
Understanding the Dark Side of Network Bots

December 14, 2007
By Jimmy Ray Purser


To protect your small or midsize company's network against bots, you first have to understand what bots do and how they do it. Cisco's Jimmy Ray Purser unveils the dark side of network bots.


Looking back at how good things can be turned into bad things is the true study of network security. There never really was an "In-law" protocol or design that was intended to be for negative use right out of the gate. All of the "bad stuff" is simply "good stuff" modified to serve the dark side of the force.

For example, Simple Network Management Protocol (SNMP) is great for managing our devices. On the dark side, it is just as great for pulling tons of information out of a device (interfaces, routing tables, software versions) so it can be attacked later, especially when the default read community string is still in place. A multitude of such examples exist.

Way back in the computing Stone Age, the 1980s (ah, yes, remember the good old '80s? Hair bands, IROC Camaros, and an odd fascination with all things Australian), the bot was born. Bots started out as helpful little code critters that kept Internet Relay Chat (IRC) channels open. They looked for online games and even answered questions to help new users (noobs) out in this brave new world. But then, mix in a little money, organized crime, and imperial code jockeys, and you have one of the least known yet largest problems on any network, be it home or work: the bot.

A Bot By Any Other Name Is Still A Bot

Bots can be confusing because each antivirus vendor names the same bot something different. The bot writer gives the bot a name like Agobot. Then the antivirus vendors call it something like w32-aEUR-11-v1a. So the problem looks like this: "Did you load the signature for w32-aEUR-11-v1a or the latest one, w32-aEUR-12-d44?" You just want to fix the problem, not get your Ph.D. in naming conventions. So let me try to take a little bit of the guesswork out of this bot thing and give you a Web site or two to track bot activity and what we can do about it.

Let's Get the Terms Right

  • Virus: A virus is not a bot. A virus is normally self-propagating and needs no central command to tell it what to do. It is programmed for a fixed course of action.

  • Bot: A bot is not a virus. A bot is a very small piece of modular code that must be controlled from somewhere by someone. Because the code is modular, a bot herder can add and remove functionality as needed. Bots are very well coded and normally cannot be detected by drops in system performance.

  • Hacker: A hacker normally breaks into a system for the purpose of controlling or owning (hacker speak: 0wn3d) it. Sometimes this is for fun or meanness, but normally hackers want total control of your network.

  • Botnet: A collection of bots controlled by a bot herder to form a network, a pain for all of us. A botnet is usually in the thousands of bots, spread all over the world.

  • Bot herder: Bot herders control a large number of systems (mainly PCs) through a bot. They normally have very poor coding skills and rely on the modularity of bots to assemble their own creation. A bot herder is not a hacker. Bot herders control botnets.

  • Bot creator: These folks are supergood code jockeys. They think outside of the box and really can do a whole lot with very little. They actually design the original bot (the base bot). They are rarely caught or even known.

  • Spyware: Typically, spyware is not a bot per se, in that it does not have a central command and control. Spyware gathers info and reports back. It is normally very poorly coded and can be detected by watching system performance drop.

In the wild, there are only about 10 to 20 actual base bots. Those bots have names like AgoBot, XTbot, SDbot, Storm, and Dataspy Network X. However, out of those 10 to 20 base bots, more than 8,000 variants exist. For example, AgoBot alone has more than 1,500 variants. Those go by names such as Gaobot, Phatbot, Forbot, XtrmBot, and a few others. AgoBot is very easy to build a custom bot from because it has a GUI configuration interface that lets someone with zero coding skills build and deploy his own custom bot.
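The distinction drawn above, that a bot answers to a central command point while a virus spreads on its own, shows up in network traffic. The following Python example is added here and is not part of the original article. It runs two heuristics over a constructed connection log (the log format, the addresses, the 60-second check-in interval and the thresholds are all assumptions made for the demonstration): many internal hosts checking in with one external host at regular intervals, which is how an IRC-style command channel looks on the wire, versus one internal host touching many neighbours on a single port, which is how self-propagation looks.

```python
"""Illustrative detection of botnet command-and-control beaconing versus
virus/worm-style scanning in connection logs.

Added example, not from the original article. The log format and every
address below are constructed for the demonstration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, one connection per line:
#   "<ISO timestamp> <src_ip> <dst_ip>:<dst_port>"
# Three internal hosts check in with one external host every 60 s on the
# classic IRC port (bot-like); one internal host touches five different
# neighbours on port 445 within seconds (worm-like); one host makes two
# ordinary web requests (noise that must not be flagged).
SAMPLE_LOG = """\
2007-12-14T10:00:00 10.0.0.11 198.51.100.7:6667
2007-12-14T10:00:02 10.0.0.12 198.51.100.7:6667
2007-12-14T10:00:05 10.0.0.13 198.51.100.7:6667
2007-12-14T10:01:00 10.0.0.11 198.51.100.7:6667
2007-12-14T10:01:02 10.0.0.12 198.51.100.7:6667
2007-12-14T10:01:05 10.0.0.13 198.51.100.7:6667
2007-12-14T10:02:00 10.0.0.11 198.51.100.7:6667
2007-12-14T10:02:02 10.0.0.12 198.51.100.7:6667
2007-12-14T10:02:05 10.0.0.13 198.51.100.7:6667
2007-12-14T10:00:10 10.0.0.20 10.0.1.1:445
2007-12-14T10:00:11 10.0.0.20 10.0.1.2:445
2007-12-14T10:00:11 10.0.0.20 10.0.1.3:445
2007-12-14T10:00:12 10.0.0.20 10.0.1.4:445
2007-12-14T10:00:12 10.0.0.20 10.0.1.5:445
2007-12-14T10:00:30 10.0.0.30 203.0.113.9:80
2007-12-14T10:07:41 10.0.0.30 203.0.113.9:80
"""


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, port) tuples.

    Malformed lines are skipped rather than aborting the whole run."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or ":" not in parts[2]:
            continue
        dst, port = parts[2].rsplit(":", 1)
        try:
            records.append((datetime.fromisoformat(parts[0]), parts[1], dst, int(port)))
        except ValueError:
            continue
    return records


def find_beaconing(records, min_clients=2, min_checkins=3, max_jitter=0.2):
    """Return {(dst, port): [clients]} for destinations that several clients
    contact at regular intervals: the shape of a herder's central command
    channel. Regularity per client is the coefficient of variation of the
    gaps between its connections (pstdev / mean); 0.0 means perfectly periodic."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in records:
        by_pair[(src, dst, port)].append(ts)

    regular_clients = defaultdict(set)
    for (src, dst, port), times in by_pair.items():
        if len(times) < min_checkins:
            continue  # too few check-ins to judge periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            regular_clients[(dst, port)].add(src)

    # A single periodic client could be a legitimate poller; several clients
    # on the same (dst, port) is what a botnet looks like.
    return {key: sorted(srcs) for key, srcs in regular_clients.items()
            if len(srcs) >= min_clients}


def find_scanners(records, min_targets=5):
    """Return {src: distinct_destinations} for sources that reach many
    different hosts on one port: self-propagation with no command point."""
    targets = defaultdict(set)
    for _, src, dst, port in records:
        targets[(src, port)].add(dst)
    return {src: len(dsts) for (src, port), dsts in targets.items()
            if len(dsts) >= min_targets}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("command-channel candidates:", find_beaconing(recs))
    print("scanner candidates:", find_scanners(recs))
```

The many-clients-to-one-server heuristic is tuned to the IRC-era bots the article describes; it misses peer-to-peer designs such as Storm, which is named above and used no single server, and a herder can defeat it by randomizing the check-in interval beyond the jitter threshold. Treat the output as a list of hosts to look at, not as a verdict.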

