Security Researcher Charges Many Companies Are Complacent Regarding BotNet Infections



In an article from today’s NY Times, John Markoff quotes Rick Wesson, a security researcher at Support Intelligence, a company that tracks botnet computers, as saying:

“The rate of infection [of Botnets] is still high, but concern among corporations is low… Many corporations seem to think it’s O.K. to be infected several times a month.”

He says this because it was discovered recently that a Russian hacker gang whose botnet was controlling about 100K computers was re-infecting large corporations and even a state police agency.  The infections had been removed, but the admin passwords were not changed, so re-infection was easy.  Although the details are sketchy, they appear to have used Microsoft’s own software distribution program to push the malware back onto many of the computers.

The juicy details will be released over the next few days at Black Hat.

There are always lessons learned from these breaches. 

  1. It’s not enough to remove an infection: find the source of the infection (how the machine was reached, and with what credentials) and remove that too, or the machine will simply be infected again.
  2. Breaches involving Trojans, backdoors or keyloggers (such as CoreFlood, the one used here) should prompt a complete change of all admin passwords, because a keylogger on a box an administrator has logged into has already captured that administrator’s credentials.  Going through this is “bloody” in some cases, but the alternative, as we have seen, is worse.
  3. Forensic data must be kept.  That’s why having system logs on all devices activated and having some form of a log consolidator is so important.  Logs give you the evidence you need to locate infections, track the sources of infections (the logon or software push that preceded each re-detection) and provide the evidence to law enforcement agencies for criminal prosecution.
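As an added illustration of lessons 1 to 3 (this is example code written for this post, not anything from the article, from Support Intelligence or from the investigation it describes), here is a small script that works over consolidated logs to find hosts that were cleaned and then re-detected, and lists the admin logons and package installs that happened in between. The key=value log format, the event names (`av_detect`, `av_clean`, `logon`, `pkg_install`) and the sample lines are all constructed assumptions; a real log consolidator would feed in whatever your antivirus, domain controllers and software distribution server actually emit.

```python
"""Correlate consolidated logs to spot re-infections and their likely source.

Added example for the lessons above; not code from the article. The log
format, event names and sample lines below are constructed assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample of consolidated logs: one "timestamp key=value ..." line
# per event, already merged from several hosts by a log consolidator.
SAMPLE_LOGS = """\
2008-07-01T09:00:00 host=ws-12 event=av_detect malware=CoreFlood
2008-07-01T10:30:00 host=ws-12 event=av_clean malware=CoreFlood
2008-07-03T22:15:00 host=ws-12 event=logon user=CORP\\svc-deploy src=10.1.1.20
2008-07-03T22:16:10 host=ws-12 event=pkg_install pkg=patch_1234.exe src=10.1.1.20
2008-07-04T08:05:00 host=ws-12 event=av_detect malware=CoreFlood
2008-07-01T09:10:00 host=fs-02 event=av_detect malware=CoreFlood
2008-07-01T11:00:00 host=fs-02 event=av_clean malware=CoreFlood
2008-07-05T01:40:00 host=fs-02 event=logon user=CORP\\svc-deploy src=10.1.1.20
2008-07-05T01:41:30 host=fs-02 event=pkg_install pkg=patch_1234.exe src=10.1.1.20
2008-07-05T07:55:00 host=fs-02 event=av_detect malware=CoreFlood
2008-07-02T12:00:00 host=ws-40 event=av_detect malware=CoreFlood
2008-07-02T12:30:00 host=ws-40 event=av_clean malware=CoreFlood
2008-07-06T09:00:00 host=ws-40 event=logon user=CORP\\jsmith src=10.1.5.7
"""


def parse_logs(text):
    """Parse the key=value lines into dicts and return them sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, _, rest = line.partition(" ")
        fields = dict(kv.split("=", 1) for kv in rest.split())
        fields["ts"] = datetime.fromisoformat(ts)
        events.append(fields)
    return sorted(events, key=lambda e: e["ts"])


def find_reinfections(events, window=timedelta(days=30)):
    """Return one record per host that was cleaned and then detected again
    within `window`, together with the logons and package installs that
    happened in between (the candidate infection vectors)."""
    by_host = defaultdict(list)
    for e in events:                       # events are already time-ordered
        by_host[e["host"]].append(e)

    findings = []
    for host, evs in by_host.items():
        last_clean = None
        for e in evs:
            if e["event"] == "av_clean":
                last_clean = e
            elif e["event"] == "av_detect" and last_clean is not None:
                if e["ts"] - last_clean["ts"] <= window:
                    between = [
                        x for x in evs
                        if last_clean["ts"] < x["ts"] < e["ts"]
                        and x["event"] in ("logon", "pkg_install")
                    ]
                    findings.append({
                        "host": host,
                        "cleaned": last_clean["ts"],
                        "redetected": e["ts"],
                        "vectors": between,
                    })
                last_clean = None          # a new clean event must follow
    return findings


def rank_sources(findings):
    """Count how often each (account, source IP) and (package, source IP)
    pair appears before a re-infection. A source shared across hosts is
    where to look first, and the account in it is one whose password
    must be changed."""
    counts = Counter()
    for f in findings:
        for v in f["vectors"]:
            if v["event"] == "logon":
                counts[("logon", v["user"], v["src"])] += 1
            else:
                counts[("pkg_install", v["pkg"], v["src"])] += 1
    return counts.most_common()


if __name__ == "__main__":
    found = find_reinfections(parse_logs(SAMPLE_LOGS))
    for f in found:
        print(f"{f['host']}: cleaned {f['cleaned']}, re-detected {f['redetected']}")
    for key, n in rank_sources(found):
        print(f"  seen before {n} re-infection(s): {key}")
```

On the constructed data, ws-12 and fs-02 are flagged as re-infected and the same service account and package, pushed from the same address, precede both, while ws-40 (cleaned, then only an ordinary user logon) is not. That shared account is exactly the credential that lesson 2 says must be rotated, and the timeline the script prints is the kind of evidence lesson 3 says you need to keep.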
