Forgot your password?
typodupeerror
Businesses Security IT

Up To 9% of a Company's Machines Are Bot-Infected 146

Posted by kdawson
from the 9-percent-of-your-machine-are-belong-to-us-and-that's-enough dept.
ancientribe sends in a DarkReading piece on the expanding footprint of small, targeted botnets in enterprises. "Bot infections are on the rise in businesses, and most come from botnets you've never heard of nor ever will. Botnet researchers at Damballa have found that nearly 60 percent of bot infections in organizations are from bot armies with only a handful to a few hundred bots built to target a particular organization. Only 5 percent of the bot infections were from big-name botnets, such as Zeus/ZDbot and Koobface. And more businesses are getting hit: 7 to 9 percent of an organization's machines are bot-infected, up from 5-to-7 percent last year, according to Damballa. ... [Damballa's] Ollmann says many of the smaller botnets appear to have more knowledge of the targeted organization as well. 'They are very strongly associated with a lot of insider knowledge...and we see a lot of hands-on command and control with these small botnets,' he says. ... Ollmann says botnets of all sizes are also increasingly using more and different types of malware rather than one particular family in order to evade detection. 'Most botnets, even small ones, have hundreds of different pieces of malware and families in use..."
This discussion has been archived. No new comments can be posted.

Up To 9% of a Company's Machines Are Bot-Infected

Comments Filter:
  • Any good bot scanner?

    • Re: (Score:2, Informative)

      by Anonymous Coward

      Any good bot scanner?

      your firewall logs...

      • Re: (Score:3, Insightful)

        by GerardAtJob (1245980)

        Any good firewall parser then ?
        I'm lazy and don't want to read logs or parse them manually...
        Anyway It's not even my job (I'm a programmer)! If they're a quick&dirty way to find out I'll try it once a week/month... but I wont read and parse this boring stuff...

        • by Traa (158207)

          I'm with parent on this. I'm a developer at a big company. Have 3 machines in front of me[*]. Don't have access to firewall logs, assuming IT is doing a decent job because none of my machines have ever gone down in last 3 years. Still, modern malware wouldn't take my machine down so I could very well be infected. How do I know? What do I scan?

          [*] Linux on one, WinXP on the others because that is what the job demands (don't argue).

    • by mcgrew (92797) *

      Any good bot scanner?

      I don't know of one, but there is good bot prevention. It's called "Linux".

      • Re: (Score:1, Funny)

        by Anonymous Coward
        Linux botnet of zombie servers [p2pnet.net]. I believe in the lingo the kids one would say: pwned!
      • Which also prevents you from being able to use most applications; ergo, prevents any actual work taking place. Sounds like a Win-Win.
        • That depends entirely on what your work involves. "Most applications" are not necessary for most work.

        • Flamebait.

        • by mcgrew (92797) *

          Actually, no. Most applications come with the OS. Now, if you mean "I can't run a spreadsheet in LINUX!" you CAN run a spreadsheet; just not Microsoft's. There are a few specialty apps that one might need that there are no Linux versions of, for these you can set your computer up dual-boot with networking disabled on the Windows side. When you're done with your nnon-linux app you can send the results over the net from Linux.

          But most people don't need programs that will only run in Windows. Most people the "

      • by dissy (172727)

        I don't know of one, but there is good bot prevention. It's called "Linux".

        So in other words, you want me to replace our Windows workstaions that run our ERP software which runs most of the business, over to Linux workstations that will not run ERP software worth anything, so that our business has to shut down?

        SmRT!

        I have made some Linux deployments here, but sadly there is just no way to fully switch over without seriously major and long interruptions in the business processes.

        Due to the ERP software using 'technologies' ranging from Access 2000 up to dotNET 3.0, this pretty much

    • Re: (Score:2, Insightful)

      by Kylock (608369)

      While some malware/botnet clients may escape anti-virus detection, the common trait is that they all have to connect to a command and control server. Many IDS products have signatures to detect this type of traffic.

      For example, many "botnet-kits" will connect using IRC on a random high port. IRC usage audit signatures are good for detecting the more common botnet c&c traffic.

