Research from Damballa shows the biggest botnets are not always the most threatening when it comes to swiping corporate data. In a study of more than 600 active botnets, security researchers discovered that the smaller networks were often used in highly targeted, more dangerous attacks, Damballa says.
While
massive
botnets such as Rustock and Conficker often make headlines, research from
Damballa released in September shows many enterprises are under attack
by smaller threats they've likely never heard of.
After
tracking more than 600 botnets over a three-month period, researchers Gunter
Ollmann and Erik Wu discovered that most were composed of 100 nodes or fewer.
Those smaller botnets represented 57 percent of the total. Twenty-one percent
had between 101 and 500 bots; 17 percent had between 500 and 10,000. Only 5
percent consisted of more than 10,000.
Finjan
researchers find a botnet controlling over 1.9 million computers. Click here to
read more.
"While
many people focus on the biggest botnets circulating around the Internet, it
appears that the smaller botnets are not only more prevalent within real-life
enterprise environments, but ... they're also doing different things,"
blogged Damballa's Ollmann, vice
president of research. "And, in most cases, those 'different things' are
more dangerous since they're more specific to the enterprise environment
they're operating within."
Many
of the smaller botnets make use of "the popular DIY malware
construction kits out there on the Internet," he noted. Some of those,
such as the infamous Zeus Trojan, can
sell
for as little as a few hundred dollars-but "can often be downloaded
for free from popular hacking forums, pirate torrent feeds and newsgroups."
Ollmann
continued, "It looks to me as though these small botnets are highly targeted
at particular enterprises (or enterprise vertical [sectors]), typically
requiring a sizable degree of familiarity [with] the breached enterprise
itself. I suspect that in some cases we're probably seeing the [handiwork] of
employees effectively backdooring critical systems so that they can 'remotely
manage' the compromised assets and avoid antivirus detection ... The problem,
though, is that the majority of these 'freely available' DIY malware
construction kits are similarly backdoored. Therefore, any [employees] using
these free kits to remotely manage their network are also providing a parallel
path for the DIY kit providers to access those very same systems-as evidenced [by]
these small botnets often having multiple functional command and control
channels."
The
smaller botnets appear to be "more professionally managed-with botnet
masters specifically targeting corporate systems and data within the victim
enterprise," he wrote. Rather than being used for "noisy attacks"
such as a denial of service, "they're often passively monitoring the
enterprise network to identify key assets or users" and then going after
high-value
data.
"The
net result is that these smallest botnets
efficiently
evade detection and closure by staying below the security radar and relying
upon botnet masters that have a good understanding of how the enterprise
functions internally," Ollmann wrote. "As such, they're probably the
most damaging to the enterprise in the long term."
Email
Print
