09/30/2009
9% of Enterprise Computers are Bot-Infected
One of the most common misconceptions about computers in a business environment is that somehow, perhaps because of corporate firewalls, perhaps because of the presence of IT professionals in an office, office computers there are immune to virus, bot, worm, and other malware infection.
There's very much a mistaken attitude of, "It's not like *my* office could get a virus!"
In fact, because office machines are typically connected via high-speed (or even very high speed) Internet connection, they may actually be more prone to these types of infections. Why?
High-speed connections are more desirable for those running the botnets and malware than a single machine on its own cable modem or DSL. Furthermore, once one of these machines that is behind a firewall, even very, very good ones, it's much easier for worms and the like to spread because once their behind the firewall, leaping from machine to machine is far easier than trying to penetrate through the firewall to get to them.
Put another way, once they're in, they're in.
A very interesting article on botnets on darkREADING.com discusses how things are shifting to target enterprises. According to the piece Up to 9% of machines in an enterprise are bot-infected.
What's even more interesting is how the new bots are actually being targeted towards the enterprise.
"The bad guys are also finding that deploying a small botnet inside a targeted organization is a more efficient way of stealing information than deploying a traditional exploit on a specific machine.
"And Ollmann says many of the smaller botnets appear to have more knowledge of the targeted organization as well.
'They are very strongly associated with a lot of insider knowledge...and we see a lot of hands-on command and control with these small botnets.'"
That's just the start, too. What it appears these new botnets are doing often is acting to steal information from the organization.
The article goes on to say, quoting Gunter Ollman further, is
"'I suspect that a sizable percentage of small botnets are those developed by people who understand or are operating inside a business as employees who want to gain remote access to corporate systems, or by criminal entities that have dug deep and gotten insider information on the environment.
"The reason why we know this is the way the malware is constructed -- how it's specific to the host being targeted -- and the types of command and control being used. '
"Bot agents are often hard-coded with the command and control channel" so they can bypass network controls with a user's credentials.'
One of the key things from this piece is that these botnets are actually using users' credentials--their usernames and passwords--on the networks to further penetrate the network and get what they're after.
While we're definitely fans of firewalls--harware and software--it's clear that there's still need for running the best antivirus software and antispyware that your company can afford to help prevent and ferret out these botnet infestations.
Furthermore, while the article is specifically about hand-crafted bots, there's still risk from traditional garden-variety botnets and other malware threats, and here again, good antivirus firewall software can often serve as a last line of defense, even in the presence of a robust enterprise-grade firewall.
09/15/2009
Stopping Malware: ISPs Cutting Off Internet Access to Malware Infected Computers
Malware in all its forms, viruses, worm, trojans, keyloggers, botnets, spyware, and even adware, is for most individuals and businesses unpleasant at best and a nightmare at worst.
Once your PC has been infected, cleaning up the mess the malware leads behind can be easier said than done.
For better or worse, realizing your computer has been compromised is often difficult if not impossible. It can't be said too often that preventing the malware/virus infection in the first place should be your first priority in computer security:
|
In an effort to deal with those computers that have been infected, Australia's Internet Industry Association (IIA)
"has drafted a new code of conduct that suggests Internet Service Providers (ISPs) contact, and in some cases, disconnect customers that have malware-infected computers."
|
Some believe this shifts the onus onto the ISPs to ensure their customers PCs are malware free; however, given that the IIA is also calling for unresponsive customers (or ones involved in large-scale threats) to have their Internet access suspended, it really puts it onto the consumer, where I believe it really belongs. Here's why:
If your machine does have a virus, worm, or other malware, you may lose your Internet access 'til you get it cleaned up.
Given how cheap even the best antivirus firewall software is, risking your Internet access to save a few bucks on Internet security software doesn't make sense--especially given that you'd need Internet access to download software to clean up an infected PC.
No matter how you slice it, the ISPs realize what a threat viruses and other malware are and are going to take whatever steps they can to protect themselves, their customers, and their infrastructure. Seems like smart business to me.
09/06/2009
USB Memory Sticks: More Ways Computer Viruses Spread
Perhaps the single biggest mistake people make in computer security and in keeping themselves virus-free is that they take for granted that viruses spread in ways that look harmless.
In fact, the virus writers play on that very fact: they hope you're going to take for granted that an email, a link, a web page, or even a USB thumb drive / memory stick contains a virus by making it look like it's perfectly normal.
Meanwhile, they've hidden their insidious virus or other malware inside the shell of something trustworthy and harmless looking.
Such was the case in fact in London recently when the Ealin council was forced to "cut Internet and phone links to preserve 'core systems and data'., according to the London Evening Standard's site, ThisIsLondon.co.uk.
In the piece on the USB thumbdrive-based virus attack, the article's author, Felix Allen, goes on to say,
"Further shutdowns followed when the network was reinfected twice in the next week, and all terminals had to be rebuilt or replaced.
"This left cash-strapped Ealing with a [Over $820,000 US] bill for the emergency recovery and in lost revenue. But a report being considered by councillors tonight warns the final cost could top £1.1 million if a new computer security system is needed."
Yikes.
All this because someone inserted a keychain drive into the network and no doubt because it wasn't properly scanned by antivirus software first.
Here's a partial list of the damage to the network:
|
I'm sure the responsible party is no doubt embarrassed and very, very sorry. This doesn't let either the IT people off the hook for insufficient antivirus firewall software or the responsible user off the hook for failing to ensure their memory stick was virus-free.
As seen here, when it comes to computer viruses, you definitely cannot trust things just because they look harmless.