Botnets come in all shapes and sizes, and if you can’t find one that fits your unique purposes off-the-rack, it’s trivial to create a custom one using a do-it-yourself construction kit, which helps to explain the diversity we’re seeing within the enterprise. In general, though, enterprise-targeted botnets tend to be a different breed: they make use of enterprise-specific functionality (e.g. being proxy aware, or exploiting vulnerabilities over the internal network that a perimeter firewall would block from the outside), and their objectives tend to be more “refined” and clearly criminal.
That’s not to say that the average mass-Internet botnet doesn’t manage to find itself deposited within an enterprise network. Publicly newsworthy botnets such as Taterf are increasingly found within enterprise networks, even though this isn’t their intended hunting ground and isn’t likely to yield anything profitable for the botnet operator (I spoke with Byron Acohido at USA Today about this for today’s story, “PC users open doors to such worms as Conficker, Taterf”). Taterf is pretty much a run-of-the-mill botnet focused upon stealing online gaming credentials (such as log-in credentials for World of Warcraft, EverQuest and Aion). Those credentials can be used directly by the botnet masters within the game, for example to strip “gold” from the hijacked virtual characters or to sell off the characters’ virtual assets, such as magic swords.
Unless the enterprise network in question happens to belong to a game development company, it’s unlikely that there’s going to be much to steal or for the botnet operator to profit on. Not only that, most of Taterf’s infection vectors (e.g. trojaned keygens and “money makers” for the online games) are already blocked by corporate defense-in-depth strategies. Yet they still get in.
This is mostly due to what can best be described as botnet “bleed-over” from employees’ personal systems and habits: for example, remote teleworkers using their work laptops for online games, or connecting them to tainted home networks from which the malware worms its way onto the work laptop. Once on the work laptop, the malware typically deposits itself within the enterprise network either over the VPN connection (via file shares, etc.) or through transportable media (e.g. USB devices). From there it infects files and additional hosts, hunting for online gaming credentials but achieving very little apart from leaving behind a trail of breached assets. Or so you’d think…
But botnet masters are pretty ingenious folks. While there probably isn’t anything of value from an online gaming context, it’s pretty easy for the botnet master to see (via their botnet management console) the types of hosts they’ve compromised, where they’re located, and even which corporate entity owns them. Armed with this information, the botnet operator can sell or trade these botted hosts to a different botnet master who will find them more valuable. For example, you’ll sometimes encounter botnet masters on various hacking forums discussing the “trade-in value” of the botted hosts they no longer want; maybe five “useless” Taterf bots for one newly hijacked online gaming account.
With that in mind, enterprises need to be careful in how they respond to hosts compromised with online-gaming botnet malware. These hosts may initially be compromised by one particular piece of malware, but they can (and will) be traded and updated with new botnet agents that are more useful to the new botnet master, and that update can be pushed remotely at a moment’s notice. At the end of the day, the enterprise network has been breached, regardless of the attacker’s original intention, and the incident should be handled as a full compromise rather than as a nuisance infection.
* Gunter Ollmann is vice president of research at Damballa.