      Prevention is key, but it's still not easy - trying to keep Joe User from playing that Michael Jackson video he got in his email

  • by navygeek (1044768) on Friday September 25, 2009 @09:51AM (#29538969)
    And after reading the linked article, there's another 40% :-p
  • Education (Score:5, Insightful)

    by sopssa (1498795) * <sopssa@email.com> on Friday September 25, 2009 @09:51AM (#29538977) Journal

    This is the reason traditional antivirus scanning will not work. If the specific malware is only inside your company or a few hundred PC's, there isn't signatures for them either. You have to educate your company's workers and restrict access in OS instead of blindly trusting your antivirus providers.

    Now the same approach doesn't work in homes or educating those random users, but it should work inside your company.

    • Re:Education (Score:4, Insightful)

      by spydabyte (1032538) on Friday September 25, 2009 @10:34AM (#29539429)
      How does this education in a company differ from the home? Payment? Fire them if they're not secure? They've tried that, it's called government. We all see how well that [slashdot.org] works out [slashdot.org].

      If you want to be 100% secure, higher smart people and shut off your internet pipe.

      Now 99.999%? That's a different story.
    • Can you give more specifics? Like there may be no way to avoid this on an XP machine, that's what I'm getting at. A lot of corps still have that with computers 5 years old and it as godd a reason as any to use some other OS.

    • Re:Education (Score:4, Interesting)

      by fbwhrdpmtajg (1452033) on Friday September 25, 2009 @11:16AM (#29539921)

      Screw educating, this situation calls for whitelisting and non-administrator privileges.

    • by owlstead (636356)
      Insightful? Educating the users so they can prevent a botnet? Only people who can't educate themselve still propose such a thing as a solution. In all the 20 years of (semi-)professional IT I've never seen that work.
    • by gilgongo (57446)

      This is the reason traditional antivirus scanning will not work.

      I've come to realise that antivirus scanning of any kind does not, and has never - really - worked. A combination of human factors, poor design and general stupidity makes it so.

    • by Dan541 (1032000)

      I think I can safely say that educating users is a lost cause. Some people just CAN'T be educated.

  • by Zantac69 (1331461) on Friday September 25, 2009 @09:56AM (#29539027) Journal
    For some reason - this made me think of Voltron. Not the lion voltron - but the crappy vehicle voltron. All the tiny botnets coming together to form a huge botnet...but it would probably be a ro-beast. Maybe then lion voltron could come destroy the evil bot-net ro-beast.

    Great - now my day is ruined because I am going to be looking for an MP3 of the lion voltron assembly thing to put as a ring tone on my phone.
  • by Anonymous Coward

    It sounds like the company in question provides security services, so isn't this piece of 'research' an advertisement for their services?

    • Mod parent up. (Score:5, Interesting)

      by khasim (1285) <brandioch.conner@gmail.com> on Friday September 25, 2009 @11:25AM (#29540037)

      I'm having a lot of trouble believing some of the claims in that article.

      In a three-month study of more than 600 different botnets found having infiltrated enterprise networks, researchers from Damballa discovered nearly 60 percent are botnets that contain only a handful to a few hundred bots built to target a particular organization. Only 5 percent of the bot infections were from big-name botnets, such as Zeus/ZDbot and Koobface.

      600 botnets

      5% of 600 is 30. So only 30 out of 600 were "big-name"? That doesn't sound like those "big-name" ones are all that big.

      60% of 600 is 360. So their tiny sample found 360 instances of NEW viruses/worms/trojans? I find it very difficult to believe that there are that many sites with custom infections.

      Which leaves 210 infections that are not custom and not "big-name". How did those sites manage that? In my experience, if some site it getting infected by less virulent code, it's also infected by the more virulent code.

      "Of all the enterprises where we've gone into who are customers or as proof-of-concept, 100 percent have had botnet infections," says Gunter Ollmann, vice president of research for Damballa.

      Which makes me question how those sites are selected for them to investigate. NONE of them had decent anti-virus practices?

