Up To 9 Percent Of Machines In An Enterprise Are Bot-Infected
Most are members of tiny, unknown botnets built for targeting victim organizations
Sep 24, 2009 | 03:59 PM
By Kelly Jackson Higgins
Bot infections are on the rise in the enterprise, and most come from botnets you’ve never heard of nor ever will.
In a three-month study of more than 600 different botnets found having infiltrated enterprise networks, researchers from Damballa discovered nearly 60 percent are botnets that contain only a handful to a few hundred bots built to target a particular organization. Only 5 percent of the bot infections were from big-name botnets, such as Zeus/ZDbot and Koobface.
And Damballa has seen bot infections grow in enterprises as well, from 5 to 7 percent of an enterprise’s IP address space and hosts last year, to 7 to 9 percent of them bot-infected this year. “Of all the enterprises where we’ve gone into who are customers or as proof-of-concept, 100 percent have had botnet infections,” says Gunter Ollmann, vice president of research for Damballa. “It’s more the smaller, customized and targeted types of botnets [that infect the enterprise].
“Corporations have become very good at dealing with the larger threats that get publicized — they tend not to get affected widely by Conficker, for instance.”
Ollmann’s colleague, Erik Wu from Damballa, today revealed this latest research during a presentation at the Virus Bulletin Conference in Geneva.
Joe Stewart, a researcher with SecureWorks’ Counter Threat Unit, says botnet operators who execute targeted attacks do so with fewer bots. “Entities that launch targeted attacks will have a smaller number of bots in their botnet than nontargeted ones, for sure,” Stewart says.
The bad guys are also finding that deploying a small botnet inside a targeted organization is a more efficient way of stealing information than deploying a traditional exploit on a specific machine. And Ollmann says many of the smaller botnets appear to have more knowledge of the targeted organization as well. “They are very strongly associated with a lot of insider knowledge…and we see a lot of hands-on command and control with these small botnets,” he says.
If they remotely control four or five hosts, for instance, then they issue commands to the bots to navigate network shares, retrieve files, or access databases, he says.
“I suspect that a sizable percentage of small botnets are those developed by people who understand or are operating inside a business as employees who want to gain remote access to corporate systems, or by criminal entities that have dug deep and gotten insider information on the environment,” Ollmann says. “The reason why we know this is the way the malware is constructed — how it’s specific to the host being targeted — and the types of command and control being used. Bot agents are often hard-coded with the command and control channel” so they can bypass network controls with a user’s credentials.
These mini-botnets tend to rely on popular DIY malware kids, like Ivy and Zeus, to infect their victim machines, he says. And they are typically more automated than bots in the big botnets: “Some designed for the enterprise worm they way around the network and look for common protocols that are open in the enterprise” and infect files, and exploit other hosts in the network, Ollmann says.
But like most other cybercriminals, these mini-botnet operators then try to sell the data they’ve stolen to other criminals. “They try to sell information based on the bot they have, or individual bots based on the performance of a machine, or its physical location and IP address space,” he says. “And more recently, we’ve seen a growth in the number of sites that offer the sale of corporate documents that were extracted from the [bots].”
Ollmann says botnets of all sizes are also increasingly using more and different types of malware rather than one particular family in order to evade detection. “Most botnets, even small ones, have hundreds of different pieces of malware and families in use,” he says.
One large botnet Damballa tracked during the study had 50,000 machines and used just less than 100,000 different forms of malware.
Home / News
Rustock, Xarvester Spambots Capable of Sending 25,000 Messages Per Hour, Says New Study
* Apr 22, 2009 6:24 PM PDT
* Comments: 0
* Views: 1,596
By CircleID Reporter
Rustock, Xarvester Spambots Capable of Sending 25,000 Messages Per Hour, Says New Study
A recent study suggests Rustock and Xarvester malware provided the most efficient spambot code, enabling individual zombie computers to send 600,000 spam messages each over a 24 hour period.
“Over the past few years, botnets have revolutionized the spam industry and pushed spam volumes to epidemic proportions despite the best efforts of law enforcement and the computer security industry. Our intention was to better understand the origins of spam, and the malware that drives it,” said Phil Hay, senior threat analyst, TRACElabs (a research arm of security company Marshal8e6).
