Online outlaws are growing botnets so fast
that they're now able to take down the electronic infrastructure
of entire nations, and Windows machines are their favorite
accomplices. That's the gist of two new reports from McAfee and
Microsoft.
Meanwhile, a handful of security suppliers have formed a
resource-sharing alliance to fight back.
The first
report (.pdf), from McAfee, focused on a
series of attacks earlier this year in which botnets crippled
the electronic infrastructure of a Central American country.
Ken Baylor, McAfee's director of risk management, said a global
telecommunications company with a business unit in Central America
experienced multiple network outages, some lasting up to six hours,
that blocked internet connectivity throughout the country and
rendered automated teller machines useless. McAfee determined that
botnets had taken down the infrastructure by launching distributed
denial-of-service attacks. The telecom company deployed McAfee's
IntruShield Network Intrusion Prevention System (IPS) to
investigate what was causing the outages and prevent them in the
future.
McAfee studied bot activity against the telecom company from
April to September and found more than 6 million bot attacks per
week in the country, which Baylor declined to name.
"All this bot activity created so much noise on the network that
it knocked down internet access across the whole country," Baylor
said. "It also cut off the ability to use VoIP and withdraw money
from ATM machines. This would last six hours at a time, two or
three times a week."
He said the findings are sobering for all nations, including the
US. "The US has an advantage in that it has more bandwidth, so it
would take more botnets to take the electronic infrastructure of
the entire US offline," he said. "But at the rate these botnets are
growing, the bad guys could be within a year of that
capability."
The second
report (.pdf), from Microsoft, shows that
Windows machines remain the target of choice for botnet
herders.
Using intelligence gathered with its Windows Malicious
Software Removal Tool, Microsoft found that:
- Backdoor Trojan horse programs and bots continue to be the top
threat to Windows systems, with more than 43,000 new variants found
in the first half of 2006.
- Attackers are putting a significant amount of effort into these
kinds of malware because of the potential for financial gain.
- Of the 4 million computers Microsoft cleaned, approximately 2
million machines contained at least one backdoor Trojan.
The scope of the threat has convinced a handful of suppliers
that the only way to gain the upper hand is to share resources.
To that end, Simplicita Software, Cloudmark, Habeas, Sophos and
an organisation called Shadowserver have teamed up to create a
global monitoring system that internet service providers can use to
identify, quarantine and disinfect bot-infested computers on their
networks. The new alliance is led by Simplicita via its Reputation
Data Partner (RDP) Programme.
"Early botmasters were unprofessional, but now they are
intensely organised," said Simplicita CTO Rob Fleischman. "The bots
are run by real and powerful criminals and it's a problem providers
must address. The fight will swing in our favor if we fight them at
the firewall, in the network and if we have partnerships like the
one we've announced."
Danny Winokur, Simplicita's vice president of business
development, said the companies involved were chosen because
Simplicita saw their products as best-of-breed.
"Cloudmark has been a leader in the antispam war, Habeas has an
in-depth sender index and block list and has a lot of data on
zombie machines, and the Shadow Server Foundation has done a lot of
research on command-and-control servers, which in turn helps them
identify whole botnets," he said. "And Sophos is sharing a zombie
alert service and phishing data."