Categories: Security

Smaller Botnets Used For Stealing Corporate Data

bWhile massive botnets such as Rustock and Conficker often make headlines, research from Damballa released in September shows many enterprises are under attack by smaller threats they’ve likely never heard of.

After tracking more than 600 botnets over a three-month period, researchers Gunter Ollmann and Erik Wu discovered that most were composed of 100 nodes or fewer. Those smaller botnets represented 57 percent of the total. Twenty-one percent had between 101 and 500 bots; 17 percent had between 500 and 10,000. Only 5 percent consisted of more than 10,000.

Finjan researchers find a botnet controlling over 1.9 million computers.

“While many people focus on the biggest botnets circulating around the Internet, it appears that the smaller botnets are not only more prevalent within real-life enterprise environments, but … they’re also doing different things,” blogged Damballa’s Ollmann, vice president of research. “And, in most cases, those ‘different things’ are more dangerous since they’re more specific to the enterprise environment they’re operating within.”

Many of the smaller botnets make use of “the popular DIY malware construction kits out there on the Internet,” he noted. Some of those, such as the infamous Zeus Trojan, can sell for as little as a few hundred dollars—but “can often be downloaded for free from popular hacking forums, pirate torrent feeds and newsgroups.”

Ollmann continued, “It looks to me as though these small botnets are highly targeted at particular enterprises (or enterprise vertical [sectors]), typically requiring a sizable degree of familiarity [with] the breached enterprise itself. I suspect that in some cases we’re probably seeing the [handiwork] of employees effectively backdooring critical systems so that they can ‘remotely manage’ the compromised assets and avoid antivirus detection … The problem, though, is that the majority of these ‘freely available’ DIY malware construction kits are similarly backdoored. Therefore, any [employees] using these free kits to remotely manage their network are also providing a parallel path for the DIY kit providers to access those very same systems—as evidenced [by] these small botnets often having multiple functional command and control channels.”

The smaller botnets appear to be “more professionally managed—with botnet masters specifically targeting corporate systems and data within the victim enterprise,” he wrote. Rather than being used for “noisy attacks” such as a denial of service, “they’re often passively monitoring the enterprise network to identify key assets or users” and then going after high-value data.

“The net result is that these smallest botnets efficiently evade detection and closure by staying below the security radar and relying upon botnet masters that have a good understanding of how the enterprise functions internally,” Ollmann wrote. “As such, they’re probably the most damaging to the enterprise in the long term.”

Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved

Share
Published by
Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

3 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

3 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

3 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

4 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

4 days ago