Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Up To 9% of a Company's Machines Are Bot-Infected

kdawson posted about 5 years ago | from the 9-percent-of-your-machine-are-belong-to-us-and-that's-enough dept.

Businesses 146

ancientribe sends in a DarkReading piece on the expanding footprint of small, targeted botnets in enterprises. "Bot infections are on the rise in businesses, and most come from botnets you've never heard of nor ever will. Botnet researchers at Damballa have found that nearly 60 percent of bot infections in organizations are from bot armies with only a handful to a few hundred bots built to target a particular organization. Only 5 percent of the bot infections were from big-name botnets, such as Zeus/ZDbot and Koobface. And more businesses are getting hit: 7 to 9 percent of an organization's machines are bot-infected, up from 5-to-7 percent last year, according to Damballa. ... [Damballa's] Ollmann says many of the smaller botnets appear to have more knowledge of the targeted organization as well. 'They are very strongly associated with a lot of insider knowledge...and we see a lot of hands-on command and control with these small botnets,' he says. ... Ollmann says botnets of all sizes are also increasingly using more and different types of malware rather than one particular family in order to evade detection. 'Most botnets, even small ones, have hundreds of different pieces of malware and families in use..."

cancel ×

146 comments

Sorry! There are no comments related to the filter you selected.

Bot scanner? (1)

GerardAtJob (1245980) | about 5 years ago | (#29538949)

Any good bot scanner?

Re:Bot scanner? (2, Informative)

Anonymous Coward | about 5 years ago | (#29539105)

Any good bot scanner?

your firewall logs...

Re:Bot scanner? (3, Insightful)

GerardAtJob (1245980) | about 5 years ago | (#29539359)

Any good firewall parser then ?
I'm lazy and don't want to read logs or parse them manually...
Anyway It's not even my job (I'm a programmer)! If they're a quick&dirty way to find out I'll try it once a week/month... but I wont read and parse this boring stuff...

Re:Bot scanner? (1)

Traa (158207) | about 5 years ago | (#29540559)

I'm with parent on this. I'm a developer at a big company. Have 3 machines in front of me[*]. Don't have access to firewall logs, assuming IT is doing a decent job because none of my machines have ever gone down in last 3 years. Still, modern malware wouldn't take my machine down so I could very well be infected. How do I know? What do I scan?

[*] Linux on one, WinXP on the others because that is what the job demands (don't argue).

Re:Bot scanner? (1)

mcgrew (92797) | about 5 years ago | (#29539257)

Any good bot scanner?

I don't know of one, but there is good bot prevention. It's called "Linux".

Re:Bot scanner? (1, Funny)

Anonymous Coward | about 5 years ago | (#29539387)

Linux botnet of zombie servers [p2pnet.net] . I believe in the lingo the kids one would say: pwned!

Re:Bot scanner? (0)

Anonymous Coward | about 5 years ago | (#29539465)

Yes, a hundred bots that leaked from a windows botnet is obviously proof of inherent insecurity.

Re:Bot scanner? (0, Insightful)

Anonymous Coward | about 5 years ago | (#29540359)

Gotta love the hypocrisy. If a user volunatarily installs malware on their system and get in a botnet and they are Windows it's: "ZOMG TEH WINDOZE IS TEH INSECURE!!!". When a Linux box is part of a botnet due to someone voluntarily installing malware on the system it's: "This isn't proof of Linux not being secure".

Re:Bot scanner? (3, Informative)

cream wobbly (1102689) | about 5 years ago | (#29541127)

It seems it was PHP, not Linux, that was exploited. You have to be running a neglected PHP-capable Web server to have the necessary exploitable hole in place.

OTOH, Windows has its vulnerabilities baked right in, as shipped.

Re:Bot scanner? (0, Redundant)

mcgrew (92797) | about 5 years ago | (#29541525)

A trojan isn't the OSes fault no matter what OS is running. But Windows (as well as apps by both MS and other developers) has holes that let attackers in without trojans. You can't infect a Linux box by visiting the wron web site, you have to actively install the malware.

Re:Bot scanner? (1)

Stenchwarrior (1335051) | about 5 years ago | (#29539445)

Which also prevents you from being able to use most applications; ergo, prevents any actual work taking place. Sounds like a Win-Win.

Re:Bot scanner? (1)

somersault (912633) | about 5 years ago | (#29540519)

That depends entirely on what your work involves. "Most applications" are not necessary for most work.

Re:Bot scanner? (1)

cream wobbly (1102689) | about 5 years ago | (#29541145)

Flamebait.

Re:Bot scanner? (1)

mcgrew (92797) | about 5 years ago | (#29541483)

Actually, no. Most applications come with the OS. Now, if you mean "I can't run a spreadsheet in LINUX!" you CAN run a spreadsheet; just not Microsoft's. There are a few specialty apps that one might need that there are no Linux versions of, for these you can set your computer up dual-boot with networking disabled on the Windows side. When you're done with your nnon-linux app you can send the results over the net from Linux.

But most people don't need programs that will only run in Windows. Most people the "need" Windows are gamers.

Re:Bot scanner? (1)

dissy (172727) | about 5 years ago | (#29541319)

I don't know of one, but there is good bot prevention. It's called "Linux".

