March 14, 2005 1:31 PM PST

Zombie PCs being sent to steal IDs

Botnets, collections of compromised computers controlled by a single person or group, have become more pervasive and increasingly focused on identity theft and installing spyware, according to a Honeynet Project report.

The report, released on Monday, summarizes the findings of researchers who have tapped into more than 100 different botnets since last summer. Some of the networks were made up of more than 50,000 computers, said the Honeynet Project, a security group that sets up heavily monitored systems, or honeypots, and allows them to be attacked.

While many of the networks had been used to hit other botnets with denial-of-service attacks, others had been used to gather sensitive identity information and install adware and spyware, a practice that is increasing, said Thorsten Holz, a computer science research student at RWTH Aachen University of Technology in Germany and one of the primary authors of the paper.

"Our research shows that some attackers are highly skilled and organized, potentially belonging to some well-organized crime structures," Holz, a member of the Honeynet Project, wrote in the paper. "Even in unskilled hands, it should be obvious that botnets are a loaded and powerful weapon."

Over the past year, security experts have become increasingly wary of botnets. Once used mainly by online vandals to attack each other, the large networks of compromised computers are now a tool for groups of criminals bent on making money through identity fraud or adware installation. A person whose computer is infected with bot software runs the risk of having sensitive information such as account passwords and credit card numbers sent to the controller of the network.

A botnet onslaught is believed to have caused an outage at Internet service provider Akamai Technologies last summer.

At least a million computers worldwide are unwitting hosts to bot software, Honeynet researchers calculate--but that's a conservative estimate, Holz wrote in the report. A typical bot could be connected to 10,000 other computers, use the old-school Internet chat system--known as IRC--for command and control, and have a plug-in architecture that allows new features to be quickly added, he noted.

The report also describes how the researchers monitored the bots and intercepted communications. The Honeynet Project plans to release the software programs it developed to the community at large.

Some interesting applications of the malicious networks have been noticed by researchers, Holz said in an interview. In one case, bot software detected whether the game "Diablo II" was installed on the host PC. If the game was present, the program would steal items from the player's characters and drop them at preplanned places in the online game world. The botnet's controller would then collect the items and sell them on auction site eBay, Holz said.

"It was pretty clever and hard to detect," he said.

Future botnets will likely move to peer-to-peer communications, which are harder to intercept and shut down, Holz said. Moreover, there is a trend toward smaller numbers of bots in each network--a measure that makes the collection of compromised computers that much harder to detect, he said. While a network of 3,000 to 8,000 computers is harder to detect than one of 20,000, it can be as damaging, he added.

"Even those small botnets can cause much harm, especially if the compromised machines have good Internet connectivity or are located within interesting places," Holz said.

See more CNET content tagged:
bot, researcher, identity theft, online game, adware

2 comments

Join the conversation!
Add your comment
In the future botnets would crack ciphers for organized crime
A big enough botnet would be able to use parallel computing to break encryption that is considered safe. Organized crime is experimenting now in what would let them in the future have supercomputers to be able to penetrate secure computer systems used by banks...
Posted by hadaso (468 comments )
Reply Link Flag
Spyware and adware....
....are easy to stop. Identity theft will remain a problem but spyware and adware are commercial endeavors. That means the companies served by the ads are paying to have the bot nets install them. These companies know who they are paying. We simply need to bring criminal charges against the companies first and they'll give up their subcontractors. Charging corporations with criminal misconduct...in the US...who am I kidding?
Posted by Michael Grogan (308 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.