Businesses targeted by small botnets

Most networks of compromised computers in organisations are small and surreptitious, according to security company Damballa
Written by Tom Espiner, Contributor

The majority of botnets in enterprises are small and targeted, according to security firm Damballa.

Enterprise botnets typically consist of a network of fewer than 100 machines, in contrast to botnets in the general internet population, according to Damballa researchers Gunter Ollmann and Erik Wu. For example, the Zeus botnet encompasses millions of machines, according to security researchers.

"While we often observe plenty of stats pertaining to just how big some of the largest internet-based botnets are (reaching into the tens-of-millions), the spectrum of enterprise botnets appears to be different," Ollmann wrote in a blog post on Tuesday.

"Based upon Damballa's observations of some 600 different botnets encountered and examined within global enterprise businesses over three months, we found that botnets [with fewer than 100 bots] account for 57 percent of all botnets," Ollmann said.

Compromised networks of over 10,000 machines accounted for just five percent of those botnets found in large companies, according to the research. Attackers monitor the compromised machines to harvest high-value data such as source code or copies of customer databases, or to extract directly usable data such as authentication details for large money transfers.

Ollmann wrote that the majority of malicious code on the machines had been built using kits available on the internet, including the Zeus and Poison Ivy kits.

While most of the companies were likely to have become compromised through specially tailored, targeted attacks, Ollmann said that in some cases malicious employees could have deliberately installed the software in order to bypass corporate security.

"It looks to me as though these small botnets are highly targeted at particular enterprises [or vertical sectors], typically requiring a sizable degree of familiarity of the breached enterprise itself," Ollmann wrote. "I suspect that in some cases we're probably seeing the handiwork of employees effectively backdooring critical systems so that they can 'remotely manage' the compromised assets and avoid antivirus detection."

Thorsten Holz, a botnet researcher at the Vienna University of Technology, told ZDNet UK on Wednesday that he had never heard of employees knowingly installing bots on their systems. However, he agreed it was feasible that most botnets in large companies were small, and that the machines had been targeted.

"If someone attacks a company, they want to stay below the radar," said Holz. "They would try to have a couple of hundred infections at most, so companies don't realise they are infected, antivirus companies don't get signatures, and attacks [to harvest information] can be more stealthy."

Holz added that, in a company with over 10,000 users, there is a good chance many users' systems would be infected with software that could make them part of a botnet. "Employees click on a malicious link, or use laptops at home, get infected and bring the machines back in," he said. "The threat is real."
