Botnets on the Rise, Despite Aggressive Law Enforcement
The number of compromised computers actively being used in botnets to launch attacks on any given day last year was about 75,000, according to a new report on Internet threats from security firm Symantec Corp.
"That number actually went up about 31 percent from 2007," said Zulsikar Ramzan, technical director for Symantec. That was due largely to aggressive action against botnet operators by the FBI in 2007, he added. "What we're seeing is a long-term game of whack-a-mole," in which operators knocked down in one place quickly reappear somewhere else.
The figures appear in Symantec's 2008 Government Internet Security Threat Report, culled from the company's broader annual Internet threat report. Data for the reports were gathered from Symantec's global network of 250,000 network sensors.
The report paints a picture of a fluid world in which people who launch attacks -- which can include hackers, as well as organized criminal syndicates and possibly even nation-states using their services -- adapt to changing conditions to stay at least a step ahead of security companies and law enforcement.
Law enforcement is becoming better educated in dealing with online crime and international cooperation appears to be improving, Ramzan said. However, there still is room for improvement; better public awareness is also needed as attacks become stealthier.
"The threats we're seeing today are much more silent but much more deadly," Ramzan said. Persons whose computers are being exploited often are not aware of the compromise.
The overall number of threats is increasing quickly. Ramzan said that the number of signatures for malicious code maintained by Symantec for more than 20 years doubled in 2008. Surprisingly, only 3 percent of code exploits identified in 2008 exploited vulnerabilities in IT systems, down sharply from 2007. Most malicious code relied on social engineering or was downloaded from a command-and-control server onto an already compromised computer.
Malicious online activity usually is being driven now by an increasingly sophisticated underground economy in which specialized services, malware and botnets of compromised computers are offered for sale, and the resulting stolen information is wholesaled and retailed on underground servers. Credit card information is the most common commodity being offered for sale, accounting for 32 percent of the total last year, up from 21 percent the year before. Two-thirds of the stolen accounts were from the United States.
Government networks accounted for 20 percent of breaches of personally identifiable information in 2008, in second place behind the educational community with 27 percent. The average cost of a data breach was estimated at $6.7 million, and by the end of the year 44 states and the District of Columbia, Puerto Rico and the U.S. Virgin Islands had data breach notification laws.
Despite the profit motives, the most common attack against government systems last year was denial of service, accounting for 48 percent. Attacks against e-mail servers accounted for 18 percent and against Web servers 11 percent. The Domain Name System accounted for just 4 percent of attacks, but because DNS underlies so much Internet activity that is a particularly sensitive area. The U.S. government is in the process of implementing DNSSEC within the .gov top-level domain this year.
China was identified as the top source of attacks against government systems in 2008, accounting for 22 percent of the total, up from just 8 percent in 2007.
"The United States ranked second in 2008 for attacks targeting government, with 12 percent of the total, a decrease from 20 percent in 2007," the report said. "This drop is likely due to the shutdown of two ISPs in September and November 2008, which resulted in a dramatic drop in both bot [command and control] servers and bot-infected computers."
The origin of attack is determined by the IP address of the computers being used to deliver the attacks, Ramzan said. Because the person controlling those computers could be anywhere in the world, it is difficult to know how much importance to give to country-of-origin figures.
"The origin of the attacks might not be the same as the origin of the attacker," Ramzan said, and source figures might say more about the country as a victim of attacks rather than as a perpetrator.
William Jackson is the senior writer for Government Computer News (GCN.com).