Up To 9% of a Company's Machines Are Bot-Infected 146

ancientribe sends in a DarkReading piece on the expanding footprint of small, targeted botnets in enterprises. "Bot infections are on the rise in businesses, and most come from botnets you've never heard of nor ever will. Botnet researchers at Damballa have found that nearly 60 percent of bot infections in organizations are from bot armies with only a handful to a few hundred bots built to target a particular organization. Only 5 percent of the bot infections were from big-name botnets, such as Zeus/ZDbot and Koobface. And more businesses are getting hit: 7 to 9 percent of an organization's machines are bot-infected, up from 5-to-7 percent last year, according to Damballa. ... [Damballa's] Ollmann says many of the smaller botnets appear to have more knowledge of the targeted organization as well. 'They are very strongly associated with a lot of insider knowledge...and we see a lot of hands-on command and control with these small botnets,' he says. ... Ollmann says botnets of all sizes are also increasingly using more and different types of malware rather than one particular family in order to evade detection. 'Most botnets, even small ones, have hundreds of different pieces of malware and families in use..."
  • Re:Bot scanner? (Score:2, Informative)

    by Anonymous Coward on Friday September 25, 2009 @10:02AM (#29539105)

    Any good bot scanner?

    your firewall logs...

  • Re:egress filtering (Score:4, Informative)

    by TorKlingberg ( 599697 ) on Friday September 25, 2009 @10:05AM (#29539127)

    Not the kind of bots that this article describes, that are targeted specifically to your company.

  • by __aaqvdr516 ( 975138 ) on Friday September 25, 2009 @10:34AM (#29539425)

    So I've been doing what I can to keep things running smoothly. Recently we 'upgraded' our server with a dedicated line to the corporate network. When the company IT came in, their standard procedure was to image each of the machines with XP SP2, IE6, McAfee, and a few other outdated tools. When they left, half of my machines would hang on logout. A number of the machines wouldn't connect to their antivirus repositories. This story does not surprise me in the least. I asked a lot of questions about why they were using these old revisions, and their answer was "It hasn't been fully tested". It's a good thing I only make electricity and not something really important.
  • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Friday September 25, 2009 @11:33AM (#29540125)

    Simply hook up a decent intrusion detection system (Snort is exceptionally decent in this regard) and look at the traffic patterns.

    Workstations contact servers for services provided by those servers. Services that you should be aware of.

    Workstations do not contact other workstations (except for IT support people).

    Then look at outbound traffic. Betsy in Accounting cannot spell IRC so why would she be using that protocol?

    This isn't much help if everything turns to https for command and control. But at least you'd see the sites that those were hitting. Why is someone hitting e3rt49io.cn at 3 in the morning?
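    A Python sketch of the traffic-pattern checks khasim describes (workstation-to-workstation contact, IRC from a desktop, off-hours connections to outside hosts) run over firewall-style flow records, added here as an illustration; it is not part of any comment above and not Snort. The subnets, the IT-support host and the flow lines are constructed.

```python
import ipaddress
from datetime import datetime

# Constructed network layout; a real site would take this from its own inventory.
WORKSTATIONS = ipaddress.ip_network("10.1.0.0/16")
SERVERS = ipaddress.ip_network("10.2.0.0/24")
INTERNAL = (WORKSTATIONS, SERVERS)
IT_SUPPORT = {ipaddress.ip_address("10.1.0.5")}   # desktops allowed to reach peers
IRC_PORTS = {6667}                                # standard plaintext IRC port
QUIET_HOURS = range(0, 6)                         # 00:00-05:59 local time

def parse_flow(line):
    """Parse one constructed flow line: 'timestamp src dst dst_port [hostname]'."""
    parts = line.split()
    ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
    host = parts[4] if len(parts) > 4 else None
    return ts, ipaddress.ip_address(parts[1]), ipaddress.ip_address(parts[2]), int(parts[3]), host

def classify(ts, src, dst, port, host):
    """Return the names of the rules a single workstation-originated flow trips."""
    hits = []
    if src not in WORKSTATIONS:
        return hits                       # server-originated traffic is out of scope here
    if dst in WORKSTATIONS and src not in IT_SUPPORT:
        hits.append("workstation-to-workstation")
    if port in IRC_PORTS:
        hits.append("irc")
    external = not any(dst in net for net in INTERNAL)
    if external and ts.hour in QUIET_HOURS:
        hits.append(f"off-hours-external:{host or dst}")
    return hits

def scan(lines):
    """Run every flow line through classify() and collect (source, rule) alerts."""
    alerts = []
    for line in lines:
        if line.strip():
            ts, src, dst, port, host = parse_flow(line)
            alerts.extend((str(src), rule) for rule in classify(ts, src, dst, port, host))
    return alerts

# Constructed sample: a normal file-server hit, a peer-to-peer SMB connection,
# an IT-support RDP session, an IRC connection, and a 3 AM visit to an odd domain.
SAMPLE_FLOWS = """\
2009-09-25T09:12:03 10.1.4.20 10.2.0.10 445 fileserver.internal.example
2009-09-25T09:13:44 10.1.4.20 10.1.7.31 445
2009-09-25T09:15:00 10.1.0.5 10.1.7.31 3389
2009-09-25T11:02:10 10.1.4.20 198.51.100.7 6667 irc.example
2009-09-25T03:01:55 10.1.7.31 203.0.113.9 443 e3rt49io.example
""".splitlines()

if __name__ == "__main__":
    for src, rule in scan(SAMPLE_FLOWS):
        print(f"{src}: {rule}")
```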

  • Re:Corporate America (Score:5, Informative)

    by BenEnglishAtHome ( 449670 ) on Friday September 25, 2009 @11:40AM (#29540205)

    That's interesting. Where I work, [irs.gov] inserting a personally-owned pen drive to a computer on the network that gets caught in a scan results in a suspension. Inserting a personally-owned pen drive that pushes malware out onto the network gets you fired. Inadvertently attaching a spreadsheet with customer data to an email and sending it outside the organization gets you fired, everyone in your area subjected to additional training, and an executive or two dragged before a congressional subcommittee to fall on their swords. Deliberately accessing customer data to which you have no right gets you all of the above, plus you go to jail.

    Other places don't take security as seriously?

  • Re:Corporate America (Score:5, Informative)

    by Strange Ranger ( 454494 ) on Friday September 25, 2009 @12:21PM (#29540671)

    (no USB access or even no USB ports if they aren't needed)

    This sort of mentality drives me up a wall. Let's pretend we're the Pentagon and take half the usefulness out of modern technology before we let our users use it.
    No thanks. You're a cost center. I make the company money. If I want to plug a cordless mouse into my laptop to make my 60 hour week easier then I'm going to do that. If you can't figure out a way to let me then F@(% YOU. Sorry but that's how most of us feel. This is the laptop I carry with me everywhere and use all the time. It's the one I take on vacation so I can WORK from vacation. So of course I'm going to want to plug a camera into it and use it for personal use. If you want me to treat it like I don't own it then I'll start leaving it at the office and you can take 15-20 hours of my work every week and shove it. You can't have it both ways. The chance that somebody is targeting the company with a non-scan-able customized piece of malware through the jpegs on my camera's SD card is close enough to NIL. Create a white list of file types, scan the thumbdrive or memory card, do whatever you need to do short of turning into Mordac - Preventer of Information Services [whatitslik...inside.com]. And let me get on with my life. And while you're at it take the 95 things in my system tray that slow my machine down to a crawl and send them to oblivion.

    The company has unsecured trash dumpsters, unsecured phone lines, an unsecured fax machine sitting in every hallway, and people in the mailroom that make 8 bucks an hour. How about addressing those things and getting some perspective before turning my laptop into a 60-hour per week jail sentence. Thanks.
  • Comment removed (Score:4, Informative)

    by account_deleted ( 4530225 ) on Friday September 25, 2009 @01:02PM (#29541127)
    Comment removed based on user account deletion
  • Re:Bot scanner? (Score:2, Informative)

    by Anonymous Coward on Friday September 25, 2009 @02:27PM (#29542169)

    OTOH, Windows has its vulnerabilities baked right in, as shipped.

    Apparently so does Linux [lwn.net].
