Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Exposing Bots In Big Companies

Posted by kdawson on Mon Apr 30, 2007 09:24 PM
from the pwned dept.
Security
CalicoPenny let us know about yet another "30 days" effort, this one to name the names of major companies infected with spam-spewing bots. Support Intelligence began the effort on March 28, out of frustration at not being able to attract the attention of anyone who could fix the problems at these companies. While they haven't named 30 companies over the ensuing month, they did name some prominent ones, such as Thompson Financial, Bank of America, and AIG. The scary part is that if a bot can spam it can capture keystrokes or troll for interesting documents.
+ -
story
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Exposing Bots In Big Companies 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • Really? (Score:5, Funny)

    by baldass_newbie (136609) on Monday April 30 2007, @09:31PM (#18936389) Homepage Journal
    The scary part is that if a bot can spam it can capture keystrokes or troll for interesting documents.


    Or troll slashdot.

  • Gives a whole new meaning (Score:5, Funny)

    by overshoot (39700) on Monday April 30 2007, @09:35PM (#18936419)
    to "kicking bot and posting names."

  • Not surprising... (Score:5, Interesting)

    by Penguinisto (415985) on Monday April 30 2007, @09:35PM (#18936421) Journal
    Big company == shedloads of workstations with shedloads of not-too-intelligent computer users.

    Aside from IT efforts to clean up (or at least keep their heads above water), the percentages would likely compare favorably with the home user population at large, methinks. Sometimes (like ferinstance the company I work for) can be outright anal about security (custom images, email that's filtered nine ways from Sunday, etc), and yet about once a month scans will pop up someone who has been bit with the latest variant of (insert malware here). To their credit, the guys here remove it often within minutes of detection- never seen one last more than a couple of hours. (not just saying that because I happen to be a sysadmin there, seriously... the user-end guys are anal about that sort of thing, and if they weren't the network guys would happily shut off the offending port @ the switch to get the user's attention).

    /P

    • The Register reported this about a month ago [slashdot.org] and I'm glad the issue is getting the attention it deserves. Having done some "upgrades" for a major bank and worked at a fortune 500 company, I can say that many supposedly secure corporate networks are owned by spammers. It's a big deal because it's hard to filter out.

      the percentages would likely compare favorably with the home user population at large, methinks.

      You would think that, seeing how much money these companies have to throw into manpower and so

        • Re: (Score:3, Informative)

          by Deagol (323173)
          Just log all internal IPs trying to hit external IPs on port 25 (except your mail servers, of course). That's pretty much it. If it's an NT domain, you can search the authentication logs for the IP to get a pretty good idea of who sits at the machine. Proceed accordingly. Don't fart around with disinfecting -- wipe, reinstall, and lock down.

    • I think it is interesting that we see "report cards" that give government agencies low grades on security, but publicly-owned corporations get a pass.

      I seriously doubt that there are any botnets like this running on, say, the DoD network, yet they get a poor grade on security, while a frigging -bank- is pwned, and nobody is too bothered.

      • Re:Compared to government agencies (Score:4, Insightful)

        by jc42 (318812) on Tuesday May 01 2007, @11:25AM (#18942357) Homepage Journal
        I think it is interesting that we see "report cards" that give government agencies low grades on security, but publicly-owned corporations get a pass.

        I'd suspect that this is mostly because info about government security problems is often available, while corporations (public or private) are generally very secretive about such problems. Journalists have a tendency to report news when they have information, and not report when they don't have information. People conclude that there are problems in government agencies, but not in corporations. But the correct conclusion is usually "We don't know whether the corporate world has these problems, because we can't get information from them."

        Maybe a better approach would be to surmise that, if an organization of any sort is hiding information, this means that it has something going on that it doesn't want us to know.

        (Applying this to the Bush Administration rapidly leads to a high degree of suspicion. ;-)

    • Re: (Score:3, Interesting)

      by pe1chl (90186)
      In a properly administered network, the office users do not have administrator access to their workstation, and the PC cannot connect to random addresses on the Internet on port 25.
      So, the systems do not get easily infected and when they do, they cannot spam the outside world.

      But of course, there are too many users that think they need admin access (and worse: need it all the time). And the worst of those are the programmers. They think they need admin access and fail to test their products under a lesser

  • Send in the lawyers (Score:5, Interesting)

    by secolactico (519805) on Monday April 30 2007, @10:04PM (#18936597) Journal
    How long before some company tries to cover up the embarrassment by suing the people who disclose the fact that they have machines infected with bots? They might not succeed, but they might make life unpleasant for a short while for those who post the info.