So in other words, you want me to replace our Windows workstaions that run our ERP software which runs most of the business, over to Linux workstations that will not run ERP software worth anything, so that our business has to shut down?

SmRT!

I have made some Linux deployments here, but sadly there is just no way to fully switch over without seriously major and long interruptions in the business processes.

Due to the ERP software using 'technologies' ranging from Access 2000 up to dotNET 3.0, this pretty much rules out Wine and CrossOver.

The only two methods I see available at the moment, are

a) Use vmware or the like for our ERP client. Still runs windows, still needs a license, etc etc. Not really solving the problem, nor worth the effort.

b) Upgrade/Add a Windows 2008 server (We use 2003 currently) which has the new Terminal Services (RDP 6.1) TS-RemoteApp [microsoft.com] where you can export applications instead of just full desktops.
This will let us seamlessly run the ERP client modeless on the Linux systems, where the software runs on the server, but the GUI looks native.

I do like the idea of B, but an upgrade to Win 2008 is not cheap, and while it would be an improvement (Keeping Windows off the desktop and away from the users), that will be a major chunk of budget for only minor benefits, with the possibility of major problems in the future.
The only upside is that to stay on the upgrade treadmill, going to Win2008 will need to happen eventually anyways.

Wide general sweeping statements though... Easy to prove wrong every time.

Re:Bot scanner? (2, Insightful)

Kylock (608369) | about 5 years ago | (#29541509)

While some malware/botnet clients may escape anti-virus detection, the common trait is that they all have to connect to a command and control server. Many IDS products have signatures to detect this type of traffic.

For example, many "botnet-kits" will connect using IRC on a random high port. IRC usage audit signatures are good for detecting the more common botnet c&c traffic.

Prevention is key, but it's still not easy - trying to keep Joe User from playing that Michael Jackson video he got in his email from an unknown sender is quite a challenge.

Up To 9% of a Company's Machines Are Bot-Infected (4, Funny)

navygeek (1044768) | about 5 years ago | (#29538969)

And after reading the linked article, there's another 40% :-p

Re:Up To 9% of a Company's Machines Are Bot-Infect (0)

Anonymous Coward | about 5 years ago | (#29539389)

Free trial of my new, award-winning bot cleaner at www.no_more_botnets.com.

Re:Up To 9% of a Company's Machines Are Bot-Infect (1)

Archangel Michael (180766) | about 5 years ago | (#29539557)

You read the article? Please hand in your Slashdot membership on your way out.

Re:Up To 9% of a Company's Machines Are Bot-Infect (1)

navygeek (1044768) | about 5 years ago | (#29540391)

*hangs head and sadly says* Okay, my bad...I'll go... :(

Re:Up To 9% of a Company's Machines Are Bot-Infect (0)

Anonymous Coward | about 5 years ago | (#29541043)

Did the article mention which company?

Education (5, Insightful)

sopssa (1498795) | about 5 years ago | (#29538977)

This is the reason traditional antivirus scanning will not work. If the specific malware is only inside your company or a few hundred PC's, there isn't signatures for them either. You have to educate your company's workers and restrict access in OS instead of blindly trusting your antivirus providers.

Now the same approach doesn't work in homes or educating those random users, but it should work inside your company.

Re:Education (0)

Anonymous Coward | about 5 years ago | (#29539205)

Maybe if I educate the owner that there is almost a 10% chance of him sending his day-trading activities to some guy in Russia, he will start to listen about moving to the linux based thin client solution I've been touting for years... nah, then he wouldn't be able to day-trade using those fancy tools.

Re:Education (5, Insightful)

sopssa (1498795) | about 5 years ago | (#29539271)

Moving to Linux does little to help in the situation the article explains. If its targeted at your company, it doesn't matter if you're running Windows or Linux or some other OS. The malware will be designed for it. If its purpose is to steal information or banking details, it runs just fine on user space too, no root required. It might even make the situation worse, since the system is new to almost everyone (and spotting a well hidden malware in Linux is hard)

Re:Education (0)

Anonymous Coward | about 5 years ago | (#29539413)

That's why you need to have a diverse network infrastructure, like we used to have in the 1980s and even most of the 1990s.

We had Solaris, Xenix, SCO's OpenDesktop, HP-UX, AiX and Windows NT on our workstations. Our backend was VMS and even OS/360 at one place I worked.

I see the typical corporate networks we have today, with Windows XP desktops connecting to Windows Server 2003 servers, and I have to laugh. There's no diversity whatsoever. It makes me glad I got out of the profession when that transition started!

Re:Education (1)

FatdogHaiku (978357) | about 5 years ago | (#29540351)

That's why you need to have a diverse network infrastructure, like we used to have in the 1980s and even most of the 1990s.

We had Solaris, Xenix, SCO's OpenDesktop, HP-UX, AiX and Windows NT on our workstations. Our backend was VMS and even OS/360 at one place I worked.

Jeez, diverse network infrastructure... we just called it a cluster fuck.
And you always end up with one person that is the king of kludges.

Re:Education (3, Insightful)

spydabyte (1032538) | about 5 years ago | (#29539429)

How does this education in a company differ from the home? Payment? Fire them if they're not secure? They've tried that, it's called government. We all see how well that [slashdot.org] works out [slashdot.org] .

