March 16, 2005 10:32 AM PST

Botnets use Windows for wicked work

Despite Microsoft's renewed focus on security, recent research shows that computers running Windows XP and 2000 form the bulk of botnets.

The study, carried out by the German Honeynet Project, found that more than 80 percent of Web traffic from the networks of compromised computers used four ports designated for resource-sharing by various versions of Windows. The research also indicated that the vulnerabilities behind some of the exploits used to take over a PC can be found by searching for information on Microsoft's security bulletins.

"Clearly most of the activity on the ports...is caused by systems with Windows XP (often running Service Pack 1), followed by systems with Windows 2000. Far behind, systems running Windows 2003 or Windows 95/98 follow," Honeynet Project researchers wrote in the report.

Microsoft responded by reiterating its commitment to secure engineering platforms in the face of botnet attacks, which it said were often carried out for illegal ends.

"Creating malicious IT and data threats is a criminal offense that affects everybody. This type of criminal activity is usually driven by financial motive, and criminals often target the Microsoft platform and its applications because of its large installed base," the company said in an e-mailed statement. "This is however a serious cross-industry issue, where no organization is immune from the threat."

The most exploited Windows ports found in the research were: port 445/TCP (used for file sharing); port 139/TCP (used to connect to file shares); port 137/UDP (used to find information on other computers); and 135/TCP (used to execute code remotely).

Botnets are commonly used for denial-of-service attacks, where a target computer is overloaded with data and fails. They are also used for spamming, spreading malicious software, manipulating online polls and mass identity theft.

From the beginning of November 2004 until the end of January 2005, researchers saw 226 denial-of-service attacks against 99 unique targets. They looked at 100 botnets in the four-month period and saw 226,585 unique IP addresses involved with at least one of the botnets monitored.

Dan Ilett of ZDNet UK reported from London.

See more CNET content tagged:
denial of service, researcher, Microsoft Corp., Microsoft Windows, security

14 comments

Join the conversation!
Add your comment
This is news?
With an OS that any kind can breeak into within seconds, are we suposed to be surprised?

<">

<The most exploited Windows ports found in the research were: port 445/TCP (used for file sharing); port 139/TCP (used to connect to file shares); port 137/UDP (used to find information on other computers); and 135/TCP (used to execute code remotely).>

Not to nitpick, but ports are not tied to a platform, although some ports are used by certain OSes. Ports are an unsigned short integer, anlogous to a process ID, nothing more. There is nothing inherently unsecure about a number. Sloopy and/or rushed programming in windows is what makes it insecure.

Microsoft products are used to exploit and attack because it is the easist, by miles.
Posted by Bill Dautrive (1179 comments )
Reply Link Flag
This is news?
With an OS that any kind can breeak into within seconds, are we suposed to be surprised?

<">

<The most exploited Windows ports found in the research were: port 445/TCP (used for file sharing); port 139/TCP (used to connect to file shares); port 137/UDP (used to find information on other computers); and 135/TCP (used to execute code remotely).>

Not to nitpick, but ports are not tied to a platform, although some ports are used by certain OSes. Ports are an unsigned short integer, anlogous to a process ID, nothing more. There is nothing inherently unsecure about a number. Sloopy and/or rushed programming in windows is what makes it insecure.

Microsoft products are used to exploit and attack because it is the easist, by miles.
Posted by Bill Dautrive (1179 comments )
Reply Link Flag
No kidding!
The most preferred target is the one that gets the most use? No way! What a totally amazing discovery.

That's like saying thieves that want big scores rob museums and not the halls of elementary schools. What a real shocker.
Posted by Jeff Putz (302 comments )
Reply Link Flag
No kidding!
The most preferred target is the one that gets the most use? No way! What a totally amazing discovery.

That's like saying thieves that want big scores rob museums and not the halls of elementary schools. What a real shocker.
Posted by Jeff Putz (302 comments )
Reply Link Flag
Registry!
I agree with the previous replies. The bottom line is that
although it isn't legal to use these bot nets as they are used
does NOT make it right to have an indefensible file system core!
The face that Microsoft bulletins are used to reveal ways to
exploit windows computers is such a nod to the concept; it's the
best way to understand and locate registry keys to circumvent
Microsoft's useless attempts at security! Firewall and virus and
all other software that impede the exploits can be easily
defeated by their registry keys! It will never end as long as there
is the worthless registry!
Posted by (22 comments )
Reply Link Flag
Not a Registry problem
The Registry is simply a place where configuration options are stored. It's a clever system that would be beneficial to Unix systems where the configuration information is scattered to the four winds.

It's what is allowed by the code and what the code defaults to allowing that are behind much of the problem. Blaming the problem on the "registry" is no more intelligent than blaming it on the "disk drive".
Posted by aabcdefghij987654321 (1721 comments )
Link Flag
Registry!
I agree with the previous replies. The bottom line is that
although it isn't legal to use these bot nets as they are used
does NOT make it right to have an indefensible file system core!
The face that Microsoft bulletins are used to reveal ways to
exploit windows computers is such a nod to the concept; it's the
best way to understand and locate registry keys to circumvent
Microsoft's useless attempts at security! Firewall and virus and
all other software that impede the exploits can be easily
defeated by their registry keys! It will never end as long as there
is the worthless registry!
Posted by (22 comments )
Reply Link Flag
Not a Registry problem
The Registry is simply a place where configuration options are stored. It's a clever system that would be beneficial to Unix systems where the configuration information is scattered to the four winds.

It's what is allowed by the code and what the code defaults to allowing that are behind much of the problem. Blaming the problem on the "registry" is no more intelligent than blaming it on the "disk drive".
Posted by aabcdefghij987654321 (1721 comments )
Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.