Botnets target the enterprise warn experts

Deborah Hale knows firsthand how bots can bring an enterprise to its knees.

A computer security specialist for Sioux City, Iowa-based BCP Enterprise Inc., she had a nasty run-in with bots in September and spent three weeks trying to help one of her clients flush them out.

"The organization has 40 locations … approximately 60 servers and approximately 3,000 workstations," Deborah Hale wrote in a Sept. 25 blog entry on the Bethesda, Md.-based SANS Internet Storm Center Web site, where she is a handler. "The organization began to experience loss of Internet connectivity in several locations and before long they discovered that they were in the middle of a denial-of-service attack."

They shut the network down, investigated and slowly brought locations back online. The attack resumed, and the Norton antivirus definitions weren't updating. It turns out half the workstations and some of the servers were infected with W32.Gaobot. Infected machines were cleaned and the definition files updated. Then they were hit again, and Norton wasn't detecting it as W32.Gaobot. They later learned two different executable files were at work.

It's an experience more enterprises are certain to suffer in the coming year, security experts predict.

You heard a lot about zombie PC armies this year. But it's the bots that actually take control of the machines, using them to unleash spam, denial-of-service attacks and other deeds. The zombie PC army, or botnet, is typically associated with home computers, but they spread so rapidly experts predict more enterprises will be affected.

"Since botnets are built with open source code, the sheer number is extremely large," said Mikko Hypponen, director of AV research for Finish security firm F-Secure Corp. "With a typical worm or virus you may see 10 variants in a month. With bots you can see 600 variants in a month."

Or, said Mike Murray, director of vulnerability and exposure research for San Francisco-based nCircle: "Where there are 10 variations of a worm in a month, there are 10 variations in a day for bots."

Because they spread so quickly, most antivirus software can't keep up, prompting handlers at the Internet Storm Center to focus on them aggressively.

"One reason we focus on botnets so much is because it's very hard to defend against them," said Johannes Ullrich, CTO of the Internet Storm Center. "They're very flexible, very quiet and antivirus software has a very hard time counting them and keeping up with all the variations."

Enterprises are a target because there's a lot of money to be made, Ullrich said. "A couple years ago bots came from kids trying to knock each other off. They had a game called Bot Jousting, where the winner was the one who could go the longest without their computer being knocked down. Now it's a big business. Some corporations hire people to launch bots that can help knock down the Web sites of their competitors."

New York-based e-mail security firm MessageLabs noted the scope of the problem in its MessageLabs report detailing malicious botnet activity in October. The company scanned 1.9 billion e-mails for spam, finding it 76.8% of the time. During the same period, the company scanned more than 2.3 billion e-mails for viruses, Trojans and other malicious content, finding more than 71 million sinister programs.

So what's an IT administrator to do?

"It's all about defense-in-depth," Murray said. "You need your antivirus, your firewall, intrusion detection and you need to apply patches the moment you hear about them."

All agreed antivirus companies must also update their products to meet the growing threat.

"Get to know your computer and your network intimately," Hale said. "Know when something just doesn't look or feel right. I am amazed how many small business and home computer users have no idea what software is installed on their computer. Things like bots, keyloggers, downloaders, viruses [and] Trojans go undetected for days, even weeks."