If you want to be 100% secure, higher smart people and shut off your internet pipe.

Now 99.999%? That's a different story.

Re:Education (3, Funny)

snowraver1 (1052510) | about 5 years ago | (#29539895)

***Irony alert** Title : Education. Text: "If you want to be 100% secure, higher smart people and shut off your internet pipe."

Re:Education (1)

somersault (912633) | about 5 years ago | (#29540613)

But I use my internet pipe to get me hire than high!

Re:Education (1)

amplt1337 (707922) | about 5 years ago | (#29541275)

I believe you mean "hire THEN high."

Honestly, the level of discourse on the Internet these days...

Re:Education (0)

Anonymous Coward | about 5 years ago | (#29540771)

That's not ironic.

Re:Education (1)

EvilBudMan (588716) | about 5 years ago | (#29539903)

Can you give more specifics? Like there may be no way to avoid this on an XP machine, that's what I'm getting at. A lot of corps still have that with computers 5 years old and it as godd a reason as any to use some other OS.

Re:Education (4, Interesting)

fbwhrdpmtajg (1452033) | about 5 years ago | (#29539921)

Screw educating, this situation calls for whitelisting and non-administrator privileges.

Voltron Anyone? (3, Funny)

Zantac69 (1331461) | about 5 years ago | (#29539027)

For some reason - this made me think of Voltron. Not the lion voltron - but the crappy vehicle voltron. All the tiny botnets coming together to form a huge botnet...but it would probably be a ro-beast. Maybe then lion voltron could come destroy the evil bot-net ro-beast.

Great - now my day is ruined because I am going to be looking for an MP3 of the lion voltron assembly thing to put as a ring tone on my phone.

Re:Voltron Anyone? (0)

Anonymous Coward | about 5 years ago | (#29539153)

Great, thanks - now my wife is looking for it too. Google is going to see the spike and create a set of graphs depicting the rise in Voltron interest, and then we'll all be saddled with something WORSE than the vehicle Voltron.

Re:Voltron Anyone? (0)

Anonymous Coward | about 5 years ago | (#29539199)

I think I am required by law to post this link now: Voltron Got Served [adultswim.com] from Robot Chicken.

Re:Voltron Anyone? (0)

Anonymous Coward | about 5 years ago | (#29539227)

your post would have been good if it were 9 screens long.

Re:Voltron Anyone? (1)

maxume (22995) | about 5 years ago | (#29539275)

Your whole day? Just rip if from some Youtube video, I'm sure it is there.

Re:Voltron Anyone? (1)

0-until-pink (202599) | about 5 years ago | (#29539295)

I got a real nostalgia kick out of this - not from the Lion Voltron reference but from the idea of spending half the day looking for a kitschy ringtone.
Oh to be 24 again.

Re:Voltron Anyone? (0)

Anonymous Coward | about 5 years ago | (#29540965)

I had completely forgotten how kitschy voltron was until I ran across an ep online the other day. I think my favorite part of the show was where voltron forms; His hands and feet roar!

Self promoting (1)

Anonymous Coward | about 5 years ago | (#29539065)

It sounds like the company in question provides security services, so isn't this piece of 'research' an advertisement for their services?

Mod parent up. (5, Interesting)

khasim (1285) | about 5 years ago | (#29540037)

I'm having a lot of trouble believing some of the claims in that article.

In a three-month study of more than 600 different botnets found having infiltrated enterprise networks, researchers from Damballa discovered nearly 60 percent are botnets that contain only a handful to a few hundred bots built to target a particular organization. Only 5 percent of the bot infections were from big-name botnets, such as Zeus/ZDbot and Koobface.

600 botnets

5% of 600 is 30. So only 30 out of 600 were "big-name"? That doesn't sound like those "big-name" ones are all that big.

60% of 600 is 360. So their tiny sample found 360 instances of NEW viruses/worms/trojans? I find it very difficult to believe that there are that many sites with custom infections.

Which leaves 210 infections that are not custom and not "big-name". How did those sites manage that? In my experience, if some site it getting infected by less virulent code, it's also infected by the more virulent code.

"Of all the enterprises where we've gone into who are customers or as proof-of-concept, 100 percent have had botnet infections," says Gunter Ollmann, vice president of research for Damballa.

Which makes me question how those sites are selected for them to investigate. NONE of them had decent anti-virus practices?

The bad guys are also finding that deploying a small botnet inside a targeted organization is a more efficient way of stealing information than deploying a traditional exploit on a specific machine.

Whoa! I'd think that they're using a different definition of "botnet" than the one I'm familiar with. Of course having more than one machine is more efficient. If nothing else, that one machine is a "single point of failure" than can be re-imaged at any time.

And Ollmann says many of the smaller botnets appear to have more knowledge of the targeted organization as well. "They are very strongly associated with a lot of insider knowledge...and we see a lot of hands-on command and control with these small botnets," he says.

I don't see how those two statements support each other. What knowledge do they need? IP ranges, routers, gateways and servers.

If they remotely control four or five hosts, for instance, then they issue commands to the bots to navigate network shares, retrieve files, or access databases, he says.

Which they cannot possibly do if they controlled 40 or 50 hosts. Or 400 or 500. Etc. Bullshit.

