Bots on the Corporate LAN

Opinion: Of course bots exist on corporate networks, but how big a problem are they? It could be that nobody knows.

People like me, who write about security, are flooded with reports on the state of malware. Theyre often valuable enough and say interesting things, but on certain points they are invariably, and infuriatingly, vague.

Symantecs blog May 9 on bots in corporate networks illustrates this point with a sort of innuendo. You might be surprised to hear it, but did you know that there are bots on corporate networks? Whod have thunk it.

Symantec even has statistics on the matter: "Symantec has also observed that at least 42% of all bot-infected computers that were identified in the last six months of 2006 were identified as being on computers within corporations." I think youre supposed to conclude from statistics like this that bots are a major problem in large corporations, and perhaps they are, but the blog (and all the other materials Ive read on the matter) doesnt say that.

/zimages/5/28571.gifSome researchers argue that cheap labor, not hijacked computers, is the future for botnets. Click here to read more.

I wonder, for example, whether they found so many bots in corporations because corporations are so much more careful about security than home users or even small businesses. A bot installed on the home computer is likely to go undetected. A bot on the corporate LAN is more likely to be detected quickly, such as when it starts spamming out port 25 on the corporate gateway, or DOSing some innocent third party. Or perhaps it would be detected when a regularly scheduled scan occurs using updated signatures, something else likely to happen on a large corporate LAN.

The question then becomes: How long has this bot been on the corporate LAN? This is actually something that there might be data on, depending on whether the corporate security people do some forensics: Do you just run the removal program when you find a bot, or do you try to determine the who, when and how it got there? Its always good to know, and you might end up closing a hole in your protections or teaching a lesson to a careless user. On the other hand, youre probably busy enough as it is.

If data like this exists for corporate bot detections, I havent seen it. And maybe it exists in corporate security groups, but Symantec doesnt have it.

So its obvious that there are bots on corporate networks, but its not obvious how serious a problem it is. Control of bots is sold on underground markets, and Ive been told that a bot on a corporate network is much more valuable than a bot on a home broadband system. Why are corporate bots so much more valuable? Is it because you can do more valuable things with them, or is it just supply and demand? I would argue that all prices are set by supply and demand (absent artificial floors and ceilings set by external agencies like governments, and I am not aware of any corporate bot taxes or price control regimes in effect). This tells me that either corporate bot demand is very high or supply is low. Im betting on the supply side.

But like I keep saying, I dont have the data. Maybe nobody really has the data. Until I see it Im going to be skeptical that this is a major issue because, even though just one bot is too many, we need to keep our priorities rational.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

/zimages/5/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers blog Cheap Hack

More from Larry Seltzer