Defeating Irc Bots on the Internal Network

The rapid growth of botnets represents the greatest computer security threat facing individuals and corporations today. Fuelled by financial incentives and readily available source code, malware authors pursue aggressively the development of newer modules and the exploitation of code into these bots. For an organization, internal bot infections can have serious repercussions, including the loss of man hours and downtime. The average cost of such incidents runs into tens of thousands of dollars [1]. An early warning system that alerts on and captures bot-like activity in the internal network can be a big help in containing and isolating sources of infection. Having a controlled worm replication environment available in-house can also be helpful, allowing for the quick evaluation of captured worm samples and speedy implementation of countermeasures. This article describes the process of setting up an IRC honeypot on the network – using minimal resources and requiring little maintenance – which can then be used as an early warning system for botnet activity. We also discuss using the IRC honeypot to gain control of infected machines and remove bots from infected machines.