  • Who works for IT divisions in big companies? (Score:4, Insightful)

    by AB3A (192265) on Monday April 30 2007, @10:08PM (#18936615) Homepage Journal
    Answer: they're usually the height of mediocrity. The best and brightest, if they're there, are often ignored.

    The notion that lots of big companies have spam bots all over the place is not all that hard for me to believe. Their IT divisions are often poorly staffed with folks who were selected with more input from HR than from the actual manager. They look at the certificates and then decide if a person is OK for the job. Honestly, the certificates are not a good gatekeepers to ensure that people without a clue don't find themselves on the front line. They can't be.

    We all have known people who were extremely good at passing tests, but for reasons unknown to the rest of us, are unable to use those very skills in a real application. Those are the people who all too frequently end up in big organizations, pretending to know what real IT is. There is no substitute for learning from experience.

    And these corporations are about to have one of those learning experiences. It won't be pleasant.

    • Re: (Score:3, Interesting)

      by Penguinisto (415985)
      Depends on how its structured and where exactly you're at within the company.

      The folks I work for has roughly 100,000+ employees, but as the sysadmin for one of the R&D labs, I'm given some very wide latitude. In exchange, I have to be a lot more flexible on lots of aspects than the guys who keep the production servers/network/etc going. IT's a trade-off, but one that I truly enjoy.

      I can't hide behind policy to keep my schedule sane as a downside, in spite of working for a company whose production I

      • No offense, but simply because you're allowed to thrive doesn't mean you have the foggiest idea what you're doing with respect to keeping your machines clean.

        • No offense, but simply because you're allowed to thrive doesn't mean you have the foggiest idea what you're doing with respect to keeping your machines clean.

          None taken - my own evaluation of proficiency is judged by the results of my work as audited on a periodic semi-random basis. Because of the nature of my specific duties, I cannot simply hand off localized email filtering duties to "the email guys", hand off local IOS patching and vigilance to "the network guys", the Oracle and MySQL patches to "the DB guys", and etc. In fact, if anything goes splat in the lab security-wise and spreads to the corp network? I daresay that I'm more responsible for the resu

    • My company, Intrinsic Security [intrinsicsecurity.com] generates as an artifact of product testing a certain amount of data about botnet and worm infestations on company and government networks. I have always tought that these kinds of public exposures would scare off clients, not only the companies named, but many other companies that would lose respect for a security company publically shaming potential clients. I definitely understand the frustation mentioned in the summary, as many people in IT consider themselves to be malware experts and they always think they have "solved" the "problem" by applying the latest antivirus definitions or tweaking their IDS rules. Most IT managers don't seem to really quite understand that the typical malware today is a radically different threat than they were five years ago. Keystroke logging is routine now, a drop-in module for malware authors.

      Am I wrong? Should I publish the list of companies that I know had bots on their networks in March?
      • 174 private corporations and government agencies
      • 48 schools & universities
      • 118 telecom companies (these are partly home DSL / cable modem circuits, partly private companies where the ARIN records are not delegated but rather managed by the ISP)

    • Re: (Score:3, Insightful)

      by DynaSoar (714234) *
      > Answer: they're usually the height of mediocrity. The best and brightest,
      > if they're there, are often ignored.

      IT at big companies are kept busy just trying to keep the base OS and necessary apps puttering along, and resurrecting users' workstations that have melted down or upchucked. Their mediocrity is enforced by the needs and whims of the big suits and PHBs. Corporate budgeting for IT is on a need-to-go basis. If IT has any money left at the end of a fiscal year, rather than letting them put it

      • Re: (Score:3, Insightful)

        by AB3A (192265)
        Actually, I have lots of certificates. I have formal training. The thing is, I was technically proficient BEFORE I got those certificates. The certificates were simply a means to prove to my PHBB and the HR weenies that I really am worthy of the salary I have. Being relatively honest about such things, I don't usually bother to get certified for something unless I'm serious about using that certification. I'm not a certificate collector. My career is not some merit badge collection from the Boy Scouts
        • "I was technically proficient BEFORE I got those certificates."

          "I know many others who also have these certificates. Their capabilities range from extraordinarily adept, to blithering idiot."