"I suspect that a sizable percentage of small botnets are those developed by people who understand or are operating inside a business as employees who want to gain remote access to corporate systems, or by criminal entities that have dug deep and gotten insider information on the environment," Ollmann says.

Again there is nothing to support those statements.

"The reason why we know this is the way the malware is constructed -- how it's specific to the host being targeted -- and the types of command and control being used. Bot agents are often hard-coded with the command and control channel" so they can bypass network controls with a user's credentials.

How can it be "specific to the host being targeted"?

Aren't "bots" always hardcoded with the "command and control channel"? Such as "use IRC" and "connect to this generated list of sites for updates".

These mini-botnets tend to rely on popular DIY malware kids, like Ivy and Zeus, to infect their victim machines, he says.

Damn "malware kids". Get off my lawn!

And they are typically more automated than bots in the big botnets: "Some designed for the enterprise worm they way around the network and look for common protocols that are open in the enterprise" and infect files, and exploit other hosts in the network, Ollmann says.

Damn! Not only are they "more automated" but they also have " a lot of hands-on command and control".

Pure
Marketing
Fluff

egress filtering (3, Interesting)

Lord Ender (156273) | about 5 years ago | (#29539071)

This solution is egress filtering: stop all traffic going out to the internet from desktop computers. Then provide a proxy server (HTTP and SOCKS) users can use to get what they need on the net. The proxy server must be a filtering server--the sort that keeps a list of known malware sites and botnet controllers, so that it can automatically block them.

With this in place, users will still be able to get what they need from the net, but 99% of bots will be stopped.

Re:egress filtering (3, Informative)

TorKlingberg (599697) | about 5 years ago | (#29539127)

Not the kind of bots that this article describes, that are targeted specifically to your company.

Re:egress filtering (1)

Havokmon (89874) | about 5 years ago | (#29539583)

I did this for PCI Compliance. Add NTLM auth with Squid and only allow a small number of people to have unrestricted access. Have everyone else filtered down to only required business sites.

Re:egress filtering (1)

mrdoogee (1179081) | about 5 years ago | (#29540381)

A squid [wikipedia.org] proxy server with Smartfilter works pretty well here at my office.

Re:egress filtering (1)

Sicnarf (529730) | about 5 years ago | (#29540459)

nowadays bot net controllers are hard to track, since they use peer to peer methods and hierachies. going through a proxy will lower latency :s

Re:egress filtering (1)

Sicnarf (529730) | about 5 years ago | (#29540469)

increase* latency ofc. that and once you're part of a botnet u wanne wipe ur machine clean with a reinstall. or else the malware will just spread on further.

machine malware infections (4, Interesting)

viralMeme (1461143) | about 5 years ago | (#29539077)

And the vast majority of these 'machine malware infections' run on Windows. machine malware infections.

Half of Fortune 100 companies compromised by new information stealing Trojan [blogspot.com]

"Security tool designed to stealthy run on winnt based systems (win2k to winvista) and to stealthy and efficiently spread with 3 spreaders, which were specially designed and improved compared to already known public methods.[sic]" The three spreaders are MSN, USB, and P2P. Listed P2P networks were "ares, bearshare, imesh, shareaza, kazaa, dcplusplus, emule, emuleplus, limewire.[sic]"

Re:machine malware infections (0)

Anonymous Coward | about 5 years ago | (#29539151)

"ares, bearshare, imesh, shareaza, kazaa, dcplusplus, emule, emuleplus, limewire.[sic]"

People still use these systems today? Or are they basically just malware networks these days?

Re:machine malware infections (1)

agnosticnixie (1481609) | about 5 years ago | (#29539483)

Primarily malware network with hints that they used to be useful.

This compromises other machine on the same network (4, Insightful)

MaraDNS (1629201) | about 5 years ago | (#29539107)

This, naturally, compromises other machines on the same network. If another machine on the same network is controlled by hackers, one thing they can do is run a packet sniffer and grab unencrypted passwords. Or read your email (unless you use Gmail and have things set up to always use SSL). Or try to control your computer; it's a lot easier to attack a computer when you're behind the firewall.

The good news is this: Since the computer is a company computer, there's a lot more we can do to find and remove the virus from the computer in question. Such as taking the computer off of the network, making a backup of all data files, and doing a complete reinstall of the OS and all company-approved applications. With or without the computer owner's consent. A corporate IT department has a lot more control over their computers than, say, Comcast.

So the question is this: What are good ways for a corporate IT network to know whether a given computer is a zombie? Analysis of the packets a given computer makes is one way.

Re:This compromises other machine on the same netw (1)

Talderas (1212466) | about 5 years ago | (#29539459)

You can usually locate a zombie by its insatiable appetite for human flesh. Other indicators tend to be lack of comprehension regarding basic command like 'stop' or 'there's a tasty young blonde over there'.

The best way ... Snort. (3, Informative)

khasim (1285) | about 5 years ago | (#29540125)

Simply hook up a decent intrusion detection system (Snort is exceptionally decent in this regard) and look at the traffic patterns.

Workstations contact servers for services provided by those servers. Services that you should be aware of.

Workstations do not contact other workstations (except for IT support people).

