USA (and IE) Number 1 for Botnet Mayhem
Researchers say IT shops aren't doing enough to protect their machines from botnet herders
By Bill Brenner, Senior Editor
May 04, 2009 — CSO —
Research from security vendor Finjan Inc. suggests enterprise IT shops are losing the war against those who would hijack company computers for botnets. Almost half the victims appear to be in the U.S. -- most using Microsoft's Internet Explorer (IE) browser.
Finjan's Malicious Code Research Center (MCRC) uncovered a network of 1.9 million Trojan horses running on corporate, government and consumer computers around the world during an investigation of command-and-control servers run by botnet herders from the Ukraine and elsewhere. One server, launched in February but later shut down, was hosted in the Ukraine and controlled by an online gang of six people who managed to establish a vast Trojan distribution network.
"Hackers keep looking for improved ways to distribute malware and Trojans are winning the race. The sophistication of the crimeware and the staggering amount of infected computers proves these people are raising the bar," Finjan CTO Yuval Ben-Itzhak said. "Corporate and governmental data remain prime targets, especially computers in the U.S. and the U.K. which are under attack, and need to protect themselves."
Based on posts found on various hacking forums, researchers believe 1,000 hijacked computers are being rented out for $100-$200 a day. The bad guys can make $190,000 a day for renting a botnet of 1.9 million infected computers.
The Trojan horse programs are silently dropped on computers when the user visits compromised websites that hide the malware. The giant command-and-control server the researchers uncovered records the IP addresses of infected machines, as well as the names of the compromised computers inside corporate and government networks.
Computers in 77 government-owned domains (.gov) from the U.S., U.K., Brazil, Turkey and India have been compromised and are running the Trojan horse. The malware is remotely controlled by hackers, who use it to run almost any command on the end-user computer as they see fit, including reading e-mails, copying files, recording keystrokes, sending spam, and taking screenshots.
Here's the global spread of infected computers in percentages, based on Finjan's findings:
- U.S.: 45 percent
- U.K.: 6 percent
- Canada: 4 percent
- Germany: 4 percent
- France: 3 percent
- Other: 38 percent
The Trojan horse is infecting computers running Windows XP; the browsers in use on the infected machines break down as follows:
- Internet Explorer: 78 percent
- Firefox: 15 percent
- Opera: 3 percent
- Safari: 1 percent
Finjan's findings square with what other researchers are seeing.
Alex Lanstein, senior security researcher at FireEye Inc., a security vendor based in the San Francisco Bay area, said some of the larger botnets out there get no press, because their overlords don't want to make news and let people know their machines are infected. Cimbot, for example, is a piece of malware that has been used to create a botnet that now accounts for about 15 percent of the world's spam, he said.