      The bad guys are also finding that deploying a small botnet inside a targeted organization is a more efficient way of stealing information than deploying a traditional exploit on a specific machine.

      Whoa! I'd think that they're using a different definition of "botnet" than the one I'm familiar with. Of course having more than one machine is more efficient. If nothing else, that one machine is a "single point of failure" than can be re-imaged at any time.

      And Ollmann says many of the smaller botnets appear to have more knowledge of the targeted organization as well. "They are very strongly associated with a lot of insider knowledge...and we see a lot of hands-on command and control with these small botnets," he says.

      I don't see how those two statements support each other. What knowledge do they need? IP ranges, routers, gateways and servers.

      If they remotely control four or five hosts, for instance, then they issue commands to the bots to navigate network shares, retrieve files, or access databases, he says.

      Which they cannot possibly do if they controlled 40 or 50 hosts. Or 400 or 500. Etc. Bullshit.

      "I suspect that a sizable percentage of small botnets are those developed by people who understand or are operating inside a business as employees who want to gain remote access to corporate systems, or by criminal entities that have dug deep and gotten insider information on the environment," Ollmann says.

      Again there is nothing to support those statements.

      "The reason why we know this is the way the malware is constructed -- how it's specific to the host being targeted -- and the types of command and control being used. Bot agents are often hard-coded with the command and control channel" so they can bypass network controls with a user's credentials.

      How can it be "specific to the host being targeted"?

      Aren't "bots" always hardcoded with the "command and control channel"? Such as "use IRC" and "connect to this generated list of sites for updates".

      These mini-botnets tend to rely on popular DIY malware kids, like Ivy and Zeus, to infect their victim machines, he says.

      Damn "malware kids". Get off my lawn!

      And they are typically more automated than bots in the big botnets: "Some designed for the enterprise worm they way around the network and look for common protocols that are open in the enterprise" and infect files, and exploit other hosts in the network, Ollmann says.

      Damn! Not only are they "more automated" but they also have " a lot of hands-on command and control".

      Pure
      Marketing
      Fluff

  • egress filtering (Score:4, Interesting)

    by Lord Ender (156273) on Friday September 25, 2009 @09:59AM (#29539071) Homepage

    This solution is egress filtering: stop all traffic going out to the internet from desktop computers. Then provide a proxy server (HTTP and SOCKS) users can use to get what they need on the net. The proxy server must be a filtering server--the sort that keeps a list of known malware sites and botnet controllers, so that it can automatically block them.

    With this in place, users will still be able to get what they need from the net, but 99% of bots will be stopped.

    • Re:egress filtering (Score:4, Informative)

      by TorKlingberg (599697) on Friday September 25, 2009 @10:05AM (#29539127)

      Not the kind of bots that this article describes, that are targeted specifically to your company.

    • by Havokmon (89874)
      I did this for PCI Compliance. Add NTLM auth with Squid and only allow a small number of people to have unrestricted access. Have everyone else filtered down to only required business sites.
    • by mrdoogee (1179081)
      A squid [wikipedia.org] proxy server with Smartfilter works pretty well here at my office.
    • We have an eSafe gateway with the antimalware/antispam piece which does stop communications with known malware sites and botnet controllers. I point that out as a solution to this problem. There are others.

  • by viralMeme (1461143) on Friday September 25, 2009 @10:00AM (#29539077)
    And the vast majority of these 'machine malware infections' run on Windows. machine malware infections.

    Half of Fortune 100 companies compromised by new information stealing Trojan [blogspot.com]

    "Security tool designed to stealthy run on winnt based systems (win2k to winvista) and to stealthy and efficiently spread with 3 spreaders, which were specially designed and improved compared to already known public methods.[sic]" The three spreaders are MSN, USB, and P2P. Listed P2P networks were "ares, bearshare, imesh, shareaza, kazaa, dcplusplus, emule, emuleplus, limewire.[sic]"
  • by MaraDNS (1629201) on Friday September 25, 2009 @10:03AM (#29539107) Homepage Journal

    This, naturally, compromises other machines on the same network. If another machine on the same network is controlled by hackers, one thing they can do is run a packet sniffer and grab unencrypted passwords. Or read your email (unless you use Gmail and have things set up to always use SSL). Or try to control your computer; it's a lot easier to attack a computer when you're behind the firewall.

