Botnet Expedition Reveals Corporate Weaknesses

It has long been assumed that corporate computers are relatively free of bots, pieces of malicious code planted on a computer without the owner’s knowledge to send spam or perform other unwanted activity. After all, businesses are fairly militant about security and make antivirus software mandatory on all of their computers, right?


Support Intelligence (SI), a network security company in San Francisco, has been running what it called “30 Days of Bots,” featuring corporate networks infected with spam-churning bots.

It began analyzing data in February, monitoring 10,000 domains whose inbound mail flows into a trap much like a fishnet, except that this net is selective: the trap examines what it catches and keeps only the traffic it identifies as spam. In total, SI analyzed traffic from more than 100 sources, including the aforementioned spam traps.

Among the companies making the Hall of Shame: radio giant Clear Channel, Bank of America, consumer electronics giant Toshiba and most recently, insurance giant Nationwide.

It flies in the face of the assumption that corporate networks are clean. “Didn’t we all think that?” Adam Waters, COO of SI, told

Forrester Research security analyst Natalie Lambert said she wasn’t surprised. “We have gotten to a point where the LAN is as dirty as the WAN,” she said in an e-mail to “Enterprises do not have the necessary protections in place to mitigate today’s threat landscape. Enterprises need full-suite solutions that include anti-malware, personal firewalls and some sort of behavior detection.”

SI CEO Rick Wesson added, “We knew about the ISPs because they show up high on the list, but we had no idea the Fortune 1000 were as culpable.” He said the worst offenders are still ISPs, with Verizon at the top of that list, followed by university networks.

But beneath the ISPs, SI began finding corporate IP addresses in its net. This wasn’t easy to do, as the spammers aren’t stupid; they won’t let spam go out carrying a Bank of America or Nationwide address where it can be seen. They hide the origin as best they can.

However, the TCP/IP protocol requires an end-to-end connection, so you will inevitably be able to track it back to a point of origin even with obfuscation, said Wesson.
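The trace-back Wesson describes can be made concrete. What follows is an added example, not SI’s code or method: it parses a message the way a spam trap’s mail server would store it, takes the connecting peer address only from the Received header the trap itself wrote (the TCP handshake means that peer address cannot be forged, whereas every Received header below it is sender-supplied text and may be fabricated), and attributes that address to a network owner through a prefix table. The sample message, the trap hostname trap.example.net and the owner table (RFC 5737 documentation prefixes, not any company’s real address space) are all constructed for this example; real attribution would use WHOIS or BGP routing data.

```python
import email
import ipaddress
import re

# Constructed sample: one message as the spam trap's MTA stored it.
# The top Received header was written by the trap itself (assumed host
# trap.example.net); everything below it came from the sender and may be forged.
SAMPLE_MESSAGE = """\
Received: from mail.example.org (unknown [198.51.100.23])
\tby trap.example.net (Postfix) with ESMTP id 4F2C1A0B3
\tfor <trap-user@example.net>; Mon, 12 Mar 2007 09:14:22 -0700 (PDT)
Received: from legit-relay.isp.invalid ([10.0.0.5])
\tby mail.example.org with SMTP; Mon, 12 Mar 2007 09:10:01 -0700
From: "Pharmacy Deals" <deals@mail.example.org>
To: trap-user@example.net
Subject: cheap meds
Message-ID: <1234@mail.example.org>

Buy now.
"""

# Constructed ownership table (hypothetical). Real attribution would use
# WHOIS/BGP data; these are RFC 5737 documentation prefixes, not real netblocks.
NETBLOCK_OWNERS = {
    "198.51.100.0/24": "ExampleCorp (corporate)",
    "203.0.113.0/24": "ExampleISP (consumer DSL)",
}

TRAP_HOST = "trap.example.net"  # assumed name of the trap's own MTA

# Postfix-style "from helo (rdns [a.b.c.d])": pull the bracketed peer address.
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def trusted_peer_ip(raw_message):
    """Return the address of the TCP peer that delivered the message to the trap.

    Only the Received header our own MTA added is trustworthy: the TCP
    handshake means that peer address cannot be spoofed. Lower Received
    headers are sender-supplied text and are deliberately ignored.
    Returns None if the topmost header was not written by our host.
    """
    msg = email.message_from_string(raw_message)
    received = msg.get_all("Received") or []
    if not received:
        return None
    top = received[0]  # first Received header in the message is the latest hop
    if f"by {TRAP_HOST}" not in top:
        return None  # not written by us, so it cannot be trusted
    m = RECEIVED_IP_RE.search(top)
    return m.group(1) if m else None


def attribute_ip(ip_str):
    """Map a peer address to a network owner from the constructed table."""
    ip = ipaddress.ip_address(ip_str)
    for cidr, owner in NETBLOCK_OWNERS.items():
        if ip in ipaddress.ip_network(cidr):
            return owner
    return "unknown"


def sender_supplied_hops(raw_message):
    """Return the Received headers below the trap's own, which may be forged."""
    msg = email.message_from_string(raw_message)
    return (msg.get_all("Received") or [])[1:]


def analyse(raw_message):
    """Attribute one trapped message to the network that actually connected."""
    ip = trusted_peer_ip(raw_message)
    return {
        "peer_ip": ip,
        "owner": attribute_ip(ip) if ip else None,
        "sender_supplied_hops": len(sender_supplied_hops(raw_message)),
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_MESSAGE))
```

The point of the split between `trusted_peer_ip` and `sender_supplied_hops` is the one the article makes: the forged lower headers say the mail came from an ISP relay, but the only address the TCP connection vouches for is the one the trap recorded, and that is what lands in the corporate range.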

Wesson said SI isn’t doing this to embarrass anyone. “We’re just trying to raise awareness that the bot problem is hitting all corners of the Internet, even the parts we think are safe, like Fortune 500 and 1000 companies,” he said. “I have a lot of sympathy for them because their problem is difficult.”

Waters said so far, SI has been correct in every diagnosis of infection, and no company has refused to cooperate when contacted with the news.

“In general, there’s some embarrassment but they are highly motivated to do the right thing. The hard part is getting to the right person. In some cases, it took a week to get the info in the right person’s hands,” he said.

There doesn’t appear to be a single cause for the problem. The causes range from missing antivirus software, to employees letting their kids use a work laptop, to inconsistent security policies, to infections inherited through acquisitions.

SI plans to inform at least 15 more companies and has 800 that are under analysis.
