Report: Botnets quadruple
Shadowserver Foundation finds number of compromised PCs jumps to more than 400,000
- By Kathleen Hickey
- Sep 08, 2008
The number of computers infected by botnets quadrupled from 100,000 PCs to more than 400,000 machines over the past three months, according to data from the Shadowserver Foundation, a volunteer watchdog group of security professionals that gather, track and report on malware, botnet activity and electronic fraud to improve the security of the Internet.
Bots, or compromised computers under the remote control of a hacker, have been around for years. But botnets, networks of compromised machines under the control of a single evil overlord, have grown into a significant problem over the past year, as hacking has moved from a vanity hobby to profit-driven organized crime.
A botnet's originator can control the group remotely, usually for nefarious purposes including spam and phishing. A bot typically runs hidden. Newer bots, however, can propagate themselves using vulnerabilities and weak passwords.
John Bambenek, an incident handler with the SANS Internet Storm Center, which tracks hacking trends, speculates that the spike could be related to web-based malware.
"The timing, very roughly, coincides with when we started to see increased SQL injection attacks against Web servers," Bambenek said. "Short of spidering the Web on a consistent basis, it gets difficult to find infected sites for that malware. We at the ISC, and I'm sure many others, are working on ways to honeypot pure Web-based attacks to capture this malware, but much work is left to be done."
Shadowserver Director André M. DiMino said part of the apparent increase may be due to the group deploying more sensors to detect botnet attacks. But at the same time, he said, criminals are getting better at hiding their bots.
Criminals increasingly are moving to Web-based methods of controlling their botnet herds, making it difficult for Shadowserver and others to track how many PCs may be part of an infected herd, DiMino added. Shadowserver tracks bots by checking into IRC-based botnets and counting the number of bots reporting for duty; however, with the Internet, many bots are controlled via Web sites instead and only periodically check into the IRC control networks.
Additionally, Web-based botnet communications between the controlling Web site and the hacked PCs look like ordinary Web traffic, and so tend to be let in and out of network firewalls without raising alarms, said DiMino.
Kathleen Hickey is a freelance writer for GCN.