    The good news is this: Since the computer is a company computer, there's a lot more we can do to find and remove the virus from the computer in question. Such as taking the computer off of the network, making a backup of all data files, and doing a complete reinstall of the OS and all company-approved applications. With or without the computer owner's consent. A corporate IT department has a lot more control over their computers than, say, Comcast.

    So the question is this: What are good ways for a corporate IT network to know whether a given computer is a zombie? Analysis of the packets a given computer makes is one way.

    • by Talderas (1212466)

      You can usually locate a zombie by its insatiable appetite for human flesh. Other indicators tend to be lack of comprehension regarding basic command like 'stop' or 'there's a tasty young blonde over there'.

    • by khasim (1285) <brandioch.conner@gmail.com> on Friday September 25, 2009 @11:33AM (#29540125)

      Simply hook up a decent intrusion detection system (Snort is exceptionally decent in this regard) and look at the traffic patterns.

      Workstations contact servers for services provided by those servers. Services that you should be aware of.

      Workstations do not contact other workstations (except for IT support people).

      Then look at outbound traffic. Betsy in Accounting cannot spell IRC so why would she be using that protocol?

      This isn't much help if everything turns to https for command and control. But at least you'd see the sites that those were hitting. Why is someone hitting e3rt49io.cn at 3 in the morning?

    • This, naturally, compromises other machines on the same network... Or try to control your computer; it's a lot easier to attack a computer when you're behind the firewall.

      Most enterprises now segregate their internal networks with a series of firewalls as well.

      So the question is this: What are good ways for a corporate IT network to know whether a given computer is a zombie?

      There are a lot of tools designed for exactly this purpose. Some of the better ones integrate with your routers and will do more than give you a list of infected machines. They'll attempt to find them automatically and identify them and notify you and either automatically or on command quarantine the infected systems by filtering out traffic from them or from a chunk of your network using the routers. At least one tool

    • Re: (Score:2, Insightful)

      by orange47 (1519059)
      but, don't packet sniffers grab passwords only on hubs, not the switches that everyone uses nowadays? besides many use google POP3 server, that should be safe(r)?
      • by Anomalyst (742352)
        Most switches allow you to map a port to a another port for monitoring. you can also use a physical tap. I haven't done network forensics in quite awhile, I wonder if there is a plug-in for snort that would automatically step through the switch ports, moving to the next one every NN seconds in a round robin fashion using a SSH or console connection.
  • And more businesses are getting hit: 7 to 9 percent of an organization's machines are bot-infected, up from 5-to-7 percent last year, according to Damballa.

    I think the bolded "an" is a typo, otherwise, this sentence makes little sense.

  • by Chrisq (894406) on Friday September 25, 2009 @10:09AM (#29539179)
    I thought it was only Apple fanboys who had to worry about getting their bots infected.
  • Corporate America (Score:3, Insightful)

    by girlintraining (1395911) on Friday September 25, 2009 @10:15AM (#29539231)

    Why do people blame the company for this?

    I worked deployment for several years at a company with about 13,000 servers and 96,000 workstations, as well as over 25,000 POS systems. I can safely say that size is not the problem. Policies are the problem. There is always that one employee that thinks that he can sneak iTunes onto the network and download some mp3s to a flash drive despite the "no pen drives policy". Disabling them doesn't really help -- they have physical access to the machine of course.

    If you figure that there are 150,000 employees in your company, and the consumer market has a 5% infection rate, and 1% of your employees decide to bring a flash drive in... Then every five days, someone is plugging an infected flash drive into your network. All the network management in the world cannot control that many people -- I can't replicate myself to stand over each user and remind them of the risks. And since they don't see the consequences as they happen, there's no chance for them to learn.

