Exposing Bots In Big Companies
CalicoPenny let us know about yet another "30 days" effort, this one to name the names of major companies infected with spam-spewing bots. Support Intelligence began the effort on March 28, out of frustration at not being able to attract the attention of anyone who could fix the problems at these companies. While they haven't named 30 companies over the ensuing month, they did name some prominent ones, such as Thompson Financial, Bank of America, and AIG. The scary part is that if a bot can spam it can capture keystrokes or troll for interesting documents.
The scary part is that if a bot can spam it can capture keystrokes or troll for interesting documents.
Or troll slashdot.
The opposite of progress is congress
AFLAC!
to "kicking bot and posting names."
Lacking <sarcasm> tags,
Aside from IT efforts to clean up (or at least keep their heads above water), the percentages would likely compare favorably with the home user population at large, methinks. Sometimes a company (like ferinstance the one I work for) can be outright anal about security (custom images, email that's filtered nine ways from Sunday, etc), and yet about once a month scans will pop up someone who has been bit with the latest variant of (insert malware here). To their credit, the guys here remove it often within minutes of detection; never seen one last more than a couple of hours. (Not just saying that because I happen to be a sysadmin there, seriously... the user-end guys are anal about that sort of thing, and if they weren't the network guys would happily shut off the offending port @ the switch to get the user's attention.)
How long, Nimbus, will you go on abusing our patience?
I for one welcome our overlord poster hating overlords
But I know this guy. And without being graphic or verbose let me see if I can paint a picture. In a word: "Blowback". It's something to see. They play his videos on public access TV in Berlin.
How long before some company tries to cover up the embarrassment by suing the people who disclose the fact that they have machines infected with bots? They might not succeed, but they might make life unpleasant for a short while for those who post the info.
No sig
Answer: they're usually the height of mediocrity. The best and brightest, if they're there, are often ignored.
The notion that lots of big companies have spam bots all over the place is not all that hard for me to believe. Their IT divisions are often poorly staffed with folks who were selected with more input from HR than from the actual manager. They look at the certificates and then decide if a person is OK for the job. Honestly, the certificates are not good gatekeepers to ensure that people without a clue don't find themselves on the front line. They can't be.
We all have known people who were extremely good at passing tests, but for reasons unknown to the rest of us, are unable to use those very skills in a real application. Those are the people who all too frequently end up in big organizations, pretending to know what real IT is. There is no substitute for learning from experience.
And these corporations are about to have one of those learning experiences. It won't be pleasant.
Nearly fifty percent of all graduates come from the bottom half of the class!
...along with the deinfestation, a little education might go a long way. If employees could be paid to attend a (mandatory) presentation on just how a botnet gets set up, I bet this would reduce the instances of infections by an appreciable amount. (Yeah, not 100%, I know.)
Make it interesting. Start out asking for people's opinions on spam. Get 'em good and worked up. Then set up some network monitor with a nice, easy-to-see graphic interface (maybe write one) and demonstrate how a workstation gets infected by the user running a compromised app. Once it takes hold (pick a good one), pull out the stopwatch, tick off 5-10 seconds, then show how many mails it sent. Then do the math; multiply those ten seconds by 6 to get minutes, then 60, to get hours, then 24. I bet even the math-challenged will get the point quickly, looking at those really large numbers.
Paleotechnologist and connoisseur of pretty shiny things.
Maybe it is time some people who have been spammed or have had personal sensitive data exposed from infected Windows desktops in these organizations entered into a series of class action lawsuits against those same organizations for using Microsoft's products. If switching to Linux or MacOSX based desktops would greatly reduce the risk of further intrusion, why should organizations not be "encouraged" to make the move?
It scares me just how prevalent this type of software is.. not just the spam bots but the malware and other stuff meant to steal data. Locating+shutting down spambots is the easiest task. I'm pretty small time but I found something interesting once while working with a new client to get them fixed up with antivirus and internet monitoring software (squid+sarg). I'd locked down some things and I kept noticing one PC trying to connect to yahoo every week at about 2:00 am. Long story short it was apparently attempting to email a 500kb attachment... that was apparently a log of everything typed in the week before and some other stuff. That *almost* went unnoticed. That type of infection is downright scary.... who is going to notice a 500kb email going out through an https connection at yahoo? It didn't even seem to be part of a command+control network... just gathering info??
The spambot infections are just the most visible symptom of a larger problem... they're talking about some "big name" companies apparently, but it is the smaller and medium sized businesses that really make the world tick... it is simply too complex, challenging and costly to really secure Windows boxes without severely compromising functionality. It is also apparently not something that lends itself well to automation... I see big companies using enterprise software to "lock down" workstations and "reset" workstation images as their solution, but there isn't really a small business answer here that I know of. If the tools were better/easier to use it might be easier to keep an eye on one's "flock", but it is a horrible pain both in setup and upkeep to really anticipate what might be happening. The entire stack one could use in Windows to manage this stuff, from Event Logging to VB scripting automation, and all the way up to group policy, is half-assed at best. This is the type of result you can expect.
this type of story is why I think that learning and/or heuristic scanners (both at the machine and router/firewall/proxy level) are pretty much the only way we can win. I'm not imagining something sentient, mind you, just something that will sift through all the event logs and point me toward things actually worth my attention instead of "every little thing".
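The weekly 2 a.m. upload described above is the kind of thing a log-sifting script can surface: not "every little thing", just hosts that push a lot of data to the same place, at a quiet hour, on a steady timer. What follows is an added example, not code from this thread or from any poster. It assumes a custom Squid logformat that records the bytes received from the client (Squid's default format does not record the upload size of a CONNECT tunnel, which is the number this case turns on); the format, the thresholds and the sample log lines are all constructed for the example.

```python
"""Spot a scheduled, off-hours bulk upload in Squid proxy logs.

Added example; not code from the thread. Assumes this custom Squid
logformat (an assumption made for the example):

    logformat upload %ts.%03tu %>a %>st %<st %rm %ru

i.e. epoch seconds.ms, client IP, bytes received from the client,
bytes sent to the client, request method, URL.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median

OFF_HOURS = range(0, 6)          # 00:00-05:59 UTC; use the site's own quiet window
MIN_UPLOAD_BYTES = 256 * 1024    # ignore ordinary form posts and small attachments
MIN_EVENTS = 3                   # need a few repeats before calling it a schedule
PERIOD_TOLERANCE_S = 2 * 3600    # repeats may drift by a couple of hours

# Constructed sample. 10.0.0.17 pushes ~500 KB to mail.yahoo.com around
# 02:00 UTC every Thursday; 10.0.0.5 browses normally during the day;
# 10.0.0.9 makes one large off-hours upload (a backup job), not a schedule.
SAMPLE_LOG = """\
1175133600.000 10.0.0.17 512340 4120 CONNECT mail.yahoo.com:443
1175133650.000 10.0.0.9 900000 2000 CONNECT backup.example.com:443
1175158800.101 10.0.0.5 812 45211 GET http://www.example.com/index.html
1175176800.512 10.0.0.5 640 120330 GET http://www.example.com/news.html
1175738520.220 10.0.0.17 498877 3980 CONNECT mail.yahoo.com:443
1175767200.900 10.0.0.5 701 88010 GET http://www.example.com/
1176342900.310 10.0.0.17 520110 4201 CONNECT mail.yahoo.com:443
1176948100.450 10.0.0.17 503322 4050 CONNECT mail.yahoo.com:443
"""


def parse(log_text):
    """Yield one dict per line: UTC time, client, upload bytes, destination host."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, req_bytes, _resp_bytes, _method, url = line.split(None, 5)
        # CONNECT logs "host:port"; other methods log a full URL
        dest = url.split("/", 3)[2] if "://" in url else url
        yield {
            "when": datetime.fromtimestamp(float(ts), tz=timezone.utc),
            "client": client,
            "up": int(req_bytes),
            "dest": dest,
        }


def find_scheduled_uploads(log_text):
    """Return (client, dest) pairs with repeated large off-hours uploads on a steady period."""
    by_pair = defaultdict(list)
    for e in parse(log_text):
        if e["up"] >= MIN_UPLOAD_BYTES and e["when"].hour in OFF_HOURS:
            by_pair[(e["client"], e["dest"])].append((e["when"], e["up"]))

    findings = []
    for (client, dest), events in by_pair.items():
        if len(events) < MIN_EVENTS:
            continue
        times = sorted(t for t, _ in events)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = median(gaps)
        # A timer-driven exfiltration shows near-constant gaps; human traffic does not.
        if max(abs(g - period) for g in gaps) > PERIOD_TOLERANCE_S:
            continue
        findings.append({
            "client": client,
            "dest": dest,
            "count": len(events),
            "total_bytes": sum(up for _, up in events),
            "period_hours": round(period / 3600, 1),
        })
    return findings


if __name__ == "__main__":
    for f in find_scheduled_uploads(SAMPLE_LOG):
        print(f"{f['client']} -> {f['dest']}: {f['count']} uploads, "
              f"~{f['total_bytes'] // 1024} KB total, every ~{f['period_hours']} h")
```

On the constructed sample this reports only 10.0.0.17 -> mail.yahoo.com:443 (four uploads of about 2 MB in total, every ~168 hours); the one-off backup job and the daytime browsing are left alone. Note that this only works because the proxy is the sole way out: a host that can reach 443 directly never appears in the log at all, which is the other half of the argument for forcing everything through the proxy.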
Seriously, there is no difference.
Instead of suing those who disclose the fact that machines on their LAN are infected, they should sue Microsoft for allowing it. You don't know that Windows is not doing the same nasty spyware tricks that people accuse the bots of doing.
Oh, that's right, there is a difference. The Microsoft EULA covers their ass, whereas the bot does not ask you for permission to spy.
You are being MICROattacked, from various angles, in a SOFT manner.
Bill - "Hey, what's going on here?"
Larry - "Stop giving free checks for life Bill."
Winston - "And free ATM cash withdrawals!"
Charles - "Or we let these spam zombies eat our brains!"
Bankers Pen - "Yeah!"
Bill - "Whoah! Whoah! Guys. People love all the features of WAMU's spam free online checking."
Larry - "Horse Pockey! V1a6rA l0ng D0ng che4p$$! Mmm. Braaaaaains..."
[ Larry, wearing a BOA pin on his collar, begins nibbling on Charles' hairpiece as others join in on the feeding frenzy... ]
[ Bill repeatedly cocks his Remington as the penguin suits start dropping behind the velvet ropes... ]
Bill - "Key log this EFT, baby! Groooovy..."
I hope, when they die, cartoon characters have to answer for their sins.
Surely, these large companies could block outgoing port 25 traffic, except for their own email servers. Then the traffic can easily be monitored and spam zombies detected.
Why is this not "best practice"?
The real "Libtards" are the Libertarians!
I've been a part of small companies, AT&T and a large utility (heavily regulated).
Every admin thinks they are better. Every IT guy thinks they KNOW how to run a network. Consider a company, a large one, with BRAZILLIONS of dollars like RIM. They screwed the pooch in a big way. Google did it too w/ their email/homepage disappearings.
The reality is computers break. I still contract for a large company on a part time basis. The "best and brightest" have jobs that reflect their skills. They design the network, implement processes and "fix" systems that fail. The rest of the company simply resets passwords and updates user info. Not the brightest bunch but they don't need them, there anyway.
The scary part is that if a bot can spam it can capture keystrokes or troll for interesting documents.
Uh, yeah, that's why, like, some of us actually run a secure operating system instead of freaking Windows.
I look forward to the day when proposing a Windows SOE is a firing offence. As for the state of American IT... Aren't you guys supposed to have landed on the moon, way back before Microshit was founded? WHAT HAPPENED TO Y'ALL?
you had me at #!
Exposing bots in big companies? That's easy. I see 'em every day. We even have a nickname for them here..."Middle Management."
In Soviet Russia, Chuck Norris will still kick your ass.
Major companies infected with spam spewing bots?? No way. This is just too groundbreaking to be true. Next thing they are going to tell us is that government machines are also infected. Since we all know that major companies and government machines are impenetrable because their users are so smart, savvy, and technologically secure. Oh wait, the users at these places are the same people that use AOL dial up at home. OK.. so maybe it is true *and* unsurprising. :P
A lot of the MS Windows advocates I know are in the situation where they have never purchased the software and do not have the ability to make good backups (has anyone ever got a flawless restore back from NTbackup? Ok so I exaggerate, but it has problems and that is all a lot of people use). These people tend to stuff about with flawed spyware removers and registry editors and are sometimes confident that their machine is no longer compromised (um, how do you know - they rooted your machine and could have changed any file?).
This is actually pretty big news.
My understanding is that Sarbanes-Oxley imposes strict IT standards for public companies.
If the companies involved are indeed Fortune 500 companies then they are exposing themselves to massive lawsuits.
In the big company that I work in this couldn't happen: we have good firewalls, machines are locked down in terms of downloads, machines are regularly tested/audited and we have a great IT department.
If I were a CEO of one of these companies I'd be looking to fire the CIO...
The Register reported this about a month ago and I'm glad the issue is getting the attention it deserves. Having done some "upgrades" for a major bank and worked at a fortune 500 company, I can say that many supposedly secure corporate networks are owned by spammers. It's a big deal because it's hard to filter out.
the percentages would likely compare favorably with the home user population at large, methinks.
You would think that, seeing how much money these companies have to throw into manpower and software, but it's not always so. I'd really like to know what kind of Voodoo the few successful companies are employing.
Sometimes (like ferinstance the company I work for) can be outright anal about security (custom images, email that's filtered nine ways from Sunday, etc
At some companies, this is no more than an inconvenience to the user. Just think about companies that ban cell phones with cameras while allowing actual cameras. The dumber the company, the less effective and more annoying their "security" measures will be.
The problem with a bot net infection at a major company is filtering the email downstream. What ISP is going to blacklist Bank of America's IP addresses? ISPs have to take and filter each and every mail from major companies or risk shafting mail from a real mail server they don't know about in the same IP range. By contrast, mail from home PCs gets little to no respect. ISPs feel free to reject, block and limit it all at the same time, so the home user can only send some piddling number of mails each day and only through the ISP's SMTP. The botnet people can and do compensate for this by owning more machines, but corporate networks are much better for them.
The root cause, of course, is M$'s easy to abuse desktop.
Friends don't help friends install M$ junk.
Thompson Financial, Bank of America, and AIG.
So you mean that some of those Bank of America SPAMs are actually coming from Bank of America computers? Woh...
ZuluPad, the wiki notepad on crack
Surely, these large companies could block outgoing port 25 traffic, except for their own email servers. Then the traffic can easily be monitored and spam zombies detected.
Surely, the bot net operators have already gotten around that on cable networks and those companies that do this. All they have to do is make the bot mail through the company smtp.
Your idea is a variation on the "blame the user" theme. The problem is M$ on the desktop. Big dumb companies fork over all sorts of money, do what they are told and get slammed anyway. What will be funny is when M$ themselves end up on this list. Who will they blame then?
The school district I work for is about 80% Macs and 20% PCs (running XP) - total number of machines district wide is about 6000. I've asked if I could set up a Linux server and some diskless workstations as a usage test case... by the response you would think I asked to install an open wireless node in the school's cafeteria. On the other hand, if I'd just announced that I'd installed 35 PCs that would be no problem and everyone would assume they're up to date + antivirus + etc.
I could lock down that Linux box pretty tight etc. but Linux is not on their radar.
It's not the years, it's the mileage
Am I wrong? Should I publish the list of companies that I know had bots on their networks in March?
If you mod me down, I shall become more powerful than you could possibly imagine.
Oh what a fucking idiotic statement. Ok. The world switches to Linux. You think the malware creators are going to just fall off the face of the earth or continue developing for Windows? You think that if an exploit is found in Linux, and even if it is corrected in 24 hours that a company with 100,000 desktops is going to apply that fix immediately?
Fantasy is that way--->
I thought the article was about stuff like this.
-- Trinity in high heels carrying a whip: The donimatrix - there is no spoonerism
Some Linux distros have automatic online updating. Unlike Microsoft, they put out updates as soon as they have them instead of waiting for a monthly cycle. I remember one afternoon my system downloaded about a dozen updates, then, just after the updater finished, it checked again and found four more. If your company is using one of those distros, those 100,000 desktops will patch themselves within a few hours after it becomes available.
Good, inexpensive web hosting
I think it is interesting that we see "report cards" that give government agencies low grades on security, but publicly-owned corporations get a pass.
I seriously doubt that there are any botnets like this running on, say, the DoD network, yet they get a poor grade on security, while a frigging -bank- is pwned, and nobody is too bothered.
A house divided against itself cannot stand.
I would be far more interested in a list of companies buying spam and profiting from spam. Names, addresses, phone/fax/email. Having reported this stuff and been hit once recently myself and not recovered from it yet, that is the only thing I want to see now. Get those blasted bankers, insurance and real estate agents into some concrete confinement!
Absolutely. But -if you are monitoring your FW logs-, you will see the not so cleverly-written ones, and they can be your "canary in the coal mine". If you are seeing any denied outbound attempts, you know that either someone (or some software) is going against policy, or you have a workstation weakness that is being exploited, and you follow up on it.
Sure, this doesn't guarantee that you don't have a problem (i.e., cleverly-written malware). You must take a layered approach to security strategy to be effective. Discounting a layer because it doesn't take every single possibility into account is ridiculous. That's why you have depth built into your security strategy, because no single layer works for everything.
That is the problem with most "security solutions" that are being peddled to CIOs, they claim to be a single magic bullet when real security solutions are more about correlation and follow-up from different layers. Not sexy, but very effective.
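The outbound port 25 block suggested earlier in the thread and the "canary in the coal mine" point just above are the same control seen from two sides: the firewall rule stops the dumb bots, and the log of what it stopped tells you which workstation to go look at. The reply that bots will simply relay through the company SMTP server is also right, so the same log can count submissions to the relay per source. The following is an added example, not code from the thread or from any poster. It assumes a netfilter (iptables) policy that allows outbound TCP/25 only from the listed relays, logs every other outbound TCP/25 attempt with the prefix "EGRESS-DROP", and logs accepted workstation connections to the internal relay with "RELAY-ACCEPT"; the prefixes, addresses, thresholds and every log line are constructed for the example.

```python
"""Egress TCP/25 canary over netfilter (iptables) syslog lines.

Added example; not code from the thread. Log prefixes, relay address,
thresholds and all sample lines are assumptions constructed for it.
"""
import re
from collections import Counter, defaultdict

MAIL_RELAYS = {"10.0.0.25"}      # assumed: the only hosts allowed to speak SMTP outbound
MIN_DISTINCT_DESTS = 3           # one blocked destination is a misconfigured client; many is a bot
MAX_RELAY_CONNS = 50             # submissions from one workstation to the relay in the log window

HEADER_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (?:\[[^\]]*\] )?(?P<prefix>\S+) (?P<rest>.*)$"
)

# Shape of a netfilter LOG line; values are filled in by _constructed_log()
LINE = ("{ts} fw1 kernel: [{uptime}] {prefix} IN=eth1 OUT=eth0 SRC={src} DST={dst} "
        "LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID={ident} DF PROTO=TCP SPT={spt} DPT={dpt} "
        "WINDOW=5840 RES=0x00 SYN URGP=0")


def _constructed_log():
    """Build the sample: one bot, one misconfigured client, one relay abuser, plus noise."""
    lines = []
    n = 0

    def add(ts, prefix, src, dst, dpt):
        nonlocal n
        n += 1
        lines.append(LINE.format(ts=ts, uptime=f"{81234 + n}.{n:03d}", prefix=prefix,
                                 src=src, dst=dst, ident=n, spt=50000 + n, dpt=dpt))

    # 10.0.3.41 tries to deliver straight to four outside MXs: a spambot
    for dst in ("203.0.113.25", "198.51.100.7", "192.0.2.9", "203.0.113.99"):
        add("Apr 30 02:14:11", "EGRESS-DROP", "10.0.3.41", dst, 25)
    # 10.0.7.8 has a mail client pointed at an outside server: policy problem, not a bot
    add("Apr 30 02:15:03", "EGRESS-DROP", "10.0.7.8", "203.0.113.25", 25)
    # the legitimate relay delivering mail
    add("Apr 30 02:15:10", "EGRESS-ACCEPT", "10.0.0.25", "203.0.113.25", 25)
    # not SMTP at all; must be ignored
    add("Apr 30 02:15:30", "EGRESS-DROP", "10.0.3.41", "203.0.113.25", 443)
    # 10.0.5.12 relays through the company server (the workaround the replies describe)
    for i in range(120):
        add(f"Apr 30 02:{20 + i // 60:02d}:{i % 60:02d}", "RELAY-ACCEPT", "10.0.5.12", "10.0.0.25", 25)
    # a normal user sending two messages
    for i in range(2):
        add(f"Apr 30 02:3{i}:00", "RELAY-ACCEPT", "10.0.5.13", "10.0.0.25", 25)
    return "\n".join(lines)


SAMPLE_LOG = _constructed_log()


def parse(log_text):
    """Yield (prefix, src, dst) for every logged TCP connection attempt to port 25."""
    for line in log_text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue
        # flag tokens such as DF and SYN carry no '=' and are skipped
        fields = dict(kv.split("=", 1) for kv in m["rest"].split() if "=" in kv)
        if fields.get("PROTO") == "TCP" and fields.get("DPT") == "25":
            yield m["prefix"], fields["SRC"], fields["DST"]


def audit_smtp_egress(log_text):
    """Split port-25 activity into: hosts going direct, likely bots, and relay abusers."""
    direct = defaultdict(set)       # src -> outside destinations it tried to reach
    relay_conns = Counter()         # src -> accepted connections to the internal relay
    for prefix, src, dst in parse(log_text):
        if src in MAIL_RELAYS:
            continue                 # the relay is supposed to do this
        if prefix == "EGRESS-DROP":
            direct[src].add(dst)
        elif prefix == "RELAY-ACCEPT" and dst in MAIL_RELAYS:
            relay_conns[src] += 1
    return {
        "direct_smtp": {src: sorted(dsts) for src, dsts in direct.items()},
        "likely_bots": sorted(s for s, d in direct.items() if len(d) >= MIN_DISTINCT_DESTS),
        "relay_abuse": sorted(s for s, c in relay_conns.items() if c > MAX_RELAY_CONNS),
    }


if __name__ == "__main__":
    report = audit_smtp_egress(SAMPLE_LOG)
    for src, dsts in report["direct_smtp"].items():
        print(f"{src} tried direct SMTP to {len(dsts)} host(s): {', '.join(dsts)}")
    print("likely bots:", report["likely_bots"])
    print("relay abuse:", report["relay_abuse"])
```

On the constructed log the bot (10.0.3.41, four outside destinations) and the relay abuser (10.0.5.12, 120 submissions in a few minutes) are reported, while the single misconfigured client shows up only as a policy violation to follow up on. The relay-abuse count is the weaker of the two signals, since a careful bot will pace itself below whatever threshold you pick; the relay's own logs (sender addresses, recipients per message) are the place to look next.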
"Fdisk it from orbit and restore from a known good backup - it's the only way to be sure."
Brilliant! I may have to change my sig...
I say we take off and nuke it from orbit. It's the only way to be sure...
There is still a week or more of a delay to test the patches. If the security patch is a major overhaul, it could take months. Where I work, we didn't upgrade from Windows 2000 until last year. We still haven't installed IE7. There is a week to 2 week delay between MS releasing a patch and it getting deployed. Programmers need to test their systems to make sure the patch doesn't blow anything up. I can't see any corporation relying on Linux's automatic updates and just keeping it at that.
A Windows botnet can cost as little as $.10 a host. A Solaris botnet can be worth hundreds of dollars per machine because the compromised systems tend to be better connected and, if the initial controller hasn't woken up the sysadmin, there is a good chance the machine might have a good long run. I expect that an OS X botnet will be worth several dollars per machine since Mac users are more likely to have fast unlimited broadband than your average Windows user. Linux users are harder to fit into the demographic slots, but they are just as likely to have a machine on a 100 meg connection as a dialup connection. Since there is more money in hacking the other systems and less competition, why aren't more of them attacked?
And soon to be myspace.
All these bots use common resources like yahoo/geocities for either mailing out or storing online content/payloads.
Seriously, yahoo etc... should have an active role with at least 10-30 people constantly scanning their networks/servers for bot hosters/emailers.
Is it that hard?
Liberty freedom are no1, not dicks in suits.
There is this one guy in my office who is covered head to clothes, looks really, really big, and sounds like a trashcan when walking by. He also sounds like Soundwave whenever he talks.
The fact that criminals will always continue to attack networks does not mean that these attacks will always be equally successful. If we make a crime more difficult and less profitable, it will occur less; that's economics.
Nobody is suggesting that better systems will make botnets completely disappear, and it's asinine of you to pretend that they are.
"I was technically proficient BEFORE I got those certificates."
"I know many others who also have these certificates. Their capabilities range from extraordinarily adept, to blithering idiot."
So how did you get technically proficient if you weren't a blithering idiot (but willing to learn) at some point? How did you learn without a few stumbles? As you pointed out, the certifications are often your way in the door. I think it's hard to become technically proficient with a large network without experience.
"there is a very wide gulf between [training] and someone who really performs well on the job."
My career has diverged from administrative work, but very early on I was supporting the windows environment of a telemarketing group with ~150 PCs. "Idiot" is an unfair characterization. I'd say "blundering novice". A lot of things went wrong, but can you blame me for taking the job? Unfortunately, companies don't advertise "Wanted: blithering idiot with certifications".
I'm not lumping you into this group, but your tone is eerily similar to a category of "proficient" people who smugly take delight in the ineptitude of others.
In any company that's running 100,000 desktops, there's not a snowball's chance in hell that automatic patching is enabled on them - Corporate IT better damn well be reviewing those patches in a controlled environment and then rolling them out after they've been shown to conform to corporate standards and are safe in that network context.
I laughed, I cried, I wished I had mod points to shower upon you.
Headline and/or summary should state clearly that this is limited to MICROSOFT WINDOWS desktops.
Eliminate those, and you're a good deal closer to solving the problem.
CRN's got some more info on this story, including a list of compromised companies that are slated to be posted on that blog, but aren't up yet. They've also got a list of "good" companies that haven't (yet) been spotted generating any spam.
I rarely read replies. But thanks for yours, it made me smile.