Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security

Exposing Bots In Big Companies 113

CalicoPenny let us know about yet another "30 days" effort, this one to name the names of major companies infected with spam-spewing bots. Support Intelligence began the effort on March 28, out of frustration at not being able to attract the attention of anyone who could fix the problems at these companies. While they haven't named 30 companies over the ensuing month, they did name some prominent ones, such as Thompson Financial, Bank of America, and AIG. The scary part is that if a bot can spam it can capture keystrokes or troll for interesting documents.
This discussion has been archived. No new comments can be posted.

Exposing Bots In Big Companies

Comments Filter:
  • Really? (Score:5, Funny)

    by baldass_newbie ( 136609 ) on Monday April 30, 2007 @09:31PM (#18936389) Homepage Journal
    The scary part is that if a bot can spam it can capture keystrokes or troll for interesting documents.


    Or troll slashdot.
  • by overshoot ( 39700 ) on Monday April 30, 2007 @09:35PM (#18936419)
    to "kicking bot and posting names."
  • Not surprising... (Score:5, Interesting)

    by Penguinisto ( 415985 ) on Monday April 30, 2007 @09:35PM (#18936421) Journal
    Big company == shedloads of workstations with shedloads of not-too-intelligent computer users.

    Aside from IT efforts to clean up (or at least keep their heads above water), the percentages would likely compare favorably with the home user population at large, methinks. Sometimes (like ferinstance the company I work for) can be outright anal about security (custom images, email that's filtered nine ways from Sunday, etc), and yet about once a month scans will pop up someone who has been bit with the latest variant of (insert malware here). To their credit, the guys here remove it often within minutes of detection- never seen one last more than a couple of hours. (not just saying that because I happen to be a sysadmin there, seriously... the user-end guys are anal about that sort of thing, and if they weren't the network guys would happily shut off the offending port @ the switch to get the user's attention).

    /P

    • The Register reported this about a month ago [slashdot.org] and I'm glad the issue is getting the attention it deserves. Having done some "upgrades" for a major bank and worked at a fortune 500 company, I can say that many supposedly secure corporate networks are owned by spammers. It's a big deal because it's hard to filter out.

      the percentages would likely compare favorably with the home user population at large, methinks.

      You would think that, seeing how much money these companies have to throw into manpower and so

      • by ewieling ( 90662 )
        I'd work on getting the bots shutdown, but I can't seem to find any information in actually FINDING the damn things. We don't have the budget hire a full time person to handle infected machines. If we could find the machines then we might be able to do something about them. As it is we filter out all outgoing SMTP.
        • Re: (Score:3, Informative)

          by Deagol ( 323173 )
          Just log all internal IPs trying to hit external IPs on port 25 (except your mail servers, of course). That's pretty much it. If it's an NT domain, you can search the authentication logs for the IP to get a pretty good idea of who sits at the machine. Proceed accordingly. Don't fart around with disinfecting -- wipe, reinstall, and lock down.
    • by pedestrian crossing ( 802349 ) on Tuesday May 01, 2007 @02:47AM (#18937959) Homepage Journal

      I think it is interesting that we see "report cards" that give government agencies low grades on security, but publicly-owned corporations get a pass.

      I seriously doubt that there are any botnets like this running on, say, the DoD network, yet they get a poor grade on security, while a frigging -bank- is pwned, and nobody is too bothered.

      • by jc42 ( 318812 ) on Tuesday May 01, 2007 @11:25AM (#18942357) Homepage Journal
        I think it is interesting that we see "report cards" that give government agencies low grades on security, but publicly-owned corporations get a pass.

        I'd suspect that this is mostly because info about government security problems is often available, while corporations (public or private) are generally very secretive about such problems. Journalists have a tendency to report news when they have information, and not report when they don't have information. People conclude that there are problems in government agencies, but not in corporations. But the correct conclusion is usually "We don't know whether the corporate world has these problems, because we can't get information from them."

        Maybe a better approach would be to surmise that, if an organization of any sort is hiding information, this means that it has something going on that it doesn't want us to know.

