What Are Malware, Bots and Rootkits?
A bot is a compromised computer running software that allows a remote
computer to control it. The software is usually installed by someone
breaking into the computer, but it can also be installed by a user who thinks
they are installing a game or other software downloaded from a website or
received via Instant Messenger [IM].
A botnet is a large collection of compromised computers [bots] which are
controlled by a very small number of remote computers. Communication is often
done using Internet Relay Chat [IRC, an older instant messaging protocol].
See also the Wikipedia definition of botnet.
Botnets are often used to send spam [both E-mail and IM], compromise other
computers, and launch distributed denial of service [DDoS] attacks. In some
cases, DDoS attacks are used to threaten commercial entities, or even to take
their websites down by flooding them with a large amount of traffic.
It is often difficult to detect a bot-infected computer without looking at
the network traffic it is generating. There are many different kinds of bot
software [and most bots can update themselves automatically], new versions
are always being created, and the bot software itself can take steps to avoid
being detected. As a result, the bot software frequently goes undetected when
a computer is scanned for viruses and spyware.
Unless you can determine specifically what you need to do to clean up the
system [either because you found a disinfection program that does a good job
and detects the bot software or because you've managed to find all the
services, files and registry keys that have been changed or installed], your
only course of action to secure your system is to rebuild it from
scratch.
IT-Expert on Call generally recommends a complete system rebuild [low-level
hard disk format, OS/application reinstall, etc.] even if you are using a
good disinfection program or think you know what you need to do, since it is
extremely difficult to be certain that you have found everything. You may find
some things but not others because they have been hidden by a rootkit [see the
Wikipedia definition of rootkit]. Even if you do manage to clean everything
up, you need to be aware that the intruder may have disabled anti-virus and
anti-spyware software, disabled automatic updates, or made other changes to
the system that will compromise its security and allow the intruder to get
back in quickly.
Rebuilding a system in an insecure way can lead to trouble quickly. If you
rebuild a computer while it is attached to an insecure network or attach it
to the net before security related patches have been applied, it will almost
certainly be compromised before you even get the patches installed.
You should also determine how the computer was compromised in the first
place and fix that [if possible], since otherwise it will just be infected
again eventually. In some cases this may require changing unsafe
behavior.
In recent bot cases, IT-Expert on Call determined that many of the bots are
spreading through MSN Messenger or AOL IM [in principle they could do this
through any of the various messenger services]. A bot-infected computer will
often send a URL in messages to everyone on the buddy list. When the
recipients click on the link to see what it is, they are infected.
In some cases the computer is probably compromised through unpatched
vulnerabilities in Internet Explorer. In other cases this is through insecure
Internet Explorer zone settings, or the user gives permission for Internet
Explorer to run a program or install something by clicking "OK" in the
dialogue boxes that appear.
It is vitally important that users do not click on unknown links [received in
E-mail or through messaging services such as IM and MSN Messenger]. In
addition, installing peer-to-peer [P2P] file sharing software or unknown
programs received through web pages, IM or E-mail is dangerous. Much of the
P2P software includes spyware which may send your credit card number, SSN, and
other personal information to unknown people. P2P programs and unknown
programs can also contain viruses which may infect your computer and cause
your machine to be blocked from the network.
Related reading:
Study of 300,000 PCs showed 15% contained unwanted programs
One in Five PCs Infected With Rootkits