Report: Botnets quadruple

Shadowserver Foundation finds number of compromised PCs jumps to more than 400,000

The number of computers infected by botnets quadrupled from 100,000 PCs to more than 400,000 machines over the past three months, according to data from the Shadowserver Foundation, a volunteer watchdog group of security professionals that gather, track and report on malware, botnet activity and electronic fraud to improve the security of the Internet.

Bots, or compromised computers under the remote control of a hacker, have been around for years. But botnets, networks of compromised machines under the control of a single evil overlord, have grown into a significant problem over the past year, as hacking has moved from a vanity hobby to profit-driven organized crime.

A botnet's originator can control the group remotely, usually for nefarious purposes including spam and phishing. A bot typically runs hidden. Newer bots, however, can propagate themselves using vulnerabilities and weak passwords.

John Bambenek, an incident handler with the SANS Internet Storm Center, which tracks hacking trends, speculates that the spike could be related to web-based malware.

"The timing, very roughly, coincides with when we started to see increased SQL injection attacks against Web servers," Bambenek said. "Short of spidering the Web on a consistent basis, it gets difficult to find infected sites for that malware. We at the ISC, and I'm sure many others, are working on ways to honeypot pure Web-based attacks to capture this malware, but much work is left to be done."

Shadowserver Director André M. DiMino said part of the apparent increase may be due to the group deploying more sensors to detect botnet attacks. But at the same time, he said, criminals are getting better at hiding their bots.

Criminals increasingly are moving to Web-based methods of controlling their botnet herds, making it difficult for Shadowserver and others to track how many PCs may be part of an infected herd, DiMino added. Shadowserver tracks bots by checking into IRC-based botnets and counting the number of bots reporting for duty; however, with the Internet, many bots are controlled via Web sites instead and only periodically check into the IRC control networks.

Additionally, Web-based botnet communications between the controlling Web site and the hacked PCs look like ordinary Web traffic, and so tend to be let in and out of network firewalls without raising alarms, said DiMino.

About the Author

Kathleen Hickey is a freelance writer for GCN.