    But blaming corporations for this is stupid. And blaming employees for it isn't productive. The truth of the matter is, as far as the business world is concerned -- viruses, worms, malware, spyware, and the like are the cost of doing business. It would cost way more to fix the problem than to simply let it eat at the margins.

    Sorry to say, but your data isn't worth those kinds of expenses.

    • by ledow (319597) on Friday September 25, 2009 @10:23AM (#29539321) Homepage

      Because, physical access or not, you should be stopping it anyway.

      And if someone plugs something in and pushes a virus onto the network - how different is that to pulling the fire alarm, or jamming the lifts in a skyscraper? The company should be dealing with it - first by basic prevention (no USB access or even no USB ports if they aren't needed), secondly by policies but most importantly by enforcement. With physical access, if an employee plugs in a USB stick and somehow "makes" it work when you've disabled it as an administrator, then it's not an accidental thing - not an unthinking "Oh, I can't send it over the network, I'll just plug in my personal USB and do it at home"... it's a deliberate, wilful act to insert an unauthorised device into the corporate network. No different to plugging in an unsecured wireless router, or anything else.

      The *company* should be taking basic precautions with its customer's and its own business data - that means limiting access to the bare minimum required. Then any violation of that (because it *can* be worked around) is a clear attempt to do something deliberately that can damage the entire corporate network - i.e. bye bye, don't trip up on the tech who's rebuilding your machine from a clean image on the way out...

      Pushing it onto "random employees do shit and we can't stop it" could cover all sorts of mistakes that the customers and business end up paying for - oops, the customer database was accidentally attached to that email (Demon Internet in the UK earlier this week)... oh well, too many employees to police *that*... ??? No... someone gets disciplined. And eventually that stops happening, especially if you have the right precautions in place to prevent it happening accidentally.

      • Re: (Score:1, Insightful)

        And if someone plugs something in and pushes a virus onto the network - how different is that to pulling the fire alarm, or jamming the lifts in a skyscraper? The company should be dealing with it - first by basic prevention (no USB access or even no USB ports if they aren't needed), secondly by policies but most importantly by enforcement.

        Pulling fire alarms generally lead to jail time. I don't think there are many courts that would view dismissing an employee every five days for using a computer kindly, let alone jailing them for years.

        The *company* should be taking basic precautions with its customer's and its own business data - that means limiting access to the bare minimum required.

        Which drives the costs up. Hey -- $50 for a bag of chips. $120 dollars a gallon for gas. You want perfect security? Pay for it.

        especially if you have the right precautions in place to prevent it happening accidentally.

        There is no precaution that can outsmart human stupidity. If you had more than a year of experience in the field, you'd know this. Damn armchair network admins...

      • Re: (Score:3, Insightful)

        by giorgiofr (887762)
        Yeah right. My boss only hears "blah blah" and thinks "don't care - wanna play golf" when I say "unauthorised device into the corporate network". Tentative policies trying to deal with this stuff make executives cry bloody murder and are promptly removed. And even if anybody cared, there would be legislative obstacles to firing an employee over here: read, it's basically impossible unless they've got some CP on their boxes.
      • but you are talking about preventing users to do one of the most convenient and basic things they need for their job: transferring bunch of data via USB key (moving gigabytes any other way is painful). You can't treat users as idiots. They want permanent internet/e-mail access and this is far bigger problem. Meybe you can sacrifice MS Office instead. Then it would be possible to replace Windows with anything else and make your whole network much safer then by trying to enforce impossible stuff on hundreds/t
      • Re:Corporate America (Score:5, Informative)

        by BenEnglishAtHome (449670) on Friday September 25, 2009 @11:40AM (#29540205)

        That's interesting. Where I work, [irs.gov] inserting a personally-owned pen drive to a computer on the network that gets caught in a scan results in a suspension. Inserting a personally-owned pen drive that pushes malware out onto the network gets you fired. Inadverdently attaching a spreadsheet with customer data to an email and sending it outside the organization gets you fired, everyone in your area subjected to additional training, and an executive or two dragged before a congressional subcommittee to fall on their swords. Deliberately accessing customer data to which you have no right gets you all of the above, plus you go to jail.

