Should we worry about bot escalation?

Symantec reported a 15-fold increase in bot network incidences in the first half of this year. In January, the security firm identified less than 2,000 bot hosts per day. By June this year, the number had risen to 30,000 hosts per day.

Bots--short for robots--are computer programs sent to perform the tasks of a real person. Bot networks are a collection of systems infected by bots.

These nifty programs can be used, as always, with both good and bad intent. Internet Relay Chat (IRC) bots like the popular Eggdrop, for example, is used by IRC services to keep their chat channels open, as well as protect channels from being hijacked.

Bad use of bots? They can be covertly installed--usually by taking advantage of an unpatched system vulnerability on a host--in order to allow the bot owner to remotely control it. Thus commandeered, bot networks are then used to launch distributed denial of service (DDoS) attacks, send spam e-mail, capture screens, steal application serial numbers and even terminate antivirus software.

IRC bots can also be used as a means to co-ordinate and stage worm-attacks, as with the notorious Gaobot, Spybot and Agobot families.

Rise of bots
If the above sounds like a bad chapter from a new Godfather movie script, it could get much worse. If bot escalation follows the alarming trend reported by Symantec over the next few years, bots will definitely create more than a footnote in any security reports.

To get concurrence on the bot trend, I spoke Symantec rival McAfee. And concurred it did. According to Vincent Gulloto, vice-president of McAfee Anti-Virus Emergency Response Team (AVERT), significant bot incidences have intruded McAfee's radar this year--for the first time as well. AVERT, he said, now sees between 30 to 50 new bot-strains each day.

Are bots more dangerous than other known threats today? I asked Gulloto in a phone interview, and he did not sound overly alarmed.

"It depends," he said. How dangerous a bot is depends on what it is programmed to do.

Naturally. So are bots difficult to stop in their present guises? "A firewall can do that," he replied, adding that in most instances, most organizations won't have too much trouble keeping bots out--if they have firewalls installed and properly configured.

The Symantec camp echoed similar sentiments, although Joy Ghosh, Symantec's Asia enterprise sales director, prescribed two more measures: host-based intrusion detection systems and vulnerability scanner. The latter is to make sure your networks are bot-hardened at all times.

What about in future? Both Gulloto and Ghosh were even-handed in their assessments.

Gulloto felt that the bots themselves are not more dangerous, per se, compared to other known threats. He advised organizations to instead worry more about understanding and fixing the mechanisms that can let bots through, like OS vulnerabilities.

Ghosh rated bot escalation to be as serious as threats like phishing, spam, spyware and broadband router attacks. "Look," he said, "we don't want to create a hue and cry over this but users should take this seriously."

"Organizations should worry because bots have the power to upgrade themselves remotely and quickly spread. Users will find themselves having less time to react."

The window shrinks
Ghosh's last point is what I'm particularly worried about.

As more bots come knocking, any tardiness in patching your network will surely be punished swifter and in deadlier fashion in future.

Forget to update your firewall for one day two years from now? Bots could be crawling up your company's network like an ant swarm that chomps at everything in its sight.

And who knows how sophisticated bots will be in two years' time?

Consider what's already possible with bots today: they can appear on IRC as fake personalities to give automated responses; in virtual hangouts like online games as extra players; and they can team up with different viruses to launch hybrid attacks.

If we extrapolate the rate at which bot network-associated attacks have risen the last six months according to Symantec's count, the numbers can be pretty staggering in 24 months.

Now bear in mind Symantec's bot-incidence escalation rate starts from an almost zero base, so results can be wildly skewed. Still, it's fun--or terrifying, depending on your paranoia level--to do the Symantec math.

Here goes: a 1,500 percent rate of increase in six months from a base of 2,000 incidences per day is... 100 million bot-hosts, per day, by early 2006.

Like I said, my projection above is an extremely crude one. I invite readers to write in with your educated estimates, by clicking on the TalkBack link below.

While you do that, let me go check my firewall configuration.