Bot infections in enterprises underestimated, bigger than thought

Who says bots are just for home PCs? Turns out bot infections in the enterprise may be more widespread than originally thought.

Botnet operators traditionally have recruited "soft" targets -- home users with little or no security -- and the assumption was that the more heavily fortressed enterprise was mostly immune. But incident response teams and security researchers on the front lines say they are witnessing significant bot activity in enterprises as well.

Symantec, for instance, reported over 2,000 botnet-related security incidents last month via its Security Operations Centers around the country, which monitor security for its clients -- 81 of the Fortune 500 companies, according to Grant Geyer, vice president of managed security services for Symantec. Up to 30 of its customers per day experienced a bot-related incident in September, Geyer says.

Symantec only recently began tracking botnet activity for its clients as a service, so it doesn't have historical data to compare it to, but Geyer says enterprise bot activity indeed is a growing problem: "There's a significant problem in the enterprise with bots."

It may be more about an increase in awareness, however, than a jump in bot recruitment in the enterprise. Rick Wesson, CEO of Support Intelligence, says the rate of botnet infection in the enterprise isn't necessarily increasing -- it just hasn't been explored in detail until recently. "What's changing is the perception. It's been underestimated, underreported, and underanalyzed," Wesson says. "Corporate America is in as bad shape as a user at home."

Wesson says his firm, which does security monitoring, instantly finds dozens of bot-infected client machines in an enterprise customer's network when it starts studying its traffic. "We find dozens of bot-compromised systems off the bat. The longer we stay in [there], the more we find."

The rate of infection isn't as high as with ISP customers or consumers, but it's still significant, he says. "It's still high enough to be alarming," he says. "A significant portion of the Fortune 500 have bots on regular basis."

Consumers by far still rank as the biggest victims of bot infections, but with botnets such as Storm getting more sophisticated and stealthy in their operation, enterprise client machines are also at risk, especially as more enterprise users work from home or carry their laptops or PDAs back and forth. "These are all avenues where a virus can jump from a typical small network or single end user into an office" network, says Shane Coursen, a senior technical analyst with Kaspersky Lab.

Tripp Cox, vice president of engineering for startup Damballa, says it's no surprise that bots would infiltrate the enterprise: "Enterprises have always been susceptible to viruses, and those [often] come with bot capabilities."

Storm, the largest of the botnets, has altered the landscape, however. "There's an increasing awareness in the enterprise arena of botnet army capabilities and the threats they pose to the enterprise. Storm brought a lot of media attention here and had the side effect of educating CIOs and CISOs," Cox says. (See Researchers Fear Reprisals From Storm.)

Still, botnet operators generally want to infect as many machines as possible to join their armies, so it's not necessarily a concerted effort to "own" enterprise client machines. "It's more of a 'fire and forget' thing," says Dave Marcus, security research and communications manager for McAfee's Avert Labs. "Bots are very indiscriminate -- they're not usually picky and choosy about the machine they get on," unless it's a rare targeted attack.

Still, some botnets drop some powerful malware on their zombie victim machines, including keyloggers, which has researchers and enterprises concerned. "Most of the bots we are finding in the enterprise have keylogger capabilities enabled by default," Cox says.

While Cox says the purpose of most botnet activity is either to propagate, send spam, or initiate DDOSes, there's nothing stopping these operators from conducting more targeted or evil attacks using their armies or the malware planted on them, he says. "The challenge is that at any point in time, they can update these machines with additional capabilities. It's at the botnet operator's discretion how these machines are leveraged."

Although there's been an increase in so-called bot-aware features and products coming out, security tools often miss a bot infection. Mark Lance, supervisor for threat management at Symantec's East Coast SOC, says the reasons enterprises are struggling with bot infections are the sheer volume of systems on their networks, and the fact that some don't have strong patching systems in place. Then there are the number of home laptops and VPN clients that their mobile workforces are using, he says, which are even tougher to manage.

Most enterprise bot infections occur with a little social engineering to entice the user to click onto the malware, disguised as porn or legitimate links, for instance, says Damballa's Cox. "We also see a lot of Websites constructed to take advantage of browser exploits," he says. "And we see malware masquerading as legitimate software, mainly on peer-to-peer file-sharing networks."

Even though bot infections can sneak past security defenses, experts say to be extra vigilant in monitoring your network traffic for spam or other unusual activity. That may mean hiring a security monitoring service provider.

Meanwhile, botnet activity overall has been on the rise, according to Symantec. In its recent Internet Threat Report, Symantec said it detected over 5 million bot-infected machines between January 1 and June 30 of this year, an increase of nearly 7 percent from the same period last year.

But any indications of a rise in bots may have more to do with the mother of all botnets, Storm, which boasts 150,000 to 400,000 active bots in a 24-hour period, according to Damballa, which tracks botnet command and control. McAfee's Marcus says his company had seen bots decreasing since 2006 until Storm came along. "It has a lot of propagation methods and has made more inroads into the enterprise than bots generally do."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights