Microsoft Names US As Botnet Central

Most botnet-infected computers reside in the US, according to figures released by Microsoft.

In version 9 of its Security Intelligence Report, Microsoft reported finding 2.2 million computers in the US under the control of botnets during the second quarter of the year. That figure represents roughly a third of all the bots Microsoft detected and approximately four times more than Brazil, which had the second highest total at roughly 550,000.

Favoured Hosts For Cyber Crime

The most prevalent pieces of botnet malware detected during the second quarter of the year are Rimecud, Alureon and Hamweq, all of which witnessed a decline. The fourth most prevalent however was Pushbot and detections for that malware increased 24 percent compared to the first three months of the year. Pushbot (also known as Palevo by Symantec) is a family of malware that spreads via MSN Messenger, Yahoo Messenger and AIM.

“Botnets are the launch pad for much of today’s criminal activity on the Internet,” blogged Adrienne Hall, general manager of Microsoft Trustworthy Computing. “In many ways, they are the perfect base of operations for computer criminals. Botnets are a valuable asset for their owners – bot herders – who make money by hiring them out to other cyber criminals to use as a route to market for cybercrime attacks such as phishing attacks, spam attacks, identity theft, click fraud and the distribution of scam emails.”

According to the report, a botnet known as Lethic was responsible for 56.7 percent of the botnet spam between March and June of 2010 using just 8.3 percent of known botnet IP addresses.

“Lethic is a closely controlled botnet that uses a custom binary protocol for C&C [command and control],” the report states. “A takedown of the Lethic C&C servers in January 2010 disrupted the attackers’ ability to send spam, although they subsequently regained control of the botnet.”

Spam of course is just one activity associated with botnets. Pushbot, for example, is a malware family based on a kit called Reptile and is therefore not a single botnet. As a result, the malware has been associated with a variety of capabilities, including distributed denial of service attacks.

“Over the past several years, cybercriminals have focused their efforts on monetising their malicious activities by victimising computer users,” said Elias Levy, senior technical director of Symantec Security Response. “Thus, they target countries that have a high personal net worth, advanced financial systems that allow the online transferring of funds and those with a lot of online shoppers. The US fits that profile quite well.”

Security researchers have increasingly turned to botnet takedowns as a way to fight back. Microsoft took the operators of Waledac to court, seeking to take control of 276 Waledac domains.

“Bot herders guard their botnets jealously and invest huge amounts of time, effort and money in them,” Hall blogged. “They spread their bots by a central command to masses of computer users through malicious software and user deception. By keeping a low profile, bots are able to infiltrate computers and devices and can quietly operate in the background, often undetected for years.”