Up To 9% of a Company's Machines Are Bot-Infected

ancientribe sends in a DarkReading piece on the expanding footprint of small, targeted botnets in enterprises. "Bot infections are on the rise in businesses, and most come from botnets you've never heard of nor ever will. Botnet researchers at Damballa have found that nearly 60 percent of bot infections in organizations are from bot armies with only a handful to a few hundred bots built to target a particular organization. Only 5 percent of the bot infections were from big-name botnets, such as Zeus/ZDbot and Koobface. And more businesses are getting hit: 7 to 9 percent of an organization's machines are bot-infected, up from 5-to-7 percent last year, according to Damballa. ... [Damballa's] Ollmann says many of the smaller botnets appear to have more knowledge of the targeted organization as well. 'They are very strongly associated with a lot of insider knowledge...and we see a lot of hands-on command and control with these small botnets,' he says. ... Ollmann says botnets of all sizes are also increasingly using more and different types of malware rather than one particular family in order to evade detection. 'Most botnets, even small ones, have hundreds of different pieces of malware and families in use..."
  • Education (Score:5, Insightful)

    by sopssa ( 1498795 ) * <sopssa@email.com> on Friday September 25, 2009 @09:51AM (#29538977) Journal

    This is the reason traditional antivirus scanning will not work. If the specific malware is only inside your company or a few hundred PCs, there aren't signatures for it either. You have to educate your company's workers and restrict access in the OS instead of blindly trusting your antivirus providers.

    Now the same approach doesn't work in homes or educating those random users, but it should work inside your company.

  • by MaraDNS ( 1629201 ) on Friday September 25, 2009 @10:03AM (#29539107) Homepage Journal

    This, naturally, compromises other machines on the same network. If another machine on the same network is controlled by hackers, one thing they can do is run a packet sniffer and grab unencrypted passwords. Or read your email (unless you use Gmail and have things set up to always use SSL). Or try to control your computer; it's a lot easier to attack a computer when you're behind the firewall.

    The good news is this: Since the computer is a company computer, there's a lot more we can do to find and remove the virus from the computer in question. Such as taking the computer off of the network, making a backup of all data files, and doing a complete reinstall of the OS and all company-approved applications. With or without the computer owner's consent. A corporate IT department has a lot more control over their computers than, say, Comcast.

    So the question is this: What are good ways for a corporate IT network to know whether a given computer is a zombie? Analysis of the packets a given computer makes is one way.

  • Corporate America (Score:3, Insightful)

    by girlintraining ( 1395911 ) on Friday September 25, 2009 @10:15AM (#29539231)

    Why do people blame the company for this?

    I worked deployment for several years at a company with about 13,000 servers and 96,000 workstations, as well as over 25,000 POS systems. I can safely say that size is not the problem. Policies are the problem. There is always that one employee that thinks that he can sneak iTunes onto the network and download some mp3s to a flash drive despite the "no pen drives policy". Disabling them doesn't really help -- they have physical access to the machine of course.

    If you figure that there are 150,000 employees in your company, and the consumer market has a 5% infection rate, and 1% of your employees decide to bring a flash drive in... Then every five days, someone is plugging an infected flash drive into your network. All the network management in the world cannot control that many people -- I can't replicate myself to stand over each user and remind them of the risks. And since they don't see the consequences as they happen, there's no chance for them to learn.

    But blaming corporations for this is stupid. And blaming employees for it isn't productive. The truth of the matter is, as far as the business world is concerned -- viruses, worms, malware, spyware, and the like are the cost of doing business. It would cost way more to fix the problem than to simply let it eat at the margins.

    Sorry to say, but your data isn't worth those kinds of expenses.

  • Re:Education (Score:5, Insightful)

    by sopssa ( 1498795 ) * <sopssa@email.com> on Friday September 25, 2009 @10:19AM (#29539271) Journal

    Moving to Linux does little to help in the situation the article explains. If it's targeted at your company, it doesn't matter if you're running Windows or Linux or some other OS. The malware will be designed for it. If its purpose is to steal information or banking details, it runs just fine in user space too, no root required. It might even make the situation worse, since the system is new to almost everyone (and spotting well-hidden malware in Linux is hard).

  • by ledow ( 319597 ) on Friday September 25, 2009 @10:23AM (#29539321) Homepage

    Because, physical access or not, you should be stopping it anyway.

    And if someone plugs something in and pushes a virus onto the network - how different is that to pulling the fire alarm, or jamming the lifts in a skyscraper? The company should be dealing with it - first by basic prevention (no USB access or even no USB ports if they aren't needed), secondly by policies but most importantly by enforcement. With physical access, if an employee plugs in a USB stick and somehow "makes" it work when you've disabled it as an administrator, then it's not an accidental thing - not an unthinking "Oh, I can't send it over the network, I'll just plug in my personal USB and do it at home"... it's a deliberate, wilful act to insert an unauthorised device into the corporate network. No different to plugging in an unsecured wireless router, or anything else.

    The *company* should be taking basic precautions with its customer's and its own business data - that means limiting access to the bare minimum required. Then any violation of that (because it *can* be worked around) is a clear attempt to do something deliberately that can damage the entire corporate network - i.e. bye bye, don't trip up on the tech who's rebuilding your machine from a clean image on the way out...

    Pushing it onto "random employees do shit and we can't stop it" could cover all sorts of mistakes that the customers and business end up paying for - oops, the customer database was accidentally attached to that email (Demon Internet in the UK earlier this week)... oh well, too many employees to police *that*... ??? No... someone gets disciplined. And eventually that stops happening, especially if you have the right precautions in place to prevent it happening accidentally.

  • Re:Bot scanner? (Score:3, Insightful)

    by GerardAtJob ( 1245980 ) on Friday September 25, 2009 @10:27AM (#29539359)

    Any good firewall parser then?
    I'm lazy and don't want to read logs or parse them manually...
    Anyway, it's not even my job (I'm a programmer)! If there's a quick & dirty way to find out I'll try it once a week/month... but I won't read and parse this boring stuff...

  • Re:Education (Score:4, Insightful)

    by spydabyte ( 1032538 ) on Friday September 25, 2009 @10:34AM (#29539429)

    How does this education in a company differ from the home? Payment? Fire them if they're not secure? They've tried that, it's called government. We all see how well that works out.

    If you want to be 100% secure, hire smart people and shut off your internet pipe.

    Now 99.999%? That's a different story.

  • by girlintraining ( 1395911 ) on Friday September 25, 2009 @10:37AM (#29539457)

    > And if someone plugs something in and pushes a virus onto the network - how different is that to pulling the fire alarm, or jamming the lifts in a skyscraper? The company should be dealing with it - first by basic prevention (no USB access or even no USB ports if they aren't needed), secondly by policies but most importantly by enforcement.

    Pulling fire alarms generally leads to jail time. I don't think there are many courts that would view dismissing an employee every five days for using a computer kindly, let alone jailing them for years.

    > The *company* should be taking basic precautions with its customer's and its own business data - that means limiting access to the bare minimum required.

    Which drives the costs up. Hey -- $50 for a bag of chips. $120 dollars a gallon for gas. You want perfect security? Pay for it.

    > especially if you have the right precautions in place to prevent it happening accidentally.

    There is no precaution that can outsmart human stupidity. If you had more than a year of experience in the field, you'd know this. Damn armchair network admins...

    by giorgiofr ( 887762 ) on Friday September 25, 2009 @10:56AM (#29539671)

    Yeah right. My boss only hears "blah blah" and thinks "don't care - wanna play golf" when I say "unauthorised device into the corporate network". Tentative policies trying to deal with this stuff make executives cry bloody murder and are promptly removed. And even if anybody cared, there would be legislative obstacles to firing an employee over here: read, it's basically impossible unless they've got some CP on their boxes.

  • Re:Bot scanner? (Score:0, Insightful)

    by Anonymous Coward on Friday September 25, 2009 @11:52AM (#29540359)

    Gotta love the hypocrisy. If a user voluntarily installs malware on their system and gets into a botnet and they are on Windows, it's: "ZOMG TEH WINDOZE IS TEH INSECURE!!!". When a Linux box is part of a botnet due to someone voluntarily installing malware on the system, it's: "This isn't proof of Linux not being secure".

  • Re:Bot scanner? (Score:2, Insightful)

    by Kylock ( 608369 ) on Friday September 25, 2009 @01:33PM (#29541509)

    While some malware/botnet clients may escape anti-virus detection, the common trait is that they all have to connect to a command and control server. Many IDS products have signatures to detect this type of traffic.

    For example, many "botnet-kits" will connect using IRC on a random high port. IRC usage audit signatures are good for detecting the more common botnet c&c traffic.

    Prevention is key, but it's still not easy - trying to keep Joe User from playing that Michael Jackson video he got in his email from an unknown sender is quite a challenge.
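
The detection idea that MaraDNS (analyse the packets a host makes), GerardAtJob (a firewall log parser) and Kylock (every bot has to check in with its command and control server, often on a random high port) circle around, written out as an added example that is not from any poster: a Python script that parses constructed firewall connection-log lines and flags internal hosts that reconnect to the same external host and port at regular intervals. Because it keys on timing rather than port number, it catches a check-in on an arbitrary high port that a port-based signature would miss. The log format, addresses and thresholds are all made up for this example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall connection log (not from the article or thread).
# 10.0.1.15 reconnects to the same host:port every ~5 minutes; 10.0.1.22 is
# ordinary browsing. One malformed line is included to exercise parse().
LOG_LINES = """\
2009-09-25T10:00:00 src=10.0.1.15 dst=203.0.113.7 dport=31337 proto=tcp
2009-09-25T10:00:03 src=10.0.1.22 dst=198.51.100.40 dport=443 proto=tcp
2009-09-25T10:05:01 src=10.0.1.15 dst=203.0.113.7 dport=31337 proto=tcp
2009-09-25T10:07:44 src=10.0.1.22 dst=198.51.100.41 dport=80 proto=tcp
2009-09-25T10:10:00 src=10.0.1.15 dst=203.0.113.7 dport=31337 proto=tcp
2009-09-25T10:12:19 src=10.0.1.22 dst=198.51.100.40 dport=443 proto=tcp
2009-09-25T10:15:02 src=10.0.1.15 dst=203.0.113.7 dport=31337 proto=tcp
2009-09-25T10:20:00 src=10.0.1.15 dst=203.0.113.7 dport=31337 proto=tcp
2009-09-25T10:25:00 not a connection record
2009-09-25T10:31:05 src=10.0.1.22 dst=198.51.100.40 dport=443 proto=tcp
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) proto=(\S+)$")


def parse(lines):
    """Yield (timestamp, src, dst, dport) for each well-formed line; skip the rest."""
    for line in lines.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
        yield ts, m.group(2), m.group(3), int(m.group(4))


def find_beacons(lines, min_hits=4, max_jitter=0.1):
    """Return {(src, dst, dport): mean_interval_seconds} for flows that look like
    periodic check-ins: at least min_hits connections whose gaps deviate from the
    mean gap by no more than max_jitter (as a fraction of the mean)."""
    flows = defaultdict(list)
    for ts, src, dst, dport in parse(lines):
        flows[(src, dst, dport)].append(ts)
    beacons = {}
    for key, stamps in flows.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            beacons[key] = round(mean)
    return beacons


if __name__ == "__main__":
    for (src, dst, dport), interval in find_beacons(LOG_LINES).items():
        print(f"possible C&C check-in: {src} -> {dst}:{dport} every ~{interval}s")
```

A flagged flow is a lead to investigate (compare against known update servers, then pull the host for the kind of reimage MaraDNS describes), not a verdict on its own.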

    by orange47 ( 1519059 ) on Friday September 25, 2009 @02:02PM (#29541857)

    But don't packet sniffers grab passwords only on hubs, not the switches that everyone uses nowadays? Besides, many use Google's POP3 server, which should be safe(r)?

    by LibertineR ( 591918 ) on Friday September 25, 2009 @04:14PM (#29543471)

    First, you seem to admit that unless your company allows you to use THEIR property for YOUR personal use, then you are unmotivated to do more than the minimum amount of work required.

    Whether you make the company money or not is completely irrelevant. You get PAID to do what you do; you are owed nothing beyond your check and whatever else is listed on your stub, baby.

    The fact that you get paid means that you likely have the means to purchase YOUR OWN laptop on which to conduct your personal business, but no.......fuck them, right?

    The fact is, they CAN have it both ways, not YOU. Most professionals work from a sense of personal pride, and do what they feel is necessary to get the job done, not as barter for perks.

    My guess is that you are probably nowhere near as successful as you think you are, but if you would like to find out, why not post your screed on your LinkedIn page and see how many employers (including your current one) are enamored with your attitude.

    Here is a clue: NOBODY successful gives a shit about 60 hours, because they don't count them. They just get things done, and look for more to do.
