Exposing Bots In Big Companies

CalicoPenny let us know about yet another "30 days" effort, this one to name the names of major companies infected with spam-spewing bots. Support Intelligence began the effort on March 28, out of frustration at not being able to attract the attention of anyone who could fix the problems at these companies. While they haven't named 30 companies over the ensuing month, they did name some prominent ones, such as Thompson Financial, Bank of America, and AIG. The scary part is that if a bot can spam it can capture keystrokes or troll for interesting documents.

Who works for IT divisions in big companies?

[AB3A]

Answer: they're usually the height of mediocrity. The best and brightest, if they're there, are often ignored.

The notion that lots of big companies have spam bots all over the place is not all that hard for me to believe. Their IT divisions are often poorly staffed with folks who were selected with more input from HR than from the actual manager. They look at the certificates and then decide if a person is OK for the job. Honestly, the certificates are not a good gatekeepers to ensure that people without a clue don't find themselves on the front line. They can't be.

We all have known people who were extremely good at passing tests, but for reasons unknown to the rest of us, are unable to use those very skills in a real application. Those are the people who all too frequently end up in big organizations, pretending to know what real IT is. There is no substitute for learning from experience.

And these corporations are about to have one of those learning experiences. It won't be pleasant.

Ya know...

[FlyByPC]

...along with the deinfestation, a little education might go a long way. If employees could be paid to attend a (mandatory) presentation on just how a botnet gets set up, I bet this would reduce the instances of infections by an appreciable amount. (Yeah, not 100%, I know.)

Make it interesting. Start out asking for people's opinions on spam. Get 'em good and worked up. Then set up some network monitor with a nice, easy-to-see graphic interface (maybe write one) and demonstrate how a workstation gets infected by the user running a compromised app. Once it takes hold (pick a good one), pull out the stopwatch, tick off 5-10 seconds, then show how many mails it sent. Then do the math; multiply those ten seconds by 6 to get minutes, then 60, to get hours, then 24. I bet even the math-challenged will get the point quickly, looking at those really large numbers.

Why don't they block outgoing smtp traffic?

[whoever57]

Surely, these large companies could block outgoing port 25 traffic, except for their own email servers. Then the traffic can easily be monitored and spam zombies detected.

Why is this not "best practice"?

This wins the DUH award

[toby]

The scary part is that if a bot can spam it can capture keystrokes or troll for interesting documents.

Uh, yeah, that's why, like, some of us actually run a secure operating system instead of freaking Windows.

I look forward to the day when proposing a Windows SOE is a firing offence. As for the state of American IT... Aren't you guys supposed to have landed on the moon, way back before Microshit was founded? WHAT HAPPENED TO Y'ALL?

Re:This wins the DUH award

[kir]

Yeah... you'd think he'd have grown up by now.

Compared to government agencies

[pedestrian+crossing]

I think it is interesting that we see "report cards" that give government agencies low grades on security, but publicly-owned corporations get a pass.

I seriously doubt that there are any botnets like this running on, say, the DoD network, yet they get a poor grade on security, while a frigging -bank- is pwned, and nobody is too bothered.

Re:Compared to government agencies

[jc42]

I think it is interesting that we see "report cards" that give government agencies low grades on security, but publicly-owned corporations get a pass.

I'd suspect that this is mostly because info about government security problems is often available, while corporations (public or private) are generally very secretive about such problems. Journalists have a tendency to report news when they have information, and not report when they don't have information. People conclude that there are problems in government agencies, but not in corporations. But the correct conclusion is usually "We don't know whether the corporate world has these problems, because we can't get information from them."

Maybe a better approach would be to surmise that, if an organization of any sort is hiding information, this means that it has something going on that it doesn't want us to know.

(Applying this to the Bush Administration rapidly leads to a high degree of suspicion. ;-)

Canary

[pedestrian+crossing]

What I'm saying is that blocking outbound port 25 isn't going to stop cleverly-written spambots.

Absolutely. But -if you are monitoring your FW logs-, you will see the not so cleverly-written ones, and they can be your "canary in the coalmine". If you are seeing any denied outbound attempts, you know that either someone (or some software) is going against policy, or you have a workstation weakness that is being exploited, and you follow up on it.

Sure, this doesn't guarantee that you don't have a problem (ie., cleverly-written malware). You must take a layered approach to security strategy to be effective. Discounting a layer because it doesn't take every single possibility into account is ridiculous. That's why you have depth built into your security strategy, because no single layer works for everything.

That is the problem with most "security solutions" that are being peddled to CIOs, they claim to be a single magic bullet when real security solutions are more about correlation and follow-up from different layers. Not sexy, but very effective.