Slashdot Mirror


Up To 9% of a Company's Machines Are Bot-Infected

ancientribe sends in a DarkReading piece on the expanding footprint of small, targeted botnets in enterprises. "Bot infections are on the rise in businesses, and most come from botnets you've never heard of nor ever will. Botnet researchers at Damballa have found that nearly 60 percent of bot infections in organizations are from bot armies with only a handful to a few hundred bots built to target a particular organization. Only 5 percent of the bot infections were from big-name botnets, such as Zeus/ZDbot and Koobface. And more businesses are getting hit: 7 to 9 percent of an organization's machines are bot-infected, up from 5-to-7 percent last year, according to Damballa. ... [Damballa's] Ollmann says many of the smaller botnets appear to have more knowledge of the targeted organization as well. 'They are very strongly associated with a lot of insider knowledge...and we see a lot of hands-on command and control with these small botnets,' he says. ... Ollmann says botnets of all sizes are also increasingly using more and different types of malware rather than one particular family in order to evade detection. 'Most botnets, even small ones, have hundreds of different pieces of malware and families in use..."

27 of 146 comments

  1. Up To 9% of a Company's Machines Are Bot-Infected by navygeek · · Score: 4, Funny

    And after reading the linked article, there's another 40% :-p

  2. Education by sopssa · · Score: 5, Insightful

    This is the reason traditional antivirus scanning will not work. If the specific malware is only inside your company or a few hundred PC's, there isn't signatures for them either. You have to educate your company's workers and restrict access in OS instead of blindly trusting your antivirus providers.

    Now the same approach doesn't work in homes or educating those random users, but it should work inside your company.

    1. Re:Education by sopssa · · Score: 5, Insightful

      Moving to Linux does little to help in the situation the article explains. If it's targeted at your company, it doesn't matter if you're running Windows or Linux or some other OS. The malware will be designed for it. If its purpose is to steal information or banking details, it runs just fine in user space too, no root required. It might even make the situation worse, since the system is new to almost everyone (and spotting well-hidden malware in Linux is hard).

    2. Re:Education by spydabyte · · Score: 3, Insightful

      How does this education in a company differ from the home? Payment? Fire them if they're not secure? They've tried that, it's called government. We all see how well that works out.

      If you want to be 100% secure, higher smart people and shut off your internet pipe.

      Now 99.999%? That's a different story.

    3. Re:Education by snowraver1 · · Score: 3, Funny

      ***Irony alert** Title : Education. Text: "If you want to be 100% secure, higher smart people and shut off your internet pipe."

      --
      Copyright 2010. All rights reserved. This comment may not be copied in any way including, but not limited to caching.
    4. Re:Education by fbwhrdpmtajg · · Score: 4, Interesting

      Screw educating, this situation calls for whitelisting and non-administrator privileges.

  3. Voltron Anyone? by Zantac69 · · Score: 3, Funny

    For some reason - this made me think of Voltron. Not the lion voltron - but the crappy vehicle voltron. All the tiny botnets coming together to form a huge botnet...but it would probably be a ro-beast. Maybe then lion voltron could come destroy the evil bot-net ro-beast.

    Great - now my day is ruined because I am going to be looking for an MP3 of the lion voltron assembly thing to put as a ring tone on my phone.

    --
    1331461 is only semiprime *sigh* Alas - I am just short of 1337.
  4. egress filtering by Lord+Ender · · Score: 3, Interesting

    This solution is egress filtering: stop all traffic going out to the internet from desktop computers. Then provide a proxy server (HTTP and SOCKS) users can use to get what they need on the net. The proxy server must be a filtering server--the sort that keeps a list of known malware sites and botnet controllers, so that it can automatically block them.

    With this in place, users will still be able to get what they need from the net, but 99% of bots will be stopped.

    --
    A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    1. Re:egress filtering by TorKlingberg · · Score: 3, Informative

      Not the kind of bots that this article describes, that are targeted specifically to your company.

  5. machine malware infections by viralMeme · · Score: 4, Interesting

    And the vast majority of these 'machine malware infections' run on Windows.

    Half of Fortune 100 companies compromised by new information stealing Trojan

    "Security tool designed to stealthy run on winnt based systems (win2k to winvista) and to stealthy and efficiently spread with 3 spreaders, which were specially designed and improved compared to already known public methods.[sic]" The three spreaders are MSN, USB, and P2P. Listed P2P networks were "ares, bearshare, imesh, shareaza, kazaa, dcplusplus, emule, emuleplus, limewire.[sic]"

  6. Re:Bot scanner? by Anonymous Coward · · Score: 2, Informative

    Any good bot scanner?

    your firewall logs...

  7. This compromises other machine on the same network by MaraDNS · · Score: 4, Insightful

    This, naturally, compromises other machines on the same network. If another machine on the same network is controlled by hackers, one thing they can do is run a packet sniffer and grab unencrypted passwords. Or read your email (unless you use Gmail and have things set up to always use SSL). Or try to control your computer; it's a lot easier to attack a computer when you're behind the firewall.

    The good news is this: Since the computer is a company computer, there's a lot more we can do to find and remove the virus from the computer in question. Such as taking the computer off of the network, making a backup of all data files, and doing a complete reinstall of the OS and all company-approved applications. With or without the computer owner's consent. A corporate IT department has a lot more control over their computers than, say, Comcast.

    So the question is this: What are good ways for a corporate IT network to know whether a given computer is a zombie? Analysis of the packets a given computer makes is one way.

    --
    MaraDNS is an open-source DNS server.
  8. Apple fanboys by Chrisq · · Score: 2, Funny

    I thought it was only Apple fanboys who had to worry about getting their bots infected.

  9. Corporate America by girlintraining · · Score: 3, Insightful

    Why do people blame the company for this?

    I worked deployment for several years at a company with about 13,000 servers and 96,000 workstations, as well as over 25,000 POS systems. I can safely say that size is not the problem. Policies are the problem. There is always that one employee that thinks that he can sneak iTunes onto the network and download some mp3s to a flash drive despite the "no pen drives policy". Disabling them doesn't really help -- they have physical access to the machine of course.

    If you figure that there are 150,000 employees in your company, and the consumer market has a 5% infection rate, and 1% of your employees decide to bring a flash drive in... Then every five days, someone is plugging an infected flash drive into your network. All the network management in the world cannot control that many people -- I can't replicate myself to stand over each user and remind them of the risks. And since they don't see the consequences as they happen, there's no chance for them to learn.

    But blaming corporations for this is stupid. And blaming employees for it isn't productive. The truth of the matter is, as far as the business world is concerned -- viruses, worms, malware, spyware, and the like are the cost of doing business. It would cost way more to fix the problem than to simply let it eat at the margins.

    Sorry to say, but your data isn't worth those kinds of expenses.

    --
    #fuckbeta #iamslashdot #dicemustdie
    1. Re:Corporate America by ledow · · Score: 5, Insightful

      Because, physical access or not, you should be stopping it anyway.

      And if someone plugs something in and pushes a virus onto the network - how different is that to pulling the fire alarm, or jamming the lifts in a skyscraper? The company should be dealing with it - first by basic prevention (no USB access or even no USB ports if they aren't needed), secondly by policies but most importantly by enforcement. With physical access, if an employee plugs in a USB stick and somehow "makes" it work when you've disabled it as an administrator, then it's not an accidental thing - not an unthinking "Oh, I can't send it over the network, I'll just plug in my personal USB and do it at home"... it's a deliberate, wilful act to insert an unauthorised device into the corporate network. No different to plugging in an unsecured wireless router, or anything else.

      The *company* should be taking basic precautions with its customer's and its own business data - that means limiting access to the bare minimum required. Then any violation of that (because it *can* be worked around) is a clear attempt to do something deliberately that can damage the entire corporate network - i.e. bye bye, don't trip up on the tech who's rebuilding your machine from a clean image on the way out...

      Pushing it onto "random employees do shit and we can't stop it" could cover all sorts of mistakes that the customers and business end up paying for - oops, the customer database was accidentally attached to that email (Demon Internet in the UK earlier this week)... oh well, too many employees to police *that*... ??? No... someone gets disciplined. And eventually that stops happening, especially if you have the right precautions in place to prevent it happening accidentally.

    2. Re:Corporate America by giorgiofr · · Score: 2, Insightful

      Yeah right. My boss only hears "blah blah" and thinks "don't care - wanna play golf" when I say "unauthorised device into the corporate network". Tentative policies trying to deal with this stuff make executives cry bloody murder and are promptly removed. And even if anybody cared, there would be legislative obstacles to firing an employee over here: read, it's basically impossible unless they've got some CP on their boxes.

      --
      Global warming is a cube.
    3. Re:Corporate America by BenEnglishAtHome · · Score: 4, Informative

      That's interesting. Where I work, inserting a personally-owned pen drive into a computer on the network that gets caught in a scan results in a suspension. Inserting a personally-owned pen drive that pushes malware out onto the network gets you fired. Inadvertently attaching a spreadsheet with customer data to an email and sending it outside the organization gets you fired, everyone in your area subjected to additional training, and an executive or two dragged before a congressional subcommittee to fall on their swords. Deliberately accessing customer data to which you have no right gets you all of the above, plus you go to jail.

      Other places don't take security as seriously?

    4. Re:Corporate America by Strange+Ranger · · Score: 4, Informative

      (no USB access or even no USB ports if they aren't needed)

      This sort of mentality drives me up a wall. Let's pretend we're the Pentagon and take half the usefulness out of modern technology before we let our users use it.
      No thanks. You're a cost center. I make the company money. If I want to plug a cordless mouse into my laptop to make my 60 hour week easier then I'm going to do that. If you can't figure out a way to let me then F@(% YOU. Sorry but that's how most of us feel. This is the laptop I carry with me everywhere and use all the time. It's the one I take on vacation so I can WORK from vacation. So of course I'm going to want to plug a camera into it and use it for personal use. If you want me to treat it like I don't own it then I'll start leaving it at the office and you can take 15-20 hours of my work every week and shove it. You can't have it both ways. The chance that somebody is targeting the company with a non-scan-able customized piece of malware through the jpegs on my camera's SD card is close enough to NIL. Create a white list of file types, scan the thumbdrive or memory card, do whatever you need to do short of turning into Mordac - Preventer of Information Services. And let me get on with my life. And while you're at it take the 95 things in my system tray that slow my machine down to a crawl and send them to oblivion.

      The company has unsecured trash dumpsters, unsecured phone lines, an unsecured fax machine sitting in every hallway, and people in the mailroom that make 8 bucks an hour. How about addressing those things and getting some perspective before turning my laptop into a 60-hour per week jail sentence. Thanks.

      --
      Operator, give me the number for 911!
  10. Might have to resort to what many schools do? by King_TJ · · Score: 2, Interesting

    It seems like educational institutions have some of the biggest problems with system tampering/hacking/infections, since they're exposed to thousands of students each year who have attitudes of "Who cares? Not MY computer anyway!" and who often think it's a challenge and *fun* trying to mess up the system in question. Unlike hackers trying to infect you with malware over the Internet from some other country, these people have full PHYSICAL access to the computers.

    So how do they manage? Many schools I know have things configured so their workstations get re-imaged nightly from master images on a server. Any unauthorized changes made to the computer only last until that nightly maintenance runs, at the longest. (An admin might re-image a workstation even more quickly than that if he/she realizes it has an issue.)

    I could see large businesses resorting to this, as well - if they're starting to encounter risks as aggressive as bots targeted to their particular businesses.

  11. Re:Bot scanner? by GerardAtJob · · Score: 3, Insightful

    Any good firewall parser then?
    I'm lazy and don't want to read logs or parse them manually...
    Anyway it's not even my job (I'm a programmer)! If there's a quick & dirty way to find out I'll try it once a week/month... but I won't read and parse this boring stuff...

    --
    I can't call that English ;-)
  12. My site has no dedicated IT by __aaqvdr516 · · Score: 2, Informative

    So I've been doing what I can to keep things running smoothly. Recently we 'upgraded' our server with a dedicated line to the corporate network. When the company IT came in, their standard procedure was to image each of the machines with XP SP2, IE6, McAfee, and a few other outdated tools. When they left, half of my machines would hang on logout. A number of the machines wouldn't connect to their antivirus repositories. This story does not surprise me in the least. I asked a lot of questions about why they were using these old revisions, and their answer was "It hasn't been fully tested". It's a good thing I only make electricity and not something really important.

  13. Mod parent up. by khasim · · Score: 5, Interesting

    I'm having a lot of trouble believing some of the claims in that article.

    In a three-month study of more than 600 different botnets found having infiltrated enterprise networks, researchers from Damballa discovered nearly 60 percent are botnets that contain only a handful to a few hundred bots built to target a particular organization. Only 5 percent of the bot infections were from big-name botnets, such as Zeus/ZDbot and Koobface.

    600 botnets

    5% of 600 is 30. So only 30 out of 600 were "big-name"? That doesn't sound like those "big-name" ones are all that big.

    60% of 600 is 360. So their tiny sample found 360 instances of NEW viruses/worms/trojans? I find it very difficult to believe that there are that many sites with custom infections.

    Which leaves 210 infections that are not custom and not "big-name". How did those sites manage that? In my experience, if some site is getting infected by less virulent code, it's also infected by the more virulent code.

    "Of all the enterprises where we've gone into who are customers or as proof-of-concept, 100 percent have had botnet infections," says Gunter Ollmann, vice president of research for Damballa.

    Which makes me question how those sites are selected for them to investigate. NONE of them had decent anti-virus practices?

    The bad guys are also finding that deploying a small botnet inside a targeted organization is a more efficient way of stealing information than deploying a traditional exploit on a specific machine.

    Whoa! I'd think that they're using a different definition of "botnet" than the one I'm familiar with. Of course having more than one machine is more efficient. If nothing else, that one machine is a "single point of failure" that can be re-imaged at any time.

    And Ollmann says many of the smaller botnets appear to have more knowledge of the targeted organization as well. "They are very strongly associated with a lot of insider knowledge...and we see a lot of hands-on command and control with these small botnets," he says.

    I don't see how those two statements support each other. What knowledge do they need? IP ranges, routers, gateways and servers.

    If they remotely control four or five hosts, for instance, then they issue commands to the bots to navigate network shares, retrieve files, or access databases, he says.

    Which they cannot possibly do if they controlled 40 or 50 hosts. Or 400 or 500. Etc. Bullshit.

    "I suspect that a sizable percentage of small botnets are those developed by people who understand or are operating inside a business as employees who want to gain remote access to corporate systems, or by criminal entities that have dug deep and gotten insider information on the environment," Ollmann says.

    Again there is nothing to support those statements.

    "The reason why we know this is the way the malware is constructed -- how it's specific to the host being targeted -- and the types of command and control being used. Bot agents are often hard-coded with the command and control channel" so they can bypass network controls with a user's credentials.

    How can it be "specific to the host being targeted"?

    Aren't "bots" always hardcoded with the "command and control channel"? Such as "use IRC" and "connect to this generated list of sites for updates".

    These mini-botnets tend to rely on popular DIY malware kids, like Ivy and Zeus, to infect their victim machines, he says.

    Damn "malware kids". Get off my lawn!

    And they are typically more automated than bots in the big botnets: "Some designed for the enterprise worm they way around the network and look for common protocols that are open in the enterprise" and infect files, and exploit other hosts in the network, Ollmann says.

    Damn! Not only are they "more automated" but they also have " a lot of hands-on command and control".

    Pure
    Marketing
    Fluff

  14. The best way ... Snort. by khasim · · Score: 3, Informative

    Simply hook up a decent intrusion detection system (Snort is exceptionally decent in this regard) and look at the traffic patterns.

    Workstations contact servers for services provided by those servers. Services that you should be aware of.

    Workstations do not contact other workstations (except for IT support people).

    Then look at outbound traffic. Betsy in Accounting cannot spell IRC so why would she be using that protocol?

    This isn't much help if everything turns to https for command and control. But at least you'd see the sites that those were hitting. Why is someone hitting e3rt49io.cn at 3 in the morning?

  15. Comment removed by account_deleted · · Score: 3, Informative

    Comment removed based on user account deletion

  16. Re:Bot scanner? by Kylock · · Score: 2, Insightful

    While some malware/botnet clients may escape anti-virus detection, the common trait is that they all have to connect to a command and control server. Many IDS products have signatures to detect this type of traffic.

    For example, many "botnet-kits" will connect using IRC on a random high port. IRC usage audit signatures are good for detecting the more common botnet c&c traffic.

    Prevention is key, but it's still not easy - trying to keep Joe User from playing that Michael Jackson video he got in his email from an unknown sender is quite a challenge.
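    An added example, not code from this thread, from Snort, or from Damballa, of the traffic-pattern checks that khasim's "The best way ... Snort" comment and Kylock's "Re:Bot scanner?" reply describe, run over constructed connection records: a workstation talking to another workstation, a workstation reaching a server on a port that isn't one of its known services, IRC recognised by protocol rather than by port, and a desktop reaching the Internet at three in the morning. The subnets, the IT-support host, the approved service list and the sample records are all assumptions made up for the example.

```python
import ipaddress
import re
from datetime import datetime

# Network layout: every value here is an assumption for the example, not
# something the thread or the DarkReading article states about a real network.
WORKSTATIONS = ipaddress.ip_network("10.1.0.0/16")
SERVERS = ipaddress.ip_network("10.2.0.0/16")
IT_SUPPORT = {ipaddress.ip_address("10.1.0.5")}      # allowed to reach other workstations
APPROVED_SERVICES = {                                 # (server, port) pairs workstations use
    (ipaddress.ip_address("10.2.0.10"), 445),         # file server
    (ipaddress.ip_address("10.2.0.20"), 443),         # intranet web
    (ipaddress.ip_address("10.2.0.30"), 53),          # DNS
}
BUSINESS_HOURS = range(7, 20)                         # 07:00 to 19:59

# IRC client registration / channel commands at the start of a line. Matching
# the protocol instead of port 6667 is what catches a kit that picks a random
# high port. "USER " and "PASS " also occur in other protocols, so treat a hit
# as a lead to inspect, not a verdict.
IRC_RE = re.compile(rb"^(PASS|NICK|USER|JOIN|PRIVMSG) ", re.M)


def flag_connection(ts, src, dst, dport, payload):
    """Return the reasons this connection looks bot-like (empty list = nothing odd)."""
    when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    reasons = []

    # 1. Workstations contact servers, not each other (IT support excepted).
    if src_ip in WORKSTATIONS and dst_ip in WORKSTATIONS and src_ip not in IT_SUPPORT:
        reasons.append("workstation-to-workstation")

    # 2. A workstation using a server for something other than its known services.
    if src_ip in WORKSTATIONS and dst_ip in SERVERS and (dst_ip, dport) not in APPROVED_SERVICES:
        reasons.append(f"unapproved-service {dst}:{dport}")

    # 3. IRC on any port, decided by what is in the payload.
    if IRC_RE.search(payload):
        reasons.append(f"irc-protocol on port {dport}")

    # 4. A desktop talking to the Internet outside business hours.
    internal = dst_ip in WORKSTATIONS or dst_ip in SERVERS
    if src_ip in WORKSTATIONS and not internal and when.hour not in BUSINESS_HOURS:
        reasons.append(f"off-hours external {dst}:{dport} at {when:%H:%M}")

    return reasons


def scan(records):
    """Group reasons per source host; hosts with nothing to report are omitted."""
    suspects = {}
    for rec in records:
        reasons = flag_connection(*rec)
        if reasons:
            suspects.setdefault(rec[1], []).extend(reasons)
    return suspects


# Constructed sample records: (timestamp, src, dst, dst_port, first payload bytes).
SAMPLE = [
    ("2010-02-10 09:15:02", "10.1.4.23", "10.2.0.10", 445, b""),
    ("2010-02-10 03:12:44", "10.1.4.23", "198.51.100.7", 8765,
     b"NICK b0t-4f2a\r\nUSER x 8 * :x\r\n"),
    ("2010-02-10 14:02:10", "10.1.4.23", "10.1.7.8", 445, b""),
    ("2010-02-10 14:05:31", "10.1.0.5", "10.1.7.8", 3389, b""),
    ("2010-02-10 11:00:00", "10.1.9.1", "203.0.113.5", 443, b"\x16\x03\x01"),
    ("2010-02-10 12:30:00", "10.1.9.1", "10.2.0.20", 3306, b""),
]

if __name__ == "__main__":
    for host, reasons in scan(SAMPLE).items():
        print(host, *reasons, sep="\n    ")
```

    Running it lists 10.1.4.23 three times (peer-to-peer traffic, IRC on port 8765, and an external connection at 03:12) and 10.1.9.1 once for reaching the intranet web server on 3306, while the IT-support host and the daytime HTTPS connection pass. As khasim notes, a bot that moves its command and control to HTTPS defeats the payload check; the time-of-day and destination checks are then what is left.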

  17. Re:This compromises other machine on the same netw by orange47 · · Score: 2, Insightful

    but, don't packet sniffers grab passwords only on hubs, not the switches that everyone uses nowadays? besides many use google POP3 server, that should be safe(r)?

  18. Re:Bot scanner? by Anonymous Coward · · Score: 2, Informative

    OTOH, Windows has its vulnerabilities baked right in, as shipped.

    Apparently so does Linux.