          So how did you get technically proficient if you weren't a blithering idiot(but willing to learn) at some point? How did you learn without a few stumbles? As you pointed out, the certifications are often your way in the door. I think it's hard to become technically proficient with a large network without experience.

          "

  • Ya know... (Score:5, Insightful)

    by FlyByPC (841016) on Monday April 30 2007, @10:12PM (#18936645) Homepage
    ...along with the deinfestation, a little education might go a long way. If employees could be paid to attend a (mandatory) presentation on just how a botnet gets set up, I bet this would reduce the instances of infections by an appreciable amount. (Yeah, not 100%, I know.)

    Make it interesting. Start out asking for people's opinions on spam. Get 'em good and worked up. Then set up some network monitor with a nice, easy-to-see graphic interface (maybe write one) and demonstrate how a workstation gets infected by the user running a compromised app. Once it takes hold (pick a good one), pull out the stopwatch, tick off 5-10 seconds, then show how many mails it sent. Then do the math; multiply those ten seconds by 6 to get minutes, then 60, to get hours, then 24. I bet even the math-challenged will get the point quickly, looking at those really large numbers.

    • Re:Ya know... (Score:5, Funny)

      by StikyPad (445176) on Monday April 30 2007, @10:38PM (#18936811) Homepage
      Then do the math.

      Then, to ensure you reach 100% of your target audience, convert the presentation to an animated .gif and e-mail it to everyone on your contact list, instructing them to do the same.
    • I think you really need to add some consequences to the situation for them to really understand. Unfortunately, the IT department and upper management has to be competent enough to understand when the employee was in at fault or they were at fault or it will just be finger pointing game to the easiest target.
  • In comparison to MacOSX or Linux based desktop, Microsoft's desktop operating systems and Microsoft's desktop applications face a disproportionally higher risk of being "infected" with hostile malware. Just relying on third party Antivirus software to prop up a Microsoft flagging security record in no way puts you any closer to the level of security that a switch to another vendors desktop platform can provide. ( Just updating to Vista is no guarantee of better security in comparison to another vendors plat
    • The real point is malware is currently only MS Windows compatible. Other platforms have other problems but there's no way to compare things and no point pretending it's a contest about what is better. For a variety of reasons it can be a good idea to run MS software, but so long as you avoid the hobby versions intended to be used at home and keep the things isolated and monitored they can work well. Fdisk it from orbit and restore from a known good backup - it's the only way to be sure.

      A lot of the MS Wi

      • Some Linux distros have automatic online updating. Unlike Microsoft, they put out updates as soon as they have them instead of waiting for a monthly cycle. I remember one afternoon my system downloaded about a dozen updates, then, just after the updater finished, it checked again and found four more. If your company is using one of those distros, those 100,000 desktops will patch themselves within a few hours after it becomes available.

  • Shouldn't be too hard? (Score:5, Interesting)

    by hklingon (109185) on Monday April 30 2007, @10:34PM (#18936793) Homepage

    It scares me just how prevalent this type of software is.. not just the spam bots but the malware and other stuff meant to steal data. Locating+shutting down spambots is the easiest task. I'm pretty small time but I found something interesting once while working with a new client to get them fixed up with antivirus and internet monitoring software (squid+sarg). I'd locked down some things and I kept noticing one PC trying to connect to yahoo every week at about 2:00 am. Long story short it was apparently attempting to email a 500kb attachment... that was apparently a log of everything typed in the week before and some other stuff. That *almost* went unnoticed. That type of infection is downright scary.... who is going to notice a 500kb email going out through an https connection at yahoo? It didn't even seem to be part of a command+control network... just gathering info??


    The spambot infections is just the most visible symptom of a larger problem... they're talking about some "big name" companies apparently, but it is the smaller and medium sized businesses that really make the world tick... it is simply too complex, challenging and costly to really secure windows boxes without severely compromising functionality. It is also apparently not something that lends itself well to automation... I see big companies using enterprise software to "lock down" workstations and "reset" workstation images as their solution but there isn't really a small business answer here that I know of. If the tools were better/easier to use it might be easier to keep an eye on one's "flock" but it is a horrible pain both in setup and upkeep to really anticipate what might be happening. The entire stack one could use in windows to manage this stuff, from Event Logging to vb scripting automation, and all the way up to group policy is half-assed at best. This is the type of result you can expect.


    this type of story is why I think that learning and/or heuristic scanners (both at the machine and router/firewall/proxy level) are pretty much the only way we can win. I'm not imagining something sentient, mind you, just something that will sift through all the event logs and point me toward things actually worth my attention instead of "every little thing".



