We do see more and more bots that use port 80 for their C&C channel. This will make these bots harder to detect. However, these are IRC servers, so its not that hard to distinguish them from HTTP traffic.

Couple tricks that may help:

• Implement a proxy server to filter outbound port 80 traffic. This is a good idea anyway as it may help you to implement additional filtering for web traffic as well.
• If you suspect an IRC server on port 80 in your own network, a quick scan with nmap (version 4 and later) can help:

nmap -A -p 80 10.0.0.0/24   (The '-A' option will look for service banners)

Interesting ports on 10.0.0.a:
PORT   STATE SERVICE    VERSION
80/tcp open  tcpwrapped            <--- expect this from devices 
                                        using web admin interfaces.

Interesting ports on 10.0.0.b:
PORT   STATE SERVICE VERSION
80/tcp open  http?                 <--- this server is running apache
                                        with customized headers.

Interesting ports on 10.0.0.c:
PORT   STATE SERVICE VERSION
80/tcp open  irc     ircu ircd     <--- this server is running IRC!
Service Info: Host: megaserver

• implement a snort rule to look for IRC traffic on port 80. Snorts 'chat.rules' has a number of rules to detect IRC, but they are limited to port 6666:7000 by default. Make sure you get the latest version. You need to use the "registration required but free" rules.
  

If you don't want to deal with the legal issues of Sourcefire's "VRT" rules, use the  Bleedingthreats rules: IRC Policy Rules, Trojan/Bot IRC rules.