Then look at outbound traffic. Betsy in Accounting cannot spell IRC so why would she be using that protocol?

This isn't much help if everything turns to https for command and control. But at least you'd see the sites that those were hitting. Why is someone hitting e3rt49io.cn at 3 in the morning?

Re:This compromises other machine on the same netw (1)

99BottlesOfBeerInMyF (813746) | about 5 years ago | (#29540265)

This, naturally, compromises other machines on the same network... Or try to control your computer; it's a lot easier to attack a computer when you're behind the firewall.

Most enterprises now segregate their internal networks with a series of firewalls as well.

So the question is this: What are good ways for a corporate IT network to know whether a given computer is a zombie?

There are a lot of tools designed for exactly this purpose. Some of the better ones integrate with your routers and will do more than give you a list of infected machines. They'll attempt to find them automatically and identify them and notify you and either automatically or on command quarantine the infected systems by filtering out traffic from them or from a chunk of your network using the routers. At least one tool can quarantine a particular network section, while still whitelisting the normal, critical traffic in and out of that subsection, so if a branch office is infected, the machines' traffic to the rest of the world and to the rest of your network is blackholed, with the exception of the server they host which uploads payroll. That server is limited to it's normal connections though, so it can only talk to the other payroll server and only on the same port at the normal time.

Re:This compromises other machine on the same netw (2, Insightful)

orange47 (1519059) | about 5 years ago | (#29541857)

but, don't packet sniffers grab passwords only on hubs, not the switches that everyone uses nowadays? besides many use google POP3 server, that should be safe(r)?

*An* organization? (1)

Culture20 (968837) | about 5 years ago | (#29539143)

And more businesses are getting hit: 7 to 9 percent of an organization's machines are bot-infected, up from 5-to-7 percent last year, according to Damballa.

I think the bolded "an" is a typo, otherwise, this sentence makes little sense.

Re:*An* organization? (1)

Em Emalb (452530) | about 5 years ago | (#29539263)

no, it's perfectly valid. A little ugly, but valid.

Re:*An* organization? (1)

eexaa (1252378) | about 5 years ago | (#29541811)

That was meant to be 'anal'. I'm sure that everyone saw the mistake right away and no confusion occured.

Apple fanboys (2, Funny)

Chrisq (894406) | about 5 years ago | (#29539179)

I thought it was only Apple fanboys who had to worry about getting their bots infected.

Corporate America (3, Insightful)

girlintraining (1395911) | about 5 years ago | (#29539231)

Why do people blame the company for this?

I worked deployment for several years at a company with about 13,000 servers and 96,000 workstations, as well as over 25,000 POS systems. I can safely say that size is not the problem. Policies are the problem. There is always that one employee that thinks that he can sneak iTunes onto the network and download some mp3s to a flash drive despite the "no pen drives policy". Disabling them doesn't really help -- they have physical access to the machine of course.

If you figure that there are 150,000 employees in your company, and the consumer market has a 5% infection rate, and 1% of your employees decide to bring a flash drive in... Then every five days, someone is plugging an infected flash drive into your network. All the network management in the world cannot control that many people -- I can't replicate myself to stand over each user and remind them of the risks. And since they don't see the consequences as they happen, there's no chance for them to learn.

But blaming corporations for this is stupid. And blaming employees for it isn't productive. The truth of the matter is, as far as the business world is concerned -- viruses, worms, malware, spyware, and the like are the cost of doing business. It would cost way more to fix the problem than to simply let it eat at the margins.

Sorry to say, but your data isn't worth those kinds of expenses.

Re:Corporate America (5, Insightful)

ledow (319597) | about 5 years ago | (#29539321)

Because, physical access or not, you should be stopping it anyway.

And if someone plugs something in and pushes a virus onto the network - how different is that to pulling the fire alarm, or jamming the lifts in a skyscraper? The company should be dealing with it - first by basic prevention (no USB access or even no USB ports if they aren't needed), secondly by policies but most importantly by enforcement. With physical access, if an employee plugs in a USB stick and somehow "makes" it work when you've disabled it as an administrator, then it's not an accidental thing - not an unthinking "Oh, I can't send it over the network, I'll just plug in my personal USB and do it at home"... it's a deliberate, wilful act to insert an unauthorised device into the corporate network. No different to plugging in an unsecured wireless router, or anything else.

The *company* should be taking basic precautions with its customer's and its own business data - that means limiting access to the bare minimum required. Then any violation of that (because it *can* be worked around) is a clear attempt to do something deliberately that can damage the entire corporate network - i.e. bye bye, don't trip up on the tech who's rebuilding your machine from a clean image on the way out...

Pushing it onto "random employees do shit and we can't stop it" could cover all sorts of mistakes that the customers and business end up paying for - oops, the customer database was accidentally attached to that email (Demon Internet in the UK earlier this week)... oh well, too many employees to police *that*... ??? No... someone gets disciplined. And eventually that stops happening, especially if you have the right precautions in place to prevent it happening accidentally.

Re:Corporate America (1, Insightful)

girlintraining (1395911) | about 5 years ago | (#29539457)

And if someone plugs something in and pushes a virus onto the network - how different is that to pulling the fire alarm, or jamming the lifts in a skyscraper? The company should be dealing with it - first by basic prevention (no USB access or even no USB ports if they aren't needed), secondly by policies but most importantly by enforcement.

