Up To 9% of a Company's Machines Are Bot-Infected 146
ancientribe sends in a DarkReading piece on the expanding footprint of small, targeted botnets in enterprises. "Bot infections are on the rise in businesses, and most come from botnets you've never heard of nor ever will. Botnet researchers at Damballa have found that nearly 60 percent of bot infections in organizations are from bot armies with only a handful to a few hundred bots built to target a particular organization. Only 5 percent of the bot infections were from big-name botnets, such as Zeus/ZDbot and Koobface. And more businesses are getting hit: 7 to 9 percent of an organization's machines are bot-infected, up from 5-to-7 percent last year, according to Damballa. ... [Damballa's] Ollmann says many of the smaller botnets appear to have more knowledge of the targeted organization as well. 'They are very strongly associated with a lot of insider knowledge...and we see a lot of hands-on command and control with these small botnets,' he says. ... Ollmann says botnets of all sizes are also increasingly using more and different types of malware rather than one particular family in order to evade detection. 'Most botnets, even small ones, have hundreds of different pieces of malware and families in use..."
Bot scanner? (Score:1)
Any good bot scanner?
Re: (Score:2, Informative)
Any good bot scanner?
your firewall logs...
Re: (Score:3, Insightful)
Any good firewall parser then ?
I'm lazy and don't want to read logs or parse them manually...
Anyway It's not even my job (I'm a programmer)! If they're a quick&dirty way to find out I'll try it once a week/month... but I wont read and parse this boring stuff...
Re: (Score:2)
I'm with parent on this. I'm a developer at a big company. Have 3 machines in front of me[*]. Don't have access to firewall logs, assuming IT is doing a decent job because none of my machines have ever gone down in last 3 years. Still, modern malware wouldn't take my machine down so I could very well be infected. How do I know? What do I scan?
[*] Linux on one, WinXP on the others because that is what the job demands (don't argue).
Re: (Score:2)
Any good bot scanner?
I don't know of one, but there is good bot prevention. It's called "Linux".
Re: (Score:1, Funny)
Comment removed (Score:4, Informative)
Re: (Score:2, Informative)
OTOH, Windows has its vulnerabilities baked right in, as shipped.
Apparently so does Linux [lwn.net].
Re: (Score:2)
Re: (Score:2)
Linux does too - who honestly takes a machine from the factory and deploys it without patching it? Or say you install Linux from CD or an image on the network - who puts that into production without patching it regularly?
Same with Windows - any admin worth anything is up to date on Windows patches. Yes it comes out of the box with loads of vulnerabilities, but most of these are fixable.
And yes I have fully patched network installs for Windows - go directly onto the machine without any major issues.
Re: (Score:2)
Gotta love the hypocrisy. If a user volunatarily installs malware on their system and get in a botnet and they are Windows it's: "ZOMG TEH WINDOZE IS TEH INSECURE!!!". When a Linux box is part of a botnet due to someone voluntarily installing malware on the system it's: "This isn't proof of Linux not being secure".
Not really. The above example is proof of the user being a security risk, not the OS. When a user installs malware, it is user error. Impossible for ANY OS to protect against. Calling the user a flaw in the OS is inaccurate at best. Same applies to situations where someone has gained physical access to the PC in question. Impossible for any OS to ever defend against such things. Where Windows excels though, is in automated installation of malware. Linux or OSX have years to go before they are even close t
Re: (Score:2)
Re: (Score:2)
That depends entirely on what your work involves. "Most applications" are not necessary for most work.
Re: (Score:2)
Re: (Score:2)
Actually, no. Most applications come with the OS. Now, if you mean "I can't run a spreadsheet in LINUX!" you CAN run a spreadsheet; just not Microsoft's. There are a few specialty apps that one might need that there are no Linux versions of, for these you can set your computer up dual-boot with networking disabled on the Windows side. When you're done with your nnon-linux app you can send the results over the net from Linux.
But most people don't need programs that will only run in Windows. Most people the "
Re: (Score:2)
I don't know of one, but there is good bot prevention. It's called "Linux".
So in other words, you want me to replace our Windows workstaions that run our ERP software which runs most of the business, over to Linux workstations that will not run ERP software worth anything, so that our business has to shut down?
