Up To 9% of a Company's Machines Are Bot-Infected

ancientribe sends in a DarkReading piece on the expanding footprint of small, targeted botnets in enterprises. "Bot infections are on the rise in businesses, and most come from botnets you've never heard of nor ever will. Botnet researchers at Damballa have found that nearly 60 percent of bot infections in organizations are from bot armies with only a handful to a few hundred bots built to target a particular organization. Only 5 percent of the bot infections were from big-name botnets, such as Zeus/ZDbot and Koobface. And more businesses are getting hit: 7 to 9 percent of an organization's machines are bot-infected, up from 5-to-7 percent last year, according to Damballa. ... [Damballa's] Ollmann says many of the smaller botnets appear to have more knowledge of the targeted organization as well. 'They are very strongly associated with a lot of insider knowledge...and we see a lot of hands-on command and control with these small botnets,' he says. ... Ollmann says botnets of all sizes are also increasingly using more and different types of malware rather than one particular family in order to evade detection. 'Most botnets, even small ones, have hundreds of different pieces of malware and families in use..."

Education

[sopssa]

This is the reason traditional antivirus scanning will not work. If the specific malware is only inside your company or a few hundred PC's, there isn't signatures for them either. You have to educate your company's workers and restrict access in OS instead of blindly trusting your antivirus providers.

Now the same approach doesn't work in homes or educating those random users, but it should work inside your company.

Re:Education

[sopssa]

Moving to Linux does little to help in the situation the article explains. If its targeted at your company, it doesn't matter if you're running Windows or Linux or some other OS. The malware will be designed for it. If its purpose is to steal information or banking details, it runs just fine on user space too, no root required. It might even make the situation worse, since the system is new to almost everyone (and spotting a well hidden malware in Linux is hard)

Re:Corporate America

[ledow]

Because, physical access or not, you should be stopping it anyway.

And if someone plugs something in and pushes a virus onto the network - how different is that to pulling the fire alarm, or jamming the lifts in a skyscraper? The company should be dealing with it - first by basic prevention (no USB access or even no USB ports if they aren't needed), secondly by policies but most importantly by enforcement. With physical access, if an employee plugs in a USB stick and somehow "makes" it work when you've disabled it as an administrator, then it's not an accidental thing - not an unthinking "Oh, I can't send it over the network, I'll just plug in my personal USB and do it at home"... it's a deliberate, wilful act to insert an unauthorised device into the corporate network. No different to plugging in an unsecured wireless router, or anything else.

The *company* should be taking basic precautions with its customer's and its own business data - that means limiting access to the bare minimum required. Then any violation of that (because it *can* be worked around) is a clear attempt to do something deliberately that can damage the entire corporate network - i.e. bye bye, don't trip up on the tech who's rebuilding your machine from a clean image on the way out...

Pushing it onto "random employees do shit and we can't stop it" could cover all sorts of mistakes that the customers and business end up paying for - oops, the customer database was accidentally attached to that email (Demon Internet in the UK earlier this week)... oh well, too many employees to police *that*... ??? No... someone gets disciplined. And eventually that stops happening, especially if you have the right precautions in place to prevent it happening accidentally.

Mod parent up.

[khasim]

I'm having a lot of trouble believing some of the claims in that article.

In a three-month study of more than 600 different botnets found having infiltrated enterprise networks, researchers from Damballa discovered nearly 60 percent are botnets that contain only a handful to a few hundred bots built to target a particular organization. Only 5 percent of the bot infections were from big-name botnets, such as Zeus/ZDbot and Koobface.

600 botnets

5% of 600 is 30. So only 30 out of 600 were "big-name"? That doesn't sound like those "big-name" ones are all that big.

60% of 600 is 360. So their tiny sample found 360 instances of NEW viruses/worms/trojans? I find it very difficult to believe that there are that many sites with custom infections.

Which leaves 210 infections that are not custom and not "big-name". How did those sites manage that? In my experience, if some site it getting infected by less virulent code, it's also infected by the more virulent code.

"Of all the enterprises where we've gone into who are customers or as proof-of-concept, 100 percent have had botnet infections," says Gunter Ollmann, vice president of research for Damballa.

Which makes me question how those sites are selected for them to investigate. NONE of them had decent anti-virus practices?

The bad guys are also finding that deploying a small botnet inside a targeted organization is a more efficient way of stealing information than deploying a traditional exploit on a specific machine.

Whoa! I'd think that they're using a different definition of "botnet" than the one I'm familiar with. Of course having more than one machine is more efficient. If nothing else, that one machine is a "single point of failure" than can be re-imaged at any time.

And Ollmann says many of the smaller botnets appear to have more knowledge of the targeted organization as well. "They are very strongly associated with a lot of insider knowledge...and we see a lot of hands-on command and control with these small botnets," he says.

I don't see how those two statements support each other. What knowledge do they need? IP ranges, routers, gateways and servers.

If they remotely control four or five hosts, for instance, then they issue commands to the bots to navigate network shares, retrieve files, or access databases, he says.

Which they cannot possibly do if they controlled 40 or 50 hosts. Or 400 or 500. Etc. Bullshit.

"I suspect that a sizable percentage of small botnets are those developed by people who understand or are operating inside a business as employees who want to gain remote access to corporate systems, or by criminal entities that have dug deep and gotten insider information on the environment," Ollmann says.

Again there is nothing to support those statements.

"The reason why we know this is the way the malware is constructed -- how it's specific to the host being targeted -- and the types of command and control being used. Bot agents are often hard-coded with the command and control channel" so they can bypass network controls with a user's credentials.

How can it be "specific to the host being targeted"?

Aren't "bots" always hardcoded with the "command and control channel"? Such as "use IRC" and "connect to this generated list of sites for updates".

These mini-botnets tend to rely on popular DIY malware kids, like Ivy and Zeus, to infect their victim machines, he says.

Damn "malware kids". Get off my lawn!

And they are typically more automated than bots in the big botnets: "Some designed for the enterprise worm they way around the network and look for common protocols that are open in the enterprise" and infect files, and exploit other hosts in the network, Ollmann says.

Damn! Not only are they "more automated" but they also have " a lot of hands-on command and control".

Pure
Marketing
Fluff