The volunteer white hats of , a nonprofit organization dedicated to battling the bot scourge, maintain a count of how many bot-infected PCs they see with their distributed Internet sensors. In mid-June that count began to climb dramatically, eventually exploding from a sample set between 100,000 and 200,000 for most of the year to a peak of about 500,000 in mid-September.
Since Shadowserver's sensors don't see every botnet, the total number of bot-infected machines is almost certainly a good deal larger. And some of the apparent increase stems from Shadowserver's having launched more sensors. But "there are clearly more bots and infected PCs," says AndreĀ“ M. DiMino, a Shadowserver founder. "There's a rise in the surface area of infections and consequently the number of bots we're seeing."
Some experts tie the botnet rise to a recent wave of Web-based attacks. , a type of assault against online applications, can crack open vulnerable but otherwise benign Web sites and allow a malicious hacker to insert booby-trapped code. When someone unknowingly browses a poisoned site, the triggered booby trap invisibly hunts for exploitable software holes through which it can install a bot or other malware. Once it infects a PC, a bot contacts a server on the Internet to pick up commands, such as to steal financial-site log-ins, from its thieving controller.
"At the time when this jump [in the number of bot-infected machines] started," says John Bambenek, an incidence handler at the , "there was a round of SQL injection attacks against thousands of Web sites." The ISC is another volunteer organization that tracks widespread Internet attacks.
Innocent Sites Suffer
Much like the bot software they install, SQL injection and similar Web attacks force victim sites to do their bidding. And they have a growing number of holes to target: In 2007 one security company, SecureWorks, found 59 flaws in applications that allowed for SQL injection attacks. So far in 2008, it has found 366.
Tracking down and closing those holes before crooks find them can be a real challenge. Just ask BusinessWeek.com. That site was only the latest big-name online property to suffer an attack. When we checked at the end of September in our research for the print-magazine version of this story, the report said that among BusinessWeek.com's 2484 pages the search giant had found 213 that "resulted in malicious software being downloaded and installed without user consent" over the past 90 days. The report didn't list the site as suspicious overall, and stated that "the last time suspicious content was found on this site was on 09/11/2008." In reply to our inquiries, a BusinessWeek spokesperson wrote that "the attack affected only one application within a specific section of our website, and that application has been removed."
The Big Risk: Web Exploits
According to Joe Stewart, director of malware research at SecureWorks, for a would-be botnet criminal these Web exploit attacks are by far the preferred choice for distributing evil code. "It's almost unheard of these days for these guys to try and send the attachment in e-mail," he says. "Even e-mails will typically direct you to an infected site."
Stewart hasn't noticed any major growth in the large botnets that he watches, but he says he typically sees an ebb and flow in the size of distributed malware networks. When IT workers and antivirus companies catch on to bot infections and clean them up, the crooks respond by infecting a new batch of PCs. "They're having to keep up these seeding campaigns to keep up their botnet size," Stewart says.
Those seeding campaigns typically employ Web attacks that target outdated browser plug-ins and other vulnerable software. "Flash and RealPlayer [plug-ins]--those are the big ones," Stewart says. The attacks are often successful because it can be hard for users to know when a plug-in is old and susceptible, especially if it's so old as to predate automatic updates.
The free can make that task easier. It will scan for outdated software and also provide links to patches or updated versions. A good will also help, of course, and a capable of blocking a bot's phone-home connections can provide a secondary layer of defense.