Exposing Bots In Big Companies

Posted by kdawson on Mon Apr 30, 2007 09:24 PM
from the pwned dept.
CalicoPenny let us know about yet another "30 days" effort, this one to name the names of major companies infected with spam-spewing bots. Support Intelligence began the effort on March 28, out of frustration at not being able to attract the attention of anyone who could fix the problems at these companies. While they haven't named 30 companies over the ensuing month, they did name some prominent ones, such as Thompson Financial, Bank of America, and AIG. The scary part is that if a bot can spam it can capture keystrokes or troll for interesting documents.
  • The scary part is that if a bot can spam it can capture keystrokes or troll for interesting documents.


    Or troll slashdot.
    • Re:Really? by Meadowhog (Score:1) Monday April 30 2007, @10:44PM
    • Re:Really? by no1nose (Score:1) Tuesday May 01 2007, @12:03AM
  • Gives a whole new meaning (Score:5, Funny)

    by overshoot (39700) on Monday April 30 2007, @09:35PM (#18936419)
    to "kicking bot and posting names."
  • Not surprising... (Score:5, Interesting)

    by Penguinisto (415985) on Monday April 30 2007, @09:35PM (#18936421)
    (Last Journal: Friday March 26 2004, @02:46PM)
    Big company == shedloads of workstations with shedloads of not-too-intelligent computer users.

    Aside from IT efforts to clean up (or at least keep their heads above water), the percentages would likely compare favorably with the home user population at large, methinks. Sometimes a company (like ferinstance the one I work for) can be outright anal about security (custom images, email that's filtered nine ways from Sunday, etc), and yet about once a month scans will pop up someone who has been bit with the latest variant of (insert malware here). To their credit, the guys here remove it often within minutes of detection - never seen one last more than a couple of hours. (Not just saying that because I happen to be a sysadmin there, seriously... the user-end guys are anal about that sort of thing, and if they weren't the network guys would happily shut off the offending port @ the switch to get the user's attention.)

    /P

    • Good to see the word getting out. by twitter (Score:3) Tuesday May 01 2007, @12:03AM
    • I think it is interesting that we see "report cards" that give government agencies low grades on security, but publicly-owned corporations get a pass.

      I seriously doubt that there are any botnets like this running on, say, the DoD network, yet they get a poor grade on security, while a frigging -bank- is pwned, and nobody is too bothered.

      • Re:Compared to government agencies (Score:4, Insightful)

        by jc42 (318812) on Tuesday May 01 2007, @11:25AM (#18942357)
        (http://trillian.mit.edu/~jc/ | Last Journal: Saturday August 14 2004, @05:03PM)
        I think it is interesting that we see "report cards" that give government agencies low grades on security, but publicly-owned corporations get a pass.

        I'd suspect that this is mostly because info about government security problems is often available, while corporations (public or private) are generally very secretive about such problems. Journalists have a tendency to report news when they have information, and not report when they don't have information. People conclude that there are problems in government agencies, but not in corporations. But the correct conclusion is usually "We don't know whether the corporate world has these problems, because we can't get information from them."

        Maybe a better approach would be to surmise that, if an organization of any sort is hiding information, this means that it has something going on that it doesn't want us to know.

        (Applying this to the Bush Administration rapidly leads to a high degree of suspicion. ;-)

      • Re:Compared to government agencies by businessnerd (Score:2) Tuesday May 01 2007, @02:21PM
    • Re:Not surprising... by pe1chl (Score:3) Tuesday May 01 2007, @04:06AM
  • Send in the lawyers (Score:5, Interesting)

    by secolactico (519805) on Monday April 30 2007, @10:04PM (#18936597)
    (Last Journal: Wednesday March 27 2002, @09:26PM)
    How long before some company tries to cover up the embarrassment by suing the people who disclose the fact that they have machines infected with bots? They might not succeed, but they might make life unpleasant for a short while for those who post the info.
  • Answer: they're usually the height of mediocrity. The best and brightest, if they're there, are often ignored.

    The notion that lots of big companies have spam bots all over the place is not all that hard for me to believe. Their IT divisions are often poorly staffed with folks who were selected with more input from HR than from the actual manager. They look at the certificates and then decide if a person is OK for the job. Honestly, the certificates are not good gatekeepers to ensure that people without a clue don't find themselves on the front line. They can't be.

    We all have known people who were extremely good at passing tests, but for reasons unknown to the rest of us, are unable to use those very skills in a real application. Those are the people who all too frequently end up in big organizations, pretending to know what real IT is. There is no substitute for learning from experience.

    And these corporations are about to have one of those learning experiences. It won't be pleasant.
  • Ya know... (Score:5, Insightful)

    by FlyByPC (841016) on Monday April 30 2007, @10:12PM (#18936645)
    (http://127.0.0.1/)
    ...along with the deinfestation, a little education might go a long way. If employees could be paid to attend a (mandatory) presentation on just how a botnet gets set up, I bet this would reduce the instances of infections by an appreciable amount. (Yeah, not 100%, I know.)

    Make it interesting. Start out asking for people's opinions on spam. Get 'em good and worked up. Then set up some network monitor with a nice, easy-to-see graphic interface (maybe write one) and demonstrate how a workstation gets infected by the user running a compromised app. Once it takes hold (pick a good one), pull out the stopwatch, tick off 5-10 seconds, then show how many mails it sent. Then do the math; multiply those ten seconds by 6 to get minutes, then 60, to get hours, then 24. I bet even the math-challenged will get the point quickly, looking at those really large numbers.
    • Re:Ya know... (Score:5, Funny)

      by StikyPad (445176) on Monday April 30 2007, @10:38PM (#18936811)
      (http://slashdot.org/)
      Then do the math.

      Then, to ensure you reach 100% of your target audience, convert the presentation to an animated .gif and e-mail it to everyone on your contact list, instructing them to do the same.
    • Re:Ya know... by dunezone (Score:2) Monday April 30 2007, @10:42PM
    • Re:Ya know... by bl8n8r (Score:2) Tuesday May 01 2007, @06:29AM
  • In comparison to MacOSX or Linux based desktops, Microsoft's desktop operating systems and Microsoft's desktop applications face a disproportionately higher risk of being "infected" with hostile malware. Just relying on third-party antivirus software to prop up Microsoft's flagging security record in no way puts you any closer to the level of security that a switch to another vendor's desktop platform can provide. (Just updating to Vista is no guarantee of better security in comparison to another vendor's platform.)

    Maybe it is time some people who have been spammed or have had personal sensitive data exposed from infected Windows desktops in these organizations entered into a series of class action lawsuits against those same organizations for using Microsoft's products. If switching to Linux or MacOSX based desktops would greatly reduce the risk of further intrusion, why should organizations not be "encouraged" to make the move?

  • Shouldn't be too hard? (Score:5, Interesting)

    by hklingon (109185) on Monday April 30 2007, @10:34PM (#18936793)
    (http://www.ubuyky.com/)

    It scares me just how prevalent this type of software is.. not just the spam bots but the malware and other stuff meant to steal data. Locating+shutting down spambots is the easiest task. I'm pretty small time but I found something interesting once while working with a new client to get them fixed up with antivirus and internet monitoring software (squid+sarg). I'd locked down some things and I kept noticing one PC trying to connect to yahoo every week at about 2:00 am. Long story short it was apparently attempting to email a 500kb attachment... that was apparently a log of everything typed in the week before and some other stuff. That *almost* went unnoticed. That type of infection is downright scary.... who is going to notice a 500kb email going out through an https connection at yahoo? It didn't even seem to be part of a command+control network... just gathering info??

    The spambot infections are just the most visible symptom of a larger problem... they're talking about some "big name" companies apparently, but it is the smaller and medium sized businesses that really make the world tick... it is simply too complex, challenging and costly to really secure Windows boxes without severely compromising functionality. It is also apparently not something that lends itself well to automation... I see big companies using enterprise software to "lock down" workstations and "reset" workstation images as their solution but there isn't really a small business answer here that I know of. If the tools were better/easier to use it might be easier to keep an eye on one's "flock" but it is a horrible pain both in setup and upkeep to really anticipate what might be happening. The entire stack one could use in Windows to manage this stuff, from Event Logging to VB scripting automation, and all the way up to group policy is half-assed at best. This is the type of result you can expect.

    This type of story is why I think that learning and/or heuristic scanners (both at the machine and router/firewall/proxy level) are pretty much the only way we can win. I'm not imagining something sentient, mind you, just something that will sift through all the event logs and point me toward things actually worth my attention instead of "every little thing".
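The weekly 2 a.m. upload hklingon describes and the "sift the logs and point me at what matters" wish two paragraphs later are the same detection problem: find large exchanges with external hosts during quiet hours, then ask whether they recur on a fixed period. The script below is an added example, not code from the discussion or from squid/sarg. Its access.log lines are constructed in squid's native layout; the internal domain suffix `.corp.example`, the quiet-hours window, the 256 KB threshold and the weekly period are assumptions, and it treats the byte field as the size of the whole exchange, which for CONNECT tunnels depends on the logformat in use.

```python
"""Flag off-hours bulk transfers to external hosts that recur on a schedule.

Added example, not code from the discussion or from squid/sarg. The log lines
are constructed in squid's native access.log layout. Assumptions: the byte
field is taken as the size of the whole exchange (for a CONNECT tunnel this
depends on the logformat), ".corp.example" is the internal domain, quiet hours
are 00:00-05:59 UTC, and "bulk" means 256 KB or more.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample: 10.1.2.34 tunnels ~500 KB to a webmail host at 02:00 UTC
# on three consecutive Mondays; the other lines are ordinary daytime browsing.
SAMPLE_LOG = """\
1177293600.412    310 10.1.2.34 TCP_TUNNEL/200 512300 CONNECT mail.yahoo.com:443 - DIRECT/69.147.112.160 -
1177329600.101     85 10.1.2.50 TCP_MISS/200 4821 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1177898400.733    295 10.1.2.34 TCP_TUNNEL/200 498880 CONNECT mail.yahoo.com:443 - DIRECT/69.147.112.160 -
1177934100.907     60 10.1.2.34 TCP_MISS/200 1204 GET http://intranet.corp.example/ - DIRECT/10.0.0.5 text/html
1178503200.219    301 10.1.2.34 TCP_TUNNEL/200 505112 CONNECT mail.yahoo.com:443 - DIRECT/69.147.112.160 -
1178540000.500    120 10.1.2.77 TCP_MISS/200 30500 GET http://www.example.com/a.jpg - DIRECT/93.184.216.34 image/jpeg
"""

INTERNAL_SUFFIXES = (".corp.example",)   # assumption: the organisation's own domain

LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def parse_line(line):
    """Return the fields we need from one access.log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = m.group("url")
    # CONNECT logs "host:port"; other methods log a full URL.
    if m.group("method") == "CONNECT":
        host = url.rsplit(":", 1)[0]
    else:
        host = urlsplit(url).hostname or url
    return {"ts": float(m.group("ts")), "client": m.group("client"),
            "bytes": int(m.group("bytes")), "host": host}


def is_external(host):
    return not host.endswith(INTERNAL_SUFFIXES)


def off_hours_bulk_events(lines, min_bytes=256 * 1024, quiet_hours=range(0, 6)):
    """Keep only large exchanges with external hosts that happen during quiet hours."""
    events = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_external(rec["host"]):
            continue
        hour = datetime.fromtimestamp(rec["ts"], tz=timezone.utc).hour
        if hour in quiet_hours and rec["bytes"] >= min_bytes:
            events.append(rec)
    return events


def periodic_groups(events, period_s=7 * 86400, tolerance_s=3600):
    """Group events by (client, host); keep groups whose gaps are multiples of period_s."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["client"], e["host"])].append(e)
    findings = []
    for (client, host), recs in sorted(groups.items()):
        if len(recs) < 2:
            continue
        stamps = sorted(r["ts"] for r in recs)
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        # A job that fires every period_s (even if it skips a run now and then)
        # leaves every gap close to an integer multiple of the period.
        periodic = all(
            round(g / period_s) >= 1 and abs(g - round(g / period_s) * period_s) <= tolerance_s
            for g in gaps
        )
        if periodic:
            findings.append({
                "client": client, "host": host, "count": len(recs),
                "avg_bytes": sum(r["bytes"] for r in recs) // len(recs),
                "hour_utc": datetime.fromtimestamp(stamps[0], tz=timezone.utc).hour,
            })
    return findings


def suspicious_periodic_transfers(lines):
    """End-to-end: parse, keep off-hours bulk traffic, then look for a fixed period."""
    return periodic_groups(off_hours_bulk_events(lines))


if __name__ == "__main__":
    for f in suspicious_periodic_transfers(SAMPLE_LOG.splitlines()):
        print(f"{f['client']} -> {f['host']}: {f['count']} transfers, "
              f"~{f['avg_bytes'] // 1024} KB each, around {f['hour_utc']:02d}:00 UTC")
```

On the sample the only finding is 10.1.2.34 talking to mail.yahoo.com three times, a week apart, at 02:00 UTC. The periodicity check is what turns "a big upload at night" (which a backup job also produces) into something worth a look: a backup runs to an internal host, and a user's one-off late upload has no second data point. Run it against a real access.log by replacing `SAMPLE_LOG.splitlines()` with the file's lines and adjusting `INTERNAL_SUFFIXES` to the real domain.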



  • by whoever57 (658626) on Monday April 30 2007, @10:51PM (#18936925)
    (Last Journal: Thursday September 30 2004, @01:33AM)
    Surely, these large companies could block outgoing port 25 traffic, except for their own email servers. Then the traffic can easily be monitored and spam zombies detected.

    Why is this not "best practice"?
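whoever57's suggestion has two halves: an egress rule that lets only the sanctioned mail servers reach port 25, and monitoring of whatever still tries. The script below is an added example, not code from the discussion, of the monitoring half. Everything in it is constructed: the relay addresses, the `OUT-SMTP` log prefix and the log lines, which are written in the key=value layout the iptables LOG target emits. It flags every source that is not in the assumed relay list and ranks offenders by how many distinct destinations they hit, since a spam zombie fans out to many mail exchangers while a misconfigured client usually hits one.

```python
"""Audit outbound SMTP attempts against an egress policy of "only the relays may talk to port 25".

Added example, not code from the discussion. Everything here is constructed:
the relay addresses, the log lines (in the key=value layout the iptables LOG
target writes) and the "OUT-SMTP" log prefix.

The policy this audit assumes, as iptables rules on the egress firewall:
    iptables -A FORWARD -p tcp --dport 25 -s 10.1.0.25 -j ACCEPT
    iptables -A FORWARD -p tcp --dport 25 -s 10.1.0.26 -j ACCEPT
    iptables -A FORWARD -p tcp --dport 25 -j LOG --log-prefix "OUT-SMTP "
    iptables -A FORWARD -p tcp --dport 25 -j DROP
Anything the LOG rule records is, by construction, a host that should not be
sending mail directly; the audit below tells the zombies from the one-offs.
"""
import re
from collections import defaultdict

AUTHORIZED_RELAYS = {"10.1.0.25", "10.1.0.26"}   # assumption: the sanctioned mail relays
SMTP_PORTS = {25}

# Constructed log excerpt. 10.1.2.34 fans out to three different mail hosts in
# three seconds (what a spam zombie looks like); 10.1.2.50 makes a single attempt.
SAMPLE_LOG = """\
Apr 30 02:14:07 fw kernel: OUT-SMTP IN=eth1 OUT=eth0 SRC=10.1.0.25 DST=198.51.100.10 PROTO=TCP SPT=41022 DPT=25
Apr 30 02:14:09 fw kernel: OUT-SMTP IN=eth1 OUT=eth0 SRC=10.1.2.34 DST=203.0.113.5 PROTO=TCP SPT=3341 DPT=25
Apr 30 02:14:09 fw kernel: OUT-SMTP IN=eth1 OUT=eth0 SRC=10.1.2.34 DST=203.0.113.77 PROTO=TCP SPT=3342 DPT=25
Apr 30 02:14:10 fw kernel: OUT-SMTP IN=eth1 OUT=eth0 SRC=10.1.2.34 DST=198.51.100.200 PROTO=TCP SPT=3343 DPT=25
Apr 30 02:14:12 fw kernel: OUT-WEB IN=eth1 OUT=eth0 SRC=10.1.2.50 DST=93.184.216.34 PROTO=TCP SPT=5120 DPT=80
Apr 30 02:14:15 fw kernel: OUT-SMTP IN=eth1 OUT=eth0 SRC=10.1.2.50 DST=198.51.100.10 PROTO=TCP SPT=5121 DPT=25
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)\s+PROTO=(?P<proto>\S+)(?:\s+SPT=\d+)?\s+DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Extract (src, dst, proto, dport) from an iptables LOG line; None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("dst"), m.group("proto"), int(m.group("dpt"))


def policy_violations(lines):
    """Every outbound TCP connection to an SMTP port from a host that is not a relay."""
    violations = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, proto, dport = rec
        if proto == "TCP" and dport in SMTP_PORTS and src not in AUTHORIZED_RELAYS:
            violations.append((src, dst))
    return violations


def rank_sources(violations):
    """Sort offending sources by distinct destinations, then by attempts (both descending)."""
    dsts = defaultdict(set)
    attempts = defaultdict(int)
    for src, dst in violations:
        dsts[src].add(dst)
        attempts[src] += 1
    ranked = [(src, len(dsts[src]), attempts[src]) for src in dsts]
    ranked.sort(key=lambda r: (-r[1], -r[2], r[0]))
    return ranked


def zombie_candidates(lines, min_distinct=2):
    """Sources that reached at least min_distinct different mail hosts. Fan-out is the
    zombie signature; a single destination is more often a misconfigured client."""
    return [src for src, distinct, _ in rank_sources(policy_violations(lines))
            if distinct >= min_distinct]


if __name__ == "__main__":
    for src, distinct, n in rank_sources(policy_violations(SAMPLE_LOG.splitlines())):
        print(f"{src}: {n} outbound SMTP attempts to {distinct} distinct hosts")
    print("zombie candidates:", zombie_candidates(SAMPLE_LOG.splitlines()))
```

With the DROP rule in place the zombie's mail never leaves the network, so the log is the whole signal: every line is a host that tried. Ranking by distinct destinations rather than raw count keeps a chatty but legitimate misconfigured client (one relay, many retries) from outranking a bot that touched three mail exchangers in three seconds.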
  • This wins the DUH award (Score:3, Insightful)

    by toby (759) * on Monday April 30 2007, @10:59PM (#18936975)
    (http://www.telegraphics.com.au/ | Last Journal: Tuesday November 06, @03:35PM)
    The scary part is that if a bot can spam it can capture keystrokes or troll for interesting documents.

    Uh, yeah, that's why, like, some of us actually run a secure operating system instead of freaking Windows.

    I look forward to the day when proposing a Windows SOE is a firing offence. As for the state of American IT... Aren't you guys supposed to have landed on the moon, way back before Microshit was founded? WHAT HAPPENED TO Y'ALL?
  • by errxn (108621) on Monday April 30 2007, @11:22PM (#18937095)
    (http://slashdot.org/ | Last Journal: Friday January 24 2003, @07:59PM)
    Exposing bots in big companies? That's easy. I see 'em every day. We even have a nickname for them here..."Middle Management."
  • No way (Score:3, Insightful)

    by madsheep (984404) on Monday April 30 2007, @11:24PM (#18937111)
    (http://www.securityzone.org/)
    Major companies infected with spam spewing bots?? No way. This is just too groundbreaking to be true. Next thing they are going to tell us is that government machines are also infected. Since we all know that major companies and government machines are impenetrable because their users are so smart, savvy, and technologically secure. Oh wait, the users at these places are the same people that use AOL dial up at home. OK.. so maybe it is true *and* unsurprising. :P
    • Re:No way by Inverted Intellect (Score:2) Tuesday May 01 2007, @05:18AM
  • Sarbanes-Oxley (Score:3, Interesting)

    by thatjavaguy (306073) on Tuesday May 01 2007, @12:02AM (#18937291)
    This is actually pretty big news.

    My understanding is that Sarbanes-Oxley imposes strict IT standards for public companies.
    If the companies involved are indeed Fortune 500 companies then they are exposing themselves to massive lawsuits.

    In the big company that I work in this couldn't happen: we have good firewalls, machines are locked down in terms of downloads, machines are regularly tested/audited and we have a great IT department.

    If I were a CEO of one of these companies I'd be looking to fire the CIO...

  • Bank of America (Score:3, Interesting)

    by omeomi (675045) on Tuesday May 01 2007, @12:05AM (#18937313)
    (http://zulupad.gersic.com/)
    Thompson Financial, Bank of America, and AIG.

    So you mean that some of those Bank of America SPAMs are actually coming from Bank of America computers? Woh...
  • IT jitters (Score:2, Insightful)

    by HW_Hack (1031622) on Tuesday May 01 2007, @12:24AM (#18937405)
    The school district I work for is about 80% Macs and 20% PCs (running XP) - total number of machines district wide is about 6000. I've asked if I could set up a Linux server and some diskless workstations as a usage test case ... by the response you would think I asked to install an open wireless node in the school's cafeteria. On the other hand if I'd just announced that I'd just installed 35 PCs that would be no problem and everyone would assume they're up to date + antivirus + etc.

    I could lock down that Linux box pretty tight etc. but Linux is not on their radar.
  • I misunderstood... (Score:2)

    by cLive ;-) (132299) on Tuesday May 01 2007, @01:58AM (#18937747)
    (http://cliveholloway.net/ | Last Journal: Saturday February 28 2004, @05:54PM)
    I thought the article was about stuff like this [shoutfile.com].
  • I would be far more interested in a list of companies buying spam and profiting from spam. Names, addresses, phone/fax/email. Having reported this stuff and been hit once recently myself and not recovered from it yet, that is the only thing I want to see now. Get those blasted bankers, insurance and real estate agents into some concrete confinement!
  • Headline and/or summary should state clearly that this is limited to MICROSOFT WINDOWS desktops.

    Eliminate those, and you're a good deal closer to solving the problem.
  • More companies (Score:1)

    by tooz (740833) on Tuesday May 01 2007, @05:05PM (#18948203)
    CRN's got some more info on this story [crn.com], including a list of compromised companies that are slated to be posted on that blog, but aren't up yet. They've also got a list of "good" companies that haven't (yet) been spotted generating any spam.
  • Re:Aflac (Score:2)

    by Archangel Michael (180766) on Monday April 30 2007, @10:55PM (#18936955)
    (Last Journal: Wednesday September 22 2004, @11:13AM)
    Ben or Casey?