Botnets quadruple in size
In the past three months, the size of "botnets" – groups of virus-compromised "zombie" PCs – has increased by a factor of four, according to statistics published by the ShadowServer Foundation. The Foundation's members include a number of security specialists who monitor botnets, malware and phishing activity, but the experts aren't sure why the number of infected PCs has risen so quickly.
The Internet Storm Center (ISC) believes that widespread SQL injection attacks on web sites are behind it all. These attacks compromise the database server behind an otherwise-harmless web site, so that site visitors using unpatched browsers are served malware. Another explanation is that bot-herders may simply be able to keep control of a compromised PC for longer before users discover an anomaly or a virus scanner detects the infection.
Thorsten Holz, cofounder of Germany's Honeynet Project, believes that email attacks in the past few months have brought about these changes. During this time, malware has been circulating as forged UPS invoices, Angelina Jolie videos, reports about the US invading Iran and most recently as Olympic screensavers. Holz pointed out to heise Security that ShadowServer mainly monitors IRC botnets, which are not related to SQL injection attacks – a fact that further bolsters his interpretation.
Recently, security service providers FireEye and SecureWorks also reported some interesting findings about botnets. It turns out that the two botnets which vie for the title of King of the Hill, Srizbi and Rustock, have some things in common. Apparently, one client is using both networks to send spam email. It is also unusual that emails that distribute Srizbi bots are being sent from the Rustock network.