SmRT!
I have made some Linux deployments here, but sadly there is just no way to fully switch over without seriously major and long interruptions in the business processes.
Due to the ERP software using 'technologies' ranging from Access 2000 up to dotNET 3.0, this pretty much
Re: (Score:2, Insightful)
While some malware/botnet clients may escape anti-virus detection, the common trait is that they all have to connect to a command and control server. Many IDS products have signatures to detect this type of traffic.
For example, many "botnet-kits" will connect using IRC on a random high port. IRC usage audit signatures are good for detecting the more common botnet c&c traffic.
Prevention is key, but it's still not easy - trying to keep Joe User from playing that Michael Jackson video he got in his email
Up To 9% of a Company's Machines Are Bot-Infected (Score:5, Funny)
Re: (Score:2)
You read the article? Please hand in your Slashdot membership on your way out.
Re: (Score:2)
Education (Score:5, Insightful)
This is the reason traditional antivirus scanning will not work. If the specific malware is only inside your company or a few hundred PC's, there isn't signatures for them either. You have to educate your company's workers and restrict access in OS instead of blindly trusting your antivirus providers.
Now the same approach doesn't work in homes or educating those random users, but it should work inside your company.
Re:Education (Score:4, Insightful)
If you want to be 100% secure, higher smart people and shut off your internet pipe.
Now 99.999%? That's a different story.
Re:Education (Score:4, Funny)
Re: (Score:2)
But I use my internet pipe to get me hire than high!
Re: (Score:2)
I believe you mean "hire THEN high."
Honestly, the level of discourse on the Internet these days...
Re: (Score:2)
Dash it all - I've been uncovered yet again! *dons top hat, twiddles moustache and leaves*
Re: (Score:2)
Can you give more specifics? Like there may be no way to avoid this on an XP machine, that's what I'm getting at. A lot of corps still have that with computers 5 years old and it as godd a reason as any to use some other OS.
Re:Education (Score:4, Interesting)
Screw educating, this situation calls for whitelisting and non-administrator privileges.
Re: (Score:2)
Re: (Score:2)
This is the reason traditional antivirus scanning will not work.
I've come to realise that antivirus scanning of any kind does not, and has never - really - worked. A combination of human factors, poor design and general stupidity makes it so.
Re: (Score:2)
I think I can safely say that educating users is a lost cause. Some people just CAN'T be educated.
Re:Education (Score:5, Insightful)
Moving to Linux does little to help in the situation the article explains. If its targeted at your company, it doesn't matter if you're running Windows or Linux or some other OS. The malware will be designed for it. If its purpose is to steal information or banking details, it runs just fine on user space too, no root required. It might even make the situation worse, since the system is new to almost everyone (and spotting a well hidden malware in Linux is hard)
Re: (Score:2)
Moving to Linux may help. The article says:
these mini-botnets tend to rely on popular DIY malware kids, like Ivy and Zeus
Surely there are far more malware kits for Windows? If there are few or none for Linux, then Linux will be much harder to attack: they could write everything from scratch, but its a lot more work so they would probably just move to the next target.
Re: (Score:2)
That's why you need to have a diverse network infrastructure, like we used to have in the 1980s and even most of the 1990s.
We had Solaris, Xenix, SCO's OpenDesktop, HP-UX, AiX and Windows NT on our workstations. Our backend was VMS and even OS/360 at one place I worked.
Jeez, diverse network infrastructure... we just called it a cluster fuck.
And you always end up with one person that is the king of kludges.
Re: (Score:2)
Maybe if I educate the owner that there is almost a 10% chance of him sending his day-trading activities to some guy in Russia, he will start to listen about moving to the linux based thin client solution I've been touting for years... nah, then he wouldn't be able to day-trade using those fancy tools.
The thin client set up doesn't change whether there is a bot on the server or not. Having said that there are some Java based cross-platform trading tools being developed by TDAmeritrade.
Voltron Anyone? (Score:4, Funny)
Great - now my day is ruined because I am going to be looking for an MP3 of the lion voltron assembly thing to put as a ring tone on my phone.
