For some time now Bots have been growing in importance. They have truly become the most serious infosec threat to networks today. They are insidious, common and borne by some of the easiest-to-exploit vulnerabilities in many client-side applications.
In many cases, organizations have rampant Bot activity inside their networks, though more often than not they have no idea it is happening until a serious event like a DDoS attack shows up on their radar. The sad thing is, this is often too late. The attackers may have already gathered tons of data from network scans, sniffing and keystroke logging. They may already have access to the most critical data on the corporate network.
Now it seems that Bot masters have even begun to implement cryptography to better secure the connections between their programs. This helps protect the Bot traffic from discovery, analysis and reverse engineering attempts. It also makes signature matching and other IDS/IPS techniques much more difficult.
As before, the best defense against Bot attacks remains a twofold process. Organizations must implement proper egress filtering, including port blocking, traffic monitoring and analysis, and proxy use. User systems simply cannot be permitted to directly access the Internet in an unfettered manner in most networks. It is simply too risky.
Secondly, organizations must employ awareness to combat Bot infections. They must teach users about the dangers associated with open surfing, email attachments, instant messaging and peer-to-peer networks. All of these technologies and behaviors pose significant risk to the network environment – be it small, mid-size or enterprise.
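To make the egress-filtering advice concrete, here is an added example (not code from the original post) that audits outbound flow records against a workstation egress policy: traffic may leave only via the web proxy and the internal DNS resolver, a short list of ports is blocked outright, and anything else to a non-internal address is a direct-egress violation. It also does the "monitoring and analysis" half by flagging a host that contacts the same disallowed endpoint at a near-constant interval, the kind of periodic check-in a Bot makes to its controller, which no signature is needed to spot even when the payload is encrypted. The addresses, ports and flow records are all constructed for this example.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed network layout for this example (not from the original post).
INTERNAL_NET = ip_network("10.0.0.0/8")
PROXY = (ip_address("10.0.0.5"), 3128)     # assumed outbound web proxy
RESOLVER = (ip_address("10.0.0.53"), 53)   # assumed internal DNS resolver
ALLOWED = {PROXY, RESOLVER}                # the only egress paths a workstation gets
BLOCKED_PORTS = {25, 6667}                 # direct SMTP and IRC never leave a workstation
BEACON_MIN_FLOWS = 3                       # flows needed before calling a pattern a beacon
BEACON_JITTER_SECONDS = 10                 # tolerated spread between check-in intervals

# Constructed flow records: timestamp, source, destination, destination port, protocol.
SAMPLE_FLOWS = """\
2024-01-01T10:00:00 10.0.1.12 10.0.0.5 3128 tcp
2024-01-01T10:00:05 10.0.1.12 10.0.0.53 53 udp
2024-01-01T10:01:00 10.0.1.12 203.0.113.9 6667 tcp
2024-01-01T10:02:00 10.0.1.12 203.0.113.9 6667 tcp
2024-01-01T10:03:00 10.0.1.12 203.0.113.9 6667 tcp
2024-01-01T10:03:30 10.0.1.40 198.51.100.7 443 tcp
2024-01-01T10:04:00 10.0.1.12 203.0.113.9 6667 tcp
"""


def parse_flows(text):
    """Turn the whitespace-separated records above into dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto = line.split()
        flows.append({
            "ts": datetime.fromisoformat(ts),
            "src": ip_address(src),
            "dst": ip_address(dst),
            "port": int(port),
            "proto": proto,
        })
    return flows


def classify(flow):
    """Apply the egress policy to one flow and return a verdict string."""
    if flow["dst"] in INTERNAL_NET and (flow["dst"], flow["port"]) in ALLOWED:
        return "allowed"            # proxy or resolver: the sanctioned path out
    if flow["port"] in BLOCKED_PORTS:
        return "blocked-port"       # port blocking applies regardless of destination
    if flow["dst"] not in INTERNAL_NET:
        return "direct-egress"      # workstation reaching the Internet without the proxy
    return "allowed"                # internal-to-internal traffic is out of scope here


def find_beacons(flows):
    """Flag hosts that hit the same disallowed endpoint at a near-constant interval."""
    by_key = defaultdict(list)
    for f in flows:
        if classify(f) != "allowed":
            by_key[(f["src"], f["dst"], f["port"])].append(f["ts"])
    beacons = []
    for (src, dst, port), stamps in by_key.items():
        if len(stamps) < BEACON_MIN_FLOWS:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if max(gaps) - min(gaps) <= BEACON_JITTER_SECONDS:
            beacons.append({"src": src, "dst": dst, "port": port,
                            "count": len(stamps), "interval": sum(gaps) / len(gaps)})
    return beacons


def audit(text):
    """Run the policy over a block of flow records and return a report dict."""
    flows = parse_flows(text)
    violations = [dict(f, verdict=classify(f)) for f in flows if classify(f) != "allowed"]
    return {"flows": len(flows), "violations": violations, "beacons": find_beacons(flows)}


if __name__ == "__main__":
    report = audit(SAMPLE_FLOWS)
    for v in report["violations"]:
        print(f"{v['ts'].isoformat()} {v['src']} -> {v['dst']}:{v['port']} {v['verdict']}")
    for b in report["beacons"]:
        print(f"beacon: {b['src']} -> {b['dst']}:{b['port']} x{b['count']} every {b['interval']:.0f}s")
```

On the constructed records the audit reports five violations (four blocked-port flows to IRC and one direct HTTPS connection that bypassed the proxy) and one beacon: the workstation checking in with the same external host every 60 seconds. The policy check is the egress filter's decision; the beacon check is what a monitoring rule would raise to an analyst, and it works on timing alone, so encrypting the Bot's traffic does not hide it.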
Of course, all of this assumes the basic steps of patching, network firewalling and typical anti-virus/anti-spyware are already in place and functioning. You are doing that, right?