Smaller Botnets Used For Stealing Corporate Data

Research from Damballa shows the biggest botnets are not always the most threatening when it comes to swiping corporate data

bWhile massive botnets such as Rustock and Conficker often make headlines, research from Damballa released in September shows many enterprises are under attack by smaller threats they’ve likely never heard of.

After tracking more than 600 botnets over a three-month period, researchers Gunter Ollmann and Erik Wu discovered that most were composed of 100 nodes or fewer. Those smaller botnets represented 57 percent of the total. Twenty-one percent had between 101 and 500 bots; 17 percent had between 500 and 10,000. Only 5 percent consisted of more than 10,000.

Finjan researchers find a botnet controlling over 1.9 million computers.

“While many people focus on the biggest botnets circulating around the Internet, it appears that the smaller botnets are not only more prevalent within real-life enterprise environments, but … they’re also doing different things,” blogged Damballa’s Ollmann, vice president of research. “And, in most cases, those ‘different things’ are more dangerous since they’re more specific to the enterprise environment they’re operating within.”

Many of the smaller botnets make use of “the popular DIY malware construction kits out there on the Internet,” he noted. Some of those, such as the infamous Zeus Trojan, can sell for as little as a few hundred dollars—but “can often be downloaded for free from popular hacking forums, pirate torrent feeds and newsgroups.”

Ollmann continued, “It looks to me as though these small botnets are highly targeted at particular enterprises (or enterprise vertical [sectors]), typically requiring a sizable degree of familiarity [with] the breached enterprise itself. I suspect that in some cases we’re probably seeing the [handiwork] of employees effectively backdooring critical systems so that they can ‘remotely manage’ the compromised assets and avoid antivirus detection … The problem, though, is that the majority of these ‘freely available’ DIY malware construction kits are similarly backdoored. Therefore, any [employees] using these free kits to remotely manage their network are also providing a parallel path for the DIY kit providers to access those very same systems—as evidenced [by] these small botnets often having multiple functional command and control channels.”

The smaller botnets appear to be “more professionally managed—with botnet masters specifically targeting corporate systems and data within the victim enterprise,” he wrote. Rather than being used for “noisy attacks” such as a denial of service, “they’re often passively monitoring the enterprise network to identify key assets or users” and then going after high-value data.

“The net result is that these smallest botnets efficiently evade detection and closure by staying below the security radar and relying upon botnet masters that have a good understanding of how the enterprise functions internally,” Ollmann wrote. “As such, they’re probably the most damaging to the enterprise in the long term.”