Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

9/24/2009
03:59 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Up To 9 Percent Of Machines In An Enterprise Are Bot-Infected

Most are members of tiny, unknown botnets built for targeting victim organizations

Bot infections are on the rise in the enterprise, and most come from botnets you've never heard of nor ever will.

In a three-month study of more than 600 different botnets found having infiltrated enterprise networks, researchers from Damballa discovered nearly 60 percent are botnets that contain only a handful to a few hundred bots built to target a particular organization. Only 5 percent of the bot infections were from big-name botnets, such as Zeus/ZDbot and Koobface.

And Damballa has seen bot infections grow in enterprises as well, from 5 to 7 percent of an enterprise's IP address space and hosts last year, to 7 to 9 percent of them bot-infected this year. "Of all the enterprises where we've gone into who are customers or as proof-of-concept, 100 percent have had botnet infections," says Gunter Ollmann, vice president of research for Damballa. "It's more the smaller, customized and targeted types of botnets [that infect the enterprise].

"Corporations have become very good at dealing with the larger threats that get publicized -- they tend not to get affected widely by Conficker, for instance."

Ollmann's colleague, Erik Wu from Damballa, today revealed this latest research during a presentation at the Virus Bulletin Conference in Geneva.

Joe Stewart, a researcher with SecureWorks' Counter Threat Unit, says botnet operators who execute targeted attacks do so with fewer bots. "Entities that launch targeted attacks will have a smaller number of bots in their botnet than nontargeted ones, for sure," Stewart says.

The bad guys are also finding that deploying a small botnet inside a targeted organization is a more efficient way of stealing information than deploying a traditional exploit on a specific machine. And Ollmann says many of the smaller botnets appear to have more knowledge of the targeted organization as well. "They are very strongly associated with a lot of insider knowledge...and we see a lot of hands-on command and control with these small botnets," he says.

If they remotely control four or five hosts, for instance, then they issue commands to the bots to navigate network shares, retrieve files, or access databases, he says.

"I suspect that a sizable percentage of small botnets are those developed by people who understand or are operating inside a business as employees who want to gain remote access to corporate systems, or by criminal entities that have dug deep and gotten insider information on the environment," Ollmann says. "The reason why we know this is the way the malware is constructed -- how it's specific to the host being targeted -- and the types of command and control being used. Bot agents are often hard-coded with the command and control channel" so they can bypass network controls with a user's credentials.

These mini-botnets tend to rely on popular DIY malware kids, like Ivy and Zeus, to infect their victim machines, he says. And they are typically more automated than bots in the big botnets: "Some designed for the enterprise worm they way around the network and look for common protocols that are open in the enterprise" and infect files, and exploit other hosts in the network, Ollmann says.

But like most other cybercriminals, these mini-botnet operators then try to sell the data they've stolen to other criminals. "They try to sell information based on the bot they have, or individual bots based on the performance of a machine, or its physical location and IP address space," he says. "And more recently, we've seen a growth in the number of sites that offer the sale of corporate documents that were extracted from the [bots]."

Ollmann says botnets of all sizes are also increasingly using more and different types of malware rather than one particular family in order to evade detection. "Most botnets, even small ones, have hundreds of different pieces of malware and families in use," he says.

One large botnet Damballa tracked during the study had 50,000 machines and used just less than 100,000 different forms of malware.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Florida Town Pays $600K to Ransomware Operators
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/20/2019
Pledges to Not Pay Ransomware Hit Reality
Robert Lemos, Contributing Writer,  6/21/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6328
PUBLISHED: 2019-06-25
HP Support Assistant 8.7.50 and earlier allows a user to gain system privilege and allows unauthorized modification of directories or files. Note: A different vulnerability than CVE-2019-6329.
CVE-2019-6329
PUBLISHED: 2019-06-25
HP Support Assistant 8.7.50 and earlier allows a user to gain system privilege and allows unauthorized modification of directories or files. Note: A different vulnerability than CVE-2019-6328.
CVE-2018-1858
PUBLISHED: 2019-06-25
IBM API Connect 5.0.0.0 through 5.0.8.6 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 151256.
CVE-2018-2011
PUBLISHED: 2019-06-25
IBM API Connect 2018.1 through 2018.4.1.5 could allow an attacker to obtain sensitive information from a specially crafted HTTP request that could aid an attacker in further attacks against the system. IBM X-Force ID: 155150.
CVE-2018-2013
PUBLISHED: 2019-06-25
IBM API Connect 2018.1 through 2018.4.1.5 could disclose sensitive information to an unauthorized user that could aid in further attacks against the system. IBM X-Force ID: 155193.