        (Applying this to the Bush Administration rapidly leads to a high degree of suspicion. ;-)

      • In regards to Bank of America, they didn't get hit as bad as the summary implies. If you look at the description for the Bank of America "botnet", you'll find that it wasn't exactly a botnet. One machine popped up spewing some spam and it was shut down pretty quickly. Another server popped up about a week later and that one was shut down in a few hours. I wouldn't exactly call that pwnage. Even still, it is scary that anything like that is happening at a bank. Fortunately, it seems the admins over at
    • Re: (Score:3, Interesting)

      by pe1chl ( 90186 )
      In a properly administered network, the office users do not have administrator access to their workstation, and the PC cannot connect to random addresses on the Internet on port 25.
      So, the systems do not get easily infected and when they do, they cannot spam the outside world.

      But of course, there are too many users that think they need admin access (and worse: need it all the time). And the worst of those are the programmers. They think they need admin access and fail to test their products under a lesser
      • Re: (Score:1, Informative)

        by Anonymous Coward
        Admin access on a PC and getting out to the internet on port 25 are two completely different things.
        It comes down to a model of seperation and trust and applying policies at the proper place, not trust as in trust the users but trust the workstations and what is plugged into your network. Spyware, bots, viruses etc are the reason you should never trust a computer on the network, it does not matter whether you trust the user of that computer or not. The network engineer or a developer does not need port 25
  • Send in the lawyers (Score:5, Interesting)

    by secolactico ( 519805 ) on Monday April 30, 2007 @10:04PM (#18936597) Journal
    How long before some company tries to cover up the embarrassment by suing the people who disclose the fact that they have machines infected with bots? They might not succeed, but they might make life unpleasant for a short while for those who post the info.
    • Seriously, there is no difference.

      Instead of suing those who disclose the fact
      that machines on their lan are infected,
      they should sue Microsoft for allowing it.

      You don't know that Windows is not doing the
      same nasty spyware tricks that people accuse
      the bots of doing.

      Oh, that's right, there is a difference.

      The Microsoft EULA covers their ass, whereas
      the bot does not ask you for permission to spy.

      • by thogard ( 43403 )
        The only ones who can sue Microsoft are the ones who don't agree to their terms anymore. There are plenty of consumer product protection laws that are clear that Microsoft's failure to recall their buggy software is illegal. Its just going to take someone who wants to be the next the next Ralph Nader to take the case.

        A worm attacked my server through an exploit and M$ took care of my bandwidth bills.
    • Since March 28, the list identified more than a dozen corporations, including [...] Bank of America.

      "Army of Botness", to be aired May 2, 2007

      Bill - "Hey, what's going on here?"
      Larry - "Stop giving free checks for life Bill."
      Winston - "And free ATM cash withdrawals!"
      Charles - "Or we let these spam zombies eat our brains!"
      Bankers Pen - "Yeah!"
      Bill - "Whoah! Whoah! Guys. People love all the features of WAMU's spam free online checking."
      Larry - "Horse Pockey! V1a6rA l0ng D0ng che4p$$! Mmm. Braaaaaains..."

      [ L

    • by abb3w ( 696381 )

      How long before some company tries to cover up the embarrassment by suing the people who disclose the fact that they have machines infected with bots? They might not succeed, but they might make life unpleasant for a short while for those who post the info.

      Probably a little while, since it would be monumentally stupid. The obvious first step for the sued is talk to a lawyer (IAmNotALawyer). Then, have their lawyer to get a judge to order preservation of the current system state on each of the suspected

  • by AB3A ( 192265 ) on Monday April 30, 2007 @10:08PM (#18936615) Homepage Journal
    Answer: they're usually the height of mediocrity. The best and brightest, if they're there, are often ignored.

    The notion that lots of big companies have spam bots all over the place is not all that hard for me to believe. Their IT divisions are often poorly staffed with folks who were selected with more input from HR than from the actual manager. They look at the certificates and then decide if a person is OK for the job. Honestly, the certificates are not a good gatekeepers to ensure that people without a clue don't find themselves on the front line. They can't be.

