Little-Known Botnets Can Pose Biggest Threat

Following the security field, you often see big malware names come and go. Storm crashes onto the scene and grabs headlines. Then it’s on to botnets like Srizbi, or Cutwail or Conficker.

But while those names rang — and in some cases continue to ring — bells, Brian Rexroad knows that it’s the smaller botnets moving quietly underneath the radar that can be the most problematic for enterprises.

“I think it comes basically in two flavors,” noted Rexroad, who serves as the principal technical security architect in AT&T‘s Chief Security Office. “There certainly exists what I would describe as the traditional botnet. So there’s still a number of them that are running using IRC as their control mechanism, maybe low-tech would be a way of describing it. A lot of those botnets I think in many ways are more unscrupulous about what they do … Whereas the larger botnets, the ones that are getting a lot of the media attention, they tend to be spamming botnets.”

Spam is certainly no laughing matter — it clogs my junk mail folder daily. But it also is in many ways little more than an annoyance for the typical employee. Things like data and identity theft and denial-of-service conditions, on the other hand, can be much more disruptive to business, and the smaller botnets take the most interest in the easiest activities.

“One, for example, is Virut,” Rexroad said. “Virut … its primary propagation mechanism is actually through the sharing of USB devices. That’s one that has been problematic from an enterprise point of view, more so because there tends to be more sharing of that sort.

“Some of the other ones that we’ve seen that are targeting enterprises are oriented toward basically brute force attacks or password guessing … we’ve observed one that is basically looking for routers that they are able to exploit,” he said. “They basically get into the router using a password-guessing attack and then install malware on those routers.”

Routers being turned into bots. Ouch.

“There is no anti-virus on routers,” he continued. “There’s … usually not an intrusion detection system. They’re sitting outside of firewalls, and so it actually provides a mechanism [for hackers] that’s largely invisible to most organizations that own those routers.”

According to security company Damballa, as much as 3 to 5 percent of enterprise network assets are infected with bot malware. Given the situation, there was a lot of talk at the recent RSA conference about finding better ways to disrupt botnet activity, starting with researchers putting together concerted, sustained efforts to target the most problematic botnets. Still, dealing with the threats goes beyond the security industry and must extend to government and PC users.

“The primary issue that we tell customers [to pay attention to] is defense in depth, and [to] generally come at security from a risk assessment perspective,” said Brian Perry, executive director of AT&T Managed Security Services. “It’s not just a security industry issue … It really needs the help of government agencies and, more importantly, end-user awareness.”