Online outlaws are growing botnets so fast that they're now able to take down the electronic infrastructure of entire nations, and Windows machines are their favorite accomplices. That's the gist of two new reports from McAfee and Microsoft.
Meanwhile, a handful of security suppliers have formed a resource-sharing alliance to fight back.
The first report (.pdf), from McAfee focused on a series of attacks earlier this year in which botnets crippled the electronic infrastructure of a Central American country.
Ken Baylor, McAfee's director of risk management, said a global telecommunications company with a business unit in Central America experienced multiple network outages - some lasting up to six hours -- that blocked internet connectivity throughout the country and rendered automated teller machines useless. McAfee determined that botnets had taken down the infrastructure by launching distributed denial-of-service attacks. The telecom company deployed McAfee's IntruShield Network Intrusion Prevention System (IPS) to investigate what was causing the outages and prevent them in the future.
McAfee studied bot activity against the telecom company from April to September and found more than 6 million bot attacks per week in the country, which Baylor declined to name.
"All this bot activity created so much noise on the network that it knocked down internet access across the whole country," Baylor said. "It also cut off the ability to use VoIP and withdraw money from ATM machines. This would last six hours at a time, two or three times a week."
He said the findings are sobering for all nations, including the US. "The US has an advantage in that it has more bandwidth, so it would take more botnets to take the electronic infrastructure of the entire US offline," he said. "But at the rate these botnets are growing, the bad guys could be within a year of that capability."
The second report (.pdf), from Microsoft, shows that Windows machines remain the target of choice for botnet herders.
Using intelligence it gathered using its Windows Malicious Software removal tool, Microsoft found that:
- Backdoor Trojan horse programs and bots continue to be the top threat to Windows systems, with more than 43,000 new variants found in the first half of 2006.
- Attackers are putting a significant amount of effort into these kinds of malware because of the potential for financial gain.
- Of the 4 million computers Microsoft cleaned, approximately 2 million machines contained at least one backdoor Trojan.
The scope of the threat has convinced a handful of suppliers that the only way to gain the upper hand is to share resources.
To that end, Simplicita Software, Cloudmark, Habeas, Sophos and an organisation called Shadowserver have teamed up to create a global monitoring system internet service providers can use to identify, quarantine and disinfect bot-infested computers on their networks. The new alliance is led by Simplicita via its Reputation Data Partner (RDP) Programme.
"Early botmasters were unprofessional, but now they are intensely organised," said Simplicita CTO Rob Fleischman. "The bots are run by real and powerful criminals and it's a problem providers must address. The fight will swing in our favor if we fight them at the firewall, in the network and if we have partnerships like the one we've announced."
Danny Winokur, Simplicita's vice president of business development, said the companies involved were chosen because Simplicita saw their products as best-of-breed.
"Cloudmark has been a leader in antispam war, Habeas has an in-depth sender index and block list and has a lot of data on zombie machines and the Shadow Server Foundation has done a lot of research on command-and-control servers, which in turn helps them identify whole botnets," he said. "And Sophos is sharing a zombie alert service and phishing data."