Bot probe exposes over 1m infected PCs

Over one million net-connected Windows PCs are infected with bots, forming botnets that malicious hackers can exploit for large-scale attacks, according to researchers in Germany. Security experts at the Honeynet Project say the problem of compromised machines under third-party control has until now been underestimated by businesses, despite Windows XP being the most vulnerable system. A study from the group found that XP Service Pack 1 and Windows 2000 are the most affected software versions overall, followed distantly by Windows 2003 and Windows 98/95.

On compromising a PC, evidence shows the likeliest path for a hacker is to install a so-called IRC (internet relay chat) bot, allowing remote control of the system and a doorway to “fun and also profit.” Such botnets tested by the Project exposed a serious potential threat to internet and corporate communities alike, as some networks housed up to 50,000 infected systems. The researchers warned that while some botnets have 1,000 infected computers, the better-resourced hacker could have over 50,000 hosts, capable of launching a wide array of attacks including denial of service, keylogging, malware, mass ID theft and spamming. Botnets can also attack IRC networks, manipulate online games and tamper with online polls.

Even in “unskilled hands,” botnets are a “loaded and powerful weapon” that, once leveraged by the hacker, can take down almost any website or network instantly, the researchers said. “These 1000 bots have a combined bandwidth (1000 home PCs with an average upstream of 128KBit/s can offer more than 100MBit/s) that is probably higher than the Internet connection of most corporate systems,” said the report. “The IP distribution of the bots makes ingress filter construction, maintenance, and deployment difficult. In addition, incident response is hampered by the large number of separate [rogue] organisations involved.”

Having tested the web traffic over a number of months, the Project exposed the runners of botnets as individuals from two different groups. The first category is the botnets controlled by young males possessing limited programming skills, who “often achieve a good spread of their bots, but their actions are more or less harmless.” The second group, however, are noted for professionally updating their bots and are likely to sell their services for commercial usage, as part of the “advanced” breed of hackers. Yet the Project added that while there is only a “very small percentage of botnet runners [who seem] highly skilled,” there is research to suggest that some attackers are highly organised, and potentially belong to established crime structures.

Out of 100 tracked botnets in the first four months, the researchers identified 226,185 unique IP addresses as joining at least one of the channels they tracked. In examining all web traffic, results showed that bots spread to the ports used for resource sharing on all versions of Microsoft Windows.

The study also warned of botnet abuse via Google’s AdSense program, which normally allows companies to earn money by displaying the search giant’s adverts on their own website. Instead of receiving the regular payment, based on the number of clicks per month, attackers manipulate the program by leveraging their botnet to click on the advertisements automatically, serving to increase the click counter. According to the German team, “this kind of usage for botnets is relatively uncommon but not a bad idea from an attacker’s perspective.”