News Blog

Last week, the FBI announced the end of the second phase of Operation Bot Roast, an ongoing investigation into botnets, and the criminal activity associated with them. I recently asked Dr. Jose Nazario of Arbor Networks where in the world the bot herders, the people who control the botnets, might be. Here are some excerpts:

We see a few major groups. We see Americans and Western Europeans often interested in using the botnet to make money either directly or indirectly by selling services, or stealing information from those botnets to sell and use credit card information bank information, etc.

There are some botnets out of South America, but mostly South America seems dominated by the Brazilian, what folks used to call the banker Trojan, the browser helper object that steals information right out of the browser from banks from online banking or e-commerce transactions. Some of the more high-profile botnets we've dubbed TeamUSA and Peruvian Power. These have been long running and relatively successful. But they're not exactly household names.

The botnet community is also taking off in the Russian language part of the Internet. Lately I've been watching a lot of DDoS attacks come out of Russia, commanded by Russians. Possibly for pay, as retribution, or as punishment to those who try an stop some of the other illegal activities, such as fraud and theft.

I have been tracking lately Russian DDoS bot code run by different groups. The code itself is bought and shared between them. One of the big ones is a code base called Black Energy. The author is a Russian language speaker who offers his help files and other things in the Russian language and sells it on the Russian language forums anywhere from $40 on up. Black Energy is strictly a DDoS botnet

We have watched some botnets from China but I don't see a whole lot of botnet activity coming out of there.

You can read more of Nazario's comments in this Security Watch column. And you hear more of my interview with Dr. Nazario in this Security Bites podcast.

It's September, so it's time for Internet security companies to release their annual reports and surveys about the threats seen in the first six months of the year. The reports from IBM, Arbor Networks (free registration required), and Symantec (in PDF) each looked at different areas of the Internet in specific but generally found that botnets are on the rise, and that the tools used for attack have gone professional with less noise from mere amateurs. Two of the reports went to find the top three vendors most affected by newly disclosed vulnerabilities were Microsoft, Apple and Oracle, that the United States hosts the most spam-related Web sites, and the sites most-often phished were financial sites.

Arbor Network reported that botnets, at 29 percent, has replaced denial-of-service attacks, at 24 percent, as the No. 1 threat among its respondents. The ISPs contacted by Arbor Networks for their survey also report that the number of professional denial-of-service attacks have increased markedly over "amateur" attacks. The attacks seem to be targeting specific industries, a finding echoed by Symantec and IBM.

In the first half of 2007, the IBM survey showed a total of 3,273 software vulnerabilities, a 3.3 percent increase over the same period in 2006. Oddly, Symantec showed only 2,461 vulnerabilities, and reported that figure was 3 percent less than during the same period in 2006. The differences between reports can be accounted for by the methodologies used by IBM and Symantec to categorize vulnerabilities and the specific vendors they include in that count; for example, Symantec didn't track the Oracle operating system in its report.

The IBM report showed January was the busiest month for reporting new vulnerabilities with 600 disclosed. January 15 to 21 was the busiest week, responsible for 149 vulnerabilities. IBM also said the top three vendors reporting the most vulnerabilities were Microsoft, Apple and Oracle; together they accounted for 12.6 percent of the total. Symantec said that Microsoft reduced its time-to-patch from 21 days in December to only 18 at the end of July, while Apple only reduced its time-to-patch from 49 days in December to 43 days at the end of July. Symantec did not track Oracle in its report. IBM also noted that an amazing 21 percent of the Microsoft, Apple and Oracle vulnerabilities remained unpatched at the end of July.

On the subject of spam, IBM reported that the United States, Poland and Russia were responsible for most of the world's spam content. Symantec said the top three spam producers were the U.S., "undetermined" EU countries, and China. IBM said the U.S. alone accounts for one-eighth of all spam traffic, and hosts more than one-third of all spam-related Web sites, results similar to those found by Symantec.

IBM also said the U.S. hosts almost half of all the phishing sites located in the United States; again, Symantec's results were similar. Of the phishing sites, 9 of the 10 listed by IBM were financial, a finding shared by Symantec. IBM also reported that pornographic Web sites constitute 9 percent of all the Web sites. The U.S. remains host to a majority of sites focused on violence, crime, pornography, sex, computer crime and illegal drugs. This is unchanged from 2006.