Bots on the Corporate LAN

By Larry Seltzer  |  Posted 2007-05-10 Print this article Print

Opinion: Of course bots exist on corporate networks, but how big a problem are they? It could be that nobody knows.

People like me, who write about security, are flooded with reports on the state of malware. Theyre often valuable enough and say interesting things, but on certain points they are invariably, and infuriatingly, vague. Symantecs blog May 9 on bots in corporate networks illustrates this point with a sort of innuendo. You might be surprised to hear it, but did you know that there are bots on corporate networks? Whod have thunk it.

Symantec even has statistics on the matter: "Symantec has also observed that at least 42% of all bot-infected computers that were identified in the last six months of 2006 were identified as being on computers within corporations." I think youre supposed to conclude from statistics like this that bots are a major problem in large corporations, and perhaps they are, but the blog (and all the other materials Ive read on the matter) doesnt say that.

Some researchers argue that cheap labor, not hijacked computers, is the future for botnets. Click here to read more.

I wonder, for example, whether they found so many bots in corporations because corporations are so much more careful about security than home users or even small businesses. A bot installed on the home computer is likely to go undetected. A bot on the corporate LAN is more likely to be detected quickly, such as when it starts spamming out port 25 on the corporate gateway, or DOSing some innocent third party. Or perhaps it would be detected when a regularly scheduled scan occurs using updated signatures, something else likely to happen on a large corporate LAN.

The question then becomes: How long has this bot been on the corporate LAN? This is actually something that there might be data on, depending on whether the corporate security people do some forensics: Do you just run the removal program when you find a bot, or do you try to determine the who, when and how it got there? Its always good to know, and you might end up closing a hole in your protections or teaching a lesson to a careless user. On the other hand, youre probably busy enough as it is.

If data like this exists for corporate bot detections, I havent seen it. And maybe it exists in corporate security groups, but Symantec doesnt have it.

So its obvious that there are bots on corporate networks, but its not obvious how serious a problem it is. Control of bots is sold on underground markets, and Ive been told that a bot on a corporate network is much more valuable than a bot on a home broadband system. Why are corporate bots so much more valuable? Is it because you can do more valuable things with them, or is it just supply and demand? I would argue that all prices are set by supply and demand (absent artificial floors and ceilings set by external agencies like governments, and I am not aware of any corporate bot taxes or price control regimes in effect). This tells me that either corporate bot demand is very high or supply is low. Im betting on the supply side.

But like I keep saying, I dont have the data. Maybe nobody really has the data. Until I see it Im going to be skeptical that this is a major issue because, even though just one bot is too many, we need to keep our priorities rational.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers blog Cheap Hack More from Larry Seltzer
Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel