CIO

USA (and IE) Number 1 for Botnet Mayhem

Researchers say IT shops aren't doing enough to protect their machines from botnet herders

Research from security vendor Finjan Inc. suggests enterprise IT shops are losing the war against those who would hijack company computers for botnets. Almost half the victims appear to be in the U.S. -- most using Microsoft's Internet Explorer (IE) browser.

Finjan's Malicious Code Research Center (MCRC) uncovered a network of 1.9 million Trojan-infected computers in corporate, government and consumer hands around the world during an investigation of command-and-control servers run by botnet herders from Ukraine and elsewhere. One server, launched in February but later shut down, was hosted in Ukraine and controlled by an online gang of six people who had built a vast Trojan distribution network.

"Hackers keep looking for improved ways to distribute malware and Trojans are winning the race. The sophistication of the crimeware and the staggering amount of infected computers proves these people are raising the bar," Finjan CTO Yuval Ben-Itzhak said. "Corporate and governmental data remain prime targets, especially computers in the U.S. and the U.K. which are under attack, and need to protect themselves."

Based on posts found on various hacking forums, researchers believe 1,000 hijacked computers rent for US$100-$200 a day. At the low end of that range, a botnet of 1.9 million infected computers would bring its operators roughly US$190,000 a day.

The Trojan horse is dropped silently when a user visits a compromised website that hosts the malware, a drive-by download that needs no action beyond loading the page. The command-and-control server the researchers uncovered stored the IP addresses of infected machines along with their hostnames inside the corporate and government networks where the Trojan horse was running.

Computers in 77 government-owned domains (.gov) from the U.S., U.K., Brazil, Turkey and India have been compromised and are running the Trojan horse. The malware is remotely controlled by hackers who can use it to run almost any command on the end user's computer as they see fit, including reading e-mail, copying files, recording keystrokes, sending spam and taking screenshots.

Here's the global spread of infected computers in percentages, based on Finjan's findings:

* U.S.: 45 percent

* U.K.: 6 percent

* Canada: 4 percent

* Germany: 4 percent

* France: 3 percent

* Other: 38 percent

The Trojan horse infects computers running Windows XP; the browsers in use on the infected machines break down as follows:

* Internet Explorer: 78 percent

* Firefox: 15 percent

* Opera: 3 percent

* Safari: 1 percent

Finjan's findings square with what other researchers are seeing.

Alex Lanstein, senior security researcher at FireEye Inc., a security vendor based in the San Francisco Bay area, said some of the larger botnets out there get no press, because their overlords don't want to make news and let people know their machines are infected. Cimbot, for example, is a piece of malware that has been used to create a botnet that now accounts for about 15 percent of the world's spam, he said.

Among the problems security researchers have encountered when trying to track and shut down botnets is that the newer worms used to build botnets use strong cryptography to protect their command-and-control channels, so that a bot accepts only commands its operator has authorized, said Paul Kocher, president and chief scientist at Cryptography Research.

"It used to be you could track how a botnet was getting its commands and send out fake commands to take it out," he said. "It's getting a lot harder to do that."
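The following is an added example, written for this page and not code from Finjan, Kocher or any real botnet, that shows why the "send out fake commands" takedown stops working once commands are signed. The article says only "strong cryptography"; the choice of Ed25519, the message layout (sequence number plus command text) and the command strings are assumptions. The infected host holds only the public key, so a researcher who has fully reverse engineered the sample still cannot produce a command it will accept, and a captured genuine command cannot be replayed either.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Command is a constructed, minimal C&C message: a sequence number (so a
// captured command cannot be replayed), the command text, and a signature
// over both made with the operator's private key.
type Command struct {
	Seq  uint64
	Text string
	Sig  []byte
}

// signedBytes is the exact byte string that is signed and verified:
// big-endian sequence number followed by the command text.
func signedBytes(seq uint64, text string) []byte {
	buf := make([]byte, 8, 8+len(text))
	binary.BigEndian.PutUint64(buf, seq)
	return append(buf, text...)
}

// issueCommand is the operator side: only the holder of priv can produce a
// signature the infected hosts will accept.
func issueCommand(priv ed25519.PrivateKey, seq uint64, text string) Command {
	return Command{Seq: seq, Text: text, Sig: ed25519.Sign(priv, signedBytes(seq, text))}
}

var (
	ErrBadSignature = errors.New("signature does not verify")
	ErrReplay       = errors.New("sequence number not newer than last accepted")
)

// Agent is the infected-host side. It embeds only the public key, so even a
// complete disassembly of the sample yields nothing that can sign.
type Agent struct {
	pub     ed25519.PublicKey
	lastSeq uint64
}

// Accept returns nil only for a correctly signed command whose sequence
// number is newer than the last one accepted.
func (a *Agent) Accept(c Command) error {
	if !ed25519.Verify(a.pub, signedBytes(c.Seq, c.Text), c.Sig) {
		return ErrBadSignature
	}
	if c.Seq <= a.lastSeq {
		return ErrReplay
	}
	a.lastSeq = c.Seq
	return nil
}

// Outcome records what happened to four commands sent to one agent.
type Outcome struct {
	Genuine  error // signed by the operator key, fresh sequence number
	Forged   error // "uninstall" signed by a key the researcher generated
	Tampered error // operator-signed command with its text altered in transit
	Replayed error // the genuine command delivered a second time
}

// Demo runs the four cases against a freshly generated keypair.
func Demo() Outcome {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, rogue, _ := ed25519.GenerateKey(rand.Reader) // the researcher's key
	agent := &Agent{pub: pub}

	// Constructed command and URL; nothing here is a real indicator.
	genuine := issueCommand(priv, 1, "update http://example.invalid/p.bin")
	var o Outcome
	o.Genuine = agent.Accept(genuine)

	o.Forged = agent.Accept(issueCommand(rogue, 2, "uninstall"))

	tampered := genuine // keeps the operator's signature, changes the content
	tampered.Seq = 2
	tampered.Text = "uninstall"
	o.Tampered = agent.Accept(tampered)

	o.Replayed = agent.Accept(genuine)
	return o
}

func main() {
	o := Demo()
	fmt.Printf("genuine: %v\nforged: %v\ntampered: %v\nreplayed: %v\n",
		o.Genuine, o.Forged, o.Tampered, o.Replayed)
}
```

The only commands that survive are the operator's own, which is why takedowns of such networks shift from impersonating the controller to seizing the servers, sinkholing the domains, or recovering the private key itself.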

The newer botnets also build their own peer-to-peer (P2P) networks for command and control, removing the single server that researchers could otherwise take down, and have gotten good at disabling a machine's security controls.

"We're also watching more sophisticated efforts among botnet-building worms to evade detection," Kocher said. "They're more polymorphic, changing from copy to copy. It makes it more difficult for an antivirus author to craft a signature to block it."
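To make the polymorphism point concrete, here is an added example written for this page (not code from Finjan, Kocher or any real malware family). It uses a constructed payload string and the simplest possible polymorphic transform, a single-byte XOR with a fresh key per copy behind a constructed two-byte decoder stub; real samples use far more elaborate packers, so the stub, the payload and the signature string are all assumptions. It shows that two copies carry different bytes and different hashes, so a static byte signature matches neither, and then shows the analyst's standard counter: decode with every candidate key and match on the recovered plaintext.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// payload is a constructed stand-in for the bot's code or configuration; it
// contains the substring an antivirus byte signature would be written against.
var payload = []byte("CONNECT cnc.example.invalid:8080 KEYLOG SPAM")

// signature is that byte pattern, as a static AV rule would carry it.
var signature = []byte("cnc.example.invalid")

// polymorph emits one "copy" of the sample: a constructed two-byte decoder
// stub carrying the key, followed by the payload XOR-encoded with that key.
// Every copy generated with a different key has different bytes.
func polymorph(key byte) []byte {
	out := []byte{0xEB, key}
	for _, b := range payload {
		out = append(out, b^key)
	}
	return out
}

// staticMatch is the naive signature scan that polymorphism defeats.
func staticMatch(sample []byte) bool {
	return bytes.Contains(sample, signature)
}

// xorSearch is the analyst's usual counter to single-byte XOR encoding: try
// all 256 keys and look for the known plaintext in the decoded bytes.
// It returns the key that reveals the signature, or -1 if none does.
func xorSearch(sample []byte) int {
	buf := make([]byte, len(sample))
	for k := 0; k < 256; k++ {
		for i, b := range sample {
			buf[i] = b ^ byte(k)
		}
		if bytes.Contains(buf, signature) {
			return k
		}
	}
	return -1
}

func sha256hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Result compares two copies produced with different keys.
type Result struct {
	SameHash      bool // do the two copies hash identically?
	StaticHit1    bool // does the byte signature fire on copy 1?
	StaticHit2    bool // ... and on copy 2?
	RecoveredKey1 int  // key xorSearch finds for copy 1 (-1 if none)
	RecoveredKey2 int  // key xorSearch finds for copy 2 (-1 if none)
}

// Compare generates one copy per key and runs both detection approaches.
func Compare(k1, k2 byte) Result {
	a, b := polymorph(k1), polymorph(k2)
	return Result{
		SameHash:      sha256hex(a) == sha256hex(b),
		StaticHit1:    staticMatch(a),
		StaticHit2:    staticMatch(b),
		RecoveredKey1: xorSearch(a),
		RecoveredKey2: xorSearch(b),
	}
}

func main() {
	fmt.Printf("%+v\n", Compare(0x5A, 0xC3))
}
```

With keys 0x5A and 0xC3 the two copies hash differently and neither triggers the static signature, yet xorSearch recovers both keys and finds the plaintext indicator in each; with key 0 (no encoding) the static scan fires as expected. A real packer changes the stub as well as the key, which is why detection moves toward behaviour (what the sample does once it unpacks) rather than bytes on disk.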

Gunter Ollmann, vice president of research at Atlanta-based security vendor Damballa, Inc., said enterprise IT shops would do well to ramp up efforts to detect the lesser-known malware being used to such devastating effect these days. In the last two years, he said, IT shops have deployed a broad range of detection and prevention technologies, and each layer of defense has gotten better at fending off the attacks it was built for.

"The more common the threat, the better the protection," he said. "But the bad guys are very much aware of how these defenses work, so they're using more sophisticated, targeted social engineering attacks. Looking at the malware used, a high percentage is IDS and AV proxy aware."

Ollmann and others offer the same advice: Since attackers are so successful at using social engineering tricks -- luring users with fake headlines that play on current events and duping them into clicking on malicious links -- one of the best defenses remains user education.

Show the average user what they're up against every time they go online and they are less likely to be duped into downloading the bot-building code, experts say.