Combating Spyware in the Enterprise

Botnets can be difficult to detect on a compromised host, but recently, Portland State University s Jim Binkley, a PSU professor and network security engineer, modified a tool called Ourmon to detect the presence of botnets using network traffic analysis. Other similar tools are beginning to emerge.
Prevention is your best defense against botnets. According to Kapil Kumar Singh of Georgia Tech University, 80 percent of all bot clients are unpatched Windows machines. Ensure that your patches and antivirus software and datafiles are up-to-date. Turn off any services that are enabled but are not being used. Use Sysinternals Autoruns (www.sysinternals.com) to examine the programs that execute at boot time. On your enterprise firewall, permit only the ports you know you need. One of most effective protections is to ensure that no IRC programs and IRC ports are permitted. This may not be possible in your environment, but if it is, you can eliminate many of the current botnet codebases. To be comprehensive at blocking IRC traffic you need an intrusion detection or prevention tool that recognizes IRC traffic, regardless of the port chosen.
Detecting bots on a host can be a significant problem. For starters, a search of the McAfee threat library as I was writing this yielded 132 entries containing the word Bot. One entry alone reported more than 500 variants. Some forms of bot software employ deception mechanisms, such as rootkits. The rootkits may kill off antivirus software packages, check for...