Pulling fire alarms generally lead to jail time. I don't think there are many courts that would view dismissing an employee every five days for using a computer kindly, let alone jailing them for years.

The *company* should be taking basic precautions with its customer's and its own business data - that means limiting access to the bare minimum required.

Which drives the costs up. Hey -- $50 for a bag of chips. $120 dollars a gallon for gas. You want perfect security? Pay for it.

especially if you have the right precautions in place to prevent it happening accidentally.

There is no precaution that can outsmart human stupidity. If you had more than a year of experience in the field, you'd know this. Damn armchair network admins...

Re:Corporate America (2, Insightful)

giorgiofr (887762) | about 5 years ago | (#29539671)

Yeah right. My boss only hears "blah blah" and thinks "don't care - wanna play golf" when I say "unauthorised device into the corporate network". Tentative policies trying to deal with this stuff make executives cry bloody murder and are promptly removed. And even if anybody cared, there would be legislative obstacles to firing an employee over here: read, it's basically impossible unless they've got some CP on their boxes.

Re:Corporate America (0)

Anonymous Coward | about 5 years ago | (#29539757)

You can fire mindless idiots that will be replaced without effort, but critical people are not so easily replaced and they have the means to commit any crime and cover their traces. Only education can prevent this from happening. Or feeling pride for what you do. Then you don't sabotage the company. NASA and few others can maybe make you proud of working there. Most other companies? Money-making scams. Screw them.

Re:Corporate America (1)

should_be_linear (779431) | about 5 years ago | (#29539801)

but you are talking about preventing users to do one of the most convenient and basic things they need for their job: transferring bunch of data via USB key (moving gigabytes any other way is painful). You can't treat users as idiots. They want permanent internet/e-mail access and this is far bigger problem. Meybe you can sacrifice MS Office instead. Then it would be possible to replace Windows with anything else and make your whole network much safer then by trying to enforce impossible stuff on hundreds/thousands of users.

Re:Corporate America (0)

Anonymous Coward | about 5 years ago | (#29539971)

Give her a break.. she's just a girl.. who's still in training.

Re:Corporate America (4, Informative)

BenEnglishAtHome (449670) | about 5 years ago | (#29540205)

That's interesting. Where I work, [irs.gov] inserting a personally-owned pen drive to a computer on the network that gets caught in a scan results in a suspension. Inserting a personally-owned pen drive that pushes malware out onto the network gets you fired. Inadverdently attaching a spreadsheet with customer data to an email and sending it outside the organization gets you fired, everyone in your area subjected to additional training, and an executive or two dragged before a congressional subcommittee to fall on their swords. Deliberately accessing customer data to which you have no right gets you all of the above, plus you go to jail.

Other places don't take security as seriously?

Re:Corporate America (1)

EvilBudMan (588716) | about 5 years ago | (#29540975)

Damn, I wish I worked for the feds. Good rules and retirement.

--Deliberately accessing customer data to which you have no right gets you all of the above, plus you go to jail.--

I think this is the case anywhere.

--inserting a personally-owned pen drive to a computer on the network that gets caught in a scan results in a suspension.--

To bad I can't force adoption of this policy within our organization. A lot of this stems from the fact that there is no broadband out where some of the higher ups live. So they take stuff home & bring it back in.

Just one question though; what does surfing and posting to /. get you working for the IRS?

Re:Corporate America (4, Informative)

Strange Ranger (454494) | about 5 years ago | (#29540671)

(no USB access or even no USB ports if they aren't needed)

This sort of mentality drives me up a wall. Let's pretend we're the Pentagon and take half the usefulness out of modern technology before we let our users us it.
No thanks. You're a cost center. I make the company money. If I want to plug a cordless mouse into my laptop to make my 60 hour week easier than I'm going to do that. If you can't figure out a way to let me then F@(% YOU. Sorry but that's how most of us feel. This is the laptop I carry with me everywhere and use all the time. It's the one I take on vacation so I can WORK from vacation. So of course I'm going to want to plug a camera into it and use it for personal use. If you want me to treat it like I don't own it then I'll start leaving it at the office and you can take 15-20 hours of my work every week and shove it. You can't have it both ways. The chance that somebody is targeting the company with a non-scan-able customized piece of malware through the jpegs on my camera's SD card is close enough to NIL. Create a white list of file types, scan the thumbdrive or memory card, do whatever you need to do short of turning into Mordac - Preventer of Information Services [whatitslik...inside.com] . And let me get on with my life. And while you're at it take the 95 things in my system tray that slow my machine down to a crawl and send them to oblivion.

The company has unsecured trash dumpsters, unsecured phone lines, an unsecured fax machine sitting in every hallway, and people in the mailroom that make 8 bucks an hour. How about addressing those things and getting some perspective before turning my laptop into a 60-hour per week jail sentence. Thanks.

Re:Corporate America (1)

danger42 (302987) | about 5 years ago | (#29540843)

...how different is that to pulling the fire alarm, or jamming the lifts in a skyscraper?

Skyscrapers have lifts? Aren't they tall enough already?

