Security researchers at Damballa Inc. have been researching a new subset of botnets that they say should raise concern among security professionals charged with protecting company systems.
The botnets are tinier, stealthier and are sometimes made up of thousands of malware variants. In most cases, antivirus doesn't have the malware signatures necessary to detect, quarantine and eradicate them.
"The enterprise-focused malware for these botnets is far more advanced then what you see navigating the Internet," said Gunter Ollmann, vice president of research for Damballa, a security vendor focusing on botnet detection. "The bad guys can roll out brand new pieces of malware that they know won't be detected and they push out new variants faster than antivirus companies can roll out new signatures to their customers."
Unlike the highly publicized botnets, such as Conficker, Srizbi and Storm, the tiny botnets are made up of hundreds of malware variants. In one case, Damballa researchers discovered a single enterprise botnet containing over 87,000 malware variants. As the botnet grows within the organization, the malware gets more specific in its purpose, targeting management, including the machines of specific financial personnel, to weed out corporate banking instructions and company servers.
About half of the enterprise-based botnets are not enterprise focused, but instead are made up of malware designed to infect as many machines as possible. A more alarming subset
"It has greater use of stealth capabilities, but more importantly, it includes such features as being proxy aware," he said.
Enterprises use proxies for traffic shaping within the enterprise. The agents themselves need to be proxy aware to enable the command-and-control to communicate instructions in and out of the enterprise.
About 10% of the enterprise botnets examined by the Damballa researchers were designed to infect a specific company network. The malware making up the botnet was created by toolkits that can be purchased on hacker websites. Ollmann said the botnets targeting specific company networks were either designed by an insider or by a former employee creating a backdoor into the company network.
"The problem with using these DIY kits is that they are often backdoored themselves by the authors of the malware," Ollmann said. "These small botnets tuned to a particular organization often have more than one command-and-control channel creating an even bigger problem for enterprises."
The Damballa research is important, according to Ollmann, because until now, most security professionals were comfortable with the method of quarantining and eradicating a single piece of malware and then scanning an infected client for additional infections. Ollmann said some firms are also eradicating the malware by engaging in a method he calls "nuke and pave." Essentially, destroying all malware on an infected machine by whipping the hard drive and reimaging it, he said.
Another way to address the issue is to identify and block the command-and-control channel used by botnet operators to send instructions to the host.
"The command-and-control channel is the Achilles heel; [it is] the weakest point of the botnet operation," Ollmann said. "Shifting away from dealing with the botnet threat as a malware threat, and treating it as a network threat becomes much more efficient, scalable and easier to shut [botnets] down."