Bots on your net? Look twice

Think the botnets you read about consist solely of zombies on unprotected consumer PCs? Think again.

Gartner predicts that by year-end 75% of enterprises "will be infected with undetected, financially motivated, targeted malware that evaded traditional perimeter and host defenses," and early reports from beta customers of a yet to be released product from Mi5 show how nefarious these infections can be.

Mi5 says it installed a Web security beta product at an organization with 12,000 nodes and in one month detected 22 active bots, 123 inactive bots and was watching another 313 suspected bots. That may not sound like a lot, but those bots were responsible for 136 million bot-related incidents, such as scanning for other hosts inside the firewall.

Web sites are the source of all this nasty code, Mi5 says, and Google research backs that up. In a recently released report Google researchers say they did an in-depth analysis of 4.5 million URLs and found that 450,000 - one in 10 - were "successfully launching drive-by-downloads of malware binaries." Another 700,000 URLs seemed malicious but the researchers had lower confidence in their ability to label them as such.

Once bots have successfully infected corporate resources, they scan the network for vulnerable hosts, spread where they can and report back to central command about how many systems are under control. The network is then available for whatever wrongdoing the botnet operator has in mind, be that generating spam, launching attacks or collecting confidential data.

Bot communications with controllers is where bots are most detectable/vulnerable, Mi5 says, so reporting is typically limited to a few messages per month. That's one of the things that makes bots difficult to detect, but a host of other developments contribute as well.

For one, botnets today typically have multiple control servers. "It used to be if you cut off the head you killed the net," says Doug Camplejohn, Mi5 CEO. Now botnets have multiple heads, and control can be changed every few minutes. They even dynamically change IP addresses.

And two, bots also are infecting more than just desktops. SMTP servers are a common target, Camplejohn says, and servers in general are being increasingly targeted, even Unix-based servers.

How much do the bad guys make using your resources to run their business? Camplejohn says the going rate is about 5 cents per node, so $50,000 rents a million-node network capable of generating 20 to 25 gigabits worth of traffic.

Do you know what's on your network?

Learn more about this topic

Bots and rootkits among top 10 threats, said McAfee


Losing confidence in IT security


Botnets getting nastier


Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2007 IDG Communications, Inc.