In the past few weeks, enterprise networks have been getting hit with a relatively new security attack known as the Jericho Botnet. This malware network is designed to lift access to banking and other financial sites from victims' networks. It appears to have its origins in both Romania and Israel.
Jericho is a sophisticated botnet with noteworthy skills, in particular the ability to avoid anti-malware detection temporarily and to communicate over the network through other legitimate applications. Mechanics aside, though, Jericho's quick advance is a reminder that botnets are particularly attracted to enterprise victims the way autumn yellow jackets are drawn to open bottles of sugary soda.
A hacker creates a botnet when he or she can infect multiple victims with a payload designed to be controlled from a remote location. In a typical scenario, Hacker Hal builds a malicious payload designed to infect a Windows machine. This payload can be configured with a wide variety of malicious tools, such as a keylogger, file search, remote desktop, or even webcam capture. If Hacker Hal is good at his work, he encrypts or packs the payload so that its signature is not yet known to anti-malware scanners. He then needs to tempt or trick victims into executing the malware. Hal has many options, including malicious e-mail attachments, infected Web pages (Jericho was delivered through infected PHP scripts), or drive-by downloads through Java or Flash. Not every effort will stick, but if Hal devotes enough resources to spreading his malware, he can eventually accumulate a botnet of infected victims.
Enterprise organizations make great victims! By various estimates, 5 to 9 percent of enterprises harbor a botnet infection (compared with 20 percent of home users). Botnet creators, who are both individuals and criminal organizations, usually have a few goals. Some, like Jericho, dig for access to confidential Websites. Stored passwords or logins captured through a keylogger are possible targets. Enterprise victims could be expected to house particularly valuable data, including access to private company servers.
Botnets are often used for mass-scale shenanigans, such as spam distribution, click-fraud schemes, and distributed denial-of-service (DDoS) attacks. These efforts become more effective as the number of leveraged machines increases. These networks can range in size from 1,000 to 50,000-plus victims. Increasingly, botnet creators contract out their services on behalf of clients who want the dirty work done. Enterprise networks are such juicy targets for botnet creators for a few reasons.
- Predictable infrastructure: In a medium or large enterprise, there is a good chance that hundreds of machines, if not thousands, are running the same software. Infecting one significantly improves the chance of infecting many or all.
- Unattended operation: Enterprise networks, particularly workstations, are likely to be unused outside of business hours yet often remain powered on. A botnet that schedules its activities smartly is more likely to avoid casual detection from users noticing curious symptoms like unexplained slowdowns with either their machines or the network.
- Trusted origins: Enterprise networks and their associated IP address blocks are more likely to have "good cred" in the eyes of anti-spam filters and similar security systems at other networks. This means attacks launched from an enterprise-based botnet are less likely to be stopped, or at least to be stopped as quickly, than those originating from home users on more easily compromised residential connections or machines in suspect foreign countries.
Businesses can't simply rely on anti-malware software to prevent botnet infections. Of course, these need to be deployed, but the more advanced Hacker Hals out there can evade detection for a critical period before the anti-malware vendors catch up. User education is not enough, either, because even conscientious employees can be struck by drive-by Java and other Web-based attacks. A better botnet defense is mounted at the outer edge of your enterprise network.
This is a whole book unto itself, but the key to catching botnet infections is network activity analysis -- monitoring traffic flowing through unconventional ports, comparing destination IPs to known blacklists of botnet command-and-control hosts, and checking for unusual amounts of traffic through conventional ports (which can suggest malware tunneling through services like DNS).
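The three checks just listed can be run over flow records exported from an edge device. The following is an added example, not code from the original article or from any product it mentions: it triages constructed NetFlow-style records for outbound traffic on unexpected ports, destinations on a command-and-control blacklist, and per-host DNS volume high enough to suggest tunneling. The blacklist entries, internal ranges, expected-port set and DNS byte threshold are assumptions to be replaced with an organisation's own baseline.

```python
"""Flow-record triage for the three botnet indicators the text describes (added example)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flows: (src_ip, dst_ip, dst_port, proto, bytes_out).
SAMPLE_FLOWS = [
    ("10.1.1.20", "93.184.216.34", 443, "tcp", 120_000),  # ordinary HTTPS
    ("10.1.1.20", "10.1.0.5", 53, "udp", 800),            # ordinary DNS lookup
    ("10.1.1.21", "203.0.113.77", 6667, "tcp", 4_500),    # IRC-style port to an external host
    ("10.1.1.22", "198.51.100.9", 443, "tcp", 9_000),     # HTTPS, but to a blacklisted address
    ("10.1.1.23", "10.1.0.5", 53, "udp", 900_000),        # very large DNS volume from one host
    ("10.1.1.23", "10.1.0.5", 53, "udp", 850_000),
]

# Constructed placeholder blacklist of C2 hosts (documentation-range addresses, not real IoCs).
C2_BLACKLIST = {"198.51.100.9", "203.0.113.200"}

# Assumed set of ports this enterprise expects to see outbound; anything else is "unconventional".
EXPECTED_PORTS = {80, 443, 53, 25, 587, 993}

# Assumed internal address space; only flows sourced from here are triaged.
INTERNAL_NETS = [ip_network("10.0.0.0/8"),
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

# Assumed per-host DNS byte budget above which tunneling is suspected; tune to your baseline.
DNS_BYTES_THRESHOLD = 1_000_000


def is_internal(ip):
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyze_flows(flows, blacklist=C2_BLACKLIST, expected_ports=EXPECTED_PORTS,
                  dns_threshold=DNS_BYTES_THRESHOLD):
    """Return a list of (src_ip, reason, detail) alerts for the three indicators."""
    alerts = []
    dns_bytes = defaultdict(int)  # total bytes sent to port 53, per internal source host
    for src, dst, dport, proto, nbytes in flows:
        if not is_internal(src):
            continue  # inbound or transit traffic is out of scope for this check
        if dst in blacklist:
            alerts.append((src, "blacklisted_c2", dst))
        if not is_internal(dst) and dport not in expected_ports:
            alerts.append((src, "unconventional_port", f"{dst}:{dport}/{proto}"))
        if dport == 53:
            dns_bytes[src] += nbytes
    # Volume check runs after aggregation so many small DNS flows still add up.
    for src, total in dns_bytes.items():
        if total > dns_threshold:
            alerts.append((src, "dns_volume", total))
    return alerts


if __name__ == "__main__":
    for src, reason, detail in analyze_flows(SAMPLE_FLOWS):
        print(f"{src}: {reason} ({detail})")
```

The DNS check aggregates bytes per source before comparing against the threshold, because a tunneling client typically spreads its traffic over many small queries rather than one large flow; a per-flow threshold would miss it. The blacklist and port checks are per flow and deliberately independent, so a host can raise more than one alert.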