have been stolen. Evron believes the only way to be sure that a machine is clean after bot malware is detected is to wipe it and start from scratch.

By not letting your users visit known malicious sites, monitoring your network for strange behaviors and defending your public sites from attacks, you'll be in good shape, security experts unanimously agree.

"I can see where this odd sense of futility and hopelessness can come in if some network guy wakes up and thinks, 'What am I going to do about those millions of botnets?' Let the folks concentrating on fighting botnets on a day-to-day basis worry about that one," says Chris Boyd, FaceTime's director of malware research. "Just concentrate on locking down your network and protecting it against infections -- viruses, Trojans, spyware or adware. . . . Treat it as a rogue file found on a PC. That's all you need to do."