Abstract
Administrators must have faith in the security products installed at the desktop and gateway levels of their networks, trusting that these technologies provide reasonable protection against most worms infecting and spreading within the internal network. However, an overdependence on those very products leaves many potentially exposed when the network is hit with an undetected piece of malware. For any organization, internal bot infections cause serious repercussions, including loss of man hours and downtime. The average cost [1] of such disasters runs into the tens of thousands of dollars. The most recent cases are the W32/Mocbot [2], W32/Mytob [3] and W32/Zotob [4] outbreaks, which caused widespread havoc within several large corporate networks. Having an early warning system in place that proactively alerts on and captures bot-like activity on an internal network goes a long way towards containing and isolating the source of infection or attack. Furthermore, no organization should rely solely on a security vendor's information or solution; organizations must also have in place their own information gathering methods, techniques, and defences. This paper describes setting up an IRC honeypot on a network using minimal resources and requiring little maintenance. The honeypot serves as an early warning system that proactively alerts on bot-like activity. We also discuss using the internal IRC honeypot to disrupt the flow between bots and their command and control (C&C) server, which can allow the network administrator to gain control over infected machines and assist in removing bots from them.
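To make the early-warning idea concrete, the following is an added example (not code from the paper or from McAfee Avert Labs) of a minimal IRC honeypot session handler: it completes IRC registration so that a connecting internal host proceeds to reveal its nick, channel and channel key, and summarises the session as an alert. The server name, the sample session and the "generated nick" heuristic are constructed assumptions for illustration.

```python
# Added example, not the paper's own code: a minimal IRC honeypot session
# handler. On an internal network no legitimate host should speak IRC to this
# server, so every session is an alert; the handler keeps the client talking
# long enough to capture nick, channel, key and any commands it sends.
import re
from dataclasses import dataclass, field

SERVER_NAME = "irc.honeypot.local"  # constructed hostname for the fake server

@dataclass
class Session:
    src_ip: str                      # internal host that connected to the honeypot
    nick: str = "*"
    user: str = ""
    channels: list = field(default_factory=list)
    keys: dict = field(default_factory=dict)
    messages: list = field(default_factory=list)

def handle_line(sess: Session, line: str) -> list:
    """Process one raw client line; return the replies the honeypot sends back."""
    parts = line.rstrip("\r\n").split(" ")
    cmd = parts[0].upper()
    if cmd == "NICK" and len(parts) > 1:
        sess.nick = parts[1]
        return []
    if cmd == "USER" and len(parts) > 1:
        sess.user = parts[1]
        # Numeric 001 (RFC 2812) completes registration so the client moves on to JOIN
        return [f":{SERVER_NAME} 001 {sess.nick} :Welcome {sess.nick}"]
    if cmd == "JOIN" and len(parts) > 1:
        chan = parts[1]
        sess.channels.append(chan)
        if len(parts) > 2:
            sess.keys[chan] = parts[2]  # channel key: the C&C channel's shared secret
        return [f":{sess.nick}!{sess.user}@{sess.src_ip} JOIN {chan}",
                f":{SERVER_NAME} 366 {sess.nick} {chan} :End of NAMES list"]
    if cmd == "PRIVMSG" and len(parts) > 2:
        sess.messages.append(line.split(" :", 1)[-1])  # record what the client says
        return []
    if cmd == "PING" and len(parts) > 1:
        return [f"PONG {parts[1]}"]  # answer keepalives so the session stays open
    return []

def alert(sess: Session) -> dict:
    """Summarise a captured session for the early-warning alert."""
    return {
        "source": sess.src_ip,
        "nick": sess.nick,
        # Heuristic (assumption): bracketed/piped or long-numeric nicks look machine-made
        "generated_nick": bool(re.search(r"[\[|]|\d{4,}", sess.nick)),
        "channels": list(sess.channels),
        "keys": dict(sess.keys),
        "messages": list(sess.messages),
    }
```

Wire `handle_line` to a TCP listener on port 6667 of the honeypot host and forward `alert(sess)` to the monitoring system; the captured channel name and key are what the paper later uses to intervene between bots and their C&C server.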
Additional information
Vinoo Thomas and Nitin Jyoti are Virus Researchers with McAfee Avert Labs, based in Bangalore, India.
[1] http://www.pwc.com/uk/eng/ins-sol/publ/pwc_dtifullsurveyresults06.pdf
[2] http://vil.nai.com/vil/content/v_136637.htm
[3] http://vil.nai.com/vil/content/v_132158.htm
[4] http://vil.nai.com/vil/content/v_135433.htm
Cite this article
Thomas, V., Jyoti, N. Bot countermeasures. J Comput Virol 3, 103–111 (2007). https://doi.org/10.1007/s11416-007-0043-3