    We all have known people who were extremely good at passing tests, but for reasons unknown to the rest of us, are unable to use those very skills in a real application. Those are the people who all too frequently end up in big organizations, pretending to know what real IT is. There is no substitute for learning from experience.

    And these corporations are about to have one of those learning experiences. It won't be pleasant.
    • Re: (Score:3, Interesting)

      by Penguinisto ( 415985 )
      Depends on how its structured and where exactly you're at within the company.

      The folks I work for has roughly 100,000+ employees, but as the sysadmin for one of the R&D labs, I'm given some very wide latitude. In exchange, I have to be a lot more flexible on lots of aspects than the guys who keep the production servers/network/etc going. IT's a trade-off, but one that I truly enjoy.

      I can't hide behind policy to keep my schedule sane as a downside, in spite of working for a company whose production I

      • by bberens ( 965711 )
        No offense, but simply because you're allowed to thrive doesn't mean you have the foggiest idea what you're doing with respect to keeping your machines clean.
        • No offense, but simply because you're allowed to thrive doesn't mean you have the foggiest idea what you're doing with respect to keeping your machines clean.

          None taken - my own evaluation of proficiency is judged by the results of my work as audited on a periodic semi-random basis. Because of the nature of my specific duties, I cannot simply hand off localized email filtering duties to "the email guys", hand off local IOS patching and vigilance to "the network guys", the Oracle and MySQL patches to "the DB guys", and etc. In fact, if anything goes splat in the lab security-wise and spreads to the corp network? I daresay that I'm more responsible for the resu

          • by azrider ( 918631 )

            Because of the nature of my specific duties, I cannot simply hand off localized email filtering duties to "the email guys", hand off local IOS patching and vigilance to "the network guys", the Oracle and MySQL patches to "the DB guys", and etc

            Hear, Hear!! When I worked as a sysadm in classified labs, it was my job to keep the network and its attached systems secure. While the company I worked for had a network group, they were only allowed to make changes that my team approved. This meant that we (I) h

    • by Anonymous Coward
      I've been apart of small companies, AT&T and a large utility (heavily regulated).

      Every admin thinks they are better. Every IT guy thinks they KNOW how to run a network. Consider a company, a large one, with BRAZILLIONS of dollars like RIM. They screwed the pooch in a big way. Google did it too w/ their email/homepage disappearings.

      The reality is computers break. I still contract for a large company on a part time basis. The "best and brightest" have jobs that reflect their skills. They design the n
    • Re: (Score:1, Interesting)

      by Anonymous Coward
      I think parent keeps getting knocked back when s/he applies to big companies because s/he has no formal training.
      • Re: (Score:3, Insightful)

        by AB3A ( 192265 )
        Actually, I have lots of certificates. I have formal training. The thing is, I was technically proficient BEFORE I got those certificates. The certificates were simply a means to prove to my PHBB and the HR weenies that I really am worthy of the salary I have. Being relatively honest about such things, I don't usually bother to get certified for something unless I'm serious about using that certification. I'm not a certificate collector. My career is not some merit badge collection from the Boy Scouts
        • "I was technically proficient BEFORE I got those certificates."

          "I know many others who also have these certificates. Their capabilities range from extraordinarily adept, to blithering idiot."

          So how did you get technically proficient if you weren't a blithering idiot(but willing to learn) at some point? How did you learn without a few stumbles? As you pointed out, the certifications are often your way in the door. I think it's hard to become technically proficient with a large network without experience.

          "
          • Re: (Score:2, Interesting)

            by azrider ( 918631 )
            You said:

            So how did you get technically proficient if you weren't a blithering idiot(but willing to learn) at some point?

            Later on, you say:

            "Idiot" is an unfair characterization. I'd say "blundering novice".

            Trust me, there are some "blundering novices" in every organization. They tend to either learn from having their feet put to the fire, or they get out. That said, based on 30 years in the business, there are very definitely enough "blithering idiots" in the organization to make your life either int

          • There's a big difference between being ignorant (novice) and being stupid (idiot).