Re: (Score:1)
Your whole day? Just rip if from some Youtube video, I'm sure it is there.
Re: (Score:2)
http://www.youtube.com/watch?v=kF7cuJ3V5HY&feature=related [youtube.com]
Self promoting (Score:1)
It sounds like the company in question provides security services, so isn't this piece of 'research' an advertisement for their services?
Mod parent up. (Score:5, Interesting)
I'm having a lot of trouble believing some of the claims in that article.
600 botnets
5% of 600 is 30. So only 30 out of 600 were "big-name"? That doesn't sound like those "big-name" ones are all that big.
60% of 600 is 360. So their tiny sample found 360 instances of NEW viruses/worms/trojans? I find it very difficult to believe that there are that many sites with custom infections.
Which leaves 210 infections that are not custom and not "big-name". How did those sites manage that? In my experience, if some site it getting infected by less virulent code, it's also infected by the more virulent code.
Which makes me question how those sites are selected for them to investigate. NONE of them had decent anti-virus practices?
Whoa! I'd think that they're using a different definition of "botnet" than the one I'm familiar with. Of course having more than one machine is more efficient. If nothing else, that one machine is a "single point of failure" than can be re-imaged at any time.
I don't see how those two statements support each other. What knowledge do they need? IP ranges, routers, gateways and servers.
Which they cannot possibly do if they controlled 40 or 50 hosts. Or 400 or 500. Etc. Bullshit.
Again there is nothing to support those statements.
How can it be "specific to the host being targeted"?
Aren't "bots" always hardcoded with the "command and control channel"? Such as "use IRC" and "connect to this generated list of sites for updates".
Damn "malware kids". Get off my lawn!
Damn! Not only are they "more automated" but they also have " a lot of hands-on command and control".
Pure
Marketing
Fluff
egress filtering (Score:4, Interesting)
This solution is egress filtering: stop all traffic going out to the internet from desktop computers. Then provide a proxy server (HTTP and SOCKS) users can use to get what they need on the net. The proxy server must be a filtering server--the sort that keeps a list of known malware sites and botnet controllers, so that it can automatically block them.
With this in place, users will still be able to get what they need from the net, but 99% of bots will be stopped.
Re:egress filtering (Score:4, Informative)
Not the kind of bots that this article describes, that are targeted specifically to your company.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
We have an eSafe gateway with the antimalware/antispam piece which does stop communications with known malware sites and botnet controllers. I point that out as a solution to this problem. There are others.
machine malware infections (Score:5, Interesting)
Half of Fortune 100 companies compromised by new information stealing Trojan [blogspot.com]
"Security tool designed to stealthy run on winnt based systems (win2k to winvista) and to stealthy and efficiently spread with 3 spreaders, which were specially designed and improved compared to already known public methods.[sic]" The three spreaders are MSN, USB, and P2P. Listed P2P networks were "ares, bearshare, imesh, shareaza, kazaa, dcplusplus, emule, emuleplus, limewire.[sic]"
Re: (Score:2)
Primarily malware network with hints that they used to be useful.
This compromises other machine on the same network (Score:4, Insightful)
This, naturally, compromises other machines on the same network. If another machine on the same network is controlled by hackers, one thing they can do is run a packet sniffer and grab unencrypted passwords. Or read your email (unless you use Gmail and have things set up to always use SSL). Or try to control your computer; it's a lot easier to attack a computer when you're behind the firewall.
The good news is this: Since the computer is a company computer, there's a lot more we can do to find and remove the virus from the computer in question. Such as taking the computer off of the network, making a backup of all data files, and doing a complete reinstall of the OS and all company-approved applications. With or without the computer owner's consent. A corporate IT department has a lot more control over their computers than, say, Comcast.
So the question is this: What are good ways for a corporate IT network to know whether a given computer is a zombie? Analysis of the packets a given computer makes is one way.
Re: (Score:2)
You can usually locate a zombie by its insatiable appetite for human flesh. Other indicators tend to be lack of comprehension regarding basic command like 'stop' or 'there's a tasty young blonde over there'.
