Well done, John. How do these bots evade IPS and firewalls to infect servers?
Good question. I didn't know the answer so I asked Doug Camplejohn, CEO of Mi5. His response:
John,
A few points:
1) Servers are just other computers on the network without direct human use. While this makes them less vulnerable to user errors (e.g. opening a malicious attachment or visiting a website with a drive-by download), the underlying OS is no less vulnerable than the equivalent desktop system, especially Windows-based servers.
2) Once a system is compromised inside the firewall, the chances to spread and reach an infected server are much greater. Servers are usually configured to allow internal hosts to access more data/ports/protocols than external ones, and we’ve seen UNIX servers get infected via such open ports.
3) We believe that most of the server infections we see come about this way – an individual PC becomes infected, and then spreads to the server via a bot/worm replication method. Some bots scan the network for specific kinds of machines (e.g. mail, database servers), and then can attack them with a type-specific attack (e.g. SQL vulnerabilities). Alternatively, a Remote Access Terminal slipped onto a PC can allow someone from the outside to crawl around the internal network remotely and bypass traditional firewall and IPS defenses.
4) Finally, while firewalls and IPS systems are must-haves for most enterprises, no security system is perfect, and infections can slip by those directly and infect a server from time to time as well.
Hope that helps.
Doug
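
Point 3 of the reply above describes a bot on an infected PC scanning the internal network for mail or database servers. The following is an added example, not part of the original comments or any Mi5 product, showing one way a defender could spot that fan-out in flow records; the record format, internal address range, port list and threshold are all assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")    # assumed internal address range
SERVER_PORTS = {25: "mail", 1433: "database", 3306: "database"}  # assumed list
FANOUT_THRESHOLD = 5                   # assumed: distinct targets per port

# Constructed sample flow records, one per line: "epoch src dst dport"
SAMPLE_FLOWS = """\
1700000000 10.1.5.23 10.2.0.1 1433
1700000001 10.1.5.23 10.2.0.2 1433
1700000002 10.1.5.23 10.2.0.3 1433
1700000003 10.1.5.23 10.2.0.4 1433
1700000004 10.1.5.23 10.2.0.5 1433
1700000005 10.1.5.23 10.2.0.6 1433
1700000010 10.1.5.40 10.2.0.10 1433
1700000011 10.1.5.40 10.2.0.10 1433
1700000012 203.0.113.9 10.2.0.1 25
1700000013 10.1.5.23 10.2.0.1 80
garbage line here
"""

def parse_flows(text):
    """Yield (src, dst, dport) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield ip_address(parts[1]), ip_address(parts[2]), int(parts[3])
        except ValueError:
            continue

def find_internal_scanners(text, threshold=FANOUT_THRESHOLD):
    """Return {(src, port): [targets]} for internal hosts that reach many
    distinct internal hosts on one server port. The whole input is treated
    as a single time window."""
    targets = defaultdict(set)
    for src, dst, dport in parse_flows(text):
        # Only internal-to-internal traffic: the perimeter firewall never sees it.
        if src in INTERNAL and dst in INTERNAL and dport in SERVER_PORTS:
            targets[(str(src), dport)].add(str(dst))
    return {k: sorted(v) for k, v in targets.items() if len(v) >= threshold}

if __name__ == "__main__":
    for (src, port), hosts in find_internal_scanners(SAMPLE_FLOWS).items():
        print(f"{src} contacted {len(hosts)} hosts on {SERVER_PORTS[port]} port {port}")
```

A workstation that talks to one database server repeatedly stays below the threshold; only the host touching many distinct servers on the same port is flagged.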