
Bot countermeasures

Journal in Computer Virology (Eicar 2007 Best Academic Papers)

Abstract

Administrators must have faith in the security products installed today at the desktop and gateway levels of their networks. They trust that these technologies provide reasonable protection against most worms infecting and spreading within the internal network. However, overdependence on these very security products leaves many organizations potentially exposed when the network is hit with an undetected piece of malware. For any organization, internal bot infections cause serious repercussions, including loss of man hours and downtime. The average cost [1] of such disasters runs into the tens of thousands of dollars. The most recent cases are the W32/Mocbot [2], W32/Mytob [3], and W32/Zotob [4] outbreaks, which caused widespread havoc within several large corporate networks. Having an early warning system in place that proactively alerts on and captures bot-like activity on an internal network goes a long way towards the containment and isolation of the source of infection or attack. Furthermore, no organization should rely solely on a security vendor's information or solution. Organizations must also have in place their own information gathering methods, techniques, and defences. This paper describes setting up an IRC honeypot on a network, using minimal resources and requiring little maintenance. The honeypot serves as an early warning system to proactively alert on bot-like activity. We also discuss using the internal IRC honeypot to disrupt the flow between bots and their command and control (C&C) server. This can allow the network administrator to gain control over infected machines and assist in removing bots from infected machines.
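The abstract describes the core idea of an internal IRC honeypot: a listener that no legitimate client ever contacts, so any host that registers with it or joins a channel is by definition suspicious. The following is an added illustration of that detection logic, not code from the paper or from McAfee. It assumes the honeypot replies with the standard IRC 001 welcome numeric so that a connecting bot proceeds to reveal its channel and key, and it simply prints alerts (a placeholder for forwarding to a log collector). The sample client lines in the `__main__` block are constructed.

```python
"""Minimal IRC honeypot sensor (added example, not the paper's code).

Assumption: this listener runs on an internal host that no legitimate
client ever contacts, so any client that completes IRC registration or
joins a channel is reported as bot-like activity. Alerts are printed;
a real deployment would forward them to a log collector.
"""
import re
import socket
import threading
from dataclasses import dataclass, field
from typing import List, Optional

# RFC 1459 client line: [:prefix] COMMAND middle-params... [:trailing]
IRC_LINE = re.compile(
    r"^(?::(?P<prefix>\S+)\s+)?(?P<command>[A-Za-z]+|\d{3})"
    r"(?P<params>(?:\s+[^:\s]\S*)*)(?:\s+:(?P<trailing>.*))?\s*$"
)


def parse_irc_line(line: str) -> Optional[dict]:
    """Parse one IRC line into {'command', 'params'}; None if malformed."""
    m = IRC_LINE.match(line.strip("\r\n"))
    if not m:
        return None
    params = m.group("params").split()
    if m.group("trailing") is not None:
        params.append(m.group("trailing"))
    return {"command": m.group("command").upper(), "params": params}


@dataclass
class HoneypotSession:
    """State for one connecting client and the alerts it has triggered."""
    peer: str                          # "ip:port" of the client
    nick: Optional[str] = None
    user: Optional[str] = None
    registered: bool = False
    alerts: List[str] = field(default_factory=list)

    def feed(self, line: str) -> Optional[str]:
        """Consume one client line; return the reply to send, if any."""
        msg = parse_irc_line(line)
        if msg is None:
            return None
        cmd, params = msg["command"], msg["params"]
        if cmd == "NICK" and params:
            self.nick = params[0]
        elif cmd == "USER" and params:
            self.user = params[0]
        elif cmd == "PING" and params:
            return f"PONG :{params[-1]}"
        elif cmd == "JOIN" and params:
            # A bot typically joins its C&C channel, often with a key.
            key = params[1] if len(params) > 1 else ""
            self.alerts.append(
                f"ALERT {self.peer}: nick={self.nick} JOIN {params[0]} key={key!r}")
            return f":{self.nick or '*'} JOIN {params[0]}"
        if self.nick and self.user and not self.registered:
            # Registration completed: alert, then send the 001 welcome so the
            # client carries on and reveals its channel.
            self.registered = True
            self.alerts.append(
                f"ALERT {self.peer}: IRC registration nick={self.nick} user={self.user}")
            return f":honeypot 001 {self.nick} :Welcome"
        return None


def run_session(peer: str, lines: List[str]):
    """Offline driver: replay client lines; return (alerts, replies)."""
    sess = HoneypotSession(peer)
    replies = [sess.feed(line) for line in lines]
    return sess.alerts, replies


def serve(host: str = "0.0.0.0", port: int = 6667) -> None:
    """Listen for IRC clients, one thread per connection, printing alerts."""
    def handle(conn, addr):
        sess, buf, seen = HoneypotSession(f"{addr[0]}:{addr[1]}"), b"", 0
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                buf += data
                while b"\n" in buf:
                    raw, buf = buf.split(b"\n", 1)
                    reply = sess.feed(raw.decode("utf-8", "replace"))
                    for alert in sess.alerts[seen:]:
                        print(alert)
                    seen = len(sess.alerts)
                    if reply:
                        conn.sendall((reply + "\r\n").encode())

    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen()
    while True:
        conn, addr = srv.accept()
        threading.Thread(target=handle, args=(conn, addr), daemon=True).start()


if __name__ == "__main__":
    # Constructed sample of the lines an IRC bot sends after connecting.
    sample = ["NICK bot123\r\n", "USER bot 0 * :bot\r\n",
              "JOIN #chan k3y\r\n", "PING :abc\r\n"]
    for alert in run_session("10.0.0.5:51234", sample)[0]:
        print(alert)
    # serve()  # uncomment to listen on TCP 6667 as the honeypot
```

Because the honeypot has no legitimate users, the detection rule needs no signature: completed registration is the first alert, and the JOIN that follows gives the responder the channel name and key as evidence for the incident record. Exposing the listener on the internal network only (never on an Internet-facing interface) keeps its false-positive rate close to zero.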



Author information

Corresponding author: Vinoo Thomas.

Additional information

Vinoo Thomas and Nitin Jyoti are Virus Researchers with McAfee Avert Labs, based in Bangalore, India.

[1] http://www.pwc.com/uk/eng/ins-sol/publ/pwc_dtifullsurveyresults06.pdf
[2] http://vil.nai.com/vil/content/v_136637.htm
[3] http://vil.nai.com/vil/content/v_132158.htm
[4] http://vil.nai.com/vil/content/v_135433.htm

Cite this article

Thomas, V., Jyoti, N. Bot countermeasures. J Comput Virol 3, 103–111 (2007). https://doi.org/10.1007/s11416-007-0043-3
