Botnets Inside the Gates, Every PC Must Defend Itself
by Eirik Iverson, Product Management
Look around at all of the different computers in an organization. Any one of them may be part of a Botnet, systematically stealing information and discreetly infecting others as needed, and only when needed. A different class of Botnet targets the enterprise; some call it the mini-Botnet. Compared to the well-known monster Botnets, the mini-Botnet is quiet, meticulous, and better hidden. Mini-Botnets are designed to harvest insider information and intellectual property for months and years, and research suggests that Botnet-infected PCs remain infected for years.
Enterprise: Worry about Mini-Botnets more than the Big Botnets
Trend Micro is expected to report that the global median duration of a computer's Botnet infection is over 300 days. Further, they will also report that approximately one fourth of all detected Botnet zombies are enterprise computers. The enterprise share may actually be higher: it is harder to estimate because multiple enterprise computers share a single public IP address, so several infected machines can appear as one.
Damballa, a network security firm that offers network appliances that detect Botnet communications within an enterprise, recently published figures that both challenge and complement the Trend Micro findings. They estimate that 7% to 9% of detected Botnet communications stem from enterprise-owned IP space, or less than half of what Trend Micro estimates. I suspect that the Trend Micro research is based upon a significantly larger set of data points, some 100 million detected Botnet IP addresses.
Damballa reports that less than 5% of their detected enterprise Botnet computers were part of the loud, monster Botnets such as Koobface and ZDbot, meaning most infected enterprise computers are part of mini-Botnets.
Despite lacking the scale of the big Botnets, the mini-Botnets are impressive in their own right, with nothing missing in terms of malware attack code variants or command and control sophistication.
Multi-Stage Malware Infestations Maximize Penetration and Value for Cyber Criminals
Mini-Botnets employ black market malware kits that enable them to launch intelligent, multi-stage attacks on computers. These kits automate the production of never-before-seen malware attack code (i.e., zero-day attacks/exploits), for which no signature exists, so typical anti-virus/spyware software cannot detect it. Targeted email attacks, or spear phishing attacks, either include virus/worm/Trojan-tainted attachments or a hyperlink to a compromised web server, hundreds of thousands of which are legitimate sites.
When a PC gets hit, temporary malware launches and assesses the computer, determines the best options for infestation, downloads the necessary code, and loads it onto the PC. This staged process is even used to conduct privilege escalation attacks, so that computers running with limited user accounts (i.e., no local admin rights) can still be infested with rootkit-based malware. Third-generation rootkits are effectively invisible to commonly available detection techniques.
Mini-Botnets Quietly, Systematically Harvest Information
Once one or a few computers in an enterprise are part of a Botnet, the operators quietly explore network shares, application/database servers, network topology, available communication protocols, and other client computers, and they collect credentials so they can dig deep into information resources as needed. They infect other computers when they seek to access additional information.
Alternatively, they may infect end-user documents and/or multimedia that are likely to be sent to another enterprise. For the other enterprise, they may create a separate Botnet, meaning a separate command and control system. This way, if one mini-Botnet is discovered, the other may continue unabated.
If all this seems unsettling, and it should, consider the steps following the harvesting of information. Someone has to read through it to determine what is valuable and who would buy it. These are significant challenges. Consider the distinction between insider information and intellectual property from the Botnet operator's perspective, for example. Intellectual property materials not only require analysis but also require a buyer, whereas insider information can yield considerable gains (e.g., stock market trades) without finding a trustworthy buyer. The collection of enterprise information creates demand for a new black market industry of analysts and brokers. This suggests that the enterprise might prioritize its anti-data-leak efforts toward the information that is most readily identifiable as valuable and exploitable.
Data Leak Prevention Could Inadvertently Help Cyber Criminals
As the bad guys work out how they are going to find gold nuggets in the gravel, data leak practitioners should be careful not to mistakenly make matters easier for them. Note that part of a data leak prevention implementation involves classifying and tagging information/documents so that security policies can be enforced based on content. The tags could be exploited by the bad guys to more easily find the gold. Maybe these tags should be encrypted, and maybe even polymorphic/variable.
Laptops Make Great Mules for Data Leaks
Large organizations have already begun to deploy network-based data leak prevention systems. Some are merely intrusion detection, looking for suspicious outbound communications. Some actually inspect communications content. Neither detects anything leaking from laptops off the enterprise. Blue Ridge offers centrally managed endpoint security policy enforcement agents that are location aware/based. Why can’t Botnet malware?
Cost Effective, Zero Day Malware Prevention is Paramount
Implementing data leak prevention systems is very burdensome. Detecting Botnet communications is already hard and getting worse as they get more sophisticated. So, ultimately, the enterprise must focus on preventing virus, worm, Trojan, and other zero-day malware infestations on its client computers. But the signature-based anti-virus/spyware security software found on typical enterprise computers misses 71% of Botnet attack code, because it's altered every 10 minutes to elude detection. The big and familiar vendors offer massive endpoint security suite software with features that detect/block Botnet attack code. However, these features are so difficult to configure and maintain that they are usually disabled or severely under-utilized. In other words, their effective protection is far less than what the vendors report via their independent lab tests.
Blue Ridge Recommendation
Deploy one of our AppGuard Technology solutions designed to provide zero-day protection from Botnet attack code. AppGuard is available as a free 30-day trial, no registration required. Administrators can get a very good sense of how little effort is required to configure and maintain AppGuard, AppGuard Enterprise, or AppGuard Enterprise Plus. Check out their respective product pages to determine which is best for you. For more information on how they protect computers better than your existing anti-virus/spyware security software, check out our zero-day computer protection white paper.
A Different, Better Approach to Zero Day Attack Computer Protection
These security software solutions take a different approach to computer protection than that of anti-virus/spyware products that rely on virus signatures. They place under guard the applications that process incoming and potentially malicious content, instead of picking the good from the bad out of a nearly infinite variety. However, we steered away from protection that depends on distinguishing good behavior from bad behavior by those guarded applications, toward a deterministic approach.
We focus on preventing the guarded applications from doing harm by blocking their write operations to critical PC resources. Secondly, in all those endpoint locations where users have write access, we prevent unknown/unauthorized executables from launching at all. We call this user-space, and one can consider USB as such. Guarded apps can launch from user-space (typically 2 to 4 applications from user-space are listed); this amounts to user-space whitelisting, which is considerably less effort to implement than total whitelisting. With the at-risk applications and unknown user-space executable launches precluded from writing into the ‘Program Files’ and ‘Windows’ directories, total whitelisting is far, far less of a value-add, and that’s where the bulk of the total whitelisting implementation pain lies.