TRACElabs deliberately infected its lab computers and observed the behavior of the bot malware. Researchers looked at what changes it made to the registry, what ports it communicated over and observed how much spam each bot type was capable of sending.
The company’s research extended to nine botnets that TRACElabs considered to be the largest spammers or the strongest up-and-comers, including: Xarvester, Mega-D, Gheg, Grum, Donbot, Pushdo, Bobax, Rustock and Waledac. These botnets collectively account for more than 70 percent of the world’s total spam volume according to Marshal8e6.
Marshal8e6 Releases New Insight and Analysis into Botnets
One bot-infected PC = 600,000 spam messages a day
Related topics: Cybercrime, Malware, Security, Spam
Updated Friday, September 18, 2009 at 6:18 p.m. EST
The website for the popular children’s television show “Curious George” was compromised this week to serve malware to visitors, according to researchers at web security vendor Purewire.
The site, which is run by the Public Broadcasting Service (PBS), was propagating malware from at least Monday until Thursday, Nidhi Shah, research scientist at Purewire, told SCMagazineUS.com on Friday.
During the time of infection, when users visited the “Curious George” site, they were greeted with a pop-up message notifying them that authentication was required and were prompted to enter a username and password, Shah said. If a user entered the wrong credential, or simply clicked “cancel,” the site would display an error page that informed the user they failed to properly login.
“I don’t know how many people encountered it,” Shah said. “Given how famous and popular this website is, I am sure it’s quite a few.”
Kevin Dando, director of digital and education communications at PBS told SCMagazineUS.com on Friday that the situation has been “completely fixed.”
“Internal triggers alerted us to the situation, and we addressed it,” Dando said.
Dando said PBS believes the number of people exposed to the malware was “very low” since they have not received any complaints from website visitors. But, he said this incident should serve as a reminder that any system can potentially be exposed to infection.
“Service providers must remain vigilant against threats and be prepared to act aggressively and be ready with pre-established procedures,” Dando said.
The trend of compromising legitimate websites to propagate malware has been gaining steam with cybercriminals, Shah said. In fact, infected websites were dubbed the single biggest threat during the first half of the year, according to security firm Sophos.
In early September, the BusinessWeek magazine website was infected with code that redirected visitors to malicious servers. And during the weekend, some online readers of The New York Times were served an advertisement for rogue anti-virus products after hackers, posing as employees from the telephone company Vonage, bought ad space directly from the newspaper.
Or, if you do, do this to undo the quagmire you just created.
Yesterday, I tried to run Firefox as another user with the sudo command. However, I got the syntax wrong (put the option in the wrong place) and Firefox opened as root.
Normally, that wouldn’t be too bad… I mean, just close it and try again later, when I have the syntax down.
Wrong. When I opened Firefox again from the top menu bar, it opened to a blank page. I clicked my Home button and it took me to the Firefox Start Page, when my homepage was Google.
I checked my bookmarks, and they were gone too, with a glitchy blank bookmark being the only one left.
Apparently, when you run Firefox as root, root takes ownership of several of your configuration files, including bookmarks, etc. And since the default permissions are 7/0/0, you lose your ability to open them. If you don’t believe me, try running sudo firefox again. Hey look, there’s your bookmarks and homepage!
How to fix the problem:
=First, find your .mozilla/firefox folder. It’s almost always in your /home/username folder, but you’ll need to go to View–>Show Hidden Files to be able to see it. Inside there’s a firefox folder. Right-click and Copy that.
=Now, go to your Terminal. Type the following commands in order, but replace all instances of ‘username’ with your username:
sudo chown -R username:username /home/username/.mozilla/firefox
sudo chmod -R 775 /home/username/.mozilla/firefox
Now close Terminal and open Firefox normally. Huzzah, all your stuff is back! :guitar:
Windows 7 is good, very good. I tried out the beta and the RC.
Stable. Nimble. Lightweight, it ran on a ASUS eeepc 1000HE with 1 GB of ram. No issues, just as snappy (or semi-snappy?) as XP is on the same netbook.
All of the benefit of Vista with none of the annoyances. I liked it.