The best way ... Snort. (Score:4, Informative)
Simply hook up a decent intrusion detection system (Snort is exceptionally decent in this regard) and look at the traffic patterns.
Workstations contact servers for services provided by those servers. Services that you should be aware of.
Workstations do not contact other workstations (except for IT support people).
Then look at outbound traffic. Betsy in Accounting cannot spell IRC so why would she be using that protocol?
This isn't much help if everything turns to https for command and control. But at least you'd see the sites that those were hitting. Why is someone hitting e3rt49io.cn at 3 in the morning?
Re:This compromises other machine on the same netw (Score:2)
This, naturally, compromises other machines on the same network... Or try to control your computer; it's a lot easier to attack a computer when you're behind the firewall.
Most enterprises now segregate their internal networks with a series of firewalls as well.
So the question is this: What are good ways for a corporate IT network to know whether a given computer is a zombie?
There are a lot of tools designed for exactly this purpose. Some of the better ones integrate with your routers and will do more than give you a list of infected machines. They'll attempt to find them automatically and identify them and notify you and either automatically or on command quarantine the infected systems by filtering out traffic from them or from a chunk of your network using the routers. At least one tool
Re: (Score:2, Insightful)
Re: (Score:2)
*An* organization? (Score:2)
And more businesses are getting hit: 7 to 9 percent of an organization's machines are bot-infected, up from 5-to-7 percent last year, according to Damballa.
I think the bolded "an" is a typo, otherwise, this sentence makes little sense.
Re: (Score:1)
no, it's perfectly valid. A little ugly, but valid.
Apple fanboys (Score:3, Funny)
Corporate America (Score:3, Insightful)
Why do people blame the company for this?
I worked deployment for several years at a company with about 13,000 servers and 96,000 workstations, as well as over 25,000 POS systems. I can safely say that size is not the problem. Policies are the problem. There is always that one employee that thinks that he can sneak iTunes onto the network and download some mp3s to a flash drive despite the "no pen drives policy". Disabling them doesn't really help -- they have physical access to the machine of course.
If you figure that there are 150,000 employees in your company, and the consumer market has a 5% infection rate, and 1% of your employees decide to bring a flash drive in... Then every five days, someone is plugging an infected flash drive into your network. All the network management in the world cannot control that many people -- I can't replicate myself to stand over each user and remind them of the risks. And since they don't see the consequences as they happen, there's no chance for them to learn.
But blaming corporations for this is stupid. And blaming employees for it isn't productive. The truth of the matter is, as far as the business world is concerned -- viruses, worms, malware, spyware, and the like are the cost of doing business. It would cost way more to fix the problem than to simply let it eat at the margins.
Sorry to say, but your data isn't worth those kinds of expenses.
Re:Corporate America (Score:5, Insightful)
Because, physical access or not, you should be stopping it anyway.
And if someone plugs something in and pushes a virus onto the network - how different is that to pulling the fire alarm, or jamming the lifts in a skyscraper? The company should be dealing with it - first by basic prevention (no USB access or even no USB ports if they aren't needed), secondly by policies but most importantly by enforcement. With physical access, if an employee plugs in a USB stick and somehow "makes" it work when you've disabled it as an administrator, then it's not an accidental thing - not an unthinking "Oh, I can't send it over the network, I'll just plug in my personal USB and do it at home"... it's a deliberate, wilful act to insert an unauthorised device into the corporate network. No different to plugging in an unsecured wireless router, or anything else.
The *company* should be taking basic precautions with its customer's and its own business data - that means limiting access to the bare minimum required. Then any violation of that (because it *can* be worked around) is a clear attempt to do something deliberately that can damage the entire corporate network - i.e. bye bye, don't trip up on the tech who's rebuilding your machine from a clean image on the way out...
Pushing it onto "random employees do shit and we can't stop it" could cover all sorts of mistakes that the customers and business end up paying for - oops, the customer database was accidentally attached to that email (Demon Internet in the UK earlier this week)... oh well, too many employees to police *that*... ??? No... someone gets disciplined. And eventually that stops happening, especially if you have the right precautions in place to prevent it happening accidentally.
