The project tracked more than 100 active botnets, including one containing 50,000 compromised “zombie” machines. In the three-month tracking period, Honeynet detected 226,585 unique IP addresses joining at least one of the IRC channels being monitored. Since the project sees only a portion of active botnets, the report said that even by conservative estimates, “this would mean that more than one million hosts are compromised and can be controlled by malicious attackers.”
Botnets are being used for a variety of scams, including spamming, phishing, sniffing network traffic for unencrypted passwords, and even click fraud targeting Google’s AdSense program. The paper also offers details on the most common trojan infections and controller bots, and how they work together to compromise and control a computer.
Bot networks aggregate computers that have been compromised with trojans, allowing them to be remotely directed by hackers. Their use in DDoS attacks dates to 1999 in Europe, followed by a series of high-profile attacks on Yahoo, eBay and other major web sites in February 2000. In the past year, the proliferation of e-mail-borne viruses and auto-downloading trojans has dramatically increased the number and size of botnets, which now have economic value as spam engines and tools in DDoS blackmail schemes. Numerous estimates suggest MyDoom compromised in excess of 500,000 machines worldwide, installing backdoors and trojans that “phoned home” on all of them.
“Our research shows that some attackers are highly skilled and organized, potentially belonging to well organized crime structures,” the report concludes. “Leveraging the power of several thousand bots, it is viable to take down almost any website or network instantly. Even in unskilled hands, it should be obvious that botnets are a loaded and powerful weapon.”