
Number of Bot-Infected PCs Skyrockets

The number of PCs compromised with software that lets cyber criminals control the machines from afar has more than quadrupled over the last quarter, security experts warn.

The estimates come from Shadowserver, a volunteer group that monitors activity from robot networks, or "botnets": large armies of hacked personal computers used for spam, phishing and all kinds of criminal activity. Shadowserver saw a rise from roughly 100,000 botted PCs to about 400,000 over the past three months.


John Bambenek, an incident handler with the SANS Internet Storm Center, which tracks hacking trends, speculates that the spike is probably related to the massive numbers of Web sites that have been compromised through SQL injection attacks and seeded with browser exploits.


While those numbers might seem high, they reflect a recent upward trend in bot counts rather than an accurate picture of how many compromised PCs are actually out there. In fact, numerous other security experts this year have spotted single botnets that include upwards of 350,000 compromised PCs. And by nearly all accounts, there are thousands of distinct botnets in operation today under the thumb of criminal groups and individual hackers.

Shadowserver director Andre' M. DiMino said part of the apparent increase may be due to the group having deployed more sensors to detect botnet activity. But at the same time, he said, the bad guys are getting better at hiding their bots.

Part of the visibility problem, DiMino said, is that criminals increasingly are moving to Web-based methods of controlling their herds. Traditionally, bots were controlled by connecting to an Internet Relay Chat (IRC) channel and waiting there for commands. Most of Shadowserver's numbers come from peering into these IRC-based botnets and counting the number of bots reporting for duty. Instead of checking in and remaining connected to an IRC control channel, many of today's bots are controlled via Web sites, and the bots only periodically stop by the site to see whether the bot controllers have issued any new instructions. Unfortunately for groups like Shadowserver, Web-based botnets make it difficult to track just how many infected PCs may be part of the herd, because there is no single channel in which the whole herd is visible at once.

"Now, you can't draw a conclusion as to typical botnet size the way you could earlier," DiMino said.

Web-based botnets introduce a few key improvements over IRC-based botnets. Most importantly, any communications between the controlling Web site and the hacked PCs look like ordinary Web traffic, and so tend to be let in and out of network firewalls without raising alarms. While IRC-based botnet controllers often struggle under the load of maintaining constant connections with thousands of bots simultaneously, Web-based botnets only require bots to check in briefly every 30-60 minutes or so, DiMino said.
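The periodic check-in DiMino describes is also the one thing a defender can look for: a bot that polls its controller every 30 minutes leaves a far more regular timing pattern in a Web proxy log than a person browsing. The script below, added here as an illustration and not taken from the article or from Shadowserver, groups proxy log entries by (client, destination host), measures the gaps between requests and flags pairs whose gaps are both in a plausible polling range and unusually regular. The log format, hostnames, IP addresses and timestamps are constructed for the example; real bots often add random jitter to their polling interval, so the regularity threshold (`max_cv`) is a tuning knob, not a constant.

```python
"""Beacon (periodic check-in) detection over Web proxy logs.

Added example, not from the original article or from Shadowserver.
The log lines, hosts and addresses below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed sample log: "<ISO timestamp> <client_ip> <method> <url>".
# 10.1.1.7 polls update.example.net (assumed to be a controller) every
# ~30 minutes in between ordinary browsing; 10.1.1.9 only browses.
SAMPLE_LOG = """\
2008-09-04T08:00:03 10.1.1.7 GET http://update.example.net/c.php?id=41
2008-09-04T08:02:11 10.1.1.7 GET http://www.example.com/news/index.html
2008-09-04T08:30:05 10.1.1.7 GET http://update.example.net/c.php?id=41
2008-09-04T09:00:01 10.1.1.7 GET http://update.example.net/c.php?id=41
2008-09-04T09:14:40 10.1.1.7 GET http://www.example.com/sports.html
2008-09-04T09:30:07 10.1.1.7 GET http://update.example.net/c.php?id=41
2008-09-04T10:00:02 10.1.1.7 GET http://update.example.net/c.php?id=41
2008-09-04T08:05:00 10.1.1.9 GET http://www.example.com/news/index.html
2008-09-04T08:07:30 10.1.1.9 GET http://www.example.com/news/b.html
2008-09-04T08:41:12 10.1.1.9 GET http://www.example.com/news/c.html
2008-09-04T09:55:50 10.1.1.9 GET http://www.example.com/news/d.html
"""


def parse_line(line):
    """Parse one constructed log line into (timestamp, client_ip, host)."""
    ts, client, _method, url = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), client, urlsplit(url).hostname


def find_beacons(log_text, min_intervals=3, min_period=300,
                 max_period=7200, max_cv=0.2):
    """Return (client, host) pairs whose request timing looks like polling.

    A pair is flagged when it has at least `min_intervals` gaps between
    requests, the mean gap lies between `min_period` and `max_period`
    seconds, and the gaps are regular: coefficient of variation
    (stdev / mean) no greater than `max_cv`. Human browsing is bursty and
    fails the regularity test; a bot polling on a timer passes it.
    """
    times = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, host = parse_line(line)
        times[(client, host)].append(ts)

    findings = []
    for (client, host), stamps in times.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(gaps) < min_intervals:
            continue
        period = mean(gaps)
        if not (min_period <= period <= max_period):
            continue
        cv = pstdev(gaps) / period  # period >= min_period > 0 here
        if cv <= max_cv:
            findings.append({"client": client, "host": host,
                             "hits": len(stamps),
                             "mean_period_s": round(period, 1),
                             "cv": round(cv, 4)})
    # Most regular first: the strongest beacon candidates.
    return sorted(findings, key=lambda f: f["cv"])


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f"{f['client']} -> {f['host']}: {f['hits']} hits, "
              f"every ~{f['mean_period_s']}s, cv={f['cv']}")
```

On the sample data only the 10.1.1.7 to update.example.net pair is reported (five hits roughly 1,800 seconds apart); the browsing traffic from 10.1.1.9 has enough requests to be considered but its gaps vary far too much. Against a real proxy log you would also whitelist known legitimate pollers (software update services, webmail, RSS readers) before reading the list, since they produce the same timing signature.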

So, what can you do to make sure your computer doesn't become part of a botnet? Staying up to date with security patches for the operating system, as well as for applications that handle content from the Internet, such as browsers, media players and chat software, is a good start.

Running the system under a "limited user" account for everyday use can stop many "drive-by" downloads from installing, because the exploit's payload runs with the same limited rights as the browser, and it otherwise prevents malicious software from getting its hooks into the system, or at least limits the damage the malware can do. This is more of an issue for Windows XP systems, which come configured to run under all-powerful administrator accounts by default. Windows Vista's User Account Control runs even administrator accounts with standard-user rights by default, and prompts the user for approval before allowing software to install or make system-wide changes. In my opinion, Vista tends to overdo the warnings, and doesn't force the user to enter her password before installing software, as does Mac OS X (which I believe has the more balanced and secure approach here).

Using anti-virus software and a firewall is key, but these programs won't save you from your own poor decisions. To that end, be extremely cautious about the programs you install on your system. My rule of thumb is: If you didn't go looking for it, don't install it. If you're not sure whether a particular program is safe, do some basic research on it first. If a Web site you visit says you need to install or update a plug-in to view its content, download the plug-in from the vendor itself (e.g., Adobe's own Web site for Flash or Adobe Reader). If the site says you need to install a special video codec, chances are better than even that the site is trying to trick you into installing malicious software.

By Brian Krebs  |  September 4, 2008; 8:58 AM ET
Categories:  Fraud , Latest Warnings  


I have a feeling a large portion of the increase in bots is the "Windows Antivirus 2008" virus. This thing went right through updated Symantec and McAfee defenses installed on my customers' computers. This thing is growing exponentially; Microsoft and the antivirus companies need to wake up.

Posted by: ComputerPro | September 4, 2008 3:16 PM | Report abuse

You wrote that Vista "doesn't force the user to enter her password before installing software, as does Mac OS X (which I believe has the more balanced and secure approach here)". This is not true.

In Vista, if there is a supervisory password, the system will always ask for it every time you install software as a user. In other words, it is not possible to install software as a user unless the user or the supervisor inputs the supervisory password.

Posted by: Krishna | September 4, 2008 4:30 PM | Report abuse

"Using anti-virus software and a firewall is key, but these programs won't save you from your own poor decisions."

There's the problem. The end user is one of the most important layers of defense in keeping a computer system secure. That's why a limited user account is so important as it limits what the user can do with a system as well as what malware can do should it get past your primary defenses. Unfortunately, many Windows users seem to be quite ignorant and thus are their own worst enemy.

Posted by: TJ | September 4, 2008 4:59 PM | Report abuse

Posted by: Krishna | September 4, 2008 4:30 PM

Actually, isn't this a function of using Vista Home (no pw needed) vs. using Vista Business (pw required) when using User Access Control?

Posted by: JkR | September 4, 2008 5:05 PM | Report abuse

This was a great article. It's great to see this concept of "bot growth' explained so well. Articles like this really bring light to a scary situation. It's also great to see groups like Shadowserver that are helping to fight the problem.

Posted by: Micah | September 4, 2008 8:07 PM | Report abuse

Posted by: JKR, Sep 4, 2008 5:05 PM

The answer is no. The user can log in and access control with or without a password. The supervisory password is needed to install software. For example, the user can log in without a PW, but to install, say, Adobe Reader, the supervisory password is needed.

Posted by: Krishna | September 4, 2008 8:48 PM | Report abuse

Whether Vista prompts for a password depends on how the specific program is installing itself.

If a program installs itself to the "normal" location (i.e. under C:\Program Files) then yes, UAC will prompt you for a supervisor password.

On the other hand, I installed the Chrome browser on Tuesday. It installs to the user's Local Settings\AppData folder. There was no password prompt in that situation.

(I can understand why Google made that choice, but it's not one I agree with.)

Posted by: That Blair Guy | September 5, 2008 1:42 PM | Report abuse

Does anyone have the percentages of users who have been "botted" and their main browser type (IE, Firefox, Opera)? I have often wondered about this; all my surfing is done using Ff with NoScript, on XP with NIS 2008.

Posted by: Tommy | September 5, 2008 3:01 PM | Report abuse

© 2010 The Washington Post Company