            The ignorant person will still ask the right kinds of questions, and have a half a clue which direction they should be looking. The stupid person will either sit there and wait to be spoon-fed, or charge off randomly trying things that have no relevance to the issue at hand, mucking things up worse.

            It's all about the way the person thinks. A person with a sharp mind and good general troubleshooting skills can pick up the det
          • by AB3A ( 192265 )
            Please don't confuse education for experience. I know more educated idiots than I'd like to. They learn to regurgitate all sorts of things back on a test, but they somehow can't apply a damned thing they've "learned."

            That's why when I said idiot, I meant it. Some people learn from experience and some do not. The ones who can not learn from any experience whatsoever are the idiots. They are thankfully few, but they do exist. And in large companies, where education and certificates seem to be the curren
    • by Gary W. Longsine ( 124661 ) on Tuesday May 01, 2007 @01:35AM (#18937653) Homepage Journal
      My company, Intrinsic Security [intrinsicsecurity.com] generates as an artifact of product testing a certain amount of data about botnet and worm infestations on company and government networks. I have always tought that these kinds of public exposures would scare off clients, not only the companies named, but many other companies that would lose respect for a security company publically shaming potential clients. I definitely understand the frustation mentioned in the summary, as many people in IT consider themselves to be malware experts and they always think they have "solved" the "problem" by applying the latest antivirus definitions or tweaking their IDS rules. Most IT managers don't seem to really quite understand that the typical malware today is a radically different threat than they were five years ago. Keystroke logging is routine now, a drop-in module for malware authors.

      Am I wrong? Should I publish the list of companies that I know had bots on their networks in March?
      • 174 private corporations and government agencies
      • 48 schools & universities
      • 118 telecom companies (these are partly home DSL / cable modem circuits, partly private companies where the ARIN records are not delegated but rather managed by the ISP)
      • Yes. These companies aren't just exposing their information. These companies are exposing your families information.

        If you work your cards right, you could make them seem valiant for announcing such information, and attempting to resolve it.

        Or you might get canned.

        most likely canned.

        -Lemur
      • Re: (Score:2, Insightful)

        by InvisiBill ( 706958 )

        For the last year Waters and Support Intelligence CEO Rick Wesson called companies they found spamming, Waters says. But in big companies they had trouble connecting with people who had authority to clean up the networks. Waters thinks corporate upper management--CIO level and above--still don't appreciate the dangers of bots. "We'd talk to mid-level security people who understood botnets but had no buy-in from the CIO," he says. "Or the CEO had never heard about it."

        So they decided after "much soul searching" to name offending companies. Their goal is to clean up the Internet, not embarrass people or make money, although Support Intelligence has gained some new business. But most companies are grateful to be told they have a problem, Waters says.

        This public disclosure is a last ditch attempt to get someone to do something. They've tried to report the problem, but sometimes nothing will get done until someone with letters after their name sees the company's name in the headlines (where customers can see it and income is affected).

        Are you in the same situation with your list?

      • ..., but many other companies that would lose respect for a security company publically shaming potential clients.

        Let's do a thought experiment. For each of these "potential clients", estimate the potenitial that they might realistically become your client within a reasonable timeframe given your current advertising budget. Then estimate the percent of these potential clients that would have hired you, that won't. Compare that to the number of potential clients that don't even know your name, that migh

    • Re: (Score:3, Insightful)

      by DynaSoar ( 714234 ) *
      > Answer: they're usually the height of mediocrity. The best and brightest,
      > if they're there, are often ignored.

