More Than 1 Million Bots On The Attack

Using only three computers as "honeypots," machines deliberately left open to attack, thus attracting hackers and their bots so researchers can capture data on their actions, German security analysts at Aachen University were able to identify more than 100 botnets during a three-month project. Those botnets ranged in size from only a few hundred compromised PCs to several of up to 50,000 systems.

The volume, the Honeynet Project researchers said, was staggering. Even using conservative estimates, they projected over a million PCs worldwide are currently under the control of hackers running botnets.

"That number wouldn't surprise me," said Ken Dunham, the director of malicious code research at iDefense, a Reston, Va.-based security intelligence firm.

The number of bots in attacker botnets is hard to pin down, added Dunham, but the figures cited by the Germans, he said, are probably conservative. "In just the last six months, the numbers of botnets surged from only a few hundred to over 6,000 total by our count," Dunham said. "It's not uncommon to see botnets with more than 50,000 PCs, so there could easily be a million or more total."

The largest botnet that iDefense has tracked was one in 2003 that controlled a whopping 120,000 machines.

These massive collections of compromised PCs are used by attackers primarily for profit, and are the root of most denial-of-service (DoS) attacks against corporate networks, the foundation of most spamming, as well as leveraged to infect other PCs with worms and viruses ("in most cases, botnets are used to spread new bots," wrote the researchers), to host the bogus Web sites that phishers rely on to trick users into giving up personal information, and to distribute spyware.

"The explosion of botnets is a huge problem," said Dunham.

The vast majority of botnets are made up of Windows systems, said the honeypot researchers. More than 80 percent of the traffic captured by the honeypot machines was directed at four ports used by common services in Windows, such as RPC (Remote Procedure Call) and the NetBIOS Name Service.

In fact, the bulk of the botnets were assembled using just a handful of exploits that take advantage of a few Windows vulnerabilities.

"It's the easy-to-use tools now available to hackers, as well as the source code for some exploits, that's behind the growth of botnets," said Dunham. "We've seen as many as a dozen exploit families, not exploits, but entire families, appear in just days after source code is made public. All [hackers] do is pick up [the code], and copy and paste."

As an example of the serious threat posed by botnets, the German researchers noted that a mid-sized botnet of 1,000 machines sports a combined bandwidth of more than 100 megabits per second, "higher than the Internet connection of most corporate systems," they wrote. That bandwidth can be put to many uses, including spamming and DoS attacks.

"You read what these guys post on their underground boards," said Dunham, "and they're claiming that all you need is 500 to 1,000 machines in a botnet, and you can take out the average corporate network with a denial-of-service attack."

The full report of the honeypot researchers is available on the Web here.</>