Bots and botting…. A Lost Cause?
Monday October 23, 2006 at 11:39 am CST
Posted by Allysa Myers
There’s been discussion lately about whether we’ve already lost the war against malicious bots. Certainly things are looking fairly grim, as the number of IRC bot variants has grown by leaps and bounds over the last couple of years. Relying strictly on string-based detection against the unending tide certainly appears to be a lost cause.
On the other hand, there have been some more promising developments in recent years:
- Most AV vendors at this point have gone to using some sort of generic detection or behavior-based heuristics against the most popular bot families, which can proactively detect a certain number of new bots
- Firewalls and IDS/IPS products are becoming more widely used, even by home users
- Many corporations are blocking IRC traffic
- ISPs are increasingly involved with security groups that have developed to shut down Command & Control channels used by bots
From my perspective, I see a few things being particularly important in solving the bot problem:
- Further cooperation of security companies and ISPs in order to get more C&Cs shut down
- Further cooperation of security companies, ISPs and Law Enforcement agencies in order to ensure more bot masters face legal action
- ISPs offering more security services than simply AV software (e.g. traffic filtering)
- More security information being available to novice users (e.g. http://pbskids.org/license/)
- More accountability for adware vendors who fund these malicious affiliates
- A paradigm shift, particularly in the home user area, to a security strategy of strategically allowing known-good traffic rather than strategically blocking known-bad traffic
What are your thoughts on the general state of things?
Have the Bot Wars been lost? What more could be done to ensure that Bot Masters don’t make the internet completely unusable?