Re: (Score:1, Insightful)
And if someone plugs something in and pushes a virus onto the network - how different is that to pulling the fire alarm, or jamming the lifts in a skyscraper? The company should be dealing with it - first by basic prevention (no USB access or even no USB ports if they aren't needed), secondly by policies but most importantly by enforcement.
Pulling fire alarms generally lead to jail time. I don't think there are many courts that would view dismissing an employee every five days for using a computer kindly, let alone jailing them for years.
The *company* should be taking basic precautions with its customer's and its own business data - that means limiting access to the bare minimum required.
Which drives the costs up. Hey -- $50 for a bag of chips. $120 dollars a gallon for gas. You want perfect security? Pay for it.
especially if you have the right precautions in place to prevent it happening accidentally.
There is no precaution that can outsmart human stupidity. If you had more than a year of experience in the field, you'd know this. Damn armchair network admins...
Re: (Score:3, Insightful)
Re: (Score:2)
Re:Corporate America (Score:5, Informative)
That's interesting. Where I work, [irs.gov] inserting a personally-owned pen drive to a computer on the network that gets caught in a scan results in a suspension. Inserting a personally-owned pen drive that pushes malware out onto the network gets you fired. Inadverdently attaching a spreadsheet with customer data to an email and sending it outside the organization gets you fired, everyone in your area subjected to additional training, and an executive or two dragged before a congressional subcommittee to fall on their swords. Deliberately accessing customer data to which you have no right gets you all of the above, plus you go to jail.
Other places don't take security as seriously?
Re: (Score:2)
Damn, I wish I worked for the feds. Good rules and retirement.
--Deliberately accessing customer data to which you have no right gets you all of the above, plus you go to jail.--
I think this is the case anywhere.
--inserting a personally-owned pen drive to a computer on the network that gets caught in a scan results in a suspension.--
To bad I can't force adoption of this policy within our organization. A lot of this stems from the fact that there is no broadband out where some of the higher ups live. So they
Re: (Score:2)
Good question!
We have a "limited personal use" policy that allows us to do some surfing and send some personal email. We can't abuse it. If you sit and watch YouTube all day, you'll get in hot water pretty quick. But checking tech-related forums (the ones I used to visit in the *.ru and *.cjb.net domains are now blocked, I might add) is OK as long as it doesn't cause a noticable impact on productivity.
Slashdot ge
Re: (Score:2)
I fear here that all personal internet activity will be banned, but define personal? Sometimes, this stuff has dual uses IMO.
Message boards are where you really learn stuff I think, and with the unwillingness to pay for training you basically have to train yourself. Some have the discipline for this. Some do not.
Most use their down time merely for play. I try to find something of some limited value at least. I have been reading /. long before I got a UID. There are some forums in my field that have maybe 30
Re: (Score:2)
Inadverdently attaching a spreadsheet with customer data to an email and sending it outside the organization gets you fired,
... and if the receiver knows anything at all about the IRM he chats it over with the person whose information was disclosed IRS gets to pay out $1000.00 per name on the list.
Re: (Score:2)
The difference between the way our public-facing site is run and the way our intranet is run is attributable to a variety of factors, some of them political. I know too much about it to post on this site and I know too little about it to fully understand it and explain it. Let's just say there's a different set of operators and a different set of ideas about what constitutes "best practices".
Re:Corporate America (Score:5, Informative)
This sort of mentality drives me up a wall. Let's pretend we're the Pentagon and take half the usefulness out of modern technology before we let our users us it.
No thanks. You're a cost center. I make the company money. If I want to plug a cordless mouse into my laptop to make my 60 hour week easier than I'm going to do that. If you can't figure out a way to let me then F@(% YOU. Sorry but that's how most of us feel. This is the laptop I carry with me everywhere and use all the time. It's the one I take on vacation so I can WORK from vacation. So of course I'm going to want to plug a camera into it and use it for personal use. If you want me to treat it like I don't own it then I'll start leaving it at the office and you can take 15-20 hours of my work every week and shove it. You can't have it both ways. The chance that somebody is targeting the company with a non-scan-able customized piece of malware through the jpegs on my camera's SD card is close enough to NIL. Create a white list of file types, scan the thumbdrive or memory card, do whatever you need to do short of turning into Mordac - Preventer of Information Services [whatitslik...inside.com]. And let me get on with my life. And while you're at it take the 95 things in my system tray that slow my machine down to a crawl and send them to oblivion.