        Other places don't take security as seriously?

        • Damn, I wish I worked for the feds. Good rules and retirement.

          --Deliberately accessing customer data to which you have no right gets you all of the above, plus you go to jail.--

          I think this is the case anywhere.

          --inserting a personally-owned pen drive to a computer on the network that gets caught in a scan results in a suspension.--

          To bad I can't force adoption of this policy within our organization. A lot of this stems from the fact that there is no broadband out where some of the higher ups live. So they

          • Just one question though; what does surfing and posting to /. get you working for the IRS?

            Good question!

            We have a "limited personal use" policy that allows us to do some surfing and send some personal email. We can't abuse it. If you sit and watch YouTube all day, you'll get in hot water pretty quick. But checking tech-related forums (the ones I used to visit in the *.ru and *.cjb.net domains are now blocked, I might add) is OK as long as it doesn't cause a noticable impact on productivity.

            Slashdot ge

            • I fear here that all personal internet activity will be banned, but define personal? Sometimes, this stuff has dual uses IMO.

              Message boards are where you really learn stuff I think, and with the unwillingness to pay for training you basically have to train yourself. Some have the discipline for this. Some do not.

              Most use their down time merely for play. I try to find something of some limited value at least. I have been reading /. long before I got a UID. There are some forums in my field that have maybe 30

        • by pfleming (683342)

          Inadverdently attaching a spreadsheet with customer data to an email and sending it outside the organization gets you fired,

          ... and if the receiver knows anything at all about the IRM he chats it over with the person whose information was disclosed IRS gets to pay out $1000.00 per name on the list.

      • Re:Corporate America (Score:5, Informative)

        by Strange Ranger (454494) on Friday September 25, 2009 @12:21PM (#29540671)
        (no USB access or even no USB ports if they aren't needed)

        This sort of mentality drives me up a wall. Let's pretend we're the Pentagon and take half the usefulness out of modern technology before we let our users us it.
        No thanks. You're a cost center. I make the company money. If I want to plug a cordless mouse into my laptop to make my 60 hour week easier than I'm going to do that. If you can't figure out a way to let me then F@(% YOU. Sorry but that's how most of us feel. This is the laptop I carry with me everywhere and use all the time. It's the one I take on vacation so I can WORK from vacation. So of course I'm going to want to plug a camera into it and use it for personal use. If you want me to treat it like I don't own it then I'll start leaving it at the office and you can take 15-20 hours of my work every week and shove it. You can't have it both ways. The chance that somebody is targeting the company with a non-scan-able customized piece of malware through the jpegs on my camera's SD card is close enough to NIL. Create a white list of file types, scan the thumbdrive or memory card, do whatever you need to do short of turning into Mordac - Preventer of Information Services [whatitslik...inside.com]. And let me get on with my life. And while you're at it take the 95 things in my system tray that slow my machine down to a crawl and send them to oblivion.

        The company has unsecured trash dumpsters, unsecured phone lines, an unsecured fax machine sitting in every hallway, and people in the mailroom that make 8 bucks an hour. How about addressing those things and getting some perspective before turning my laptop into a 60-hour per week jail sentence. Thanks.
        • by LibertineR (591918)
          First, you seem to admit that unless your company allows you to use THEIR property for YOUR personal use, then you are unmotivated to do more than the minimum amount of work required.

          Whether you make the company money or not, is completely irrelevant. You get PAID to do what you do; you are owed nothing beyond your check and whatever else is listed on your stub, baby.

          The fact that you get paid, means that you likely have the means to purchase YOUR OWN laptop, on which to conduct your personal business,

          • >NOBODY successful gives a shit about 60 hours, because they dont count them. They just get things done, and look for more to do.

            Spoken like someone with no family (and no other life either).

            >purchase YOUR OWN laptop, on which to conduct your personal business

            Spoken like someone who enjoys carrying two laptops everywhere.