Re:Corporate America (1)

EvilBudMan (588716) | about 5 years ago | (#29540923)

What if the ones most guilty are over you in rank?

--that means limiting access to the bare minimum required--

Define bare minimum? In some cases this can stifle productivity. A lot of the blame can be placed on Microsoft for not putting more of their stuff in user space. Here's my idea; switch the OS if possible, if not the switch what is possible to something else.

I really wish I had the authority to do what you say, but here there would be so much whining that I would be likely affected by all of the negative feedback. We don't just have people doing data entry here. There are many applications that are needed and used, but perhaps there are some things that can be done, but I don't think this problem is going away any time soon with so many old XP machines out there in business. They are easier to break into in the first place.

Re:Corporate America (0)

Anonymous Coward | about 5 years ago | (#29539405)

POS as in Piece Of Shit?

Re:Corporate America (1)

mjihad (686196) | about 5 years ago | (#29539501)

POS as in Piece Of Shit?

Point of Sale [wikipedia.org] , also known as a cash register.

Re:Corporate America (0)

Anonymous Coward | about 5 years ago | (#29539571)

Point of Sale more than likely.

Re:Corporate America (1)

EvilBudMan (588716) | about 5 years ago | (#29540513)

--All the network management in the world cannot control that many people--

This hit a nerve, because this is the exact problem that we have in a small company, but it's the higher up's that insist on having this stuff present.

Might have to resort to what many schools do? (2, Interesting)

King_TJ (85913) | about 5 years ago | (#29539329)

It seems like educational institutions have some of the biggest problems with system tampering/hacking/infections, since they're exposed to thousands of students each year who have attitudes of "Who cares? Not MY computer anyway!" and who often think it's a challenge and *fun* trying to mess up the system in question. Unlike hackers trying to infect you with malware over the Internet from some other country, these people have full PHYSICAL access to the computers.

So how do they manage? Many schools I know have things configured so their workstations get re-imaged nightly from master images on a server. Any unauthorized changes made to the computer only last until that nightly maintenance runs, at the longest. (An admin might re-image a workstation even more quickly than that if he/she realizes it has an issue.)

I could see large businesses resorting to this, as well - if they're starting to encounter risks as aggressive as bots targeted to their particular businesses.

Re:Might have to resort to what many schools do? (1)

644bd346996 (1012333) | about 5 years ago | (#29539421)

At my university, we have a the VCL [ncsu.edu] , a pool of blade servers accessible by RDP or SSH that get imaged on the fly when a user requests a machine with certain apps. These blades get wiped on log-out. (Home directories are of course stored elsewhere, and accessed over AFS.) This is very secure, but it lets students get admin access to their machine, and it also helps keep software licensing costs down, because it is trivial to limit the number of concurrent users of a package that isn't volume licensed. Performance when accessing the VCL on-campus is great, and in a corporate environment it could work great with thin clients.

Re:Might have to resort to what many schools do? (1)

clarkn0va (807617) | about 5 years ago | (#29540253)

We use thin clients and RDP for students here at the college. It removes physical access to the Windows machine in a very elegant way, and is tonnes easy to manage.

Re:Might have to resort to what many schools do? (1)

mrdoogee (1179081) | about 5 years ago | (#29540477)

Seems like a lot of network overhead for that... why not use a product like Steadystate or Deep Freeze? Is there an advantage to re-imaging every box nightly?

Re:Might have to resort to what many schools do? (1)

iamhigh (1252742) | about 5 years ago | (#29540577)

I don't use it the way the GP describes, but the imaging software I have used will usually let you kick off a job over the network, but the data is on a partition on the computer. This does mean that someone could mess with that data, but bots aren't that smart yet, and most users couldn't do more than delete data (which is easily restored). It cuts down greatly on network usage; also I would assume you would need one hell of a server to push that out to more than a few dozen computers.

I'd use 'em (1)

russotto (537200) | about 5 years ago | (#29539409)

If I was a CTO and my department found a botnet like this, I'd be very tempted to play the disinformation game. Clean up some of them, but with others, just move the machines to an isolation area and start feeding them faked drafts of sales figures, annual reports, engineering drawings of dead-end designs, whatever else the botnet might be looking for. Alas there's probably some SEC regulation against that sort of thing.

Re:I'd use 'em (1)

K. S. Kyosuke (729550) | about 5 years ago | (#29539481)

Regulation? Why? You can't put whatever files you wish on your own machines?

Re:I'd use 'em (1)

PitaBred (632671) | about 5 years ago | (#29540179)

The SEC has very specific, and sometimes seemingly random, mandates that are required for any computers and people that work with financial and securities data.

My site has no dedicated IT (2, Informative)

Jaktar (975138) | about 5 years ago | (#29539425)

So I've been doing what I can to keep things running smoothly. Recently we 'upgraded' our server with a dedicated line to the corporate network. When the company IT came in, their standard procedure was to image each of the machines with XP SP2, IE6, McAfee, and a few other outdated tools. When they left, half of my machines would hang on logout. A number of the machines wouldn't connect to their antivirus repositories. This story does not surprise me in the least. I asked a lot of questions about why they were using these old revisions, and their answer was "It hasn't been fully tested". It's a good thing I only make electricity and not something really important.

