Research: Small DIY botnets prevalent in enterprise networks

Summary: Does the size of a botnet really matter? It's all a matter of perspective.

Contrary to the “common wisdom” that big botnets, simply by virtue of their size, are theoretically capable of infiltrating a huge percentage of enterprise networks, a recently presented study entitled "My Bots Are Not Yours! A case study of 600+ real-world living botnets" paints an entirely different picture.

According to Gunter Ollmann, VP of research at Damballa, who based the study on three months of observation of 600 different botnets operating within global enterprises, small DIY botnets built to stay beneath the radar accounted for 57% of all botnets seen, and in most cases they went undetected:

"The average size of the 600 botnets we examined hovered in the 101-500 range on a daily basis. Why do I use the term “on a daily basis”? Because the number of active members within each botnet tends to change daily – based upon factors such as whether the compromised hosts were turned on or part of the enterprise network (e.g. laptops), whether or not they had been remediated, and whether or not the remote botnet master was interactively controlling them.

While many people focus on the biggest botnets circulating around the Internet, it appears that the smaller botnets are not only more prevalent within real-life enterprise environments, but that they’re also doing different things. And, in most cases, those “different things” are more dangerous since they’re more specific to the enterprise environment they’re operating within."

Conducting corporate espionage through botnets is not a new concept. In fact, relying on targeted attacks for the automated abuse of corporate networks has been a successful approach for several years.

For instance, in 2007, researchers from Support Intelligence launched an initiative called "30 Days of Bots", aiming to highlight Fortune 1000 businesses sending out spam through malware-infected hosts within their networks. The initiative provided interesting results, emphasizing the modest number of infected hosts found within each of the companies named.

What the researchers from Support Intelligence did is something cybercriminals have been doing, and offering as a service, for a while: data mining, or from their perspective, the ability to mine a big botnet for hosts residing on particular networks and rent out access to those hosts, not for sending spam, but for targeted corporate espionage.

And whereas these small botnets are favored for conducting cyber espionage, size truly matters to the efficient cybercrime platforms generating billions of spam, phishing and malware messages, like some of the newly emerging "market players".

According to the just-released MessageLabs Intelligence report for August, the Grum and Bobax botnets have overtaken Cutwail/Pushdo for the leading position and are currently responsible for 23.2% and 15.7% of all spam respectively, with an estimated botnet size of 560k to 840k infected IPs for Grum, followed by Bobax with 80k to 120k.

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

  • Out of interest...

    These botnets within these named companies: what's up with leaving them in place (at least for a time), as implied by this study? And for that matter, do you know if they've been able to get rid of them?
    • I have been there.

      At a previous company there was a computer infected with the 'e-card' virus. It was sending out thousands of emails a day. I found the computer via the firewall logs and shut it down. For 3 months I scanned the hard drive with McAfee, AVG, and Norton to no avail. The only solution is a clean install of Windows. The anti-virus programs can only find viruses about 50% of the time.

      I have seen some Windows 2000 servers infected with something that almost nothing can detect. A giveaway is over 30 open ports, and it adds about a port a month. That can be found with port scanning software. Another giveaway is that it uses 2 gigs of RAM, runs out, and crashes every month or two.
      • Been there too...

        Been there too... I don't do security stuff, but this client couldn't find anybody else to do it quickly. For several months they were having network congestion problems. After monitoring the network, I discovered several workstations and one server sending spam, exchanging files via IRC channels and attempting connections to thousands of computers all over the world. Their antivirus didn't detect anything; their alternate antivirus only detected viruses on some of the computers. After inspecting the workstations I found several very active programs in their System Restore directories. I sent each executable file to and most AVs didn't identify the files as malware. And some programs were unique to each workstation. Very disturbing!

        At the end of the day I recommended a clean install on all computers except one (because it contained the payroll system and other legacy apps which could not be reinstalled for some reason). For that computer we did a manual search-and-destroy (using debugging tools and network analysis) and then isolated it from the network. I also recommended blocking outbound connections in their firewall and disabling all P2P and IM.

        Two years later, I heard the client again has the same problems... it seems they didn't follow my advice about the firewall, the IM and the P2P software. (Why does the IT department need to use P2P software while working?!)


  • RE: Research: Small DIY botnets prevalent in enterprise networks

    Interesting. Do you know where the actual paper can be downloaded from?
  • A good intrusion detection system would help.

    Any time I have had a network with a spam bot infection, I immediately limit the number of bytes the infected machine can send outbound through the firewall. Within a day or two the spam stops. If you cannot throttle outbound traffic through your firewall, then you should invest in this technology.

    • Re:A good intrusion detection system would help

      It is possible to throttle outbound traffic. The problem arises when things change: the same amount of data may not flow in a given day, and business needs to continue to operate. The main axiom of information security: business needs come first. Throttling could very well stop business operations.
      Also, the size of the botnets makes detection difficult, if not impossible. Consider this: an enterprise-sized business would see many port scans in a day. Determining whom to block would be difficult if the scans come from a variety of hosts in many locations (i.e. a botnet). In the same vein, a botnet with few users wouldn't generate a pattern large enough to be noticeable, and is therefore nearly impossible to consistently prevent.
    • How do you detect the infection?

      The greeting e-card virus used a strange port, I think it was 1050. How do you detect the newer viruses? I am afraid they are using normal (unblocked) ports these days.

      I am generally throwing 4 anti-virus products at them, then when that does not work, swapping out the hard drive and reinstalling Windows. The problem is that this is not easy to do on servers!

      I wish my firewall or router would report the number of bytes that were sent on port 110 or 25 from each computer during the last week. That might be a sign of an infection.
      • Well

        If the infection sends out tons of spam emails, yes, outgoing activity on port 25 could be a

        But if it doesn't (e.g. if the point of it is just to spy on your computer) then there would be no reason for it to use either of those ports. Port 80 would be the most likely choice, since it is almost never blocked.
  • And the next step is...?

    While I do appreciate you bringing up the existence of major botnets, the reader seems left with no next step.

    How does one identify existence of a bot on their machine?

    Which, if any, of the popular anti-virus applications will identify and remove such bots?
    • That's the biggest problem!

      There is no anti-virus out there that can detect and remove these things. One of the most effective, IMO, is MalwareBytes, but I also run Symantec, AVG, MRT, and Kaspersky.

      The best thing might be your firewall log of outbound traffic (inbound should be blocked) and port scanning software like NMap/ZenMap or APorts.
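Two of the comments above converge on the same practical answer to "how do I find the bot when the AV finds nothing": read the firewall's outbound log, per internal host. The script below is an added example, not code from the post or from any of its commenters. It does what one commenter wishes the firewall reported (bytes sent on port 25 by each host, plus the number of distinct external mail servers contacted), flags any host other than the sanctioned mail relay that delivers straight to several external MXes, and, for the "spy" case the other reply raises (a bot that only ever uses port 80), looks for source/destination pairs whose connection intervals are suspiciously regular. The one-line log format, the 10.0.0.0/8 internal range, the relay address 10.0.1.10 and every log line are constructed assumptions for the example; a real firewall log needs only `parse_line()` adapted.

```python
"""Per-host outbound profiling from firewall connection logs.

Added example, not from the original post or its commenters. The log format
is a constructed simplification (one accepted outbound connection per line):
    <ISO timestamp> <src_ip> <dst_ip> <dst_port> <bytes_out>
Real firewalls (iptables/ULOG, pf, ASA, Windows Firewall) use their own
formats; only parse_line() needs to change to consume one of them.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

INTERNAL = ip_network("10.0.0.0/8")   # assumption: the enterprise's internal range
MAIL_RELAYS = {"10.0.1.10"}           # assumption: the only host allowed to send SMTP out

# Constructed sample log. 10.0.5.23 is a workstation spraying mail straight at
# many external MX hosts (a desktop never does this legitimately); 10.0.1.10 is
# the corporate relay and may do so; 10.0.5.40 sends one message via the relay
# and browses irregularly; 10.0.5.31 contacts one external web host every 600 s.
SAMPLE_LOG = """\
2009-09-01T08:00:00 10.0.5.31 198.51.100.9 80 512
2009-09-01T08:00:01 10.0.5.23 203.0.113.5 25 1820
2009-09-01T08:00:02 10.0.5.23 203.0.113.77 25 1795
2009-09-01T08:00:04 10.0.5.23 203.0.113.120 25 1810
2009-09-01T08:00:05 10.0.5.23 198.51.100.33 25 1788
2009-09-01T08:00:07 10.0.5.23 192.0.2.200 25 1802
2009-09-01T08:00:10 10.0.5.40 198.51.100.50 80 9300
2009-09-01T08:00:40 10.0.5.40 198.51.100.50 80 2100
2009-09-01T08:01:00 10.0.5.40 10.0.1.10 25 5120
2009-09-01T08:02:00 10.0.1.10 198.51.100.20 25 7000
2009-09-01T08:02:30 10.0.1.10 198.51.100.21 25 6800
2009-09-01T08:03:00 10.0.1.10 198.51.100.22 25 7100
2009-09-01T08:07:20 10.0.5.40 198.51.100.50 80 700
2009-09-01T08:07:25 10.0.5.40 198.51.100.50 80 15000
2009-09-01T08:10:00 10.0.5.31 198.51.100.9 80 512
2009-09-01T08:20:00 10.0.5.31 198.51.100.9 80 512
2009-09-01T08:30:00 10.0.5.31 198.51.100.9 80 512
2009-09-01T08:40:00 10.0.5.31 198.51.100.9 80 512
"""


def parse_line(line):
    """Parse one log line into a dict; raises ValueError on a malformed line."""
    ts, src, dst, port, nbytes = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "port": int(port), "bytes": int(nbytes)}


def parse_log(text):
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def outbound(records, port):
    """Yield only flows from an internal host to an external host on `port`."""
    for r in records:
        if (r["port"] == port and ip_address(r["src"]) in INTERNAL
                and ip_address(r["dst"]) not in INTERNAL):
            yield r


def smtp_profile(records):
    """Per internal host: bytes sent to external SMTP servers and the set of them."""
    prof = defaultdict(lambda: {"bytes": 0, "peers": set()})
    for r in outbound(records, 25):
        prof[r["src"]]["bytes"] += r["bytes"]
        prof[r["src"]]["peers"].add(r["dst"])
    return dict(prof)


def flag_direct_smtp(records, relays=MAIL_RELAYS, min_peers=3):
    """Hosts that are not sanctioned relays yet deliver mail to >= min_peers MXes."""
    return sorted(host for host, p in smtp_profile(records).items()
                  if host not in relays and len(p["peers"]) >= min_peers)


def flag_beacons(records, port=80, min_conns=4, max_jitter=0.2):
    """(src, dst, period_s) for pairs whose connection intervals are very regular.

    Human browsing produces bursty, irregular gaps; a bot checking in on a timer
    produces near-constant ones, so a low coefficient of variation is the signal.
    """
    times = defaultdict(list)
    for r in outbound(records, port):
        times[(r["src"], r["dst"])].append(r["ts"])
    hits = []
    for (src, dst), ts in times.items():
        if len(ts) < min_conns:
            continue
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((src, dst, round(avg)))
    return sorted(hits)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for host, p in sorted(smtp_profile(recs).items()):
        print(f"{host}: {p['bytes']} bytes to {len(p['peers'])} external SMTP peers")
    print("direct-to-MX senders (not relays):", flag_direct_smtp(recs))
    print("regular web beacons:", flag_beacons(recs))
```

On the constructed log this reports 10.0.5.23 as the only non-relay host delivering to several external mail servers (the relay 10.0.1.10 does the same but is exempt), ignores 10.0.5.40 because its one SMTP session goes to the internal relay, and reports only the 10.0.5.31 to 198.51.100.9 pair as a 600-second beacon while the irregular browsing from 10.0.5.40 passes. The thresholds (`min_peers`, `min_conns`, `max_jitter`) are starting points, not tuned values: on a real network the relay allow-list and the jitter bound are what separate useful alerts from noise, and the port-80 check will also catch legitimate pollers (software updaters, monitoring agents), which is why the output is a list to review rather than a list to block.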
  • Kinda like "Internal Affairs" at LAPD being crooked!

    Who/what can you trust?