      IT at big companies are kept busy just trying to keep the base OS and necessary apps puttering along, and resurrecting users' workstations that have melted down or upchucked. Their mediocrity is enforced by the needs and whims of the big suits and PHBs. Corporate budgeting for IT is on a need-to-go basis. If IT has any money left at the end of a fiscal year, rather than letting them put it
      • by drew ( 2081 )
        Even without any of the best and brightest, it should take about ten brain cells and a half hour's work to disable outbound port 25 traffic from your corporate network (minus the mail server, if you're not bright enough to put it on a seoarate network), and no legitimate use would ever know the difference.
  • Ya know... (Score:5, Insightful)

    by FlyByPC ( 841016 ) on Monday April 30, 2007 @10:12PM (#18936645) Homepage
    ...along with the deinfestation, a little education might go a long way. If employees could be paid to attend a (mandatory) presentation on just how a botnet gets set up, I bet this would reduce the instances of infections by an appreciable amount. (Yeah, not 100%, I know.)

    Make it interesting. Start out asking for people's opinions on spam. Get 'em good and worked up. Then set up some network monitor with a nice, easy-to-see graphic interface (maybe write one) and demonstrate how a workstation gets infected by the user running a compromised app. Once it takes hold (pick a good one), pull out the stopwatch, tick off 5-10 seconds, then show how many mails it sent. Then do the math; multiply those ten seconds by 6 to get minutes, then 60, to get hours, then 24. I bet even the math-challenged will get the point quickly, looking at those really large numbers.
    • by StikyPad ( 445176 ) on Monday April 30, 2007 @10:38PM (#18936811) Homepage
      Then do the math.

      Then, to ensure you reach 100% of your target audience, convert the presentation to an animated .gif and e-mail it to everyone on your contact list, instructing them to do the same.
    • I think you really need to add some consequences to the situation for them to really understand. Unfortunately, the IT department and upper management has to be competent enough to understand when the employee was in at fault or they were at fault or it will just be finger pointing game to the easiest target.
    • by bl8n8r ( 649187 )
      That's a noble idea, but unfortunately I think most people don't really care. Ever see that glassed-over look just explaining how pop3 works (even when they ask)? "What I do is click this and then that window pops up with the blahblahblah but it's not working. And my internet is slow." Not saying people are stupid, most are just not interested and don't feel they have to be. I'd say the malware is succesful due in a large part to widespread apathy. Technical issues are second.
  • In comparison to MacOSX or Linux based desktop, Microsoft's desktop operating systems and Microsoft's desktop applications face a disproportionally higher risk of being "infected" with hostile malware. Just relying on third party Antivirus software to prop up a Microsoft flagging security record in no way puts you any closer to the level of security that a switch to another vendors desktop platform can provide. ( Just updating to Vista is no guarantee of better security in comparison to another vendors plat
    • The real point is malware is currently only MS Windows compatible. Other platforms have other problems but there's no way to compare things and no point pretending it's a contest about what is better. For a variety of reasons it can be a good idea to run MS software, but so long as you avoid the hobby versions intended to be used at home and keep the things isolated and monitored they can work well. Fdisk it from orbit and restore from a known good backup - it's the only way to be sure.

      A lot of the MS Wi

      • by ozbon ( 99708 )
        "Fdisk it from orbit and restore from a known good backup - it's the only way to be sure."

        Brilliant! I may have to change my sig...
  • by hklingon ( 109185 ) on Monday April 30, 2007 @10:34PM (#18936793) Homepage

    It scares me just how prevalent this type of software is.. not just the spam bots but the malware and other stuff meant to steal data. Locating+shutting down spambots is the easiest task. I'm pretty small time but I found something interesting once while working with a new client to get them fixed up with antivirus and internet monitoring software (squid+sarg). I'd locked down some things and I kept noticing one PC trying to connect to yahoo every week at about 2:00 am. Long story short it was apparently attempting to email a 500kb attachment... that was apparently a log of everything typed in the week before and some other stuff. That *almost* went unnoticed. That type of infection is downright scary.... who is going to notice a 500kb email going out through an https connection at yahoo? It didn't even seem to be part of a command+control network... just gathering info??


