Botnets have penetrated most Fortune 500 companies, and the United States leads the world in PCs infected with bots.

And Mac users beware—a new Trojan variant attacks Mac OS systems via social networking sites. If you see a message on a social network like Facebook that says "Is this you in the video?" clicking the item could deliver your computer to a botnet—a network of hijacked machines deployed to steal content and launch distributed denial of service (DDoS) attacks on other sites.

So how do we stop these nefarious campaigns? Shortly after we ran a piece on Japan's national anti-botnet strategy, we had the chance to hear a set of security presentations on botnets. The most comprehensive of these came from Fabian Rothschild and Peter Greko of the HackMiami nonprofit and Tom Murphy from the Bit9 security group. The two outfits laid out different strategies for fighting botnets—data obfuscation (making it harder for botnets to read computer content) and "white lists" (carefully restricting what kinds of apps can be used on an enterprise or institutional network).

The essential difference between the two approaches is instructive. Bit9 focuses (PDF) on fighting bots before they get onto a system, while HackMiami homes in (PDF) on what to do afterward.

After a computer is compromised

Most botmasters, Greko and Rothschild note, aren't technically sophisticated. While Mr. Big may not even know what the word "protocol" means, he can hire others to do the dirty work and focus on collecting and selling stolen data to various illegal markets. The "carders" buy credit card numbers; extortionists want corporate employee logins and administration accounts; spammers want email logins; and creepiest of all, pornographers buy Facebook logins.

Tom Murphy observes that a huge amount of compromise takes place via social networks.

"The profile of advanced threats that we see today, is a lot of it is through social media," he explained. "It's trusted relationships. People get e-mails, and it might be something specific, something from Amazon, or something that establishes some trust. People click on links, and it installs software in a trusted directory, that is sometimes overlooked, and the software resides in the form of something that's legitimate."

The question for Greko and Rothschild is how to protect a computer after it has already been penetrated by a Trojan like Zeus or SpyEye. How do you protect sensitive HTML form data streams or keystroke logs—especially those that include password and financial account information?

These developers divide the "obfuscation" techniques they outline into four categories: basic, medium, hard, and "nightmare." The examples they offer "do not prevent identity theft, just makes it harder for identity theft to happen to your customers."

Basic techniques include the deployment of "extraneous post parameters." Typical bots scour their keystroke logs for names and phrases that are easily recognizable. So deploying phony or incongruous HTML form variable values is one way to make bot log data less usable.

"Medium" methods involve using JavaScript for "data mangling"—adding extra numbers to POST values; using regular-expression switches that turn, say, integers into upper-case characters; or creating functions that send data as a hidden parameter.

Harder techniques include Base64 encoding, which turns each 24-bit group of input (three bytes) into four ASCII characters. The method is best appreciated visually: a line from Thoreau's Walden, "Our inventions are wont to be pretty toys," becomes, in Base64:

"T3VyIGludmVudGlvbnMgYXJlIHdvbnQgdG8gYmUgcHJldHR5IHRveXM="

Finally, the "nightmare" methods include RC4 encryption, a stream cipher built around a key-scheduled array, which programmers can implement in JavaScript (we're not going to outline the technique any further than that, because we don't want to give Ars readers nightmares).
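As an added illustration (this is not code from the article or from the HackMiami slides), here is what the "hard" and "nightmare" steps look like when written out in JavaScript: a hand-rolled Base64 encoder that makes the three-bytes-to-four-characters grouping visible, and an RC4 implementation applied to a form value before it is Base64-wrapped so it survives as a POST parameter. The field value and key below are made-up sample inputs; as the presenters themselves say, this only changes what a form-grabber's log looks like, it does not stop the theft.

```javascript
// Added example, not from the Ars article or HackMiami: Base64 and RC4 as
// client-side form-data obfuscation. Runs under Node (TextEncoder is global).

const B64_ALPHABET =
  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

// Base64: every 24-bit group (three bytes) becomes four 6-bit indexes into
// the alphabet; a short final group (one or two bytes) is padded with '='.
function base64Encode(bytes) {
  let out = "";
  for (let i = 0; i < bytes.length; i += 3) {
    const b0 = bytes[i];
    const b1 = i + 1 < bytes.length ? bytes[i + 1] : 0;
    const b2 = i + 2 < bytes.length ? bytes[i + 2] : 0;
    const triple = (b0 << 16) | (b1 << 8) | b2; // the 24-bit group
    out += B64_ALPHABET[(triple >> 18) & 0x3f];
    out += B64_ALPHABET[(triple >> 12) & 0x3f];
    out += i + 1 < bytes.length ? B64_ALPHABET[(triple >> 6) & 0x3f] : "=";
    out += i + 2 < bytes.length ? B64_ALPHABET[triple & 0x3f] : "=";
  }
  return out;
}

function base64EncodeString(text) {
  return base64Encode(new TextEncoder().encode(text));
}

// RC4 key scheduling (KSA): permute a 256-entry state array under the key.
function rc4Init(keyBytes) {
  const S = new Uint8Array(256);
  for (let i = 0; i < 256; i++) S[i] = i;
  let j = 0;
  for (let i = 0; i < 256; i++) {
    j = (j + S[i] + keyBytes[i % keyBytes.length]) & 0xff;
    [S[i], S[j]] = [S[j], S[i]];
  }
  return S;
}

// RC4 keystream generation (PRGA) XORed over the data; encryption and
// decryption are the same operation, so rc4(key, rc4(key, x)) === x.
function rc4(keyBytes, data) {
  const S = rc4Init(keyBytes);
  const out = new Uint8Array(data.length);
  let i = 0;
  let j = 0;
  for (let n = 0; n < data.length; n++) {
    i = (i + 1) & 0xff;
    j = (j + S[i]) & 0xff;
    [S[i], S[j]] = [S[j], S[i]];
    out[n] = data[n] ^ S[(S[i] + S[j]) & 0xff];
  }
  return out;
}

function toHex(bytes) {
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

// "Nightmare" tier: RC4 the field under a page key, then Base64 the bytes so
// the result is a plain ASCII POST value. The key is a constructed sample.
function obfuscateField(value, key) {
  const enc = new TextEncoder();
  return base64Encode(rc4(enc.encode(key), enc.encode(value)));
}

// Demo with the Thoreau line the article uses and a made-up card field.
const thoreau = "Our inventions are wont to be pretty toys";
console.log("Base64:", base64EncodeString(thoreau));
console.log("RC4+Base64:", obfuscateField("4111111111111111", "page-key-sample"));
```

The RC4 functions are checked in the test against the widely published vector (key "Key", plaintext "Plaintext"), and the Base64 encoder against the article's own Thoreau string.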

Before the bot appears

Bit9's Murphy, on the other hand, describes himself as an evangelist for "application whitelisting."

"You focus on good applications and what you trust versus trying to chase the infinite list of bad software," he explained.

And the list does seem to be infinite. As Verizon's 2010 data breach report noted, 97 percent of the compromised data that the carrier and the United States Secret Service evaluated was taken by customized malware—much of it "repackaged" versions of existing botnet code, revised to avoid anti-virus detection.

So Bit9 continuously monitors all components of an enterprise or institution's infrastructure and collects performance information.

"And then what we do is we build out a white list," Murphy continued. "And a white list would be trusted sources of software. So ultimately on step three, we built out this recognition that when I see software in my environment, no longer am I going to look at it as if it meets my blacklist criteria, the only way it can run is if it meets my whitelist criteria."

Bit9 leverages a global software registry of approximately eight billion records to help identify and confirm software integrity. So if a bot like Conficker appears and it doesn't meet the institution's "trust criteria," it doesn't run.

"We define the policy," he concluded. "Software comes in from any direction. We basically confirm that it's something you trust. If it meets the criteria for trust, it's allowed execution. If it's not, again, down to botnets, all the way down. This could even be Skype. It could be Instant Messenger. Anything that's not authorized doesn't run in the environment."

There you have it—two very different approaches to the great war against botnets, which show no sign of withdrawing from the field. Plenty of Ars readers work in corporate IT; what general techniques have you found most effective at mitigating botnet infiltration and damage?