Exposing Bots In Big Companies 113
CalicoPenny let us know about yet another "30 days" effort, this one to name the names of major companies infected with spam-spewing bots. Support Intelligence began the effort on March 28, out of frustration at not being able to attract the attention of anyone who could fix the problems at these companies. While they haven't named 30 companies over the ensuing month, they did name some prominent ones, such as Thompson Financial, Bank of America, and AIG. The scary part is that if a bot can spam it can capture keystrokes or troll for interesting documents.
Really? (Score:5, Funny)
Or troll slashdot.
Re: (Score:1)
Re: (Score:1)
Re: (Score:2)
Gives a whole new meaning (Score:5, Funny)
Re:Gives a whole new meaning (Score:5, Funny)
Re: (Score:2)
Re: (Score:1)
Not surprising... (Score:5, Interesting)
Aside from IT efforts to clean up (or at least keep their heads above water), the percentages would likely compare favorably with the home user population at large, methinks. Sometimes a company (like, for instance, the one I work for) can be outright anal about security (custom images, email that's filtered nine ways from Sunday, etc.), and yet about once a month scans will pop up someone who has been bitten by the latest variant of (insert malware here). To their credit, the guys here remove it often within minutes of detection; I've never seen one last more than a couple of hours. (Not just saying that because I happen to be a sysadmin there, seriously... the user-end guys are anal about that sort of thing, and if they weren't, the network guys would happily shut off the offending port @ the switch to get the user's attention.)
Good to see the word getting out. (Score:3, Insightful)
The Register reported this about a month ago [slashdot.org] and I'm glad the issue is getting the attention it deserves. Having done some "upgrades" for a major bank and worked at a Fortune 500 company, I can say that many supposedly secure corporate networks are owned by spammers. It's a big deal because it's hard to filter out.
> the percentages would likely compare favorably with the home user population at large, methinks.
You would think that, seeing how much money these companies have to throw into manpower and so
Re: (Score:2)
Re: (Score:3, Informative)
Compared to government agencies (Score:5, Insightful)
I think it is interesting that we see "report cards" that give government agencies low grades on security, but publicly-owned corporations get a pass.
I seriously doubt that there are any botnets like this running on, say, the DoD network, yet they get a poor grade on security, while a frigging -bank- is pwned, and nobody is too bothered.
Re:Compared to government agencies (Score:4, Insightful)
I'd suspect that this is mostly because info about government security problems is often available, while corporations (public or private) are generally very secretive about such problems. Journalists have a tendency to report news when they have information, and not report when they don't have information. People conclude that there are problems in government agencies, but not in corporations. But the correct conclusion is usually "We don't know whether the corporate world has these problems, because we can't get information from them."
Maybe a better approach would be to surmise that, if an organization of any sort is hiding information, this means that it has something going on that it doesn't want us to know.
(Applying this to the Bush Administration rapidly leads to a high degree of suspicion.)
Re: (Score:2)
Re: (Score:3, Interesting)
So, the systems do not get easily infected and when they do, they cannot spam the outside world.
But of course, there are too many users that think they need admin access (and worse: need it all the time). And the worst of those are the programmers. They think they need admin access and fail to test their products under a lesser
Re: (Score:1, Informative)
It comes down to a model of separation and trust and applying policies at the proper place: not trust as in trusting the users, but trusting the workstations and what is plugged into your network. Spyware, bots, viruses, etc. are the reason you should never trust a computer on the network; it does not matter whether you trust the user of that computer or not. The network engineer or a developer does not need port 25
Send in the lawyers (Score:5, Interesting)
No difference between the bot and Windows (Score:1, Troll)
Instead of suing those who disclose the fact
that machines on their lan are infected,
they should sue Microsoft for allowing it.
You don't know that Windows is not doing the
same nasty spyware tricks that people accuse
the bots of doing.
Oh, that's right, there is a difference.
The Microsoft EULA covers their ass, whereas
the bot does not ask you for permission to spy.
Re: (Score:1)
A worm attacked my server through an exploit and M$ took care of my bandwidth bills.
Re:Send in the boomstick (Score:1, Funny)
"Army of Botness", to be aired May 2, 2007
Bill - "Hey, what's going on here?"
Larry - "Stop giving free checks for life Bill."
Winston - "And free ATM cash withdrawals!"
Charles - "Or we let these spam zombies eat our brains!"
Bankers Pen - "Yeah!"
Bill - "Whoah! Whoah! Guys. People love all the features of WAMU's spam free online checking."
Larry - "Horse Pockey! V1a6rA l0ng D0ng che4p$$! Mmm. Braaaaaains..."
Re: (Score:2)
How long before some company tries to cover up the embarrassment by suing the people who disclose the fact that they have machines infected with bots? They might not succeed, but they might make life unpleasant for a short while for those who post the info.
Probably a little while, since it would be monumentally stupid. The obvious first step for the sued is to talk to a lawyer (IAmNotALawyer). Then, have their lawyer get a judge to order preservation of the current system state on each of the suspected
Who works for IT divisions in big companies? (Score:4, Insightful)
The notion that lots of big companies have spam bots all over the place is not all that hard for me to believe. Their IT divisions are often poorly staffed with folks who were selected with more input from HR than from the actual manager. They look at the certificates and then decide if a person is OK for the job. Honestly, the certificates are not good gatekeepers to ensure that people without a clue don't find themselves on the front line. They can't be.
We all have known people who were extremely good at passing tests, but for reasons unknown to the rest of us, are unable to use those very skills in a real application. Those are the people who all too frequently end up in big organizations, pretending to know what real IT is. There is no substitute for learning from experience.
And these corporations are about to have one of those learning experiences. It won't be pleasant.
Re: (Score:3, Interesting)
The folks I work for have roughly 100,000+ employees, but as the sysadmin for one of the R&D labs, I'm given some very wide latitude. In exchange, I have to be a lot more flexible on lots of aspects than the guys who keep the production servers/network/etc. going. It's a trade-off, but one that I truly enjoy.
I can't hide behind policy to keep my schedule sane as a downside, in spite of working for a company whose production I
Re: (Score:2)
Re: (Score:2)
No offense, but simply because you're allowed to thrive doesn't mean you have the foggiest idea what you're doing with respect to keeping your machines clean.
None taken - my own evaluation of proficiency is judged by the results of my work as audited on a periodic semi-random basis. Because of the nature of my specific duties, I cannot simply hand off localized email filtering duties to "the email guys", hand off local IOS patching and vigilance to "the network guys", the Oracle and MySQL patches to "the DB guys", and etc. In fact, if anything goes splat in the lab security-wise and spreads to the corp network? I daresay that I'm more responsible for the resu
Re: (Score:1)
Hear, Hear!! When I worked as a sysadm in classified labs, it was my job to keep the network and its attached systems secure. While the company I worked for had a network group, they were only allowed to make changes that my team approved. This meant that we (I) h
Everyone thinks they are better. (Score:1, Interesting)
Every admin thinks they are better. Every IT guy thinks they KNOW how to run a network. Consider a company, a large one, with BRAZILLIONS of dollars like RIM. They screwed the pooch in a big way. Google did it too w/ their email/homepage disappearings.
The reality is computers break. I still contract for a large company on a part time basis. The "best and brightest" have jobs that reflect their skills. They design the n
Re: (Score:1, Interesting)
Re: (Score:3, Insightful)
IT divisions in big companies? (Score:3, Interesting)
"I know many others who also have these certificates. Their capabilities range from extraordinarily adept, to blithering idiot."
So how did you get technically proficient if you weren't a blithering idiot(but willing to learn) at some point? How did you learn without a few stumbles? As you pointed out, the certifications are often your way in the door. I think it's hard to become technically proficient with a large network without experience.
Re: (Score:2, Interesting)
Later on, you say:
Trust me, there are some "blundering novices" in every organization. They tend to either learn from having their feet put to the fire, or they get out. That said, based on 30 years in the business, there are very definitely enough "blithering idiots" in the organization to make your life either int
Re: (Score:2)
The ignorant person will still ask the right kinds of questions, and have a half a clue which direction they should be looking. The stupid person will either sit there and wait to be spoon-fed, or charge off randomly trying things that have no relevance to the issue at hand, mucking things up worse.
It's all about the way the person thinks. A person with a sharp mind and good general troubleshooting skills can pick up the det
Re: (Score:2)
That's why when I said idiot, I meant it. Some people learn from experience and some do not. The ones who can not learn from any experience whatsoever are the idiots. They are thankfully few, but they do exist. And in large companies, where education and certificates seem to be the curren
exposing == alienating potential clients? (Score:5, Interesting)
Am I wrong? Should I publish the list of companies that I know had bots on their networks in March?
Re: (Score:1)
If you work your cards right, you could make them seem valiant for announcing such information, and attempting to resolve it.
Or you might get canned.
most likely canned.
-Lemur
Re: (Score:2, Insightful)
For the last year Waters and Support Intelligence CEO Rick Wesson called companies they found spamming, Waters says. But in big companies they had trouble connecting with people who had authority to clean up the networks. Waters thinks corporate upper management--CIO level and above--still don't appreciate the dangers of bots. "We'd talk to mid-level security people who understood botnets but had no buy-in from the CIO," he says. "Or the CEO had never heard about it."
So they decided after "much soul searching" to name offending companies. Their goal is to clean up the Internet, not embarrass people or make money, although Support Intelligence has gained some new business. But most companies are grateful to be told they have a problem, Waters says.
This public disclosure is a last ditch attempt to get someone to do something. They've tried to report the problem, but sometimes nothing will get done until someone with letters after their name sees the company's name in the headlines (where customers can see it and income is affected).
Are you in the same situation with your list?
Re: (Score:2)
Let's do a thought experiment. For each of these "potential clients", estimate the potential that they might realistically become your client within a reasonable timeframe given your current advertising budget. Then estimate the percent of these potential clients that would have hired you, that won't. Compare that to the number of potential clients that don't even know your name, that migh
Re: (Score:3, Insightful)
> if they're there, are often ignored.
IT at big companies are kept busy just trying to keep the base OS and necessary apps puttering along, and resurrecting users' workstations that have melted down or upchucked. Their mediocrity is enforced by the needs and whims of the big suits and PHBs. Corporate budgeting for IT is on a need-to-go basis. If IT has any money left at the end of a fiscal year, rather than letting them put it
Re: (Score:2)
Ya know... (Score:5, Insightful)
Make it interesting. Start out asking for people's opinions on spam. Get 'em good and worked up. Then set up some network monitor with a nice, easy-to-see graphic interface (maybe write one) and demonstrate how a workstation gets infected by the user running a compromised app. Once it takes hold (pick a good one), pull out the stopwatch, tick off 5-10 seconds, then show how many mails it sent. Then do the math; multiply those ten seconds by 6 to get minutes, then 60, to get hours, then 24. I bet even the math-challenged will get the point quickly, looking at those really large numbers.
Re:Ya know... (Score:5, Funny)
Then, to ensure you reach 100% of your target audience, convert the presentation to an animated
Re: (Score:2)
Re: (Score:2)
Class Action risk for using Microsoft's Products (Score:2, Interesting)
Re:Class Action risk for using Microsoft's Product (Score:2)
A lot of the MS Wi
Re: (Score:2)
Brilliant! I may have to change my sig...
Re:Class Action risk for using Microsoft's Product (Score:4, Informative)
Re: (Score:2, Insightful)
Re: (Score:1)
Re: (Score:1)
Shouldn't be too hard? (Score:5, Interesting)
It scares me just how prevalent this type of software is.. not just the spam bots but the malware and other stuff meant to steal data. Locating+shutting down spambots is the easiest task. I'm pretty small time but I found something interesting once while working with a new client to get them fixed up with antivirus and internet monitoring software (squid+sarg). I'd locked down some things and I kept noticing one PC trying to connect to yahoo every week at about 2:00 am. Long story short it was apparently attempting to email a 500kb attachment... that was apparently a log of everything typed in the week before and some other stuff. That *almost* went unnoticed. That type of infection is downright scary.... who is going to notice a 500kb email going out through an https connection at yahoo? It didn't even seem to be part of a command+control network... just gathering info??
The spambot infections are just the most visible symptom of a larger problem... they're talking about some "big name" companies apparently, but it is the smaller and medium sized businesses that really make the world tick... it is simply too complex, challenging and costly to really secure windows boxes without severely compromising functionality. It is also apparently not something that lends itself well to automation... I see big companies using enterprise software to "lock down" workstations and "reset" workstation images as their solution but there isn't really a small business answer here that I know of. If the tools were better/easier to use it might be easier to keep an eye on one's "flock" but it is a horrible pain both in setup and upkeep to really anticipate what might be happening. The entire stack one could use in windows to manage this stuff, from Event Logging to vb scripting automation, and all the way up to group policy is half-assed at best. This is the type of result you can expect.
This type of story is why I think that learning and/or heuristic scanners (both at the machine and router/firewall/proxy level) are pretty much the only way we can win. I'm not imagining something sentient, mind you, just something that will sift through all the event logs and point me toward things actually worth my attention instead of "every little thing".
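The weekly 2 a.m. upload this post describes is exactly the kind of pattern a scripted pass over proxy logs can surface without a human reading "every little thing". The following is an added example, not the poster's code and not any product's: it parses a constructed CSV log excerpt (my own column layout, not squid's native format; the client addresses and `.example` host names are invented) and reports client/host pairs that repeatedly push large uploads during off hours at a roughly weekly interval.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed proxy log excerpt. The layout (CSV with bytes_in/bytes_out)
# is an assumption for this example, not squid's native access.log format.
SAMPLE_PROXY_LOG = """\
timestamp,client,method,host,bytes_in,bytes_out
2007-03-05T02:01:13,10.1.5.42,CONNECT,mail.yahoo.example:443,4096,524288
2007-03-05T14:22:08,10.1.5.42,GET,www.example.net:80,91240,512
2007-03-12T02:00:58,10.1.5.42,CONNECT,mail.yahoo.example:443,4112,530100
2007-03-13T09:15:00,10.1.5.43,CONNECT,mail.yahoo.example:443,2048,1200
2007-03-19T02:01:40,10.1.5.42,CONNECT,mail.yahoo.example:443,4001,519000
2007-03-19T02:30:00,10.1.5.44,CONNECT,update.vendor.example:443,900000,3000
"""


def parse_proxy_log(text):
    """Parse the constructed CSV layout into dicts with a datetime timestamp."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        rows.append({
            "ts": datetime.fromisoformat(row["timestamp"]),
            "client": row["client"],
            "host": row["host"],
            "bytes_out": int(row["bytes_out"]),  # bytes the client sent outward
        })
    return rows


def off_hours(ts, start=0, end=5):
    """True when the timestamp falls in the quiet window (default 00:00-05:00)."""
    return start <= ts.hour < end


def find_scheduled_uploads(text, min_upload=256 * 1024, period=timedelta(days=7),
                           tolerance=timedelta(hours=1), min_repeats=3):
    """Flag (client, host) pairs with repeated large off-hours uploads
    whose spacing is consistently close to `period`."""
    series = defaultdict(list)
    for r in parse_proxy_log(text):
        if r["bytes_out"] >= min_upload and off_hours(r["ts"]):
            series[(r["client"], r["host"])].append(r["ts"])

    findings = []
    for (client, host), stamps in series.items():
        stamps.sort()
        if len(stamps) < min_repeats:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        # Every gap must sit within `tolerance` of the expected period.
        if all(abs(g - period) <= tolerance for g in gaps):
            mean_gap = sum(g.total_seconds() for g in gaps) / len(gaps)
            findings.append({
                "client": client,
                "host": host,
                "events": len(stamps),
                "period_days": round(mean_gap / 86400, 2),
            })
    return findings


if __name__ == "__main__":
    for f in find_scheduled_uploads(SAMPLE_PROXY_LOG):
        print(f"{f['client']} -> {f['host']}: {f['events']} uploads, "
              f"every ~{f['period_days']} days, off hours")
```

The thresholds (256 KB, a 7-day period, one hour of jitter, three repeats) are the knobs you would tune to your own environment; the point is that size, time of day and regularity together separate a keylogger's weekly drop from an ordinary webmail session.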
Re: (Score:2)
Why don't they block outgoing smtp traffic? (Score:5, Insightful)
Why is this not "best practice"?
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
But by then we are dealing with a known quantity at a central location. These companies should be blocking everything their users don't need first and foremost, then they can look at the traffic from their mail server and use standard off the shelf pattern analysis to find the spammer bots.
It's simple security.
Re: (Score:2)
Canary (Score:5, Insightful)
Absolutely. But -if you are monitoring your FW logs-, you will see the not so cleverly-written ones, and they can be your "canary in the coalmine". If you are seeing any denied outbound attempts, you know that either someone (or some software) is going against policy, or you have a workstation weakness that is being exploited, and you follow up on it.
Sure, this doesn't guarantee that you don't have a problem (i.e., cleverly written malware). You must take a layered approach to security strategy to be effective. Discounting a layer because it doesn't take every single possibility into account is ridiculous. That's why you have depth built into your security strategy, because no single layer works for everything.
That is the problem with most "security solutions" that are being peddled to CIOs, they claim to be a single magic bullet when real security solutions are more about correlation and follow-up from different layers. Not sexy, but very effective.
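Putting together the two points made in this thread (block outbound TCP/25 for everything except the mail relays, then treat the firewall's denied outbound attempts as the canary), here is an added example in Python that is not the poster's code. It assumes a netfilter-style log line with a constructed log prefix (`EGRESS-DROP` / `EGRESS-ACCEPT`; the sample lines, the 10.20.x.x workstations and the 10.0.0.25 relay address are all invented) and ranks internal hosts by how many distinct external mail servers they tried to reach directly, which is what direct-to-MX spam bots look like in such logs.

```python
import re
from collections import defaultdict

# Constructed sample lines in a netfilter LOG style. The "EGRESS-*" prefix and
# every address are assumptions for this example, not real firewall output.
SAMPLE_FW_LOG = """\
Apr 30 02:14:07 fw1 kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.20.31.77 DST=203.0.113.25 PROTO=TCP SPT=51234 DPT=25
Apr 30 02:14:07 fw1 kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.20.31.77 DST=198.51.100.9 PROTO=TCP SPT=51235 DPT=25
Apr 30 02:14:08 fw1 kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.20.31.77 DST=192.0.2.140 PROTO=TCP SPT=51236 DPT=25
Apr 30 02:14:09 fw1 kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.20.31.77 DST=203.0.113.77 PROTO=TCP SPT=51237 DPT=25
Apr 30 02:15:30 fw1 kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.20.40.12 DST=203.0.113.25 PROTO=TCP SPT=40001 DPT=25
Apr 30 02:16:02 fw1 kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.20.40.12 DST=198.51.100.200 PROTO=UDP SPT=40002 DPT=53
Apr 30 02:17:45 fw1 kernel: EGRESS-ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.25 DST=203.0.113.25 PROTO=TCP SPT=33000 DPT=25
"""

# Assumed policy: only the designated relay(s) may speak SMTP to the outside.
MAIL_RELAYS = {"10.0.0.25"}

FIELD_RE = re.compile(r"(\w+)=(\S+)")
PREFIX_RE = re.compile(r"kernel: (EGRESS-\w+) (.*)$")


def parse_line(line):
    """Return (verdict, {field: value}) for a matching line, else None."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    return m.group(1), dict(FIELD_RE.findall(m.group(2)))


def egress_allowed(src, proto, dport):
    """The policy the firewall enforces: outbound TCP/25 only from relays."""
    if proto == "TCP" and dport == 25:
        return src in MAIL_RELAYS
    return True


def canary_report(log_text, min_distinct_dst=3):
    """Summarise denied outbound SMTP attempts per internal source.

    A host that fans out to several distinct external mail servers is
    behaving like direct-to-MX malware rather than a misconfigured client.
    """
    seen = defaultdict(lambda: {"attempts": 0, "destinations": set()})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        verdict, f = parsed
        if verdict != "EGRESS-DROP":
            continue
        if f.get("PROTO") != "TCP" or f.get("DPT") != "25":
            continue
        rec = seen[f["SRC"]]
        rec["attempts"] += 1
        rec["destinations"].add(f["DST"])

    report = {}
    for src, rec in seen.items():
        distinct = len(rec["destinations"])
        report[src] = {
            "attempts": rec["attempts"],
            "distinct_dst": distinct,
            "suspect_direct_to_mx": distinct >= min_distinct_dst,
        }
    return report


if __name__ == "__main__":
    for src, rec in sorted(canary_report(SAMPLE_FW_LOG).items(),
                           key=lambda kv: -kv[1]["distinct_dst"]):
        flag = "SUSPECT" if rec["suspect_direct_to_mx"] else "review"
        print(f"{src}: {rec['attempts']} denied SMTP attempts to "
              f"{rec['distinct_dst']} hosts [{flag}]")
```

The single denied attempt from 10.20.40.12 is the "someone going against policy" case the post mentions and still deserves a look; the four-destination fan-out from 10.20.31.77 is the canary falling off its perch.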
Re: (Score:3, Insightful)
Indeed. But it's still a good idea to block port 25 on business or educational networks unless it's absolutely needed - as it prevents one class of abusers, i.e. direct-to-mx sending malware, making use of that particular method on your network. There still seems to be a lot of direct-to-mx stuff in circulation, if the evidence in our logfiles is any
Re: (Score:3, Interesting)
There are ways to block that behaviour. You could use SMTP AUTH to authenticate connections to the SMTP server and SSL/TLS to encrypt the connection. That way the bots won't be able to use the SMTP server to send their spam.
What, like the broadband ISPs do? (Score:1, Troll)
> Surely, these large companies could block outgoing port 25 traffic, except for their own email servers. Then the traffic can easily be monitored and spam zombies detected.
Surely, the bot net operators have already gotten around that on cable networks and those companies that do this. All they have to do is make the bot mail through the company smtp.
Your idea is a variation on the "blame the user" theme. The problem is M$ on the desktop. Big dumb companies fork over all sorts of money, do what they a
Re: (Score:2)
How to think like a manager 101: You are presented with two answers to a single problem. One is to "task" the network/email admins to fix a problem. Two involves blaming a large vendor. One of these answers actually lets you accomplish something, while the other doesn't. Which do you choo
Re: (Score:2)
Two. One requires work from your own people (who no doubt already have enough work for three people each), while the other involves forcing a big vendor to try to do something. If they don't, your ass is covered, sin
Re: (Score:2)
It means you have logs, however. And company mail servers can be run in a far more "shoot first, ask questions afterwards" mode because there are far fewer reasons for 'abnormal' traffic: for example, a user sending high volumes of messages has fewer legitimate reasons.
I run the whole internal network on RFC1918, with acce
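Once all outbound mail is forced through the company relay, the relay's own log is the central, known quantity the posts above describe, and a sender pushing hundreds of recipients an hour has few legitimate reasons. Added example, not the poster's code: it parses constructed Postfix-style `qmgr` lines (the addresses and queue IDs are invented; the year is passed in explicitly because syslog timestamps carry none) and flags senders whose recipient count in any one-hour window exceeds a threshold.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Postfix-style queue-manager lines. Addresses, queue IDs and
# sizes are invented for this example.
SAMPLE_MAIL_LOG = """\
Apr 30 09:05:11 mx1 postfix/qmgr[2210]: 8A1C3: from=<alice@corp.example>, size=4120, nrcpt=1 (queue active)
Apr 30 09:07:40 mx1 postfix/qmgr[2210]: 8A1D9: from=<alice@corp.example>, size=2208, nrcpt=3 (queue active)
Apr 30 09:08:02 mx1 postfix/qmgr[2210]: 8A1E0: from=<ws-1077@corp.example>, size=1900, nrcpt=48 (queue active)
Apr 30 09:08:03 mx1 postfix/qmgr[2210]: 8A1E1: from=<ws-1077@corp.example>, size=1900, nrcpt=50 (queue active)
Apr 30 09:08:05 mx1 postfix/qmgr[2210]: 8A1E2: from=<ws-1077@corp.example>, size=1900, nrcpt=47 (queue active)
Apr 30 09:41:19 mx1 postfix/qmgr[2210]: 8A2F1: from=<bob@corp.example>, size=88102, nrcpt=2 (queue active)
Apr 30 10:02:44 mx1 postfix/qmgr[2210]: 8A3A0: from=<ws-1077@corp.example>, size=1900, nrcpt=52 (queue active)
"""

LINE_RE = re.compile(
    r"^(\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/qmgr\[\d+\]: \w+: "
    r"from=<([^>]*)>, size=(\d+), nrcpt=(\d+)"
)


def parse_mail_log(text, year=2007):
    """Yield (timestamp, sender, size, recipient_count) for each qmgr line.

    Syslog timestamps have no year, so the caller supplies one (assumed).
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group(2), int(m.group(3)), int(m.group(4))))
    return events


def recipients_per_hour(events):
    """Sum recipient counts per (sender, clock hour) bucket."""
    buckets = defaultdict(int)
    for ts, sender, _size, nrcpt in events:
        hour = ts.replace(minute=0, second=0, microsecond=0)
        buckets[(sender, hour)] += nrcpt
    return dict(buckets)


def flag_high_volume_senders(text, max_rcpt_per_hour=100, year=2007):
    """Return {sender: peak recipients/hour} for senders over the threshold."""
    flagged = {}
    buckets = recipients_per_hour(parse_mail_log(text, year=year))
    for (sender, _hour), count in buckets.items():
        if count > max_rcpt_per_hour:
            flagged[sender] = max(count, flagged.get(sender, 0))
    return flagged


if __name__ == "__main__":
    for sender, peak in flag_high_volume_senders(SAMPLE_MAIL_LOG).items():
        print(f"{sender}: peak {peak} recipients in one hour, over threshold")
```

A threshold of 100 recipients per hour is an assumption; the useful refinement in practice is to compare each sender against its own history rather than a flat number, which the same hourly buckets make straightforward.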
Re: (Score:2)
But our department doesn't have the clout to override the other VPs desire to keep that functionality.
In fact, I think part of the argument is that we can't respond to their needs quickly enough, partly because we're running around dealing with stuff we wouldn't have to if we were allowed to do things right =-/
Re: (Score:2)
Re: (Score:2)
When you get an organization large enough to have hundreds of VPs, you also have the other flotsam that comes with them.
This wins the DUH award (Score:3, Insightful)
Uh, yeah, that's why, like, some of us actually run a secure operating system instead of freaking Windows.
I look forward to the day when proposing a Windows SOE is a firing offence. As for the state of American IT... Aren't you guys supposed to have landed on the moon, way back before Microshit was founded? WHAT HAPPENED TO Y'ALL?
Re: (Score:2)
Re: (Score:3, Insightful)
also in the spirit, (Score:2)
Re: (Score:2)
> I look forward to the day when proposing a Windows SOE is a firing offence. As for the state of American IT... Aren't you guys supposed to have landed on the moon, way back before Microshit was founded? WHAT HAPPENED TO Y'ALL?
Well first Microsoft Windows is the most widely used OS in the world. So if "Y'ALL" is referring to the people of the U.S., it looks like we made the most popular OS in the world, which you are probably running. On top of that a large number of the developers of open sources systems are from the U.S. as well. Then of all these "major companies" that are infected (think Fortune 500 or Fortune 100), a large portion [majority?] are U.S. companies. So it doesn't look like a whole lot happened besides a lot
I blame yahoo/freehosting companies (Score:2)
All these bots use common resources like yahoo/geocities for either mailing out or storing online content/payloads.
Seriously, yahoo etc... should have an active role with at least 10-30 people constantly scanning their networks/servers for bot hosters/emailers.
Is it that hard?
Exposing Bots in Big Companies (Score:4, Funny)
Re: (Score:2)
Nah, they're the "dolts".
Another term people often confuse with "bots" is "bods" who tend to work in HR and Marketing. Unfortunately they also tend to have Middle-Management-like qualities.
No way (Score:3, Insightful)
Re: (Score:2)
Sarbanes-Oxley (Score:3, Interesting)
My understanding is that Sarbanes-Oxley imposes strict IT standards for public companies.
If the companies involved are indeed Fortune 500 companies then they are exposing themselves to massive lawsuits.
In the big company that I work in this couldn't happen: we have good firewalls, machines are locked down in terms of downloads, machines are regularly tested/audited and we have a great IT department.
If I were a CEO of one of these companies I'd be looking to fire the CIO...
Re: (Score:2)
If I were a shareholder, I'd be asking for the resignation of the CEO... the buck stops with him...
Re: (Score:2, Insightful)
Bullshit. If a box is on a network, the possibility of an exploit exists. The only secure desktop/server is the one buried in concrete 6 feet underground.
Re: (Score:2, Funny)
Re: (Score:1)
It is very unlikely to happen on a large scale...
Bank of America (Score:3, Interesting)
So you mean that some of those Bank of America SPAMs are actually coming from Bank of America computers? Woh...
Bank of America phishing spam (Score:2)
IT jitters (Score:2, Insightful)
I could lock down that
I misunderstood... (Score:2)
Would prefer outing spam buyers (Score:3, Interesting)
Re: (Score:2)
Bad summary: It's a WINDOWS problem. (Score:2)
Eliminate those, and you're a good deal closer to solving the problem.
More companies (Score:1)