Bots Rise in the Enterprise

Bot infections in enterprises underestimated, bigger than thought

Who says bots are just for home PCs? Turns out bot infections in the enterprise may be more widespread than originally thought.

Botnet operators traditionally have recruited "soft" targets -- home users with little or no security -- and the assumption was that the more heavily fortified enterprise was mostly immune. But incident response teams and security researchers on the front lines say they are witnessing significant bot activity in enterprises as well.

Symantec, for instance, reported over 2,000 botnet-related security incidents last month via its Security Operations Centers around the country, which monitor security for its clients -- 81 of the Fortune 500 companies, according to Grant Geyer, vice president of managed security services for Symantec. Up to 30 of its customers per day experienced a bot-related incident in September, Geyer says.

Symantec only recently began tracking botnet activity for its clients as a service, so it doesn't have historical data to compare it to, but Geyer says enterprise bot activity indeed is a growing problem: "There's a significant problem in the enterprise with bots."

It may be more about an increase in awareness, however, than a jump in bot recruitment in the enterprise. Rick Wesson, CEO of Support Intelligence, says the rate of botnet infection in the enterprise isn't necessarily increasing -- it just hasn't been explored in detail until recently. "What's changing is the perception. It's been underestimated, underreported, and underanalyzed," Wesson says. "Corporate America is in as bad shape as a user at home."

Wesson says his firm, which does security monitoring, instantly finds dozens of bot-infected client machines in an enterprise customer's network when it starts studying its traffic. "We find dozens of bot-compromised systems off the bat. The longer we stay in [there], the more we find."

The rate of infection isn't as high as with ISP customers or consumers, but it's still significant, he says. "It's still high enough to be alarming," he says. "A significant portion of the Fortune 500 have bots on a regular basis."

Consumers by far still rank as the biggest victims of bot infections, but with botnets such as Storm getting more sophisticated and stealthy in their operation, enterprise client machines are also at risk, especially as more enterprise users work from home or carry their laptops or PDAs back and forth. "These are all avenues where a virus can jump from a typical small network or single end user into an office" network, says Shane Coursen, a senior technical analyst with Kaspersky Lab.

Tripp Cox, vice president of engineering for startup Damballa, says it's no surprise that bots would infiltrate the enterprise: "Enterprises have always been susceptible to viruses, and those [often] come with bot capabilities."

Storm, the largest of the botnets, has altered the landscape, however. "There's an increasing awareness in the enterprise arena of botnet army capabilities and the threats they pose to the enterprise. Storm brought a lot of media attention here and had the side effect of educating CIOs and CISOs," Cox says. (See Researchers Fear Reprisals From Storm.)

Still, botnet operators generally want to infect as many machines as possible to join their armies, so it's not necessarily a concerted effort to "own" enterprise client machines. "It's more of a 'fire and forget' thing," says Dave Marcus, security research and communications manager for McAfee's Avert Labs. "Bots are very indiscriminate -- they're not usually picky and choosy about the machine they get on," unless it's a rare targeted attack.

Still, some botnets drop powerful malware, including keyloggers, on their zombie victims, which has researchers and enterprises concerned. "Most of the bots we are finding in the enterprise have keylogger capabilities enabled by default," Cox says.

While Cox says the purpose of most botnet activity is either to propagate, send spam, or launch DDoS attacks, there's nothing stopping these operators from conducting more targeted or more damaging attacks using their armies or the malware planted on them, he says. "The challenge is that at any point in time, they can update these machines with additional capabilities. It's at the botnet operator's discretion how these machines are leveraged."

Although there's been an increase in so-called bot-aware features and products coming out, security tools often miss a bot infection. Mark Lance, supervisor for threat management at Symantec's East Coast SOC, says the reasons enterprises are struggling with bot infections are the sheer volume of systems on their networks, and the fact that some don't have strong patching systems in place. Then there are the home laptops and VPN clients that mobile workforces use, he says, which are even tougher to manage.

Most enterprise bot infections start with a little social engineering to entice the user to click on the malware, disguised as porn or legitimate links, for instance, says Damballa's Cox. "We also see a lot of Websites constructed to take advantage of browser exploits," he says. "And we see malware masquerading as legitimate software, mainly on peer-to-peer file-sharing networks."

Even though bot infections can sneak past security defenses, experts say to be extra vigilant in monitoring your network traffic for spam or other unusual activity. That may mean hiring a security monitoring service provider.
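What that vigilance looks like in practice, as an added example (this is not code from the article or from any of the companies quoted in it): a workstation that suddenly talks SMTP to many different mail servers on the Internet is the classic footprint of a spam bot, since a legitimate client only submits mail to the company's own relay. The script below assumes a simple firewall/flow log format of `timestamp src_ip dst_ip dst_port ALLOW|DENY`, an assumed relay address of 10.0.0.25, and an assumed threshold of five distinct external mail servers; the log lines are constructed for illustration.

```python
"""Spot spam-bot behaviour in outbound flow logs.

Added example, not code from the article or from any vendor named in it.
Assumes a simple firewall/flow log format, one record per line:
    <timestamp> <src_ip> <dst_ip> <dst_port> <ALLOW|DENY>
The log lines, the relay address and the threshold are constructed here
for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed site layout: two RFC 1918 ranges and one sanctioned outbound relay.
INTERNAL_NETS = (ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16"))
MAIL_RELAY = ip_address("10.0.0.25")
SMTP_PORTS = {25, 587}
# Assumed threshold: a workstation has no reason to contact this many MTAs.
DISTINCT_MTA_THRESHOLD = 5

# Constructed sample log (external addresses use RFC 5737 documentation ranges).
SAMPLE_LOG = """\
2007-10-02T09:01:12 10.0.5.17 192.0.2.10 25 ALLOW
2007-10-02T09:01:13 10.0.5.17 192.0.2.11 25 ALLOW
2007-10-02T09:01:13 10.0.5.17 198.51.100.7 25 ALLOW
2007-10-02T09:01:14 10.0.5.17 198.51.100.8 25 DENY
2007-10-02T09:01:15 10.0.5.17 203.0.113.3 25 ALLOW
2007-10-02T09:01:16 10.0.5.17 203.0.113.4 25 ALLOW
2007-10-02T09:01:20 10.0.0.25 192.0.2.10 25 ALLOW
2007-10-02T09:01:21 10.0.0.25 192.0.2.11 25 ALLOW
2007-10-02T09:01:21 10.0.0.25 198.51.100.7 25 ALLOW
2007-10-02T09:01:21 10.0.0.25 198.51.100.8 25 ALLOW
2007-10-02T09:01:22 10.0.0.25 203.0.113.3 25 ALLOW
2007-10-02T09:01:22 10.0.0.25 203.0.113.4 25 ALLOW
2007-10-02T09:02:01 10.0.7.3 10.0.0.25 25 ALLOW
2007-10-02T09:02:02 10.0.7.3 192.0.2.80 80 ALLOW
2007-10-02T09:02:05 192.168.1.44 192.0.2.10 25 ALLOW
2007-10-02T09:02:06 192.168.1.44 192.0.2.11 587 ALLOW
"""


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Yield (src, dst, port, action) tuples; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        _, src, dst, port, action = parts
        try:
            yield ip_address(src), ip_address(dst), int(port), action
        except ValueError:
            continue


def external_smtp_peers(text):
    """Map each internal, non-relay source to the external SMTP
    destinations it contacted. DENY records are kept on purpose: a host
    that tries direct SMTP and gets blocked is still a compromised host."""
    peers = defaultdict(set)
    for src, dst, port, _action in parse_flows(text):
        if port not in SMTP_PORTS:
            continue
        if not is_internal(src) or src == MAIL_RELAY:
            continue
        if is_internal(dst):  # legitimate: client submitting to the relay
            continue
        peers[src].add(dst)
    return peers


def policy_violators(text):
    """Any workstation talking SMTP straight to the Internet (low severity)."""
    return sorted(str(src) for src in external_smtp_peers(text))


def likely_spam_bots(text, threshold=DISTINCT_MTA_THRESHOLD):
    """Workstations fanning out to many distinct MTAs (high severity)."""
    return sorted(str(src) for src, dsts in external_smtp_peers(text).items()
                  if len(dsts) >= threshold)


if __name__ == "__main__":
    print("direct SMTP from workstations:", policy_violators(SAMPLE_LOG))
    print("likely spam bots:", likely_spam_bots(SAMPLE_LOG))
```

Two tiers are deliberate: any workstation bypassing the relay is a policy violation worth a ticket, but only the host fanning out to many MTAs (10.0.5.17 in the sample) is flagged as a probable bot. The relay itself is exempt by address, and a host that is denied at the egress firewall still counts, because blocked spam is evidence of a compromise, not an absence of one.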

Meanwhile, botnet activity overall has been on the rise, according to Symantec. In its recent Internet Security Threat Report, Symantec said it detected over 5 million bot-infected machines between January 1 and June 30 of this year, an increase of nearly 7 percent from the same period last year.

But any indications of a rise in bots may have more to do with the mother of all botnets, Storm, which boasts 150,000 to 400,000 active bots in a 24-hour period, according to Damballa, which tracks botnet command and control. McAfee's Marcus says his company had seen bots decreasing since 2006 until Storm came along. "It has a lot of propagation methods and has made more inroads into the enterprise than bots generally do."



Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
