Wednesday, February 07, 2007 3:38 PM cmosby

McAfee Avert Labs Blog - Bot Countermeasures

 

Bot Countermeasures

Wednesday February 7, 2007 at 6:32 am CST
Posted by Vinoo Thomas


Malware authors have been quick to fold exploit code for newly disclosed, and even zero-day, vulnerabilities into their creations. Fueled by financial incentives and readily available exploit source code, today's attackers aggressively keep developing their malware. Over the years the window between a vulnerability's disclosure and its incorporation into a worm or bot has shrunk from months to weeks to zero days. That leaves administrators very little time to schedule and deploy patches to every server and workstation on their networks; if a bot exploiting a zero-day vulnerability hits the network during that window, the organization faces a potential worm outbreak or large-scale attack.

The table below lists, for each Microsoft security bulletin, the date the patch became available, the date a worm exploiting the patched vulnerability appeared, and the number of days malware authors took to turn the vulnerability into a worm.

Patch      Malware   Patch availability   Worm attack date   Days until worm appeared
MS01-020   Nimda     Oct 17, 2000         Sep 18, 2001       335
MS02-061   Slammer   Jul 24, 2002         Jan 25, 2003       185
MS03-026   Blaster   Jul 16, 2003         Aug 11, 2003       26
MS04-011   Sasser    Apr 13, 2004         Apr 30, 2004       17
MS05-039   Zotob     Aug 9, 2005          Aug 14, 2005       5
MS06-040   Mocbot    Aug 8, 2006          Aug 12, 2006       4

The paper "Defeating bots on the internal network" from McAfee Avert Labs, published in the February 2007 issue of Virus Bulletin, describes setting up an IRC honeypot on the internal network that needs minimal resources and little maintenance and serves as an early-warning system for botnet activity: no legitimate host should be speaking IRC to it, so any connection it receives is a strong indicator of an infected machine. The paper also discusses using the internal IRC honeypot to take control of infected machines and remove the bot from them.
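As an added illustration of the early-warning idea (this is not code from the Virus Bulletin paper or from McAfee), the following Python script is a minimal IRC honeypot. It completes just enough of the IRC registration handshake (NICK, USER, the 001 welcome reply, JOIN, PING/PONG) that a connecting bot believes it has reached its command-and-control server, and it raises an alert for every registration, channel join and message it sees, recording the source IP, nick, channel and channel key. The assumptions are that the honeypot is bound to an internal IP that carries no other service, so every connection is suspect, and that the bot nick, channel and key in the usage example are constructed sample values. The second half of the paper's technique, sending the bot family's own commands to uninstall it, depends on each bot's command syntax and is not shown here.

```python
import datetime
import re
import socketserver

# Raw IRC line: [":" prefix SPACE] command [SPACE params]
IRC_LINE = re.compile(r'^(?::(?P<prefix>\S+) )?(?P<cmd>\S+)(?: (?P<params>.*))?$')


def parse_irc_line(line):
    """Split one raw IRC line into (COMMAND, [params]); the trailing
    ':'-prefixed parameter may contain spaces and is kept whole."""
    m = IRC_LINE.match(line.rstrip('\r\n'))
    if not m:
        return None, []
    params_str = m.group('params') or ''
    if params_str.startswith(':'):
        params = [params_str[1:]]
    elif ' :' in params_str:
        head, trailing = params_str.split(' :', 1)
        params = head.split() + [trailing]
    else:
        params = params_str.split()
    return m.group('cmd').upper(), params


class BotSession:
    """State for one client of the honeypot. Because nothing legitimate
    should ever talk IRC to this host, every completed registration,
    JOIN and PRIVMSG is reported as an alert."""

    def __init__(self, peer):
        self.peer = peer          # source IP, i.e. the suspected infected host
        self.nick = None
        self.user = None
        self.channels = []        # (channel, key) pairs the bot tried to join
        self.alerts = []          # alert dicts, drained by the caller

    def _alert(self, kind, **fields):
        self.alerts.append({
            'time': datetime.datetime.now(datetime.timezone.utc).isoformat(),
            'peer': self.peer, 'nick': self.nick, 'user': self.user,
            'event': kind, **fields})

    def feed(self, line):
        """Consume one line from the client; return the reply lines to send."""
        cmd, params = parse_irc_line(line)
        replies = []
        if cmd == 'NICK' and params:
            self.nick = params[0]
        elif cmd == 'USER' and params:
            self.user = params[0]
            if self.nick:
                # RPL_WELCOME (001): the bot believes it registered, so it
                # proceeds to JOIN its C&C channel and reveals channel and key.
                replies.append(f':honeypot 001 {self.nick} :Welcome\r\n')
                self._alert('register')
        elif cmd == 'JOIN' and params:
            chan = params[0]
            key = params[1] if len(params) > 1 else None
            self.channels.append((chan, key))
            replies.append(f':{self.nick}!{self.user}@{self.peer} JOIN {chan}\r\n')
            self._alert('join', channel=chan, key=key)
        elif cmd == 'PRIVMSG' and len(params) >= 2:
            # Bots often announce themselves or report to the channel; log it.
            self._alert('privmsg', target=params[0], text=params[1])
        elif cmd == 'PING':
            replies.append(f'PONG :{params[0] if params else "honeypot"}\r\n')
        return replies


def format_alert(alert):
    """One-line, grep-friendly rendering of an alert for syslog or a console."""
    extra = ' '.join(f'{k}={v}' for k, v in alert.items()
                     if k not in ('time', 'peer', 'nick', 'user', 'event'))
    return (f"{alert['time']} BOT-HONEYPOT {alert['event']} "
            f"src={alert['peer']} nick={alert['nick']} user={alert['user']} {extra}").rstrip()


class HoneypotHandler(socketserver.StreamRequestHandler):
    """One thread per connecting bot; alerts go to stdout."""

    def handle(self):
        session = BotSession(self.client_address[0])
        for raw in self.rfile:
            for reply in session.feed(raw.decode('latin-1', 'replace')):
                self.wfile.write(reply.encode('latin-1'))
            while session.alerts:
                print(format_alert(session.alerts.pop(0)), flush=True)


if __name__ == '__main__':
    # Listen on the standard IRC port; bind the honeypot to an IP that
    # carries no other service so every connection is by definition suspect.
    with socketserver.ThreadingTCPServer(('0.0.0.0', 6667), HoneypotHandler) as srv:
        srv.serve_forever()
```

Fed the constructed session "NICK [USA|XP]12345", "USER x 0 0 :x", "JOIN #bots botkey", the script answers with a 001 welcome and a JOIN echo and emits two alerts, the second carrying channel #bots and key botkey, which is exactly the information needed to identify the infected host and its C&C channel. Alerts printed to stdout can be forwarded to syslog or a SIEM; bots that expect a specific server hostname or extra numeric replies before joining would need the handshake extended accordingly.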

Source: Computer Security Research - McAfee Avert Labs Blog
