Security Alert: When Bots Attack - 'ZIFFPAGE TITLEThe Fallout '

The Fallout

The government continues to investigate leads related to Ancheta case. As Resili3nt and other online aliases, Ancheta admitted conducting more than 30 transactions with 10 people, all unindicted co-conspirators. Indeed, Ancheta is the type of criminal the FBI expects to see more of, McGuire says: "One of those profit-motivated individuals ... who exploited the latest in tech."

Companies fighting bot attacks shouldn't feel secure just because the government has nailed a few botmasters. Like law enforcers, corporate and government technology managers are struggling to stay ahead of bot crimes. Despite Microsoft's monthly Patch Tuesday—a day that has been marked by a steady stream of security patches issuing from Redmond—companies still take an average of 19 days, or almost three weeks, to fix critical vulnerabilities on just half of the externally facing systems on their networks, according to security vendor Qualys. Fixing half of their internally facing systems takes more than twice as long—nearly seven weeks. Botmasters have lots of time to exploit them.

At Auburn University, stamping out the infection took about three weeks. That's because some PCs were cleaned with antivirus software that didn't remove the bot code, so they reinfected the network once they were allowed back on. Ultimately, all of the PCs' hard drives had to be wiped clean by Wilson's staff. "That's the only foolproof way to get this crap off," he says.

Eighteen months later, Auburn is still educating students, faculty and administrators not to click on links or open attachments in e-mails or instant messages. Students are required to watch a streaming video on cybersecurity when they sign up for Internet services. They must also enter the university's network through a Cisco portal that checks their PCs to see if their antivirus software and the patches on their Microsoft software are up to date. If not, their PCs are updated on the spot. Auburn also blocked inbound and outbound access to Internet Relay Chat on the university's firewall.

Auburn has had no more major bot attacks, Wilson says. But that's no guarantee that Auburn will remain bot-free. Different colleges within the university have different rules on what users can do with computers, although discussions on how to enforce computer security have begun. "We're not corporate," he says. "We'll take computing rights away, but the school of engineering may be stricter than arts and sciences."

Likewise, corporations probably will never be fully inoculated against bots, according to Kris Palmer, chief information security officer at The Mosaic Co., a

$4.5 billion agriculture company in Plymouth, Minn. "There are so many points of insecurity that you have to pick your battles where you are weakest," she says.

Every company should run as much security technology as it can at each level of computing—desktop, server, internal network and external Internet connections, advises TransUnion's Lines. That includes firewalls, antivirus software, automated patching programs, intrusion detection systems, e-mail protection gateways and anti-adware applications, he says.

More specific steps include closing ports that aren't used in particular applications. For example, consider closing ports 6666 and 6667, which communicate with Internet Relay Chat, as Auburn did. Microsoft also recommends blocking certain ports at the firewall level, including ports 135, 137, 138 and 139, which allow applications on different computers to communicate; port 593, which allows computers to talk to each other over the Web; and port 445, an entry point for some worms and bots such as Sasser, Agobot and Zotob and the vehicle for spreading the infection at Auburn. In addition, block all unsolicited inbound traffic on ports with numbers higher than 1024, Microsoft advises.

Also, the experts say, understand the typical ebb and flow of traffic on the corporate network so that you'll recognize unusual patterns early. Look at network logs regularly, McGraw, the software quality expert, says. "Wonder why your machine is doing stuff when you're not actually using it," he says.

Corporate network administrators should learn how to disrupt a botnet attack, Palmer advises. Isolate an infected machine from the internal network, as Wilson did at Auburn, then study the bot code inside it. Identify the vulnerability it used to get into your system and fix it. Palmer plans to put her technology staff through "ethical hacking" training so that they can know the enemy, she says.

"Not that we want to teach anyone to hack, but knowing what it is to hack. What it looks like. What to look for," she says.

But despite all efforts, Lines, for one, doesn't think botnets will be eradicated, merely mitigated. "The preventions you have in place today won't prevent the attacks of tomorrow," he points out. "It's an arms race."