            Thank you Mordac. But you need to get a clue. Your job is to ENABLE the people who make money. Even if I thought carrying two laptops around sounded like fun, having me swi
            • WE make no money for the company? Clearly you are yourself personally able to manage all your own IT needs including full compliance with SOX, PCI, HIPAA etc (like keeping your personal shit seperate from the business's). Clearly you yourself personally can engineer 150 servers down to 30 in a big VMotion capable environment with redundancy and failover. Clearly you are able to produce, maintain and evolve the business's ecommerce site all by yourself.

              Look, I'm real sorry your job sucks and you need 60 hour

              • Believe it or not I actually have a ton of respect for IT. For 12 years I was IT.

                The point is not how hard you or I are to replace.
                The point is that companies exist to make money. Anyone who throws up enough roadblocks to making money is harming the company and can't (or shouldn't) remain. IT exists to facilitate the people and processes that make money. IT, for the vast majority of companies, is a cost center. If you implement a system or policy that takes time or efficiency away from 5000 users in a
                • If IT is a cost center it is because the upper management has made it that way. They fail to hire or provide training for competent end-user employees, fail to approve IT's requests for tech initiatives that will streamline things and make them more effective, and generally play penny-wise pound-foolish and then throw IT under the bus.

                  This is the reality in those places where IT is a true cost center.

      • by danger42 (302987)

        ...how different is that to pulling the fire alarm, or jamming the lifts in a skyscraper?

        Skyscrapers have lifts? Aren't they tall enough already?

      • What if the ones most guilty are over you in rank?

        --that means limiting access to the bare minimum required--

        Define bare minimum? In some cases this can stifle productivity. A lot of the blame can be placed on Microsoft for not putting more of their stuff in user space. Here's my idea; switch the OS if possible, if not the switch what is possible to something else.

        I really wish I had the authority to do what you say, but here there would be so much whining that I would be likely affected by all of the negat

      • That's the "gen-X" problem of not understanding that you can't treat the work computer as your own. When you enforce strict policies they just think you are going too far, treating them unfairly, and think that as a cost centre IT people shouldn't be allowed to tell those that are making money for the company what to do in the first place. Leave social change to the management or you'll just be wasting a lot of time arguing and developing a reputation as a BOFH. That will eventually hurt the pay packet o
    • --All the network management in the world cannot control that many people--

      This hit a nerve, because this is the exact problem that we have in a small company, but it's the higher up's that insist on having this stuff present.

    • by pfleming (683342)
      Just reconfigure autorun on the USB drives to lock the computer up. Say it renames c:\boot.ini or win.ini and splashes a bogus blue screen so they reboot... yeah that would be fun.
  • by King_TJ (85913) on Friday September 25, 2009 @10:24AM (#29539329) Journal

    It seems like educational institutions have some of the biggest problems with system tampering/hacking/infections, since they're exposed to thousands of students each year who have attitudes of "Who cares? Not MY computer anyway!" and who often think it's a challenge and *fun* trying to mess up the system in question. Unlike hackers trying to infect you with malware over the Internet from some other country, these people have full PHYSICAL access to the computers.

    So how do they manage? Many schools I know have things configured so their workstations get re-imaged nightly from master images on a server. Any unauthorized changes made to the computer only last until that nightly maintenance runs, at the longest. (An admin might re-image a workstation even more quickly than that if he/she realizes it has an issue.)

    I could see large businesses resorting to this, as well - if they're starting to encounter risks as aggressive as bots targeted to their particular businesses.

    • At my university, we have a the VCL [ncsu.edu], a pool of blade servers accessible by RDP or SSH that get imaged on the fly when a user requests a machine with certain apps. These blades get wiped on log-out. (Home directories are of course stored elsewhere, and accessed over AFS.) This is very secure, but it lets students get admin access to their machine, and it also helps keep software licensing costs down, because it is trivial to limit the number of concurrent users of a package that isn't volume licensed. Perfor

