Endpoint
9/24/2009
03:59 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Up To 9 Percent Of Machines In An Enterprise Are Bot-Infected

Most are members of tiny, unknown botnets built for targeting victim organizations

Bot infections are on the rise in the enterprise, and most come from botnets you've never heard of nor ever will.

In a three-month study of more than 600 different botnets found having infiltrated enterprise networks, researchers from Damballa discovered nearly 60 percent are botnets that contain only a handful to a few hundred bots built to target a particular organization. Only 5 percent of the bot infections were from big-name botnets, such as Zeus/ZDbot and Koobface.

And Damballa has seen bot infections grow in enterprises as well, from 5 to 7 percent of an enterprise's IP address space and hosts last year, to 7 to 9 percent of them bot-infected this year. "Of all the enterprises where we've gone into who are customers or as proof-of-concept, 100 percent have had botnet infections," says Gunter Ollmann, vice president of research for Damballa. "It's more the smaller, customized and targeted types of botnets [that infect the enterprise].

"Corporations have become very good at dealing with the larger threats that get publicized -- they tend not to get affected widely by Conficker, for instance."

Ollmann's colleague, Erik Wu from Damballa, today revealed this latest research during a presentation at the Virus Bulletin Conference in Geneva.

Joe Stewart, a researcher with SecureWorks' Counter Threat Unit, says botnet operators who execute targeted attacks do so with fewer bots. "Entities that launch targeted attacks will have a smaller number of bots in their botnet than nontargeted ones, for sure," Stewart says.

The bad guys are also finding that deploying a small botnet inside a targeted organization is a more efficient way of stealing information than deploying a traditional exploit on a specific machine. And Ollmann says many of the smaller botnets appear to have more knowledge of the targeted organization as well. "They are very strongly associated with a lot of insider knowledge...and we see a lot of hands-on command and control with these small botnets," he says.

If they remotely control four or five hosts, for instance, then they issue commands to the bots to navigate network shares, retrieve files, or access databases, he says.

"I suspect that a sizable percentage of small botnets are those developed by people who understand or are operating inside a business as employees who want to gain remote access to corporate systems, or by criminal entities that have dug deep and gotten insider information on the environment," Ollmann says. "The reason why we know this is the way the malware is constructed -- how it's specific to the host being targeted -- and the types of command and control being used. Bot agents are often hard-coded with the command and control channel" so they can bypass network controls with a user's credentials.

These mini-botnets tend to rely on popular DIY malware kids, like Ivy and Zeus, to infect their victim machines, he says. And they are typically more automated than bots in the big botnets: "Some designed for the enterprise worm they way around the network and look for common protocols that are open in the enterprise" and infect files, and exploit other hosts in the network, Ollmann says.

But like most other cybercriminals, these mini-botnet operators then try to sell the data they've stolen to other criminals. "They try to sell information based on the bot they have, or individual bots based on the performance of a machine, or its physical location and IP address space," he says. "And more recently, we've seen a growth in the number of sites that offer the sale of corporate documents that were extracted from the [bots]."

Ollmann says botnets of all sizes are also increasingly using more and different types of malware rather than one particular family in order to evade detection. "Most botnets, even small ones, have hundreds of different pieces of malware and families in use," he says.

One large botnet Damballa tracked during the study had 50,000 machines and used just less than 100,000 different forms of malware.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6306
Published: 2014-08-22
Unspecified vulnerability on IBM Power 7 Systems 740 before 740.70 01Ax740_121, 760 before 760.40 Ax760_078, and 770 before 770.30 01Ax770_062 allows local users to gain Service Processor privileges via unknown vectors.

CVE-2014-0232
Published: 2014-08-22
Multiple cross-site scripting (XSS) vulnerabilities in framework/common/webcommon/includes/messages.ftl in Apache OFBiz 11.04.01 before 11.04.05 and 12.04.01 before 12.04.04 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, which are not properly handled in a (1)...

CVE-2014-3525
Published: 2014-08-22
Unspecified vulnerability in Apache Traffic Server 4.2.1.1 and 5.x before 5.0.1 has unknown impact and attack vectors, possibly related to health checks.

CVE-2014-3563
Published: 2014-08-22
Multiple unspecified vulnerabilities in Salt (aka SaltStack) before 2014.1.10 allow local users to have an unspecified impact via vectors related to temporary file creation in (1) seed.py, (2) salt-ssh, or (3) salt-cloud.

CVE-2014-3594
Published: 2014-08-22
Cross-site scripting (XSS) vulnerability in the Host Aggregates interface in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-3 allows remote administrators to inject arbitrary web script or HTML via a new host aggregate name.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Three interviews on critical embedded systems and security, recorded at Black Hat 2014 in Las Vegas.