Up To 9% of a Company's Machines Are Bot-Infected

ancientribe sends in a DarkReading piece on the expanding footprint of small, targeted botnets in enterprises. "Bot infections are on the rise in businesses, and most come from botnets you've never heard of nor ever will. Botnet researchers at Damballa have found that nearly 60 percent of bot infections in organizations are from bot armies with only a handful to a few hundred bots built to target a particular organization. Only 5 percent of the bot infections were from big-name botnets, such as Zeus/ZDbot and Koobface. And more businesses are getting hit: 7 to 9 percent of an organization's machines are bot-infected, up from 5-to-7 percent last year, according to Damballa. ... [Damballa's] Ollmann says many of the smaller botnets appear to have more knowledge of the targeted organization as well. 'They are very strongly associated with a lot of insider knowledge...and we see a lot of hands-on command and control with these small botnets,' he says. ... Ollmann says botnets of all sizes are also increasingly using more and different types of malware rather than one particular family in order to evade detection. 'Most botnets, even small ones, have hundreds of different pieces of malware and families in use..."

Education

[sopssa]

This is the reason traditional antivirus scanning will not work. If the specific malware is only inside your company or a few hundred PC's, there isn't signatures for them either. You have to educate your company's workers and restrict access in OS instead of blindly trusting your antivirus providers.

Now the same approach doesn't work in homes or educating those random users, but it should work inside your company.

Re:Education

[sopssa]

Moving to Linux does little to help in the situation the article explains. If its targeted at your company, it doesn't matter if you're running Windows or Linux or some other OS. The malware will be designed for it. If its purpose is to steal information or banking details, it runs just fine on user space too, no root required. It might even make the situation worse, since the system is new to almost everyone (and spotting a well hidden malware in Linux is hard)

Re:Education

[spydabyte]

How does this education in a company differ from the home? Payment? Fire them if they're not secure? They've tried that, it's called government. We all see how well that works out.

If you want to be 100% secure, higher smart people and shut off your internet pipe.

Now 99.999%? That's a different story.

This compromises other machine on the same network

[MaraDNS]

This, naturally, compromises other machines on the same network. If another machine on the same network is controlled by hackers, one thing they can do is run a packet sniffer and grab unencrypted passwords. Or read your email (unless you use Gmail and have things set up to always use SSL). Or try to control your computer; it's a lot easier to attack a computer when you're behind the firewall.

The good news is this: Since the computer is a company computer, there's a lot more we can do to find and remove the virus from the computer in question. Such as taking the computer off of the network, making a backup of all data files, and doing a complete reinstall of the OS and all company-approved applications. With or without the computer owner's consent. A corporate IT department has a lot more control over their computers than, say, Comcast.

So the question is this: What are good ways for a corporate IT network to know whether a given computer is a zombie? Analysis of the packets a given computer makes is one way.

Corporate America

[girlintraining]

Why do people blame the company for this?

I worked deployment for several years at a company with about 13,000 servers and 96,000 workstations, as well as over 25,000 POS systems. I can safely say that size is not the problem. Policies are the problem. There is always that one employee that thinks that he can sneak iTunes onto the network and download some mp3s to a flash drive despite the "no pen drives policy". Disabling them doesn't really help -- they have physical access to the machine of course.

If you figure that there are 150,000 employees in your company, and the consumer market has a 5% infection rate, and 1% of your employees decide to bring a flash drive in... Then every five days, someone is plugging an infected flash drive into your network. All the network management in the world cannot control that many people -- I can't replicate myself to stand over each user and remind them of the risks. And since they don't see the consequences as they happen, there's no chance for them to learn.

But blaming corporations for this is stupid. And blaming employees for it isn't productive. The truth of the matter is, as far as the business world is concerned -- viruses, worms, malware, spyware, and the like are the cost of doing business. It would cost way more to fix the problem than to simply let it eat at the margins.

Sorry to say, but your data isn't worth those kinds of expenses.

Re:Corporate America

[ledow]

Because, physical access or not, you should be stopping it anyway.

And if someone plugs something in and pushes a virus onto the network - how different is that to pulling the fire alarm, or jamming the lifts in a skyscraper? The company should be dealing with it - first by basic prevention (no USB access or even no USB ports if they aren't needed), secondly by policies but most importantly by enforcement. With physical access, if an employee plugs in a USB stick and somehow "makes" it work when you've disabled it as an administrator, then it's not an accidental thing - not an unthinking "Oh, I can't send it over the network, I'll just plug in my personal USB and do it at home"... it's a deliberate, wilful act to insert an unauthorised device into the corporate network. No different to plugging in an unsecured wireless router, or anything else.

The *company* should be taking basic precautions with its customer's and its own business data - that means limiting access to the bare minimum required. Then any violation of that (because it *can* be worked around) is a clear attempt to do something deliberately that can damage the entire corporate network - i.e. bye bye, don't trip up on the tech who's rebuilding your machine from a clean image on the way out...

Pushing it onto "random employees do shit and we can't stop it" could cover all sorts of mistakes that the customers and business end up paying for - oops, the customer database was accidentally attached to that email (Demon Internet in the UK earlier this week)... oh well, too many employees to police *that*... ??? No... someone gets disciplined. And eventually that stops happening, especially if you have the right precautions in place to prevent it happening accidentally.

Re:Bot scanner?

[GerardAtJob]

Any good firewall parser then ?
I'm lazy and don't want to read logs or parse them manually...
Anyway It's not even my job (I'm a programmer)! If they're a quick&dirty way to find out I'll try it once a week/month... but I wont read and parse this boring stuff...