Rinbot Provides a Friendly Reminder about Bot Protection
In today's business and consumer computing space, botnets (networks of compromised machines infected with malicious programs) are a common tool for nefarious Web activity. Whether for the financial gain of cyber criminals or the notoriety of computer hackers, botnets represent a tremendous amount of aggregate computing power that is frequently leveraged to launch large, coordinated attacks. In early March 2007, such an attack was launched against several well-known media outlets. Although that incident was highly publicized, the use of malicious bot software to hijack network systems and take remote control of computers is neither new nor unique.
Bots and Botnets Defined
A bot (sometimes referred to as a bot worm) is an automated software program that operates as an agent for a user or another program. While bots can be used to perform mundane tasks online (e.g., check stock quotes, compare prices, or collect and index documents), they are increasingly used for malicious purposes. Malicious bots are installed covertly: a computer virus or worm, a Trojan horse (a malicious program disguised as, or embedded within, legitimate software), or a drive-by download (which exploits Web browser, e-mail client, or operating system bugs to fetch malware without any user intervention) plants a backdoor program that leaves a network port on the PC open. Controllers, or botmasters, scan for PCs with such open ports and use them to install and update their bot programs. Once installed, the bot typically instructs the computer to connect to an IRC channel that serves as the command-and-control link to the botmaster. Security experts call these bot-loaded PCs "zombies", because the botmaster can wake them on command. When bots are installed on many PCs, the network of compromised machines (the botnet) is commanded to perform an extensive range of malicious activities, including spam distribution, phishing schemes, keystroke logging, and distributed denial of service (DDoS) attacks.
RINBOT Attacks Media Outlets
New vulnerabilities surface every month, and malware creators respond by adding fresh network-spreading capabilities to their arsenals. Bot worms have traditionally been the fastest to exploit newly published vulnerabilities, as demonstrated by the latest RINBOT variant, the bot worm behind the recent attacks on U.S. media outlets. This RINBOT variant (also known as NIRBOT, DELBOT and VANBOT) exploits a known vulnerability in Symantec antivirus software. It also spreads through Windows file shares protected by weak passwords, through the Microsoft Windows Server Service remote buffer overflow vulnerability, and through Microsoft SQL Server instances protected by weak passwords. Note that two of these four vectors need no software vulnerability at all, only a guessable password. Once inside a network, RINBOT can infect any reachable system running Microsoft Windows that exposes one of these weaknesses.
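The two weak-password vectors above leave a distinctive footprint in authentication logs: one source host failing logons against many different targets within seconds, using a handful of administrative account names, and then succeeding on a target it was just guessing against. The Python script below is an added example written for this page, not Trend Micro code or any RINBOT artefact; it flags that pattern. The log lines and their one-line-per-event format are constructed for the example, so `LINE_RE` would have to be adapted to a real source such as exported Windows Security event logs or the SQL Server error log, and the thresholds are starting points rather than tuned values.

```python
"""Flag worm-style password guessing against SMB shares and SQL Server.

Added example for this page (not Trend Micro code). The log format is a
constructed, hypothetical one-line-per-event format: adapt LINE_RE to your
real source (e.g. exported Windows Security event logs, SQL Server error log).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not from any real incident): host 10.0.5.23 sprays
# a few admin account names across several file servers and SQL Servers within
# seconds and then gets in; host 10.0.7.81 is a user who mistyped a password once.
SAMPLE_LOG = """\
2007-03-05 10:01:12 result=FAIL proto=smb   target=FILESRV01 user=administrator src=10.0.5.23
2007-03-05 10:01:13 result=FAIL proto=smb   target=FILESRV01 user=admin         src=10.0.5.23
2007-03-05 10:01:13 result=FAIL proto=smb   target=FILESRV02 user=administrator src=10.0.5.23
2007-03-05 10:01:14 result=FAIL proto=mssql target=SQL01     user=sa            src=10.0.5.23
2007-03-05 10:01:14 result=FAIL proto=mssql target=SQL02     user=sa            src=10.0.5.23
2007-03-05 10:01:15 result=FAIL proto=smb   target=FILESRV03 user=administrator src=10.0.5.23
2007-03-05 10:01:16 result=OK   proto=smb   target=FILESRV03 user=administrator src=10.0.5.23
2007-03-05 10:02:40 result=FAIL proto=smb   target=FILESRV01 user=jsmith        src=10.0.7.81
2007-03-05 10:02:55 result=OK   proto=smb   target=FILESRV01 user=jsmith        src=10.0.7.81
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+result=(?P<result>\w+)"
    r"\s+proto=(?P<proto>\w+)\s+target=(?P<target>\S+)\s+user=(?P<user>\S+)"
    r"\s+src=(?P<src>\S+)$"
)


def parse_events(text):
    """Parse log lines into dicts sorted by timestamp; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
        events.append(e)
    events.sort(key=lambda e: e["ts"])
    return events


def detect_spreaders(text, window=timedelta(seconds=60), min_failures=5, min_targets=3):
    """Return one alert per source host that behaves like a spreading bot worm.

    A source is flagged when, inside some trailing `window`, it produced at
    least `min_failures` failed logons, and its failures overall touched at
    least `min_targets` distinct targets (fan-out is what separates a worm
    from a user retyping one password). Successes that follow recent failures
    from the same source are reported as probable compromises.
    """
    by_src = defaultdict(list)
    for e in parse_events(text):
        by_src[e["src"]].append(e)

    alerts = []
    for src, events in by_src.items():
        recent = deque()  # failures still inside the trailing window
        peak_failures = 0
        targets, users, protos = set(), set(), set()
        compromised = []
        for e in events:
            while recent and e["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            if e["result"] == "FAIL":
                recent.append(e)
                targets.add(e["target"])
                users.add(e["user"])
                protos.add(e["proto"])
                peak_failures = max(peak_failures, len(recent))
            elif e["result"] == "OK" and recent:
                compromised.append((e["target"], e["user"]))
        if peak_failures >= min_failures and len(targets) >= min_targets:
            alerts.append({
                "src": src,
                "failures_in_window": peak_failures,
                "distinct_targets": len(targets),
                "usernames_tried": sorted(users),
                "protocols": sorted(protos),
                "successes_after_failures": compromised,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_spreaders(SAMPLE_LOG):
        print(alert)
```

On the constructed sample the only alert is for 10.0.5.23 (six failures in four seconds across five targets with three usernames, then a success on FILESRV03), while the single mistyped password from 10.0.7.81 stays below both thresholds. The success-after-failures field is the actionable part: it names the host whose weak password was just found and which should be isolated and re-credentialed first.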
Effective Practices for Preventing Bot Attacks
Malware threats such as bots used to be distributed primarily through e-mail. Increasingly, however, the Web and social engineering tactics are used to covertly propagate malicious code. Bots are typically technologically sophisticated and adapt to emerging technologies; their goal is to remain undetected for as long as possible while serving the needs of the botmaster. It is important for both businesses and home users to understand how to protect themselves from these automated scourges. For enterprises, mid-size corporations, and small businesses, Trend Micro recommends:
- Implement multi-pronged, multi-layered security. Bots use multiple vectors to enter the corporate network, including messaging and the Web. Multi-pronged, multi-layered security should include protection:
  - In the cloud, or on the Internet, such as Web reputation services that block connections to known malicious sites
  - At the Internet gateway, where the Internet connects to a corporate or Internet Service Provider network
  - At the endpoint, on a PC or server
- Do not allow unnecessary protocols to enter or leave the corporate network. The most dangerous of these are P2P communication protocols and IRC (chat): bots use P2P to propagate and IRC to communicate with their botmaster, so blocking both at the gateway, inbound and outbound, removes a propagation path and the command channel. Bear in mind that a bot can run IRC on a non-standard port, so inspect the protocol, not just the port number.
- Deploy vulnerability scanning software in the network. Scanning identifies unpatched systems and weakly protected services (such as the file shares and SQL Server instances that RINBOT targets) before a bot worm does. Maintaining a consistently up-to-date operating system minimizes the impact of new network vulnerabilities and diminishes the risk of infection by bot worms.
- Support training and user awareness campaigns. Teach users basic security measures, including how to recognize crimeware tactics that rely on social engineering and how to react to typical attack scenarios.
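The IRC and P2P egress advice above, together with the point that a bot can carry IRC on a port the firewall otherwise permits, can be expressed as a small classifier. The Python below is an added example, not Trend Micro code: it applies an egress allow-list by destination port, flags the conventional IRC and common P2P ports, and inspects the first bytes of each connection for IRC client commands so that IRC on port 80 is still caught. The flow records (hosts, addresses and payload fragments) are constructed for the example, and the allowed-port list is a hypothetical policy to adjust to your own network.

```python
"""Egress classifier for IRC and P2P traffic leaving a corporate network.

Added example for this page (not Trend Micro code). ALLOWED_EGRESS_PORTS is a
hypothetical policy; FLOWS are constructed records, not captured traffic.
"""
import re

IRC_PORTS = set(range(6660, 6670)) | {7000}   # conventional IRC server ports
P2P_PORTS = {4662} | set(range(6881, 6890))    # eDonkey (TCP) and BitTorrent defaults
ALLOWED_EGRESS_PORTS = {53, 80, 443}           # hypothetical allow-list; mail leaves only via the gateway

# IRC client commands at the start of a line within the first bytes of a connection.
IRC_CMD_RE = re.compile(rb"^(NICK|USER|PASS|JOIN|PRIVMSG|NOTICE|MODE|PING|PONG)\b", re.MULTILINE)

# Constructed flows: source host, destination, destination port, first payload bytes.
# 10.0.5.23 talks IRC on 6667 and then again tunnelled over port 80; 10.0.7.81 is
# ordinary HTTPS/HTTP; 10.0.9.4 runs P2P clients; 10.0.3.2 uses SSH on an odd port.
FLOWS = [
    {"src": "10.0.5.23", "dst": "203.0.113.7",   "dport": 6667, "payload": b"NICK bot12345\r\nUSER a 0 0 :a\r\n"},
    {"src": "10.0.5.23", "dst": "203.0.113.7",   "dport": 80,   "payload": b"PASS s3cret\r\nJOIN #cmd\r\n"},
    {"src": "10.0.7.81", "dst": "198.51.100.10", "dport": 443,  "payload": b"\x16\x03\x01\x00\x8a\x01\x00\x00\x86"},
    {"src": "10.0.7.81", "dst": "198.51.100.20", "dport": 80,   "payload": b"GET / HTTP/1.1\r\nHost: example.com\r\n"},
    {"src": "10.0.9.4",  "dst": "192.0.2.55",    "dport": 4662, "payload": b"\xe3\x01\x00\x00"},
    {"src": "10.0.9.4",  "dst": "192.0.2.56",    "dport": 6881, "payload": b"\x13BitTorrent protocol"},
    {"src": "10.0.3.2",  "dst": "192.0.2.200",   "dport": 2222, "payload": b"SSH-2.0-OpenSSH_4.3\r\n"},
]


def classify_flow(flow):
    """Return (verdict, reason) for one outbound connection.

    The payload check runs before the port allow-list so that IRC tunnelled
    over an allowed port (here, port 80) is still blocked and labelled as IRC.
    """
    port = flow["dport"]
    if port in IRC_PORTS:
        return "block", "irc-port"
    if IRC_CMD_RE.search(flow["payload"]):
        return "block", f"irc-protocol-on-port-{port}"
    if port in P2P_PORTS:
        return "block", "p2p-port"
    if port in ALLOWED_EGRESS_PORTS:
        return "allow", "allowed-port"
    return "block", "unlisted-port"  # default deny: review before extending the allow-list


def irc_suspects(flows):
    """Source hosts that spoke IRC to the outside on any port: candidate zombies."""
    return sorted({f["src"] for f in flows if classify_flow(f)[1].startswith("irc")})


def summarize(flows):
    """Map each source host to the reasons its outbound connections were blocked."""
    blocked = {}
    for f in flows:
        verdict, reason = classify_flow(f)
        if verdict == "block":
            blocked.setdefault(f["src"], []).append(reason)
    return blocked


if __name__ == "__main__":
    for src, reasons in summarize(FLOWS).items():
        print(src, reasons)
    print("IRC suspects:", irc_suspects(FLOWS))
```

Run against the constructed flows, 10.0.5.23 is blocked twice, once for the IRC port and once for IRC commands on port 80, and is the only IRC suspect; the P2P host is blocked on port alone; the SSH connection on port 2222 is blocked by the default-deny rule and reported for review rather than silently dropped. The same ordering (content check before port allow-list) is what a gateway IDS rule set should mirror.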
For home users, Trend Micro recommends the following:
- Do not allow new software installation from the browser unless it originates from a trusted Web page and software provider.
- Update anti-virus and anti-spyware software regularly, and keep real-time antivirus scanning enabled. Scan any program downloaded from the Internet, whether from a P2P network, the Web, or an FTP server.
- Beware of unexpected or strange-looking e-mails. E-mail remains one of the most common means of propagating bots. Never open attachments or click on links contained in unexpected or unusual e-mail messages.
- Enable the "Automatic Update" feature of the Windows operating system. Security automation, such as automatic updating, is key to staying ahead of evolving crimeware techniques.
If you suspect a malicious bot program has been installed on your computer, go to http://www.trendsecure.com/portal/en-US/free_security_tools/housecall_free_scan.php. Trend Micro HouseCall, a free Web-based tool that scans your PC, also detects system vulnerabilities and provides a link to download missing security patches.
