Up To 9% of a Company's Machines Are Bot-Infected
ancientribe sends in a DarkReading piece on the expanding footprint of small, targeted botnets in enterprises. "Bot infections are on the rise in businesses, and most come from botnets you've never heard of nor ever will. Botnet researchers at Damballa have found that nearly 60 percent of bot infections in organizations are from bot armies with only a handful to a few hundred bots built to target a particular organization. Only 5 percent of the bot infections were from big-name botnets, such as Zeus/ZDbot and Koobface. And more businesses are getting hit: 7 to 9 percent of an organization's machines are bot-infected, up from 5-to-7 percent last year, according to Damballa. ... [Damballa's] Ollmann says many of the smaller botnets appear to have more knowledge of the targeted organization as well. 'They are very strongly associated with a lot of insider knowledge...and we see a lot of hands-on command and control with these small botnets,' he says. ... Ollmann says botnets of all sizes are also increasingly using more and different types of malware rather than one particular family in order to evade detection. 'Most botnets, even small ones, have hundreds of different pieces of malware and families in use..."
Any good bot scanner?
I can't call that English
And after reading the linked article, there's another 40% :-p
This is the reason traditional antivirus scanning will not work. If the specific malware is only inside your company or a few hundred PCs, there aren't signatures for them either. You have to educate your company's workers and restrict access in the OS instead of blindly trusting your antivirus providers.
Now the same approach doesn't work in homes or educating those random users, but it should work inside your company.
For some reason - this made me think of Voltron. Not the lion voltron - but the crappy vehicle voltron. All the tiny botnets coming together to form a huge botnet...but it would probably be a ro-beast. Maybe then lion voltron could come destroy the evil bot-net ro-beast.
Great - now my day is ruined because I am going to be looking for an MP3 of the lion voltron assembly thing to put as a ring tone on my phone.
1331461 is only semiprime *sigh* Alas - I am just short of 1337.
It sounds like the company in question provides security services, so isn't this piece of 'research' an advertisement for their services?
This solution is egress filtering: stop all traffic going out to the internet from desktop computers. Then provide a proxy server (HTTP and SOCKS) users can use to get what they need on the net. The proxy server must be a filtering server--the sort that keeps a list of known malware sites and botnet controllers, so that it can automatically block them.
With this in place, users will still be able to get what they need from the net, but 99% of bots will be stopped.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
And the vast majority of these 'machine malware infections' run on Windows.
Half of Fortune 100 companies compromised by new information stealing Trojan
"Security tool designed to stealthy run on winnt based systems (win2k to winvista) and to stealthy and efficiently spread with 3 spreaders, which were specially designed and improved compared to already known public methods.[sic]" The three spreaders are MSN, USB, and P2P. Listed P2P networks were "ares, bearshare, imesh, shareaza, kazaa, dcplusplus, emule, emuleplus, limewire.[sic]"
This, naturally, compromises other machines on the same network. If another machine on the same network is controlled by hackers, one thing they can do is run a packet sniffer and grab unencrypted passwords. Or read your email (unless you use Gmail and have things set up to always use SSL). Or try to control your computer; it's a lot easier to attack a computer when you're behind the firewall.
The good news is this: Since the computer is a company computer, there's a lot more we can do to find and remove the virus from the computer in question. Such as taking the computer off of the network, making a backup of all data files, and doing a complete reinstall of the OS and all company-approved applications. With or without the computer owner's consent. A corporate IT department has a lot more control over their computers than, say, Comcast.
So the question is this: What are good ways for a corporate IT network to know whether a given computer is a zombie? Analysis of the packets a given computer makes is one way.
MaraDNS is an open-source DNS server.
And more businesses are getting hit: 7 to 9 percent of an organization's machines are bot-infected, up from 5-to-7 percent last year, according to Damballa.
I think the bolded "an" is a typo, otherwise, this sentence makes little sense.
I thought it was only Apple fanboys who had to worry about getting their bots infected.
Why do people blame the company for this?
I worked deployment for several years at a company with about 13,000 servers and 96,000 workstations, as well as over 25,000 POS systems. I can safely say that size is not the problem. Policies are the problem. There is always that one employee that thinks that he can sneak iTunes onto the network and download some mp3s to a flash drive despite the "no pen drives policy". Disabling them doesn't really help -- they have physical access to the machine of course.
If you figure that there are 150,000 employees in your company, and the consumer market has a 5% infection rate, and 1% of your employees decide to bring a flash drive in... Then every five days, someone is plugging an infected flash drive into your network. All the network management in the world cannot control that many people -- I can't replicate myself to stand over each user and remind them of the risks. And since they don't see the consequences as they happen, there's no chance for them to learn.
But blaming corporations for this is stupid. And blaming employees for it isn't productive. The truth of the matter is, as far as the business world is concerned -- viruses, worms, malware, spyware, and the like are the cost of doing business. It would cost way more to fix the problem than to simply let it eat at the margins.
Sorry to say, but your data isn't worth those kinds of expenses.
#fuckbeta #iamslashdot #dicemustdie
It seems like educational institutions have some of the biggest problems with system tampering/hacking/infections, since they're exposed to thousands of students each year who have attitudes of "Who cares? Not MY computer anyway!" and who often think it's a challenge and *fun* trying to mess up the system in question. Unlike hackers trying to infect you with malware over the Internet from some other country, these people have full PHYSICAL access to the computers.
So how do they manage? Many schools I know have things configured so their workstations get re-imaged nightly from master images on a server. Any unauthorized changes made to the computer only last until that nightly maintenance runs, at the longest. (An admin might re-image a workstation even more quickly than that if he/she realizes it has an issue.)
I could see large businesses resorting to this, as well - if they're starting to encounter risks as aggressive as bots targeted to their particular businesses.
Free trial of my new, award-winning bot cleaner at www.no_more_botnets.com.
If I was a CTO and my department found a botnet like this, I'd be very tempted to play the disinformation game. Clean up some of them, but with others, just move the machines to an isolation area and start feeding them faked drafts of sales figures, annual reports, engineering drawings of dead-end designs, whatever else the botnet might be looking for. Alas there's probably some SEC regulation against that sort of thing.
So I've been doing what I can to keep things running smoothly. Recently we 'upgraded' our server with a dedicated line to the corporate network. When the company IT came in, their standard procedure was to image each of the machines with XP SP2, IE6, McAfee, and a few other outdated tools. When they left, half of my machines would hang on logout. A number of the machines wouldn't connect to their antivirus repositories. This story does not surprise me in the least. I asked a lot of questions about why they were using these old revisions, and their answer was "It hasn't been fully tested". It's a good thing I only make electricity and not something really important.
You can usually locate a zombie by its insatiable appetite for human flesh. Other indicators tend to be lack of comprehension regarding basic command like 'stop' or 'there's a tasty young blonde over there'.
"Lack of speed can be overcome. In the worst case by patience." --Znork
The main problem is that, for a system to be sure, at least one part of it has to be strict. Since Windows is fairly permissive, security requires a sysadmin to be something of a hardass - a position which is not often appreciated by users. At my office, for instance, people constantly complain that our sysadmin doesn't allow them to install *anything* on their PCs, assuming that they even have full PCs (about 1/2 of them are Citrix thin clients). On the other hand, as I explain to them, I've worked in IT for a long time, + I've never seen a network as securely-run as ours; much of this is due to our sysadmin's being a hardass. If, on the other hand, people are given the freedom to install their own s/w, they often wind up installing trojans and so forth.
-Z
You read the article? Please hand in your Slashdot membership on your way out.
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
The other 91% are infected with users :(
Now I understand why my previous employer disconnected its old network from the internet, and gave everyone a new computer (on a separate network) solely for internet work. This made life extremely complicated for everyone, as they made and published browser-based games.
When's the last time you saw a machine that rebooted from read-only storage* get an infection that lasted past a reboot?
*this means a BIOS that is, from a virus's perspective, read-only as well.
In some corporate environments, commodity client computers that boot from a known-good, read-only boot disk with a writable "cache" portion that's flushed daily or weekly will do the trick. User data should be stored on the network anyways. Many VM environments offer this type of functionality, and it might be a good idea if bare-metal environments offered it as well.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Now I understand why my previous employer disconnected its old network from the internet, and gave everyone a new computer (on a separate network) solely for internet work. This made life extremely complicated for everyone, as they made and published browser-based games.
sounds like that university who blocked game web sites and they have game programming classes.
I'm having a lot of trouble believing some of the claims in that article.
600 botnets
5% of 600 is 30. So only 30 out of 600 were "big-name"? That doesn't sound like those "big-name" ones are all that big.
60% of 600 is 360. So their tiny sample found 360 instances of NEW viruses/worms/trojans? I find it very difficult to believe that there are that many sites with custom infections.
Which leaves 210 infections that are not custom and not "big-name". How did those sites manage that? In my experience, if some site is getting infected by less virulent code, it's also infected by the more virulent code.
Which makes me question how those sites are selected for them to investigate. NONE of them had decent anti-virus practices?
Whoa! I'd think that they're using a different definition of "botnet" than the one I'm familiar with. Of course having more than one machine is more efficient. If nothing else, that one machine is a "single point of failure" that can be re-imaged at any time.
I don't see how those two statements support each other. What knowledge do they need? IP ranges, routers, gateways and servers.
Which they cannot possibly do if they controlled 40 or 50 hosts. Or 400 or 500. Etc. Bullshit.
Again there is nothing to support those statements.
How can it be "specific to the host being targeted"?
Aren't "bots" always hardcoded with the "command and control channel"? Such as "use IRC" and "connect to this generated list of sites for updates".
Damn "malware kids". Get off my lawn!
Damn! Not only are they "more automated" but they also have "a lot of hands-on command and control".
Pure
Marketing
Fluff
Simply hook up a decent intrusion detection system (Snort is exceptionally decent in this regard) and look at the traffic patterns.
Workstations contact servers for services provided by those servers. Services that you should be aware of.
Workstations do not contact other workstations (except for IT support people).
Then look at outbound traffic. Betsy in Accounting cannot spell IRC so why would she be using that protocol?
This isn't much help if everything turns to https for command and control. But at least you'd see the sites that those were hitting. Why is someone hitting e3rt49io.cn at 3 in the morning?
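As an added example (not code from this thread or from Snort), here are the pattern checks described above run over a few constructed connection-log lines: workstations should only talk to inventoried services, never to each other, Accounting has no business speaking IRC, and a desktop reaching an unfamiliar site at 3 a.m. deserves a look even when the payload is HTTPS. The subnets, helpdesk host, service inventory and log lines are all assumed sample data.

```python
"""Flag bot-like traffic patterns in a simple connection log (added example)."""
from datetime import datetime
from ipaddress import ip_address, ip_network

WORKSTATIONS = ip_network("10.1.0.0/16")         # assumed desktop range
INTERNAL = [ip_network("10.0.0.0/8")]            # assumed corporate address space
IT_SUPPORT = {ip_address("10.1.0.5")}            # assumed helpdesk host (may reach desktops)
KNOWN_SERVICES = {                               # assumed inventory of (server, port)
    ("10.2.0.10", 445), ("10.2.0.11", 3389), ("10.2.0.12", 53), ("10.2.0.20", 3128),
}
IRC_PORTS = {6660, 6661, 6662, 6663, 6664, 6665, 6666, 6667, 6668, 6669, 6697, 7000}
BUSINESS_HOURS = range(7, 20)                    # 07:00-19:59 local

# Constructed log, one connection per line: "timestamp src dst dport name"
# (name is the HTTP host / TLS SNI seen on the wire, or '-' if none).
SAMPLE_LOG = """\
2009-09-25T09:12:01 10.1.4.22 10.2.0.10 445 -
2009-09-25T09:12:05 10.1.4.22 10.2.0.20 3128 intranet.example
2009-09-25T09:13:40 10.1.0.5 10.1.4.22 3389 -
2009-09-25T09:14:02 10.1.4.22 10.1.4.23 445 -
2009-09-25T10:01:11 10.1.4.22 198.51.100.7 6667 -
2009-09-25T03:02:59 10.1.7.9 203.0.113.44 443 e3rt49io.cn
2009-09-25T11:30:00 10.1.7.9 10.2.0.20 3128 news.example
"""


def parse(line):
    ts, src, dst, port, name = line.split()
    return datetime.fromisoformat(ts), ip_address(src), ip_address(dst), int(port), name


def findings_for(ts, src, dst, port, name):
    """Return the names of every heuristic that fires for one connection."""
    hits = []
    if src not in WORKSTATIONS:
        return hits                              # only desktops are in scope here
    internal = any(dst in net for net in INTERNAL)
    if internal and dst in WORKSTATIONS and src not in IT_SUPPORT:
        hits.append("workstation-to-workstation")
    if internal and dst not in WORKSTATIONS and (str(dst), port) not in KNOWN_SERVICES:
        hits.append("unknown-internal-service")
    if port in IRC_PORTS and src not in IT_SUPPORT:
        hits.append("irc-from-desktop")
    if not internal and ts.hour not in BUSINESS_HOURS:
        hits.append("off-hours-external")        # e.g. the 3 a.m. visit to an unknown .cn host
    return hits


def analyse(log_text):
    """Return (src, dst, port, name, hits) for every connection that triggered a heuristic."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, name = parse(line)
        hits = findings_for(ts, src, dst, port, name)
        if hits:
            flagged.append((str(src), str(dst), port, name, hits))
    return flagged


if __name__ == "__main__":
    for src, dst, port, name, hits in analyse(SAMPLE_LOG):
        print(f"{src} -> {dst}:{port} ({name}): {', '.join(hits)}")
```

The helpdesk host's RDP session to a desktop and the proxy traffic pass clean; the desktop-to-desktop SMB, the IRC connection and the off-hours external hit are the three lines an analyst would pull.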
This, naturally, compromises other machines on the same network... Or try to control your computer; it's a lot easier to attack a computer when you're behind the firewall.
Most enterprises now segregate their internal networks with a series of firewalls as well.
So the question is this: What are good ways for a corporate IT network to know whether a given computer is a zombie?
There are a lot of tools designed for exactly this purpose. Some of the better ones integrate with your routers and will do more than give you a list of infected machines. They'll attempt to find them automatically and identify them and notify you and either automatically or on command quarantine the infected systems by filtering out traffic from them or from a chunk of your network using the routers. At least one tool can quarantine a particular network section, while still whitelisting the normal, critical traffic in and out of that subsection, so if a branch office is infected, the machines' traffic to the rest of the world and to the rest of your network is blackholed, with the exception of the server they host which uploads payroll. That server is limited to its normal connections though, so it can only talk to the other payroll server and only on the same port at the normal time.
*hangs head and sadly says* Okay, my bad...I'll go... :(
Up To 9% of a Company's Machines Are Bot-Infected
Excellent. If I infect those 9% myself then no more can be infected. Easy life.
[Intentionally left blank]
What tools exist to diagnose this nowadays? I would think that sticking a proxy between your modem and router (assuming you're not using a built-in) would let you do some pretty quick and dirty traffic analysis. I would also think that open source router firmwares could do the same.
Heck, I would like to know for my own purposes at my home office to occasionally verify my PCs and friends laptops aren't acting like botnet zombies.
And you could probably turn it into a fairly interesting consulting gig.
It is more productive to voice thoughtful opinions (reply) than to judge (moderate) others.
Did the article mention which company?
An infection rate of 7 to 9 percent of IP addresses? That's a very narrow range. Too narrow to be credible. None of the enterprises had, say, 4 or 12 percent compromised?
These folks are statistically impaired. They probably are sitting on a lot of really useful data, but they don't know what it means. Certainly, they haven't released enough information for anyone to draw conclusions from it.
I'm a Programmer. That's one level above Software Engineer and one level below Engineer.
But don't packet sniffers grab passwords only on hubs, not the switches that everyone uses nowadays? Besides, many use Google's POP3 server; that should be safe(r)?
"Botnets, spammer's botnets!
What kind of boxes are on botnets?
Compaq, HP, Dell and Sony, true!
Gateway, Packard Bell, maybe even Asus, too!
Are boxes, found on botnets.
All running Windows, FOO!"
I'm running Mac OS X 10.5.8, here.
Why, yes. Yes I AM a smug bastard!
Thanks for asking.
Guaranteed! This comment 100% Anthrax free!
Whether you make the company money or not, is completely irrelevant. You get PAID to do what you do; you are owed nothing beyond your check and whatever else is listed on your stub, baby.
The fact that you get paid, means that you likely have the means to purchase YOUR OWN laptop, on which to conduct your personal business, but no.......fuck them, right?
The fact is, they CAN have it both ways, not YOU. Most professionals work from a sense of personal pride, and do what they feel is necessary to get the job done, not as barter for perks.
My guess is that you are probably nowhere near as successful as you think you are, but if you would like to find out, why not post your screed on your LinkedIn page, and see how many employers (including your current one) are enamored with your attitude.
Here is a clue: NOBODY successful gives a shit about 60 hours, because they don't count them. They just get things done, and look for more to do.
Most switches allow you to map a port to another port for monitoring. You can also use a physical tap. I haven't done network forensics in quite a while; I wonder if there is a plug-in for Snort that would automatically step through the switch ports, moving to the next one every NN seconds in a round-robin fashion using an SSH or console connection.
There is no right to feel safe thru security vaudeville at the expense of everyone's freedom, privacy and tax money.
A little irrelevant, but I have noticed my entire adult life, from the 70's onward since I've been paying attention to stuff like this, that educated estimates of something in the general population are amazingly often about 10%. This cannot be a coincidence.
I've often thought that 10% was a figure that these researchers come to because single digits are insignificant but still small enough that no one can easily disprove it. Or there is some natural law that correlates an anomaly in the general population to hover predictably around 10% to give the full benefit of the doubt.
But when a researcher announces a percentage for something that they're estimating in the general population, watch how often it will be about 10%.
And I really think it will be much more than about 10% of the time, btw.
rd
If the botnet operators are clever enough, they could really get the scoop on CareerBuilder, Monster, Classifieds, etc. Imagine the job placement assistance service they could provide if they had direct access to various corporate HR databases. Why wait months for a reply (if one ever comes) if a hacker could assist in moving you up the queue such that you get to talk to a real person and perhaps even an interview if not the job. If only I knew a botnet operator, I'd even give my first paycheck provided the "service" was successful.
I'm not sure what that makes worse though: the crap economy, pointy-haired management, stingy businesses unwilling to consider new hires, or myself willing to dispose of some ethics because I'm desperate due to my savings running out and knowing I could really use the work.
I wrote a special software program that actually let's you see the bots in action and posted it on YouTube. Here it is: http://www.youtube.com/watch?v=lLYD_-A_X5E
L'esperienza de questa dolce vita (The experience of this sweet life) - Dante Alighieri, The Divine Comedy
That's the "gen-X" problem of not understanding that you can't treat the work computer as your own. When you enforce strict policies they just think you are going too far, treating them unfairly, and think that as a cost centre IT people shouldn't be allowed to tell those that are making money for the company what to do in the first place. Leave social change to the management or you'll just be wasting a lot of time arguing and developing a reputation as a BOFH. That will eventually hurt the pay packet or get your name put first in the list of redundancies especially since people will not want to talk to you about real problems so you'll get blamed for not fixing long running problems that nobody told you about.
The answer is to assume that their machines will get a pile of malware and be ready to do something about it. It actually can be amusing, one employee managed to get a pile of malware on Win4Lin by downloading something to crack encrypted PDF files. It took less than two minutes to fix that one. If it's a real MS Windows machine life is much more difficult but that's why you keep the retired machines around as spares.
When every program on the system, from Solitaire.exe to the MP3 player, has complete access to read, write or delete all of the user's files, connect to any computer on the internet, etc., it's no wonder malware thrives.
To achieve 0% we have yet only to find and execute or castrate botnet owners. This is a matter of international importance and should be made a televised sport.
Prizes for the most excruciating demise of adult bot owners and points toward prizes for sterilization of underage botnet owners. Fox would televise it.
*Repent! Quit Your Job! Slack Off! The World Ends Tomorrow and You May Die!
"This is the reason traditional antivirus scanning will not work. If the specific malware is only inside your company or a few hundred PCs, there aren't signatures for them either. You have to educate your company's workers and restrict access in the OS instead of blindly trusting your antivirus providers. Now the same approach doesn't work in homes or educating those random users, but it should work inside your company." - by sopssa (1498795) * on Friday September 25, @09:51AM (#29538977)
See my subject-line, & IF/WHEN you add in the domainnames/hostnames of the "command & control" servers that botnets use? Then, the workstation with said newly amended HOSTS file CANNOT EVEN REACH THEM FOR NEW "ORDERS", period.
Same thing would work on servers also, no questions asked.
(There are plenty of GOOD reliable & reputable sources for that kind of information, & my personal favs are SpyBot "Search & Destroy" via its "immunize" feature, ZDNet's Mr. Dancho Danchev's blogspot here -> http://ddanchev.blogspot.com/ & also SRI, here -> http://mtc.sri.com/ as well as other reputable & kept-up-to-date HOSTS files listed here @ wikipedia -> http://en.wikipedia.org/wiki/Hosts_file )
This technique, works... & on a VERY simple principle:
"IF YOU CAN'T GO INTO THE KITCHEN, YOU CAN'T GET BURNED..."
APK
P.S.=> This can also be done via DENY commands in a routers' routing tables also, as an alternate to HOSTS file usage, but personally, I'd recommend doing it in BOTH places, for added "layered security" (if not also adding these to various browsers' "block lists", such as IE's "restricted zones" &/or Opera's urlfilter.ini-filter.ini files as well as FireFox's too)... apk
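As an added example (not APK's tooling, and the domains are constructed), this merges a feed of command-and-control hostnames into a HOSTS file in the way the comment above describes, rejects malformed entries, never overrides an existing local mapping, and then checks what the resulting file actually covers. The lookup helper makes the main caveat visible: HOSTS matches exact names only, so a subdomain the operator has not been listed under still falls through to real DNS, which is one reason the comment's "both places" advice (router or DNS layer as well) matters.

```python
"""Merge a C&C hostname blocklist into a HOSTS file and check coverage (added example)."""
import re

# RFC 1123-style hostname: dotted labels, letters/digits/hyphens, alphabetic TLD.
HOST_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
SINKHOLE = "0.0.0.0"      # unroutable target; 127.0.0.1 would hand the bot to any local listener

# Constructed existing HOSTS content and constructed blocklist feed.
EXISTING_HOSTS = """\
127.0.0.1 localhost
10.2.0.10 fileserver.corp.example
"""
BLOCKLIST = """\
# constructed C&C names; '#' comments allowed, one name per line
c2-update.example
www.c2-update.example
bad host.example
EVIL.Example.
"""


def parse_hosts(text):
    """Map each hostname in HOSTS-file text to its address (last entry wins, as resolvers do)."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            mapping[name.lower()] = addr
    return mapping


def load_blocklist(text):
    """Return (accepted, rejected) hostnames; anything that is not a plain hostname is rejected."""
    accepted, rejected = [], []
    for raw in text.splitlines():
        name = raw.split("#", 1)[0].strip().lower().rstrip(".")
        if not name:
            continue
        (accepted if HOST_RE.match(name) else rejected).append(name)
    return accepted, rejected


def merge(hosts_text, blocklist_text):
    """Return (new HOSTS text, rejected names). Existing entries are kept as they are."""
    mapping = parse_hosts(hosts_text)
    accepted, rejected = load_blocklist(blocklist_text)
    for name in accepted:
        mapping.setdefault(name, SINKHOLE)       # never clobber a legitimate local mapping
    lines = [f"{addr} {name}" for name, addr in sorted(mapping.items())]
    return "\n".join(lines) + "\n", rejected


def resolves_to(hosts_text, hostname):
    """Address the HOSTS file answers for this exact name, or None if it falls through to DNS."""
    return parse_hosts(hosts_text).get(hostname.lower().rstrip("."))


if __name__ == "__main__":
    merged, bad = merge(EXISTING_HOSTS, BLOCKLIST)
    print(merged, "rejected:", bad)
    print("update.c2-update.example ->", resolves_to(merged, "update.c2-update.example"))
```

A bot that carries a hard-coded IP address instead of a name bypasses the HOSTS file entirely, which is the other case the router-level deny rules in the comment are there to catch.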