    The spambot infections is just the most visible symptom of a larger problem... they're talking about some "big name" companies apparently, but it is the smaller and medium sized businesses that really make the world tick... it is simply too complex, challenging and costly to really secure windows boxes without severely compromising functionality. It is also apparently not something that lends itself well to automation... I see big companies using enterprise software to "lock down" workstations and "reset" workstation images as their solution but there isn't really a small business answer here that I know of. If the tools were better/easier to use it might be easier to keep an eye on one's "flock" but it is a horrible pain both in setup and upkeep to really anticipate what might be happening. The entire stack one could use in windows to manage this stuff, from Event Logging to vb scripting automation, and all the way up to group policy is half-assed at best. This is the type of result you can expect.


    this type of story is why I think that learning and/or heuristic scanners (both at the machine and router/firewall/proxy level) are pretty much the only way we can win. I'm not imagining something sentient, mind you, just something that will sift through all the event logs and point me toward things actually worth my attention instead of "every little thing".



    • But then wouldn't the spammers aim under the bar of "important"? I mean sure 3 million e-mails a second is annoying but what if they cut it down to 1 a minute? Lets say you have 500 zombies, that is still a lot of spam and we know 500 is a drop in the ocean compared to what these guys have.
  • by whoever57 ( 658626 ) on Monday April 30, 2007 @10:51PM (#18936925) Journal
    Surely, these large companies could block outgoing port 25 traffic, except for their own email servers. Then the traffic can easily be monitored and spam zombies detected.

    Why is this not "best practice"?
    • All the bot needs to do is find out what the user's SMTP server is and use that. That way it doesn't care which outbound ports are open and which are blocked.
      • All the bot needs to do is find out what the user's SMTP server is and use that. That way it doesn't care which outbound ports are open and which are blocked.

        But by then we are dealing with a known quantity at a central location. These companies should be blocking everything their users don't need first and foremost, then they can look at the traffic from their mail server and use standard off the shelf pattern analysis to find the spammer bots.

        It's simple security.
        • I'm not disagreeing with you. What I'm saying is that blocking outbound port 25 isn't going to stop cleverly-written spambots.
          • Canary (Score:5, Insightful)

            by pedestrian crossing ( 802349 ) on Tuesday May 01, 2007 @03:13AM (#18938045) Homepage Journal

            What I'm saying is that blocking outbound port 25 isn't going to stop cleverly-written spambots.

            Absolutely. But -if you are monitoring your FW logs-, you will see the not so cleverly-written ones, and they can be your "canary in the coalmine". If you are seeing any denied outbound attempts, you know that either someone (or some software) is going against policy, or you have a workstation weakness that is being exploited, and you follow up on it.

            Sure, this doesn't guarantee that you don't have a problem (ie., cleverly-written malware). You must take a layered approach to security strategy to be effective. Discounting a layer because it doesn't take every single possibility into account is ridiculous. That's why you have depth built into your security strategy, because no single layer works for everything.

            That is the problem with most "security solutions" that are being peddled to CIOs, they claim to be a single magic bullet when real security solutions are more about correlation and follow-up from different layers. Not sexy, but very effective.

      • Re: (Score:3, Insightful)

        All the bot needs to do is find out what the user's SMTP server is and use that. That way it doesn't care which outbound ports are open and which are blocked.

        Indeed. But it's still a good idea to block port 25 on business or educational networks unless it's absolutely needed - as it prevents one class of abusers, i.e. direct-to-mx sending malware, making use of that particular method on your network. There still seems to be a lot of direct-to-mx stuff in circulation, if the evidence in our logfiles is any

      • Re: (Score:3, Interesting)

        by init100 ( 915886 )

        All the bot needs to do is find out what the user's SMTP server is and use that. That way it doesn't care which outbound ports are open and which are blocked.

        There are ways to block that behaviour. You could use SMTP AUTH to authenticate connections to the SMTP server and SSL/TLS to encrypt the connection. That way the bots won't be able to use the SMTP server to send their spam.

    • Surely, these large companies could block outgoing port 25 traffic, except for their own email servers. Then the traffic can easily be monitored and spam zombies detected.

      Surely, the bot net operators have already gotten around that on cable networks and those companies that do this. All they have to do is make the bot mail through the company smtp.

