Exposing Bots In Big Companies
CalicoPenny let us know about yet another "30 days" effort, this one to name the names of major companies infected with spam-spewing bots. Support Intelligence began the effort on March 28, out of frustration at not being able to attract the attention of anyone who could fix the problems at these companies. While they haven't named 30 companies over the ensuing month, they did name some prominent ones, such as Thompson Financial, Bank of America, and AIG. The scary part is that if a bot can spam it can capture keystrokes or troll for interesting documents.
Aside from IT efforts to clean up (or at least keep their heads above water), the percentages would likely compare favorably with the home user population at large, methinks. Sometimes companies (like, for instance, the company I work for) can be outright anal about security (custom images, email that's filtered nine ways from Sunday, etc.), and yet about once a month scans will pop up someone who has been bitten with the latest variant of (insert malware here). To their credit, the guys here remove it often within minutes of detection; never seen one last more than a couple of hours. (Not just saying that because I happen to be a sysadmin there, seriously... the user-end guys are anal about that sort of thing, and if they weren't the network guys would happily shut off the offending port at the switch to get the user's attention.)
Quo usque tandem abutere, Nimbus, patientia nostra?
How long before some company tries to cover up the embarrassment by suing the people who disclose the fact that they have machines infected with bots? They might not succeed, but they might make life unpleasant for a short while for those who post the info.
Maybe it is time for some people who have been spammed or have had personal sensitive data exposed from infected Windows desktops in these organizations to enter into a series of class action lawsuits against those same organizations for using Microsoft's products. If switching to Linux or MacOSX based desktops would greatly reduce the risk of further intrusion, why should organizations not be "encouraged" to make the move?
The folks I work for have roughly 100,000+ employees, but as the sysadmin for one of the R&D labs, I'm given some very wide latitude. In exchange, I have to be a lot more flexible on lots of aspects than the guys who keep the production servers/network/etc. going. It's a trade-off, but one that I truly enjoy.
As a downside, I can't hide behind policy to keep my schedule sane, in spite of working for a company whose production IT policies practically straddle the phrase "anal retentive". Then again, if I want to switch from one tech/protocol/etc. to something else, as long as it doesn't disturb the developers and engineers, I'm free to do it (within reason, naturally - e.g. if it plugs into the corp network, it adheres to corp standards as seen from those interfaces, etc.).
Even in the biggest, most soulless corporations, you can sometimes find yourself a place in it that not only lets you thrive, but a place where you are encouraged to.
It scares me just how prevalent this type of software is.. not just the spam bots but the malware and other stuff meant to steal data. Locating+shutting down spambots is the easiest task. I'm pretty small time but I found something interesting once while working with a new client to get them fixed up with antivirus and internet monitoring software (squid+sarg). I'd locked down some things and I kept noticing one PC trying to connect to yahoo every week at about 2:00 am. Long story short it was apparently attempting to email a 500kb attachment... that was apparently a log of everything typed in the week before and some other stuff. That *almost* went unnoticed. That type of infection is downright scary.... who is going to notice a 500kb email going out through an https connection at yahoo? It didn't even seem to be part of a command+control network... just gathering info??
The spambot infections are just the most visible symptom of a larger problem... they're talking about some "big name" companies apparently, but it is the smaller and medium sized businesses that really make the world tick... it is simply too complex, challenging and costly to really secure Windows boxes without severely compromising functionality. It is also apparently not something that lends itself well to automation... I see big companies using enterprise software to "lock down" workstations and "reset" workstation images as their solution, but there isn't really a small business answer here that I know of. If the tools were better/easier to use it might be easier to keep an eye on one's "flock", but it is a horrible pain both in setup and upkeep to really anticipate what might be happening. The entire stack one could use in Windows to manage this stuff, from Event Logging to VB scripting automation, and all the way up to Group Policy, is half-assed at best. This is the type of result you can expect.
This type of story is why I think that learning and/or heuristic scanners (both at the machine and router/firewall/proxy level) are pretty much the only way we can win. I'm not imagining something sentient, mind you, just something that will sift through all the event logs and point me toward things actually worth my attention instead of "every little thing".
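The kind of sifting the poster above is asking for, applied to the squid proxy logs mentioned in the same post: this added example (not code from the page or from any poster) scans Squid native-format access.log lines for large CONNECT tunnels during off-hours and reports client/host pairs that repeat, so a weekly 2 a.m. upload stands out from a one-off late night. The log lines, thresholds, hosts and addresses are all constructed for the demo.

```python
"""Sift Squid access.log lines for large off-hours CONNECT tunnels and flag clients
that repeat the pattern. Added example; the sample log lines are constructed."""
from collections import defaultdict
from datetime import datetime, timezone

OFF_HOURS = range(0, 6)        # 00:00-05:59, when nobody should be at a desk
LARGE_BYTES = 256 * 1024       # a 500 KB attachment clears this comfortably
# Constructed sample in Squid native format (not from the page):
# unix_ts elapsed_ms client action/code bytes method url user hierarchy type
SAMPLE_LOG = """\
1175566200.412 61210 10.1.4.22 TCP_TUNNEL/200 523912 CONNECT login.yahoo.com:443 - DIRECT/192.0.2.10 -
1175600000.001 120 10.1.4.22 TCP_MISS/200 8123 GET http://intranet.example.com/ - DIRECT/192.0.2.20 text/html
1175601000.500 95000 10.1.4.50 TCP_TUNNEL/200 900000 CONNECT vpn.example.com:443 - DIRECT/192.0.2.30 -
1176171000.977 60988 10.1.4.22 TCP_TUNNEL/200 519004 CONNECT login.yahoo.com:443 - DIRECT/192.0.2.10 -
1176180000.300 4500 10.1.4.37 TCP_TUNNEL/200 41000 CONNECT mail.example.net:443 - DIRECT/192.0.2.40 -
"""

def parse_line(line):
    """Return (utc datetime, client, bytes, method, host) or None for a short line."""
    f = line.split()
    if len(f) < 7:
        return None
    return datetime.fromtimestamp(float(f[0]), tz=timezone.utc), f[2], int(f[4]), f[5], f[6]

def suspicious_tunnels(log_text):
    """Yield CONNECT records that are both large and inside the off-hours window."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, size, method, host = rec
        if method == "CONNECT" and size >= LARGE_BYTES and ts.hour in OFF_HOURS:
            yield ts, client, size, host

def recurring_beacons(log_text, min_hits=2):
    """Group hits by (client, host); a weekly 2 a.m. upload then stands out from a one-off."""
    hits = defaultdict(list)
    for ts, client, size, host in suspicious_tunnels(log_text):
        hits[(client, host)].append((ts, size))
    report = []
    for (client, host), events in sorted(hits.items()):
        if len(events) >= min_hits:
            report.append({"client": client, "host": host, "count": len(events),
                           "weekdays": sorted({ts.strftime("%a") for ts, _ in events}),
                           "hours": sorted({ts.hour for ts, _ in events}),
                           "bytes": sum(size for _, size in events)})
    return report
```

On the constructed sample only the 10.1.4.22 to login.yahoo.com pair is reported (two Tuesdays at 02:00 UTC); the daytime 900 KB tunnel and the small 04:40 tunnel fall outside one of the two conditions.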
I've been a part of small companies, AT&T and a large utility (heavily regulated).
Every admin thinks they are better. Every IT guy thinks they KNOW how to run a network. Consider a company, a large one, with BRAZILLIONS of dollars like RIM. They screwed the pooch in a big way. Google did it too w/ their email/homepage disappearances.
The reality is computers break. I still contract for a large company on a part time basis. The "best and brightest" have jobs that reflect their skills. They design the network, implement processes and "fix" systems that fail. The rest of the company simply resets passwords and updates user info. Not the brightest bunch, but they don't need them there anyway.
I think parent keeps getting knocked back when s/he applies to big companies because s/he has no formal training.
This is actually pretty big news.
My understanding is that Sarbanes-Oxley imposes strict IT standards for public companies.
If the companies involved are indeed Fortune 500 companies then they are exposing themselves to massive lawsuits.
In the big company that I work in this couldn't happen: we have good firewalls, machines are locked down in terms of downloads, machines are regularly tested/audited and we have a great IT department.
If I were a CEO of one of these companies I'd be looking to fire the CIO...
Thompson Financial, Bank of America, and AIG.
So you mean that some of those Bank of America SPAMs are actually coming from Bank of America computers? Whoa...
Am I wrong? Should I publish the list of companies that I know had bots on their networks in March?
I would be far more interested in a list of companies buying spam and profiting from spam. Names, addresses, phone/fax/email. Having reported this stuff and been hit once recently myself and not recovered from it yet, that is the only thing I want to see now. Get those blasted bankers, insurance and real estate agents into some concrete confinement!
There are ways to block that behaviour. You could use SMTP AUTH to authenticate connections to the SMTP server and SSL/TLS to encrypt the connection. That way the bots won't be able to use the SMTP server to send their spam.
"I was technically proficient BEFORE I got those certificates."
"I know many others who also have these certificates. Their capabilities range from extraordinarily adept, to blithering idiot."
So how did you get technically proficient if you weren't a blithering idiot (but willing to learn) at some point? How did you learn without a few stumbles? As you pointed out, the certifications are often your way in the door. I think it's hard to become technically proficient with a large network without experience.
"there is a very wide gulf between [training] and someone who really performs well on the job."
My career has diverged from administrative work, but very early on I was supporting the windows environment of a telemarketing group with ~150 PCs. "Idiot" is an unfair characterization. I'd say "blundering novice". A lot of things went wrong, but can you blame me for taking the job? Unfortunately, companies don't advertise "Wanted: blithering idiot with certifications".
I'm not lumping you into this group, but your tone is eerily similar to a category of "proficient" people who smugly take delight in the ineptitude of others.