The Nirbot family is based on relatively new code and spreads after receiving instructions from the botmaster inside an IRC channel, said Jose Nazario, senior security and software engineer at Arbor Networks.
"These guys, the botmasters and the bot-writers, are very competitive with each other," Nazario told SCMagazine.com. "Part of it is pride and ego and part of it is business. By writing their own code base, the guy or these people are showing they want to keep everyone else out."
The bot attempts to exploit patched vulnerabilities in Symantec anti-virus programs and the Microsoft server service function. More dangerous for enterprises, though, is that the bot preys on password weaknesses in Windows file-sharing networks, researchers said.
"This is harder to deal with unless you audit passwords," Nazario said.
Once launched, the bot joins the IRC server and can download arbitrary code, unleash DDoS attacks or launch an HTTP or FTP server to browse an infected PC for sensitive files, he said.
Still, the bot family – which Symantec has dubbed Rinbot – should not cause much panic because it is limited to about 20 variants at this time, researcher Eric Chien said Monday on Symantec’s Security Response Weblog.
"So, people shouldn’t overact to any threat posed by Rinbot itself, but instead use this opportunity to ensure they are taking proactive steps to address possible bot infections in their environment in general," he said. "Nevertheless, just one bot infection on your network can pose trouble."
He suggested organisations deploy intrusion detection and prevention systems and block access to IRC servers.
IRC bots such as Nirbot are common, but security experts are starting to see web-based and peer-to-peer bots developing, Nazario said. This could affect researchers’ ability to follow the progress of the bot and enterprises’ ability to defend against it.
"It’s very easy for researchers such as ourselves to join [the IRC network] not as a bot but as a person to watch everything going on," he said.
IRC bot a growing threat to enterprise networks
By Dan Kaplan on Mar 8, 2007 12:44AM