Endpoint
9/24/2009
03:59 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%
Repost This

Up To 9 Percent Of Machines In An Enterprise Are Bot-Infected

Most are members of tiny, unknown botnets built for targeting victim organizations

Bot infections are on the rise in the enterprise, and most come from botnets you've never heard of nor ever will.

In a three-month study of more than 600 different botnets found having infiltrated enterprise networks, researchers from Damballa discovered nearly 60 percent are botnets that contain only a handful to a few hundred bots built to target a particular organization. Only 5 percent of the bot infections were from big-name botnets, such as Zeus/ZDbot and Koobface.

And Damballa has seen bot infections grow in enterprises as well, from 5 to 7 percent of an enterprise's IP address space and hosts last year, to 7 to 9 percent of them bot-infected this year. "Of all the enterprises where we've gone into who are customers or as proof-of-concept, 100 percent have had botnet infections," says Gunter Ollmann, vice president of research for Damballa. "It's more the smaller, customized and targeted types of botnets [that infect the enterprise].

"Corporations have become very good at dealing with the larger threats that get publicized -- they tend not to get affected widely by Conficker, for instance."

Ollmann's colleague, Erik Wu from Damballa, today revealed this latest research during a presentation at the Virus Bulletin Conference in Geneva.

Joe Stewart, a researcher with SecureWorks' Counter Threat Unit, says botnet operators who execute targeted attacks do so with fewer bots. "Entities that launch targeted attacks will have a smaller number of bots in their botnet than nontargeted ones, for sure," Stewart says.

The bad guys are also finding that deploying a small botnet inside a targeted organization is a more efficient way of stealing information than deploying a traditional exploit on a specific machine. And Ollmann says many of the smaller botnets appear to have more knowledge of the targeted organization as well. "They are very strongly associated with a lot of insider knowledge...and we see a lot of hands-on command and control with these small botnets," he says.

If they remotely control four or five hosts, for instance, then they issue commands to the bots to navigate network shares, retrieve files, or access databases, he says.

"I suspect that a sizable percentage of small botnets are those developed by people who understand or are operating inside a business as employees who want to gain remote access to corporate systems, or by criminal entities that have dug deep and gotten insider information on the environment," Ollmann says. "The reason why we know this is the way the malware is constructed -- how it's specific to the host being targeted -- and the types of command and control being used. Bot agents are often hard-coded with the command and control channel" so they can bypass network controls with a user's credentials.

These mini-botnets tend to rely on popular DIY malware kids, like Ivy and Zeus, to infect their victim machines, he says. And they are typically more automated than bots in the big botnets: "Some designed for the enterprise worm they way around the network and look for common protocols that are open in the enterprise" and infect files, and exploit other hosts in the network, Ollmann says.

But like most other cybercriminals, these mini-botnet operators then try to sell the data they've stolen to other criminals. "They try to sell information based on the bot they have, or individual bots based on the performance of a machine, or its physical location and IP address space," he says. "And more recently, we've seen a growth in the number of sites that offer the sale of corporate documents that were extracted from the [bots]."

Ollmann says botnets of all sizes are also increasingly using more and different types of malware rather than one particular family in order to evade detection. "Most botnets, even small ones, have hundreds of different pieces of malware and families in use," he says.

One large botnet Damballa tracked during the study had 50,000 machines and used just less than 100,000 different forms of malware.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-3946
Published: 2014-04-24
Cisco IOS before 15.3(2)S allows remote attackers to bypass interface ACL restrictions in opportunistic circumstances by sending IPv6 packets in an unspecified scenario in which expected packet drops do not occur for "a small percentage" of the packets, aka Bug ID CSCty73682.

CVE-2012-5723
Published: 2014-04-24
Cisco ASR 1000 devices with software before 3.8S, when BDI routing is enabled, allow remote attackers to cause a denial of service (device reload) via crafted (1) broadcast or (2) multicast ICMP packets with fragmentation, aka Bug ID CSCub55948.

CVE-2013-6738
Published: 2014-04-24
Cross-site scripting (XSS) vulnerability in IBM SmartCloud Analytics Log Analysis 1.1 and 1.2 before 1.2.0.0-CSI-SCALA-IF0003 allows remote attackers to inject arbitrary web script or HTML via an invalid query parameter in a response from an OAuth authorization endpoint.

CVE-2014-0188
Published: 2014-04-24
The openshift-origin-broker in Red Hat OpenShift Enterprise 2.0.5, 1.2.7, and earlier does not properly handle authentication requests from the remote-user auth plugin, which allows remote attackers to bypass authentication and impersonate arbitrary users via the X-Remote-User header in a request to...

CVE-2014-2391
Published: 2014-04-24
The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid password, which allows remote attackers to obtain potent...

Best of the Web