      • by clarkn0va (807617)
        We use thin clients and RDP for students here at the college. It removes physical access to the Windows machine in a very elegant way, and is tonnes easy to manage.
    • by mrdoogee (1179081)
      Seems like a lot of network overhead for that... why not use a product like Steadystate or Deep Freeze? Is there an advantage to re-imaging every box nightly?
      • by iamhigh (1252742)
        I don't use it the way the GP describes, but the imaging software I have used will usually let you kick off a job over the network, but the data is on a partition on the computer. This does mean that someone could mess with that data, but bots aren't that smart yet, and most users couldn't do more than delete data (which is easily restored). It cuts down greatly on network usage; also I would assume you would need one hell of a server to push that out to more than a few dozen computers.
        • by King_TJ (85913)

          Well, it all depends, really. If you push the images out using IP multicasting, it shouldn't take more bandwidth to image 100 identical boxes than it takes to image 1. (They all listen to the same broadcast of image data simultaneously.)

          Obviously, you're typically not going to have ALL of your PCs using the exact same image, but you probably can narrow things down to several images that cover the needs of the whole network.

          Plus, in a corporate setting - it's quite possible nobody really uses the network a

  • If I was a CTO and my department found a botnet like this, I'd be very tempted to play the disinformation game. Clean up some of them, but with others, just move the machines to an isolation area and start feeding them faked drafts of sales figures, annual reports, engineering drawings of dead-end designs, whatever else the botnet might be looking for. Alas there's probably some SEC regulation against that sort of thing.

    • Regulation? Why? You can't put whatever files you wish on your own machines?
      • by PitaBred (632671)
        The SEC has very specific, and sometimes seemingly random, mandates that are required for any computers and people that work with financial and securities data.
  • by Jaktar (975138) on Friday September 25, 2009 @10:34AM (#29539425)
    So I've been doing what I can to keep things running smoothly. Recently we 'upgraded' our server with a dedicated line to the corporate network. When the company IT came in, their standard procedure was to image each of the machines with XP SP2, IE6, McAfee, and a few other outdated tools. When they left, half of my machines would hang on logout. A number of the machines wouldn't connect to their antivirus repositories. This story does not surprise me in the least. I asked a lot of questions about why they were using these old revisions, and their answer was "It hasn't been fully tested". It's a good thing I only make electricity and not something really important.
  • The main problem is that, for a system to be sure, at least one part of it has to be strict. Since Windows is fairly permissive, security requires a sysadmin to be something of a hardass- a position which is not often appreciated by users. At my office, for instance, people constantly complain that our sysadmin doesn't allow them to install *anything* on their PCs, assuming that they even have full PCs (about 1/2 of them are Citrix thin clients). On the other hand, as I explain to them, I've worked in IT fo

    • by radish (98371)

      How is Windows different from anything else in that regard? If *nix users can install software they can also install trojans or anything else. It's (arguably) less likely that that software could cause damage to the local system, but that's not what botnets are about - they want to read local files and send out data. Apps running as a regular user can do that just fine.

  • An infection rate of 7 to 9 percent of IP addresses? That's a very narrow range. Too narrow to be credible. None of the enterprises had, say, 4 or 12 percent compromised?

    These folks are statistically impaired. They probably are sitting on a lot of really useful data, but they don't know what it means. Certainly, they haven't released enough information for anyone to draw conclusions from it.

  • "Botnets, spammer's botnets!
    What kind of boxes are on botnets?

    Compaq, HP, Dell and Sony, true!
    Gateway, Packard Bell, maybe even Asus, too!

    Are boxes, found on botnets.
    All running Windows, FOO!"

    I'm running Mac OS X 10.5.8, here.

    Why, yes. Yes I AM a smug bastard!
    Thanks for asking.

  • A little irrelevant, but I have noticed my entire adult life, from the 70's onward since I've been paying attention to stuff like this, that educated estimates of something in the general population are amazingly often about 10%. This cannot be a coincidence.

    I've often thought that 10% was a figure that these researchers come to because single digits are insignificant but still small enough that no one can easily disprove it. Or there is some natural law that correlates an anomaly i

  • When every program on the system, from Solitaire.exe to the MP3 player has complete access to read, write or delete all of the user's files, connect to any computer on the internet, etc, its no wonder malware thrives.

Air is water with holes in it.

Working...