Botnets on your networks………….

April 12th, 2007 Drazen Drazic Posted in cyber crime |

The guys at Support Intelligence have been gathering some information on botnets on corporate networks. Worth a read at http://blog.support-intelligence.com/.

Without doubt a huge problem - far bigger than most expect. We’ve covered this before but it’s worth repeating - most companies have little idea of what some of their perimeter systems are doing. We see it all the time! But, hey, a patch will fix that, won’t it?! …. :-) If only spam were the only concern.

As mentioned before, when we detect a compromised or potentially compromised system, we still see figures in the vicinity of 90%+ of businesses who don’t want to know what may have been happening on it. Why? Pretty obvious ……..

It’s a bit like knowing someone has broken into your house and your first reaction is to come home, sit down, watch TV and carry on life as normal. You decide to replace the lock after a few days, and then hope that sometime in the future you don’t stumble upon something broken or missing.

Geez, if I were the CEO or a shareholder, I’d want to know this stuff is happening.

4 Responses to “Botnets on your networks………….”

  1. A rather large corporate I recently worked with had only 20 machines compromised internally (out of thousands.. won’t go into details, let’s just say unmanaged machines and labs) that took out one of their major global POPs from the resulting DDoS following the default route to the internet. They were not the target, just victims, i.e. innocent bystanders unknowingly partaking in some other attempted attack elsewhere. Have you got IDS on your darkspace? Have you got sinkhole routing ready to roll, or can you scrub your traffic, be you an enterprise or ISP? Ever heard of extrusion detection? :) Scary when the command and control channels are not IRC anymore and are becoming SSL-based scraping of websites, harder to detect without proxies and operating whitelisting rather than blacklisting. Do you limit where your employees can go today?

    Glad you point this out, as it’s not just Mom and Pop PCs but corporates actually wondering why their FWs are dying. Check your DENIED traffic outbound today? Audited your FW ruleset recently?
    Is your organisation a member of FIRST or on NSP-SEC?

    My 0.02 cents,

    D.
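The denied-outbound check the commenter above asks about, written out as an added example (not code from the original post or its comments): it summarises firewall DENY lines per internal source and flags hosts that fan out to many destinations or keep trying classic IRC C&C ports. The iptables-style log format, the sample addresses and the thresholds are all assumptions.

```python
import re
from collections import defaultdict

# Constructed, iptables-style "DENY OUT" lines (not from any real firewall);
# the format is an assumption, adjust DENY_RE for your own device's logs.
SAMPLE_LOG = (
    # One internal host repeatedly trying an IRC port on two external hosts.
    ["Apr 12 10:00:0%d fw kernel: DENY OUT SRC=10.1.2.3 DST=203.0.113.%d PROTO=TCP DPT=6667"
     % (i % 10, 7 + i % 2) for i in range(6)]
    # An unmanaged lab box spraying UDP at 40 distinct destinations (DDoS-like fan-out).
    + ["Apr 12 10:01:%02d fw kernel: DENY OUT SRC=10.1.2.50 DST=198.51.100.%d PROTO=UDP DPT=53"
       % (i, i) for i in range(1, 41)]
    # Benign noise: a workstation that hit two blocked web destinations.
    + ["Apr 12 10:02:00 fw kernel: DENY OUT SRC=10.1.2.9 DST=198.51.100.200 PROTO=TCP DPT=80",
       "Apr 12 10:02:01 fw kernel: DENY OUT SRC=10.1.2.9 DST=198.51.100.201 PROTO=TCP DPT=443"]
)

DENY_RE = re.compile(
    r"DENY OUT .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)")


def parse_denied_outbound(line):
    """Return (src, dst, proto, dpt) for a denied-outbound line, else None."""
    m = DENY_RE.search(line)
    if not m:
        return None
    return m["src"], m["dst"], m["proto"], int(m["dpt"])


def flag_hosts(lines, fanout_threshold=25, cnc_ports=frozenset({6667, 6697})):
    """Aggregate denied outbound traffic per internal source and flag hosts that
    either reach for many distinct destinations (possible DDoS/scan participant)
    or keep trying IRC ports (assumed C&C indicator). Returns {src: [reasons]}."""
    per_src = defaultdict(lambda: {"count": 0, "dsts": set(), "ports": set()})
    for line in lines:
        parsed = parse_denied_outbound(line)
        if parsed is None:
            continue  # not a denied-outbound record; ignore
        src, dst, _proto, dpt = parsed
        rec = per_src[src]
        rec["count"] += 1
        rec["dsts"].add(dst)
        rec["ports"].add(dpt)
    flagged = {}
    for src, rec in per_src.items():
        reasons = []
        if len(rec["dsts"]) >= fanout_threshold:
            reasons.append("fan-out to %d distinct destinations" % len(rec["dsts"]))
        hit = sorted(rec["ports"] & cnc_ports)
        if hit:
            reasons.append("repeated attempts on IRC ports %s" % hit)
        if reasons:
            flagged[src] = reasons
    return flagged


if __name__ == "__main__":
    for src, reasons in sorted(flag_hosts(SAMPLE_LOG).items()):
        print(src, "->", "; ".join(reasons))
```

Point the same aggregation at a day's worth of real denied-outbound logs and the hosts that surface are the ones to take off the network and image before anyone "fixes" them with a patch.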

  2. [...] likely points (2) and (3) have happened, unless we investigate further, it can’t be proven, (as mentioned previously that path is rarely [...]

  3. [...] You’ll see the same old story if you track the links deeper. Surprise surprise, this may have been happening back as far as 2005. I hate to keep repeating myself but many (a lot, more than you would hope, a good percentage of) companies just have no idea if their systems are secure, who “owns” them, whether they have been breached in the past and whether they continue to be used by unauthorised parties. It’s been said many times …. most companies just don’t want to know! [...]

  4. [...] even knowing if they have been breached. We see this all the time as I have noted in a few entries; Botnets, Zero Days, Tell me I’m not owned. How will this play out when disclosure laws come out? 3 [...]