  • Why don't they block outgoing smtp traffic? (Score:5, Insightful)

    by whoever57 (658626) on Monday April 30 2007, @10:51PM (#18936925) Journal
    Surely, these large companies could block outgoing port 25 traffic, except for their own email servers. Then the traffic can easily be monitored and spam zombies detected.

    Why is this not "best practice"?
    • I'd love to do this in my org... a large company.

      But our department doesn't have the clout to override the other VPs desire to keep that functionality.

      In fact, I think part of the argument is that we can't respond to their needs quickly enough, partly because we're running around dealing with stuff we wouldn't have to if we were allowed to do things right =-/
      • All the bot needs to do is find out what the user's SMTP server is and use that. That way it doesn't care which outbound ports are open and which are blocked.

        But by then we are dealing with a known quantity at a central location. These companies should be blocking everything their users don't need first and foremost, then they can look at the traffic from their mail server and use standard off the shelf pattern analysis to find the spammer bots.

        It's simple security.
        • I'm not disagreeing with you. What I'm saying is that blocking outbound port 25 isn't going to stop cleverly-written spambots.

          • Canary (Score:5, Insightful)

            by pedestrian crossing (802349) on Tuesday May 01 2007, @03:13AM (#18938045) Homepage Journal

            What I'm saying is that blocking outbound port 25 isn't going to stop cleverly-written spambots.

            Absolutely. But -if you are monitoring your FW logs-, you will see the not so cleverly-written ones, and they can be your "canary in the coalmine". If you are seeing any denied outbound attempts, you know that either someone (or some software) is going against policy, or you have a workstation weakness that is being exploited, and you follow up on it.

            Sure, this doesn't guarantee that you don't have a problem (ie., cleverly-written malware). You must take a layered approach to security strategy to be effective. Discounting a layer because it doesn't take every single possibility into account is ridiculous. That's why you have depth built into your security strategy, because no single layer works for everything.

            That is the problem with most "security solutions" that are being peddled to CIOs, they claim to be a single magic bullet when real security solutions are more about correlation and follow-up from different layers. Not sexy, but very effective.

      • Re: (Score:3, Insightful)

        by Mr. Roadkill (731328)

        All the bot needs to do is find out what the user's SMTP server is and use that. That way it doesn't care which outbound ports are open and which are blocked.

        Indeed. But it's still a good idea to block port 25 on business or educational networks unless it's absolutely needed - as it prevents one class of abusers, i.e. direct-to-mx sending malware, making use of that particular method on your network. There still seems to be a lot of direct-to-mx stuff in circulation, if the evidence in our logfiles is any

      • Re: (Score:3, Interesting)

        by init100 (915886)

        All the bot needs to do is find out what the user's SMTP server is and use that. That way it doesn't care which outbound ports are open and which are blocked.

        There are ways to block that behaviour. You could use SMTP AUTH to authenticate connections to the SMTP server and SSL/TLS to encrypt the connection. That way the bots won't be able to use the SMTP server to send their spam.

      • The problem is M$ on the desktop. Big dumb companies fork over all sorts of money, do what they are told and get slammed anyway. What will be funny is when M$ themselves end up on this list. Who will they blame then?

        How to think like a manager 101: You are presented with two answers to a single problem. One; is to "task" the network/email admins to fix a problem. Two; involves blaming a large vendor. One of these answers actually lets you accomplish something, while the other doesn't. Which do you choo

      • Surely, the bot net operators have already gotten around that on cable networks and those companies that do this. All they have to do is make the bot mail through the company smtp.

        It means you have logs, however. And company mail servers can be run in a far more ``shoot first, ask questions afterwards'' mode because there are far fewer reasons for `abnormal' traffic: for example, a user sending high volumes of messages has fewer legitimate reasns.

        I run the whole internal network on RFC1918, with acce

      • ftp? No way! sftp/ssh2/scp. Sure, it doesn't come installed with Windows. But there are free solutions for that. Port 22, port 80, port 443. That's it. End of story.

  • This wins the DUH award (Score:3, Insightful)

    by toby (759) * on Monday April 30 2007, @10:59PM (#18936975) Homepage Journal
    The scary part is that if a bot can spam it can capture keystrokes or troll for interesting documents.