      Your idea is a variation on the "blame the user" theme. The problem is M$ on the desktop. Big dumb companies fork over all sorts of money, do what they a

      • The problem is M$ on the desktop. Big dumb companies fork over all sorts of money, do what they are told and get slammed anyway. What will be funny is when M$ themselves end up on this list. Who will they blame then?

        How to think like a manager 101: You are presented with two answers to a single problem. One; is to "task" the network/email admins to fix a problem. Two; involves blaming a large vendor. One of these answers actually lets you accomplish something, while the other doesn't. Which do you choo
        • by BVis ( 267028 )

          How to think like a manager 101: You are presented with two answers to a single problem. One; is to "task" the network/email admins to fix a problem. Two; involves blaming a large vendor. One of these answers actually lets you accomplish something, while the other doesn't. Which do you choose?

          Two. One requires work from your own people (who no doubt already have enough work for three people each), while the other involves forcing a big vendor to try to do something. If they don't, your ass is covered, sin

      • by igb ( 28052 )

        Surely, the bot net operators have already gotten around that on cable networks and those companies that do this. All they have to do is make the bot mail through the company smtp.

        It means you have logs, however. And company mail servers can be run in a far more ``shoot first, ask questions afterwards'' mode because there are far fewer reasons for `abnormal' traffic: for example, a user sending high volumes of messages has fewer legitimate reasns.

        I run the whole internal network on RFC1918, with acce

    • I'd love to do this in my org... a large company.

      But our department doesn't have the clout to override the other VPs desire to keep that functionality.

      In fact, I think part of the argument is that we can't respond to their needs quickly enough, partly because we're running around dealing with stuff we wouldn't have to if we were allowed to do things right =-/
      • by drew ( 2081 )
        What possible reason could he have for wanting to keep that functionality. It seems to me to be one of the very few security practices that one could implement with a "no exceptions" policy without catching innocent users.
        • Developers who just want things to work... and they know a server "x" that does what they want.

          When you get an organization large enough to have hundreds of VPs, you also have the other flotsam that comes with them.
  • by toby ( 759 ) * on Monday April 30, 2007 @10:59PM (#18936975) Homepage Journal
    The scary part is that if a bot can spam it can capture keystrokes or troll for interesting documents.

    Uh, yeah, that's why, like, some of us actually run a secure operating system instead of freaking Windows.

    I look forward to the day when proposing a Windows SOE is a firing offence. As for the state of American IT... Aren't you guys supposed to have landed on the moon, way back before Microshit was founded? WHAT HAPPENED TO Y'ALL?
    • by Stormie ( 708 )
      Always a delight to see a 3-digit user ID maintaining the True Spirit of Slashdot.
    • I look forward to the day when proposing a Windows SOE is a firing offence. As for the state of American IT... Aren't you guys supposed to have landed on the moon, way back before Microshit was founded? WHAT HAPPENED TO Y'ALL?

      Well first Microsoft Windows is the most widely used OS in the world. So if "Y'ALL" is referring to the people of the U.S., it looks like we made the most popular OS in the world, which you are probably running. On top of that a large number of the developers of open sources systems are from the U.S. as well. Then of all these "major companies" that are infected (think Fortune 500 or Fortune 100), a large portion [majority?] are U.S. companies. So it doesn't look like a whole lot happened besides a lot

    • And soon to be myspace.

      All these bots use common resources like yahoo/geocities for either mailing out or storing online content/payloads.

      Seriously, yahoo etc... should have an active role with at least 10-30 people constantly scanning their networks/servers for bot hosters/emailers.

      Is it that hard?

  • by errxn ( 108621 ) on Monday April 30, 2007 @11:22PM (#18937095) Homepage Journal
    Exposing bots in big companies? That's easy. I see 'em every day. We even have a nickname for them here..."Middle Management."
    • by weighn ( 578357 )
      We even have a nickname for them here..."Middle Management."

      Nah, they're the "dolts".

