Remove bots from your system -- a four-step process


Kevin Beaver, CISSP
11.08.2006


If there's ever been a mystery malware, it's arguably the "bot." A bot is a type of malicious software that infects Windows servers or workstations and places them under someone else's remote control; the infected machine itself is often called a zombie. Bots are used for relaying spam, launching distributed denial-of-service attacks and other criminal hacker shenanigans. Bots have not had the media exposure that viruses and rootkits have had, but times are changing. Research reports and malware vendor marketing hype are growing, and bots are starting to get the exposure needed for people to take them seriously.

Several bots affect the Windows platform, including Rbot, Sdbot, Agobot, Wootbot and Mocbot. In action, bots are essentially backdoor Trojans. They're installed by an unsuspecting user, or they propagate automatically to unpatched, vulnerable networked systems, and either way they give criminals a way to remotely control the victims' computers. With enough bot-infected systems reachable over a network or the Internet (collectively a botnet), attackers have a very powerful tool at their disposal that's hard to stop.

Like most of the newer forms of malware, bots can be hard to detect and even more difficult to remove. I'm hearing more and more people say they've been infected by a bot and can't remove it. Many of the infections are on critical Web servers and domain controllers that they can't just take offline and/or reload on a whim.

Battling the bots

If you suspect an infection (for example, a server that is sluggish or busy during off-hours when it should be idle, or odd traffic showing up in your firewall logs), take these steps to figure out what's going on:

1. Use the Windows Task Manager -- or better yet, Sysinternals' Process Explorer -- to look for applications that don't seem to belong or that are consuming a large amount of system resources. Process Explorer also shows each process's image path, command line and open network endpoints, and can verify the image's digital signature, all of which tell you far more than a bare process name. Odds are you're not going to find a bot directly in this manner, but the information your system gives you can help point you in the right direction.

2. Your next step (as obvious as it may seem) is to make sure you've scanned your system with the latest antivirus signatures. I also highly recommend running anti-rootkit tools. Again, not a guaranteed solution, but you still need to do it; bear in mind that a rootkit can hide files and processes from a scanner running inside the compromised OS, so scan from a known-clean boot environment where you can. If you do find a bot or related malware at this point, you may be able to remove the code with the right tool. However, as with rootkits, the only definitive way to get a bot off your system is to back up, reformat and reload. Back up data, not the system image, and scan the backup before you restore it, or you'll reinstall the infection along with the files.

3. Next, scan your system(s) for open ports and vulnerabilities. You can kill two birds with one stone by using a vulnerability scanner like Nessus or QualysGuard, which shows you both which ports are open and which vulnerabilities are present (for example, the MS05-039 Plug and Play vulnerability that Sdbot exploits to spread). Compare the open ports against what each host is documented to run; an unexplained listener deserves a closer look. In addition, you can use a vulnerability scanner as a proactive and preventive measure during your ongoing security scans. Make sure you scan all of your systems -- servers, workstations and all. Any Windows-based host is fair game for a bot infection.

4. Finally, and most importantly, test for a bot infection by watching the traffic entering and leaving the suspect host(s). The best way to view this traffic is with a network analyzer like EtherPeek or Ethereal (since renamed Wireshark), installed on the local host or, ideally, on another system that sees the traffic via a mirror/SPAN port on a managed Ethernet switch. The behavior described above is what you're looking for: connections out to a controller the host has no business talking to, bursts of outbound SMTP from a machine that isn't a mail server, and the host probing other systems on the same ports it was infected through. If you detect malicious traffic entering or leaving your system(s), block it at the network perimeter or via a personal firewall application that filters both inbound and outbound traffic, such as BlackICE or Windows Live OneCare. Blocking contains the damage and cuts the host off from its controller, but it doesn't clean the machine; the rebuild in step 2 still has to happen.
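To make step 4 concrete, here is an added example (written for this page, not code from the original article or its author) of the detection logic you would run over a capture summary once you have the traffic in hand. It looks for the three behaviors the article attributes to bots: joining a remote controller over IRC, relaying spam, and sweeping the network for more hosts to infect over the RPC/SMB ports. The flow records are constructed for two hypothetical hosts, and the mail-relay list, port sets and thresholds are assumptions to be replaced with your own network baseline.

```python
"""
Step 4 triage: look for bot-like behaviour in a summary of captured traffic.

Added example, not code from the original article. The flow records are a
constructed capture summary (what a conversation list from Ethereal/Wireshark
or EtherPeek would give you); the port sets, mail-relay list and thresholds
are assumptions to be replaced with your own network baseline.
"""
from collections import defaultdict

SMTP_PORT = 25
IRC_PORTS = {6666, 6667, 6668, 6669, 7000}       # common IRC controller ports
PROPAGATION_PORTS = {135, 139, 445}              # RPC/SMB; MS05-039 spreads over 445

MAIL_RELAYS = {"10.0.0.25"}       # assumed: the only host allowed to send SMTP out
SPAM_THRESHOLD = 20               # outbound SMTP sessions from a non-relay host
SCAN_FANOUT_THRESHOLD = 10        # distinct targets hit on propagation ports


def analyze_flows(flows, mail_relays=MAIL_RELAYS):
    """Return a list of (src_ip, indicator, detail) findings.

    flows: iterable of (src_ip, dst_ip, dst_port, proto) tuples, one per session.
    """
    smtp_sessions = defaultdict(int)
    irc_peers = defaultdict(set)
    scan_targets = defaultdict(set)

    for src, dst, dport, proto in flows:
        if proto != "tcp":
            continue
        if dport == SMTP_PORT and src not in mail_relays:
            smtp_sessions[src] += 1
        elif dport in IRC_PORTS:
            irc_peers[src].add(dst)
        elif dport in PROPAGATION_PORTS:
            scan_targets[src].add(dst)

    findings = []
    for src, count in smtp_sessions.items():
        if count >= SPAM_THRESHOLD:
            findings.append((src, "spam-relay", f"{count} outbound SMTP sessions"))
    for src, peers in irc_peers.items():
        findings.append((src, "irc-c2", "IRC session(s) to " + ", ".join(sorted(peers))))
    for src, targets in scan_targets.items():
        if len(targets) >= SCAN_FANOUT_THRESHOLD:
            findings.append((src, "propagation-scan",
                             f"{len(targets)} distinct hosts on RPC/SMB ports"))
    return findings


def sample_flows():
    """Constructed capture summary: 10.0.0.50 is clean, 10.0.0.77 behaves like a bot."""
    flows = []
    flows += [("10.0.0.50", "10.0.0.10", 445, "tcp")] * 5        # file server traffic
    flows += [("10.0.0.50", "10.0.0.8", 8080, "tcp")] * 30       # web via the proxy
    flows += [("10.0.0.77", "203.0.113.9", 6667, "tcp")]         # controller on IRC
    flows += [("10.0.0.77", f"198.51.100.{i}", 25, "tcp") for i in range(1, 41)]   # spam run
    flows += [("10.0.0.77", f"10.0.0.{i}", 445, "tcp") for i in range(100, 150)]  # sweep
    return flows


if __name__ == "__main__":
    for src, kind, detail in analyze_flows(sample_flows()):
        print(f"{src:12} {kind:18} {detail}")
```

In practice you would feed it the conversation list exported from your analyzer. The thresholds are the part that matters, and they should come from the network baseline this article goes on to recommend; a file server legitimately talking to a few dozen clients on port 445 looks nothing like one host sweeping a whole subnet.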

There are new emerging methods for thwarting bot infections and botnets, like the SenderIndex technology developed by Habeas Inc. and Simplicita Software Inc.

All in all, you're still on your own to keep your Windows environment safe from bot outbreaks. The most responsible proactive stance you can take against bots is to document the applications that are running on your systems (at least on your servers), and the ports they listen on, so you'll know what's right and what's not when doing your initial assessment and troubleshooting. Get a good network baseline and document which hosts and protocols should be present. That makes it much easier to spot what doesn't belong when you have to fire up your network analyzer.
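As an added example (not from the original article) of what that documentation buys you, the script below takes the output of netstat -ano and tasklist from one host and compares it with a documented baseline: which images are expected to be running, and which image should own each listening port. Anything undocumented, plus any established connection to an IRC port, is reported. Both command outputs are constructed for a hypothetical host (the process name wupdmgr32.exe is invented), and the baseline tables are assumptions standing in for your own records.

```python
"""
Steps 1 and 3 against a documented baseline: parse netstat -ano and tasklist
output and report anything the host's documentation does not account for.

Added example, not code from the original article. Both command outputs are
constructed for a hypothetical host, and the baseline tables are assumptions.
"""

NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       852
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1240
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       2816
  TCP    10.0.0.77:1057         203.0.113.9:6667       ESTABLISHED     2816
  UDP    0.0.0.0:500            *:*                                    712
"""

TASKLIST_OUTPUT = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0         28 K
System                           4 Services                   0        236 K
lsass.exe                      712 Services                   0      6,004 K
svchost.exe                    852 Services                   0      5,120 K
svchost.exe                   1240 Services                   0      4,880 K
wupdmgr32.exe                 2816 Console                    1      3,112 K
"""

# Assumed baseline taken from the host's documentation (hypothetical values).
DOCUMENTED_IMAGES = {"System Idle Process", "System", "lsass.exe", "svchost.exe"}
DOCUMENTED_LISTENERS = {            # (proto, port) -> images allowed to own it
    ("TCP", 135): {"svchost.exe"},
    ("TCP", 445): {"System"},
    ("TCP", 3389): {"svchost.exe"},
    ("UDP", 500): {"lsass.exe"},
}
IRC_PORTS = {6666, 6667, 6668, 6669, 7000}


def parse_tasklist(text):
    """Map PID -> image name. Image names may contain spaces, so index from the right."""
    pids = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[-5].isdigit():
            continue                      # header, separator or blank line
        pids[int(parts[-5])] = " ".join(parts[:-5])
    return pids


def parse_netstat(text):
    """Return (proto, local_port, remote_addr, state, pid) for each socket line."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, remote = parts[0], parts[1], parts[2]
        if proto == "TCP":
            state, pid = parts[3], int(parts[4])
        else:
            state, pid = "", int(parts[3])   # UDP rows have no State column
        rows.append((proto, int(local.rsplit(":", 1)[1]), remote, state, pid))
    return rows


def triage_host(netstat_text, tasklist_text):
    """Return (indicator, detail) pairs for everything not covered by the baseline."""
    pids = parse_tasklist(tasklist_text)
    findings = []
    for image in sorted(set(pids.values()) - DOCUMENTED_IMAGES):
        findings.append(("undocumented-process", image))
    for proto, port, remote, state, pid in parse_netstat(netstat_text):
        image = pids.get(pid, f"<pid {pid} not in tasklist>")
        if state == "LISTENING" or proto == "UDP":
            allowed = DOCUMENTED_LISTENERS.get((proto, port), set())
            if image not in allowed:
                findings.append(("undocumented-listener", f"{proto}/{port} owned by {image}"))
        elif state == "ESTABLISHED":
            rport = int(remote.rsplit(":", 1)[1])
            if rport in IRC_PORTS:
                findings.append(("irc-connection", f"{image} -> {remote}"))
    return findings


if __name__ == "__main__":
    for kind, detail in triage_host(NETSTAT_OUTPUT, TASKLIST_OUTPUT):
        print(f"{kind:22} {detail}")
```

Against real hosts you would save both commands' output to files and call triage_host on their contents. The parsing is the easy part; the value is in keeping DOCUMENTED_IMAGES and DOCUMENTED_LISTENERS current for each server, which is exactly the documentation the paragraph above asks for. Note that a PID netstat reports but tasklist does not list is itself worth a look, since that is what a rootkit hiding a process looks like from user mode.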

Also, find yourself a good malware protection vendor (or vendors) that you can count on to be a leader in bot, rootkit and other emerging malware protection. Follow that up by performing regular port and vulnerability scans, and act on any anomalies or weaknesses with patches and, where needed, network firewall and personal firewall policy changes. Finally, tell your users what to look out for and what not to do, and encourage them to report strange computer and network behavior. However, never rely on your users as a trusted line of defense against a bot infection. They're busy doing other things and are simply too unreliable.

About the author: Kevin Beaver, an independent information security consultant and expert witness with Atlanta-based Principle Logic, LLC, spent six long years obtaining his degree in computer engineering, which included Blue Pill-like bit and byte manipulation. He has more than 18 years of experience in IT and specializes in performing information security assessments for compliance and IT governance. He has written six books, including Hacking For Dummies (Wiley), Hacking Wireless Networks For Dummies, and The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He can be reached at kbeaver@principlelogic.com.
