Re: A Botted Fortune 500 a Day

["Jamie Riden" <jamie.riden () gmail com>]

On 13/04/07, Steven Adair <steven () securityzone org> wrote:
> Is this in anyway surprising?  I think we all know the answer is no.  Many
> Fortune 500 companies have more employees than some ISPs have customers.
> Should we really expect differently?

Yes! Off the top of my head:

1. Corporations should have more of an economic incentive to prevent
compromises on their internal networks. E.g. "TJX breach could cost
company $1B" - http://weblog.infoworld.com/zeroday/archives/2007/04/tjx_breach_coul.html
Now, a typical spambot will cost almost nothing compared with that,
but the point is you don't know the extent of the compromise until
you've examined the machines involved.

2. Corporations have a lot more influence over their employee's
behaviour than ISPs do over their customers. Customers can walk away
to a new ISP with minimal fuss if sanctions are threatened.

3. Corporations can lock down their firewalls a lot tighter than ISPs
can. If my ISP blocked the way my employer does, I would be looking
for a new ISP.

4. ISPs don't own the data on their customer's computers. Corps very
much do own most of the data on their employees computers. Therefore
they need to worry about confidentiality in a way that ISPs do not.

I used to look after security at a large-ish university and odd
activity would stand out because there the baseline was largely
'normal' traffic. ISPs have little chance to detect 'odd' behaviour
because everyone is doing 'odd' things. Corps should only have a very
few 'odd' things happening on their networks and a single outgoing
portscan or IRC session are grounds for serious concern. (Assuming IRC
is forbidden by policy - if not, you can still profile the IRC servers
you expect to be talking to and those you don't.) It's not hard to
find infected machines at a corp.

> Also, as a side note, I would like to add that just because SPAM is coming
> from a certain gateway does not necessarily mean that the machines on
> their network are infected.  We could assume this, but then again I would
> have to assume Microsoft's network is full of bots because I get SPAM
> originating from Hotmail.com.  It might be logical and in many cases to
> assume this, but it's worth noting this may not be the case.

Based on the Received headers, or just on the From line ? The latter
is trivial to forge and has been routinely forged pretty much forever.

If Received headers show that mail has been relayed from within your
organisation, then you have a serious problem, and it's better to
learn of it by checking for outgoing spam than when someone notices
something worse six months down the line.

cheers,
 Jamie
-- 
Jamie Riden / jamesr () europe com / jamie () honeynet org uk
UK Honeynet Project: http://www.ukhoneynet.org/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/