The company has unsecured trash dumpsters, unsecured phone lines, an unsecured fax machine sitting in every hallway, and people in the mailroom that make 8 bucks an hour. How about addressing those things and getting some perspective before turning my laptop into a 60-hour per week jail sentence. Thanks.
You are the problem. (Score:2, Insightful)
Whether you make the company money or not, is completely irrelevant. You get PAID to do what you do; you are owed nothing beyond your check and whatever else is listed on your stub, baby.
The fact that you get paid, means that you likely have the means to purchase YOUR OWN laptop, on which to conduct your personal business,
Re: (Score:2)
Spoken like someone with no family (and no other life either).
>purchase YOUR OWN laptop, on which to conduct your personal business
Spoken like someone who enjoys carrying two laptops everywhere.
Thank you Mordac. But you need to get a clue. Your job is to ENABLE the people who make money. Even if I thought carrying two laptops around sounded like fun, having me swi
Re: (Score:2)
WE make no money for the company? Clearly you are yourself personally able to manage all your own IT needs including full compliance with SOX, PCI, HIPAA etc (like keeping your personal shit seperate from the business's). Clearly you yourself personally can engineer 150 servers down to 30 in a big VMotion capable environment with redundancy and failover. Clearly you are able to produce, maintain and evolve the business's ecommerce site all by yourself.
Look, I'm real sorry your job sucks and you need 60 hour
Re: (Score:2)
The point is not how hard you or I are to replace.
The point is that companies exist to make money. Anyone who throws up enough roadblocks to making money is harming the company and can't (or shouldn't) remain. IT exists to facilitate the people and processes that make money. IT, for the vast majority of companies, is a cost center. If you implement a system or policy that takes time or efficiency away from 5000 users in a
Re: (Score:2)
If IT is a cost center it is because the upper management has made it that way. They fail to hire or provide training for competent end-user employees, fail to approve IT's requests for tech initiatives that will streamline things and make them more effective, and generally play penny-wise pound-foolish and then throw IT under the bus.
This is the reality in those places where IT is a true cost center.
Re: (Score:2)
...how different is that to pulling the fire alarm, or jamming the lifts in a skyscraper?
Skyscrapers have lifts? Aren't they tall enough already?
Re: (Score:2)
What if the ones most guilty are over you in rank?
--that means limiting access to the bare minimum required--
Define bare minimum? In some cases this can stifle productivity. A lot of the blame can be placed on Microsoft for not putting more of their stuff in user space. Here's my idea; switch the OS if possible, if not the switch what is possible to something else.
I really wish I had the authority to do what you say, but here there would be so much whining that I would be likely affected by all of the negat
Just assume that everything will break (Score:2)
Re: (Score:2)
--All the network management in the world cannot control that many people--
This hit a nerve, because this is the exact problem that we have in a small company, but it's the higher up's that insist on having this stuff present.
Re: (Score:2)
Re: (Score:1)
POS as in Piece Of Shit?
Point of Sale [wikipedia.org], also known as a cash register.
Might have to resort to what many schools do? (Score:3, Interesting)
It seems like educational institutions have some of the biggest problems with system tampering/hacking/infections, since they're exposed to thousands of students each year who have attitudes of "Who cares? Not MY computer anyway!" and who often think it's a challenge and *fun* trying to mess up the system in question. Unlike hackers trying to infect you with malware over the Internet from some other country, these people have full PHYSICAL access to the computers.
So how do they manage? Many schools I know have things configured so their workstations get re-imaged nightly from master images on a server. Any unauthorized changes made to the computer only last until that nightly maintenance runs, at the longest. (An admin might re-image a workstation even more quickly than that if he/she realizes it has an issue.)
I could see large businesses resorting to this, as well - if they're starting to encounter risks as aggressive as bots targeted to their particular businesses.