    Uh, yeah, that's why, like, some of us actually run a secure operating system instead of freaking Windows.

    I look forward to the day when proposing a Windows SOE is a firing offence. As for the state of American IT... Aren't you guys supposed to have landed on the moon, way back before Microshit was founded? WHAT HAPPENED TO Y'ALL?
    • Always a delight to see a 3-digit user ID maintaining the True Spirit of Slashdot.

    • I look forward to the day when proposing a Windows SOE is a firing offence. As for the state of American IT... Aren't you guys supposed to have landed on the moon, way back before Microshit was founded? WHAT HAPPENED TO Y'ALL?

      Well first Microsoft Windows is the most widely used OS in the world. So if "Y'ALL" is referring to the people of the U.S., it looks like we made the most popular OS in the world, which you are probably running. On top of that a large number of the developers of open sources systems are from the U.S. as well. Then of all these "major companies" that are infected (think Fortune 500 or Fortune 100), a large portion [majority?] are U.S. companies. So it doesn't look like a whole lot happened besides a lot

  • Exposing Bots in Big Companies (Score:4, Funny)

    by errxn (108621) on Monday April 30 2007, @11:22PM (#18937095) Homepage Journal
    Exposing bots in big companies? That's easy. I see 'em every day. We even have a nickname for them here..."Middle Management."
    • We even have a nickname for them here..."Middle Management."

      Nah, they're the "dolts".

      Another term people often confuse with "bots" is "bods" who tend to work in HR and Marketing. Unfortunately they also tend to have Middle-Management-like qualities.

  • No way (Score:3, Insightful)

    by madsheep (984404) on Monday April 30 2007, @11:24PM (#18937111) Homepage
    Major companies infected with spam spewing bots?? No way. This is just to ground breaking to be true. Next thing they are going to tell us is that government machines are also infected. Since we all know that major companies and government machines are impenetrable because their users are so smart, savvy, and technologically secure. Oh wait, the users at these places are the same people that use AOL dial up at home. OK.. so maybe it is true *and* unsurprising. :P

  • Sarbanes-Oxley (Score:3, Interesting)

    by thatjavaguy (306073) on Tuesday May 01 2007, @12:02AM (#18937291)
    This is actually pretty big news.

    My understanding is that Sarbanes-Oxley imposes strict IT standards for public companies.
    If the companies involved are indeed Fortune 500 companies then they are exposing themselves to massive lawsuits.

    In the big company that I work in this couldn't happen: we have good firewalls, machines are locked down in terms of downloads, machines are regularly tested/audited and we have a great IT department.

    If I were a CEO of one of these companies I'd be looking to fire the CIO...

    • If I were a CEO of one of these companies I'd be looking to fire the CIO...

      If I were a shareholder, I'd be asking for the resignation of the CEO... the buck stops with him...

  • Bank of America (Score:3, Interesting)

    by omeomi (675045) on Tuesday May 01 2007, @12:05AM (#18937313) Homepage
    Thompson Financial, Bank of America, and AIG.

    So you mean that some of those Bank of America SPAMs are actually coming from Bank of America computers? Woh...
  • The school district I work for is about 80% macs and 20% PCs (running XP) - total number of machines disctrict wide is about 6000. I've asked if I could set up a Linux server and some diskless work stations as a usage test case ... by the response you would think I asked to install an open wireless node in the schools cafeteria. On the other hand if I'd just announced that I'd just installed 35 PCs that would be no problem and everyone would assume they're up to date + antivirus + etc.

    I could lock down that
  • I thought the article was about stuff like this [shoutfile.com].

  • Would prefer outing spam buyers (Score:3, Interesting)

    by mattr (78516) <mattr&telebody,com> on Tuesday May 01 2007, @02:59AM (#18937995) Homepage Journal
    I would be far more interested in a list of companies buying spam and profiting from spam. Names, addresses, phone/fax/email. Having reported this stuff and been hit once recently myself and not recovered from it yet, that is the only thing I want to see now. Get those blasted bankers, insurance and real estate agents into some concrete confinement!
    • Incidentally the crackers who ruined my server were trying to run a Bank of America phishing scam. Is there something about BoA that makes them an easy target? I can guess all sorts of lousy things but I'd like to know if anyone has real info.

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.