Re:My site has no dedicated IT (0)

Anonymous Coward | about 5 years ago | (#29539819)

The old versions haven't been fully tested? Sheesh...

I'm surprised the number's as low as 9% (1)

zorro-z (1423959) | about 5 years ago | (#29539541)

The main problem is that, for a system to be sure, at least one part of it has to be strict. Since Windows is fairly permissive, security requires a sysadmin to be something of a hardass- a position which is not often appreciated by users. At my office, for instance, people constantly complain that our sysadmin doesn't allow them to install *anything* on their PCs, assuming that they even have full PCs (about 1/2 of them are Citrix thin clients). On the other hand, as I explain to them, I've worked in IT for a long time, + I've never seen a network as securely-run as ours; much of this is due to our sysadmin's being a hardass. If, on the other hand, people are given the freedom to install their own s/w, they often wind up installing trojans and so forth.

Yeah but... (1)

jarden_from_cerberus (1195981) | about 5 years ago | (#29539661)

The other 91% are infected with users :(

Now I understand... (1)

KitsuneSoftware (999119) | about 5 years ago | (#29539707)

Now I understand why my previous employer disconnected it's old network from the internet, and gave everyone a new computer (on a separate network) solely for internet work. This made life extremely complicated for everyone, as they make and published browser-based games.

university who blocked game web site game programm (0)

Anonymous Coward | about 5 years ago | (#29539859)

Now I understand why my previous employer disconnected it's old network from the internet, and gave everyone a new computer (on a separate network) solely for internet work. This made life extremely complicated for everyone, as they make and published browser-based games.

sounds like that university who blocked game web sites and they have game programming classes.

Re:Now I understand... (1)

PitaBred (632671) | about 5 years ago | (#29540203)

Was it really that hard, though? I mean, I'm sure you had in-house webservers. Making browser games, you probably wouldn't push them to the public site except once every few days at most, right? What's an air-gap when that's the case?

One more reason to commoditize to r/o terminals (1)

davidwr (791652) | about 5 years ago | (#29539767)

When's the last time you saw a machine that rebooted from read-only storage* get an infection that lasted past a reboot?

*this means a BIOS that is, from a virus's perspective, read-only as well.

In some corporate environments, a commodity client computers that boot from a known-good, read-only boot disk with a writable "cache" portion that's flushed daily or weekly will do the trick. User data should be stored on the network anyways. Many VM environments offer this type of functionality, and it might be a good idea if bare-metal environments offered it as well.

Re:One more reason to commoditize to r/o terminals (1)

Jesus_666 (702802) | about 5 years ago | (#29541459)

Exactly what I thought when reading this: Have the OS on a read-only disk (or a central server) and applications on a read-only network share if the OS is local (on the same server otherwise). Bonus points for making the OS refuse to run any executable not found on one of those two volumes. Data files lie on a network share but are never be considered executable (if possible).
That would still not completely protect against botnets but the only people capable of getting them established are te IT department and you have no way of defending against them anyway.

The only exemption would be admin and development computers as these restrictions would severely hinder the latter and can't be properly enforced on the former anyway.

Upper bound (1)

EdgeyEdgey (1172665) | about 5 years ago | (#29540601)

Up To 9% of a Company's Machines Are Bot-Infected

Excellent. If I infect those 9% myself then no more can be infected. Easy life.

Tools? (1)

Jahf (21968) | about 5 years ago | (#29540711)

What tools exist to diagnose this nowadays? I would think that sticking a proxy between your modem and router (assuming you're not using a built-in) would let you do some pretty quick and dirty traffic analysis. I would also think that open source router firmwares could do the same.

Heck, I would like to know for my own purposes at my home office to occasionally verify my PCs and friends laptops aren't acting like botnet zombies.

And you could probably turn it into a fairly interesting consulting gig.

Re:Tools? (1)

derrickh (157646) | about 5 years ago | (#29541407)

Why did this get modded down? I too would like to know of a good way to check for infected computers aside from going line by line down firewall logs. And if the log scan is the only way, then what would indicate an infected pc?

D

Credibility Gap (1)

thethibs (882667) | about 5 years ago | (#29541477)

An infection rate of 7 to 9 percent of IP addresses? That's a very narrow range. Too narrow to be credible. None of the enterprises had, say, 4 or 12 percent compromised?

These folks are statistically impaired. They probably are sitting on a lot of really useful data, but they don't know what it means. Certainly, they haven't released enough information for anyone to draw conclusions from it.

mod m0p (-1, Redundant)

Anonymous Coward | about 5 years ago | (#29541497)

OS I do, because Kreskin Argued by Eric of business and was and the Bazzar see... The number There's no the problems Consider worthwhile there are counterpart, FreeBSD project, host what the house later seen in centralized and Michael Smith to predict *BSD's

The botnet international anthem (1)

Chris Tucker (302549) | about 5 years ago | (#29542065)

"Botnets, spammer's botnets!
What kind of boxes are on botnets?

Compaq, HP, Dell and Sony, true!
Gateway, Packard Bell, maybe even Asus, too!

Are boxes, found on botnets.
All running Windows, FOO!"

I'm running Mac OS X 10.5.8, here.

Why, yes. Yes I AM a smug bastard!
Thanks for asking.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?