Re: (Score:1)
At my university, we have a the VCL [ncsu.edu], a pool of blade servers accessible by RDP or SSH that get imaged on the fly when a user requests a machine with certain apps. These blades get wiped on log-out. (Home directories are of course stored elsewhere, and accessed over AFS.) This is very secure, but it lets students get admin access to their machine, and it also helps keep software licensing costs down, because it is trivial to limit the number of concurrent users of a package that isn't volume licensed. Perfor
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Well, it all depends, really. If you push the images out using IP multicasting, it shouldn't take more bandwidth to image 100 identical boxes than it takes to image 1. (They all listen to the same broadcast of image data simultaneously.)
Obviously, you're typically not going to have ALL of your PCs using the exact same image, but you probably can narrow things down to several images that cover the needs of the whole network.
Plus, in a corporate setting - it's quite possible nobody really uses the network a
Re: (Score:2)
What happens if the image was corrupted?
That's a days work gone.
I'd use 'em (Score:2)
If I was a CTO and my department found a botnet like this, I'd be very tempted to play the disinformation game. Clean up some of them, but with others, just move the machines to an isolation area and start feeding them faked drafts of sales figures, annual reports, engineering drawings of dead-end designs, whatever else the botnet might be looking for. Alas there's probably some SEC regulation against that sort of thing.
Re: (Score:2)
Re: (Score:2)
My site has no dedicated IT (Score:3, Informative)
I'm surprised the number's as low as 9% (Score:1)
The main problem is that, for a system to be sure, at least one part of it has to be strict. Since Windows is fairly permissive, security requires a sysadmin to be something of a hardass- a position which is not often appreciated by users. At my office, for instance, people constantly complain that our sysadmin doesn't allow them to install *anything* on their PCs, assuming that they even have full PCs (about 1/2 of them are Citrix thin clients). On the other hand, as I explain to them, I've worked in IT fo
Re: (Score:2)
How is Windows different from anything else in that regard? If *nix users can install software they can also install trojans or anything else. It's (arguably) less likely that that software could cause damage to the local system, but that's not what botnets are about - they want to read local files and send out data. Apps running as a regular user can do that just fine.
Credibility Gap (Score:2)
An infection rate of 7 to 9 percent of IP addresses? That's a very narrow range. Too narrow to be credible. None of the enterprises had, say, 4 or 12 percent compromised?
These folks are statistically impaired. They probably are sitting on a lot of really useful data, but they don't know what it means. Certainly, they haven't released enough information for anyone to draw conclusions from it.
The botnet international anthem (Score:2)
"Botnets, spammer's botnets!
What kind of boxes are on botnets?
Compaq, HP, Dell and Sony, true!
Gateway, Packard Bell, maybe even Asus, too!
Are boxes, found on botnets.
All running Windows, FOO!"
I'm running Mac OS X 10.5.8, here.
Why, yes. Yes I AM a smug bastard!
Thanks for asking.
Up To 9%... (Score:2)
A little irrelevant, but I have noticed my entire adult life, from the 70's onward since I've been paying attention to stuff like this, that educated estimates of something in the general population are amazingly often about 10%. This cannot be a coincidence.
I've often thought that 10% was a figure that these researchers come to because single digits are insignificant but still small enough that no one can easily disprove it. Or there is some natural law that correlates an anomaly i
No wonder (Score:2)
When every program on the system, from Solitaire.exe to the MP3 player has complete access to read, write or delete all of the user's files, connect to any computer on the internet, etc, its no wonder malware thrives.
Re: (Score:2)
Re: (Score:2)
Why did this get modded down? I too would like to know of a good way to check for infected computers aside from going line by line down firewall logs. And if the log scan is the only way, then what would indicate an infected pc?
D
Re: (Score:2)
That would still not completely protect against botnets but the only people capable of getting them established are te IT department
Re: (Score:2)
I'm probably sure someone who managed to breach a large company and pwn the HR department might offer that as a service where one's resume would "pass" all the keyword searches while others get dequeued.
It would be similar to those services which offer to spy on someone else, by sending them a Trojan with a keylogger via E-mail, or a phishing attack. (There was /. article on something like that.)
It wouldn't be a service a wise person should patronize. First, the breach is likely to get discovered and patc