The company versus botmaster battle continues to rage, with neither side clearly winning, says Phyllis Schneck, chairman of the InfraGard National Members Alliance, a coalition of law enforcement and technology professionals and academic researchers that was formed to fight cybercrime. "Viruses have been with us since the mid-1980s. They're still around and creating havoc," she says. "I don't anticipate that botnets will go away anytime soon."
Still, Schneck and other security experts beat the drum about what corporations can do to try to prevent, detect and derail bot attacks. Here is some of their advice:
Run a full set of security technology at each level of computing desktop, server, internal network and external Internet connections. Include firewalls, antivirus software, automated patching programs, intrusion detection and prevention systems, e-mail protection gateways and anti-adware applications.
Patch early and often.
Educate users not to open attachments or Web links in e-mail or instant messages, even if the sender's name is familiar. Cybertrust, a computer security company in Herndon, Va., that tracks hacker activity, says organizations that train users "performed significantly better than those relying mainly on technical antivirus controls."
Close portspathways in and out of the operating system to move data and filesnot used by particular applications. Consider closing ports 6666 and 6667, which are used for Internet Relay Chat. Block certain ports at the firewall level, including 135, 137, 138 and 139, which allow applications on different computers to communicate; port 593, which allows computers to talk to each other over the Web; and port 445, used for file sharing and through which some worms and bots enter, including Sasser, Agobot and Zotob.
Partially close ports with numbers higher than 1024 by blocking unsolicited inbound traffic on them.
Know the typical ebb and flow of traffic on the corporate network to recognize unusual patterns early.
Learn how to disrupt a botnet attack. Isolate an infected machine from the internal network and study the bot code inside it. Identify the vulnerability the bot used to enter the machine, and fix the flaw. K.S.N.