Rinbot and Bots in General 

Mar 05, 2007 03:00 AM

Recently, a new IRCbot known as Rinbot has been making the news. There are multiple variants of Rinbot (over 20 at the time of writing) and more variants are likely. However, to put Rinbot in perspective, the largest family of bots known as Spybot already has over 30,000 variants. In addition, Rinbot does not introduce any new functionality and, in fact, contains far less default functionality than the average Spybot. Based on the spread of previous variants, we don't foresee a large worldwide outbreak of Rinbot at this time. Nevertheless, just one bot infection on your network can pose trouble.

So, people shouldn't overreact to any threat posed by Rinbot itself, but should instead use this opportunity to ensure they are taking proactive steps to address possible bot infections in their environment in general. Rinbot works like many other IRC bots: it joins an IRC (Internet Relay Chat) server, a service originally designed for chatting before the advent of instant messaging. However, instead of chatting, infected machines simply listen for commands from the hacker and perform them in unison.

Many of the bots we see today are used as staging platforms to deliver other executables such as affiliate pay-per-install adware applications and spam proxies. In addition, to infect more machines, authors instruct their bots to scan for and exploit well-known vulnerabilities. Infected machines that aggressively scan a network and exploit unpatched machines often lead to the largest visible problem inside a corporate network, as more machines become infected and network traffic slows to a crawl. Fortunately, bots mainly use well-known vulnerabilities, and the use of previously unknown exploits is very rare.

Thus, the use of IDS/IPS (Intrusion Detection Systems/Intrusion Prevention Systems) within an environment is a good preventative measure for curtailing bot infections. For example, the Rinbot exploit spreading mechanisms are all detected by Symantec IDS/IPS products, which can therefore prevent endpoints from becoming infected.

In addition, bots generally do not act until receiving a command from their author, and since most corporations have no business need to use unknown IRC servers, this type of traffic can be blocked completely using IPS products or full-inspection proxies/firewalls. Furthermore, desktop firewalls can block such outbound connections.
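The blocking approach above relies on recognising IRC sessions to servers the organisation does not sanction. The following detector is an added example written for this post, not Symantec code or any product's logic: it identifies IRC by its line-oriented verbs in the payload (so a bot talking to a controller on a non-standard port is caught as well as one on 6667) and raises an alert for any session whose destination is not on an allow-list. All addresses, nicknames, channel names and flow records are constructed for the example.

```python
import re
from dataclasses import dataclass

# IRC is line oriented: a client registers with NICK/USER (optionally PASS),
# then JOINs a channel and exchanges PRIVMSG. Matching these verbs at line
# start detects the protocol regardless of the destination port.
IRC_VERBS = re.compile(r"^(PASS|NICK|USER|JOIN|PRIVMSG)\b", re.MULTILINE)
JOIN_CHANNEL = re.compile(r"^JOIN\s+(#\S+)", re.MULTILINE)

@dataclass
class Flow:
    src: str       # internal host
    dst: str       # remote server
    dport: int
    payload: str   # first client-to-server bytes, decoded as text

def looks_like_irc(payload: str) -> bool:
    """Two or more IRC verbs at line start are treated as an IRC session."""
    return len(IRC_VERBS.findall(payload)) >= 2

def detect_irc_c2(flows, allowed_servers):
    """Return one alert per IRC session to a server not on the allow-list."""
    alerts = []
    for f in flows:
        if not looks_like_irc(f.payload) or f.dst in allowed_servers:
            continue
        alerts.append({
            "src": f.src, "dst": f.dst, "dport": f.dport,
            "channels": JOIN_CHANNEL.findall(f.payload),
            "reason": "IRC session to non-allow-listed server",
        })
    return alerts

# Constructed sample data (hypothetical addresses, nicks and channels).
ALLOWED_IRC_SERVERS = {"10.0.0.5"}   # the company's own IRC server
SAMPLE_FLOWS = [
    Flow("10.0.0.12", "203.0.113.7", 6667,
         "NICK [DE]x2k9\r\nUSER x2k9 0 * :x2k9\r\nJOIN #cmd secret\r\n"),
    Flow("10.0.0.15", "198.51.100.4", 3333,      # IRC on a non-standard port
         "PASS drone\r\nNICK drone-0415\r\nJOIN #ctrl\r\n"),
    Flow("10.0.0.20", "192.0.2.10", 443,         # ordinary HTTP, ignored
         "GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Flow("10.0.0.30", "10.0.0.5", 6667,          # sanctioned internal IRC
         "NICK alice\r\nUSER alice 0 * :Alice\r\nJOIN #ops\r\n"),
]

if __name__ == "__main__":
    for alert in detect_irc_c2(SAMPLE_FLOWS, ALLOWED_IRC_SERVERS):
        print(alert)
```

In practice the payload would come from an IDS or full-inspection proxy, and the allow-list would hold only IRC servers the organisation actually operates.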

Of course, many other security technologies and policies also play a role – from anti-virus to locked-down machines – reminding us of the mantra of security-in-depth. In the case of IRC bots, though, their reliance on an IRC server and on remote exploits to spread gives network-aware security solutions (including those at the endpoint) an advantage in preventing further infections.
