Honeynet: At Least 1 Million Machines in use as Botnets

"Botnets" of compromised computers launched 226 distributed denial of service (DDoS) attacks on 99 different targets in a three-month period from November to January, according to new research from The Honeynet Project.

"The threat posed by botnets is probably worse than originally believed," concludes the report, Know your Enemy: Tracking Botnets, which estimates that more than 1 million hosts are being remotely controlled by hackers. The report analyzed data from a network of "honeypots," computers that are intentionally compromised and monitored. That data, along with activity in IRC channels used to direct the attacks, offers a window into the world of botnets.

The project tracked more than 100 active botnets, including one containing 50,000 compromised "zombie" machines. In the three-month tracking period, Honeynet detected 226,585 unique IP addresses joining at least one of the IRC channels being monitored. Since the project sees only a portion of active botnets, the report said that even by conservative estimates, "this would mean that more than one million hosts are compromised and can be controlled by malicious attackers."
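The metric quoted above (unique hosts joining at least one monitored channel, as distinct from the per-channel sizes of the individual botnets) can be computed from the kind of IRC join logs a honeypot's channel monitor produces. This is an added example, not code from The Honeynet Project; the log format and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of a channel monitor's log. Assumed format (not the
# Honeynet Project's own): "<timestamp> <command> <channel> <nick>!<user>@<ip>".
# The IPs are documentation ranges, not real hosts.
SAMPLE_LOG = """\
2005-01-12T03:14:07 JOIN #c0ntr0l xbot123!x@203.0.113.17
2005-01-12T03:14:09 JOIN #c0ntr0l xbot991!x@198.51.100.8
2005-01-12T03:15:11 JOIN #c0ntr0l xbot123!x@203.0.113.17
2005-01-12T03:16:02 JOIN #dd0s-2 z0mb!z@192.0.2.44
2005-01-12T03:16:40 JOIN #dd0s-2 z0mb!z@203.0.113.17
2005-01-12T03:17:00 JOIN #dd0s-2 z0mb!z@192.0.2.45
2005-01-12T03:17:30 PART #dd0s-2 z0mb!z@192.0.2.44
"""

# Only JOIN lines count; the hostmask's address part is captured as the host identity.
JOIN_RE = re.compile(r"^\S+ JOIN (#\S+) \S+!\S+@(\d{1,3}(?:\.\d{1,3}){3})$")


def tally_joins(log_text):
    """Return (per_channel, all_hosts): per_channel maps channel -> set of IPs
    seen joining it; all_hosts is the union, i.e. hosts that joined at least
    one monitored channel. A host that joins twice, or joins several
    channels, is counted once in all_hosts."""
    per_channel = defaultdict(set)
    for line in log_text.splitlines():
        m = JOIN_RE.match(line)
        if not m:
            continue  # PART, PRIVMSG and other traffic is not a join
        channel, ip = m.groups()
        per_channel[channel].add(ip)
    all_hosts = set().union(*per_channel.values()) if per_channel else set()
    return dict(per_channel), all_hosts


def botnet_sizes(log_text):
    """Per-channel botnet size (distinct hosts that joined that channel)."""
    per_channel, _ = tally_joins(log_text)
    return {ch: len(hosts) for ch, hosts in per_channel.items()}


def unique_host_count(log_text):
    """The report's headline figure: distinct hosts across all monitored channels."""
    _, all_hosts = tally_joins(log_text)
    return len(all_hosts)
```

Summing the per-channel sizes overcounts hosts that sit in more than one channel, which is why the union is the right basis for an estimate of compromised machines.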

Botnets are being used for a variety of scams, including spamming, phishing, sniffing network traffic for unencrypted passwords, and even click fraud targeting Google's AdSense program. The paper also offers details on the most common trojan infections and controller bots, and how they work together to compromise and control a computer.

Bot networks aggregate computers that have been compromised with trojans, allowing them to be remotely directed by hackers. Their use in DDoS attacks dates to 1999 in Europe, followed by a series of high-profile attacks on Yahoo, eBay and other major web sites in February 2000. In the past year, the proliferation of e-mail-borne viruses and auto-downloading trojans has dramatically increased the number and size of botnets, which now have economic value as spam engines and tools in DDoS blackmail schemes. Numerous estimates suggest MyDoom compromised in excess of 500,000 machines worldwide, installing backdoors and trojans that "phoned home" in all of them.

"Our research shows that some attackers are highly skilled and organized, potentially belonging to well organized crime structures," the report concludes. "Leveraging the power of several thousand bots, it is viable to take down almost any website or network instantly. Even in unskilled hands, it should be obvious that botnets are a loaded and powerful weapon."