Botnet with 10,000 Machines Shut Down

A huge IRC "botnet" controlling more than 10,000 machines has been shut down by the security staff of Norwegian provider Telenor, according to the Internet Storm Center. The discovery confirms beliefs about the growth of botnets, which were cited in the recent distributed denial of service (DDoS) attack upon Akamai and DoubleClick that sparked broader web site outages.

Bot networks aggregate computers that have been compromised with trojans, allowing them to be remotely controlled by hackers. In the past year, the proliferation of e-mail-borne viruses and auto-downloading trojans has dramatically increased the number and size of botnets, which now have economic value as spam engines and tools in DDoS blackmail schemes. Compromised "zombie" machines were recently found on the networks of the U.S. Defense Department and Senate.

IRC (Internet Relay Chat) is a live chat system that allows users to create private discussion rooms. While IRC has a lengthy history of legitimate use, it is also a medium for discreet communication between hackers. In February the FBI shut down a large IRC provider, Ohio-based CIT/Foonet, saying it was operating a DDoS-for-hire scam. CIT operator Jay Echouafni is now a fugitive, charged with paying hackers to use botnets of between 5,000 and 10,000 hosts to launch crippling digital attacks on the websites of business rivals.

The CIT case demonstrates the difficulty of defending against DDoS attacks from huge botnets. One of the victims, WeaKnees.com, shifted its hosting to Rackspace, which has touted its ability to defend against DDoS attacks. The attackers subsequently changed tactics and launched an attack that kept WeaKnees offline for two weeks, according to affidavits filed with the court case.

"There are enormous bot networks out there that can do a lot of damage," Akamai chief scientist Tom Leighton said after the attacks on his company. "It's a tremendous problem, and presents a threat to the Internet."