      Another term people often confuse with "bots" is "bods" who tend to work in HR and Marketing. Unfortunately they also tend to have Middle-Management-like qualities.

  • No way (Score:3, Insightful)

    by madsheep ( 984404 ) on Monday April 30, 2007 @11:24PM (#18937111) Homepage
    Major companies infected with spam spewing bots?? No way. This is just to ground breaking to be true. Next thing they are going to tell us is that government machines are also infected. Since we all know that major companies and government machines are impenetrable because their users are so smart, savvy, and technologically secure. Oh wait, the users at these places are the same people that use AOL dial up at home. OK.. so maybe it is true *and* unsurprising. :P
    • Indeed you are right that this should not be news. Sadly, however, it is to some of these corporations. That's the entire point of the operation.
  • Sarbanes-Oxley (Score:3, Interesting)

    by thatjavaguy ( 306073 ) on Tuesday May 01, 2007 @12:02AM (#18937291)
    This is actually pretty big news.

    My understanding is that Sarbanes-Oxley imposes strict IT standards for public companies.
    If the companies involved are indeed Fortune 500 companies then they are exposing themselves to massive lawsuits.

    In the big company that I work in this couldn't happen: we have good firewalls, machines are locked down in terms of downloads, machines are regularly tested/audited and we have a great IT department.

    If I were a CEO of one of these companies I'd be looking to fire the CIO...

    • If I were a CEO of one of these companies I'd be looking to fire the CIO...

      If I were a shareholder, I'd be asking for the resignation of the CEO... the buck stops with him...

    • Re: (Score:2, Insightful)

      by TooMuchToDo ( 882796 )

      In the big company that I work in this couldn't happen: we have good firewalls, machines are locked down in terms of downloads, machines are regularly tested/audited and we have a great IT department.

      Bullshit. If a box is on a network, the possibility of an exploit exists. The only secure desktop/server is the one buried in concrete 6 feet underground.

    • Re: (Score:2, Funny)

      by mattoo ( 909891 )

      In the big company that I work in this couldn't happen
      Let's file this under 'famous last words' :)
  • Bank of America (Score:3, Interesting)

    by omeomi ( 675045 ) on Tuesday May 01, 2007 @12:05AM (#18937313) Homepage
    Thompson Financial, Bank of America, and AIG.

    So you mean that some of those Bank of America SPAMs are actually coming from Bank of America computers? Woh...
  • IT jitters (Score:2, Insightful)

    by HW_Hack ( 1031622 )
    The school district I work for is about 80% macs and 20% PCs (running XP) - total number of machines disctrict wide is about 6000. I've asked if I could set up a Linux server and some diskless work stations as a usage test case ... by the response you would think I asked to install an open wireless node in the schools cafeteria. On the other hand if I'd just announced that I'd just installed 35 PCs that would be no problem and everyone would assume they're up to date + antivirus + etc.

    I could lock down that
  • I thought the article was about stuff like this [shoutfile.com].
  • by mattr ( 78516 ) <`moc.ydobelet' `ta' `rttam'> on Tuesday May 01, 2007 @02:59AM (#18937995) Homepage Journal
    I would be far more interested in a list of companies buying spam and profiting from spam. Names, addresses, phone/fax/email. Having reported this stuff and been hit once recently myself and not recovered from it yet, that is the only thing I want to see now. Get those blasted bankers, insurance and real estate agents into some concrete confinement!
    • by mattr ( 78516 )
      Incidentally the crackers who ruined my server were trying to run a Bank of America phishing scam. Is there something about BoA that makes them an easy target? I can guess all sorts of lousy things but I'd like to know if anyone has real info.
  • Headline and/or summary should state clearly that this is limited to MICROSOFT WINDOWS desktops.

    Eliminate those, and you're a good deal closer to solving the problem.
  • CRN's got some more info on this story [crn.com], including a list of compromised companies that are slated to be posted on that blog, but aren't up yet. They've also got a list of "good" companies that haven't (yet) been spotted generating any spam.

There are three kinds of people: men, women, and unix.

Working...