Botnets: Who Really "Owns" Your Computers?
With the survival time of a fresh Windows install sometimes measured in seconds, knowing a little about some of the more pervasive bits of malware out there and how to ferret them out on your network can't hurt.
Except, perhaps, when they're not.
A "botnet" is a collection of computers that have been infected with remote-control software. An IRC "bot" is the software that gets installed by a virus; once running, it connects to an IRC (Internet Relay Chat) server, which serves as the control plane for sending commands to the bots.
A typical botnet scenario involves thousands of compromised Windows machines and a single "attack" command issued by the owner of the botnet, resulting in once-innocent computers executing an attack on an unsuspecting Web site. This article will explore common methods of infection and the capabilities the bots have, for the sake of better understanding these perils.
When an unpatched Windows computer connects to the Internet, survival is an unlikely prospect. Within minutes, the computer can become infected with a trojan or virus that installs an IRC bot. The bot will immediately "phone home" by connecting to an IRC server and then stand by, awaiting commands. SANS has cited 24 minutes as the average amount of time a freshly installed Windows XP computer can last on the Internet before infection. If you're running a fresh install of MS-SQL server, the time is considerably shorter. Some have cited sub-minute survival times for new, unpatched SQL servers.
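The "phone home" behaviour just described is also what gives a bot away on the wire: an infected host opens an outbound connection to an IRC server and keeps the session alive while it waits for commands, and every bot in the same botnet talks to the same control server. The script below is an added example (not code from the original article) that applies those two observations to constructed firewall log lines; the log format, IP addresses, port list and thresholds are all assumptions made for the example, not anything the article specifies.

```python
"""
Added example (not from the original article): flag hosts on a network that
look like IRC bots "phoning home", using constructed firewall log lines.

Heuristics implemented:
  1. outbound TCP connection to a well-known IRC port (6660-6669, 7000),
  2. several distinct internal hosts connecting to the same external
     server:port (bots in one botnet share a control server),
  3. long-lived sessions (a bot idles on the channel awaiting commands).

The log format, addresses and thresholds are constructed for this example.
"""
from collections import defaultdict
import re

IRC_PORTS = set(range(6660, 6670)) | {7000}   # common IRC server ports (assumption)
MIN_HOSTS_PER_SERVER = 3                       # "shared control server" threshold
LONG_SESSION_SECONDS = 600                     # idle-bot threshold

# Constructed firewall log lines: time, proto, src, dst, duration (seconds).
SAMPLE_LOG = """\
2004-03-01T10:00:01 TCP 10.0.0.5:1034 -> 203.0.113.7:6667 dur=3620
2004-03-01T10:00:05 TCP 10.0.0.9:1201 -> 203.0.113.7:6667 dur=3590
2004-03-01T10:00:09 TCP 10.0.0.12:1088 -> 203.0.113.7:6667 dur=3400
2004-03-01T10:01:00 TCP 10.0.0.5:1035 -> 198.51.100.20:80 dur=2
2004-03-01T10:01:30 TCP 10.0.0.30:2233 -> 198.51.100.44:6667 dur=40
2004-03-01T10:02:00 TCP 10.0.0.12:1090 -> 198.51.100.20:443 dur=5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+dur=(?P<dur>\d+)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            rec["dur"] = int(rec["dur"])
            records.append(rec)
    return records


def irc_connections(records):
    """Keep only TCP flows whose destination is a well-known IRC port."""
    return [r for r in records if r["proto"] == "TCP" and r["dport"] in IRC_PORTS]


def suspected_control_servers(records, min_hosts=MIN_HOSTS_PER_SERVER):
    """Map server:port -> set of internal clients; keep servers shared by many hosts."""
    clients = defaultdict(set)
    for r in irc_connections(records):
        clients[(r["dst"], r["dport"])].add(r["src"])
    return {srv: hosts for srv, hosts in clients.items() if len(hosts) >= min_hosts}


def suspected_bots(records):
    """Internal hosts holding a long-lived IRC session to a suspected control server."""
    servers = suspected_control_servers(records)
    bots = set()
    for r in irc_connections(records):
        if (r["dst"], r["dport"]) in servers and r["dur"] >= LONG_SESSION_SECONDS:
            bots.add(r["src"])
    return sorted(bots)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (dst, port), hosts in suspected_control_servers(recs).items():
        print(f"possible control server {dst}:{port} used by {len(hosts)} hosts")
    print("suspected bots:", suspected_bots(recs))
```

In the sample data, three internal hosts hold hour-long sessions to the same server on port 6667 and are flagged, while the lone 40-second connection to a different IRC server is not, since a single user chatting on IRC looks like that too. Port-based matching is deliberately the weakest of the three signals: bots are easily pointed at non-standard ports, so in practice the "many hosts, one server, long idle sessions" pattern is the part worth keeping.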
What Can They Do?
Botnets have various capabilities, including denial of service attacks, spam relaying, and theft of personal information; some even start Web servers on infected computers to aid in phishing attacks. These are all illegal activities, and definitely not something you want coming from your computer. There's nothing worse than receiving e-mail from another company's security officer with evidence that you've been attacking them or sending spam.