ENISA warns of growth in bot network activity
The number of botnets will continue to grow and they could soon turn up in mobile communications. That is the warning in a report (PDF file) by the European Network Information and Security Agency (ENISA). In view of the flexibility demonstrated by botnet distributors, ENISA fears that mobile devices will soon be manipulated in the same way as traditional PCs and used to initiate a variety of attacks such as DDoS attacks.
"For instance, there are currently worms that use Instant Messaging (IM) networks like MSN or Skype to distribute themselves, but there are also worms that distribute themselves using MMS (e.g. Commwarrior), SMS or Bluetooth communications," says the paper entitled "Botnets - The Silent Threat". With continuous internet connectivity commonplace on mobile devices (Blackberry, Windows Mobile and Symbian devices), "we might soon see malicious code targeting those devices." One of ENISA's suggestions is to consider a central European organization for combating cyber crime.
The security agency estimates that there are around six million bot-infected computers worldwide. Germany has the third largest number of infected computers, according to the report. Only in China and the USA have more PCs joined the world's estimated population of 1,000 botnets. The size of these networks varies between 10 and 300,000 compromised computers. Spanish software developer S21sec, which led the ENISA report, says that "browser exploits" are now the most common infection method. 65 percent of compromised computers are infected by the botnet operators during surfing. HTTP is increasingly replacing the IRC protocol as the preferred means of communication used by the bots.
Uninformed users must be educated as a matter of urgency to realize that slow connections to the Internet, strange browser behaviour, anti-virus programs shutting down or programs starting up automatically are likely signs that their computer is running malicious software. Around 30,000 malicious websites appear every day trying to infect visitors, says ENISA, based on figures provided by Sophos. A recent study carried out by Google revealed that 10,000 out of 4.5 million URLs analyzed were malicious.
As well as the browser infection method, ENISA mentions e-mail attachments (13 percent), operating system exploits (11 percent) and downloading files from the Internet (9 percent) as other common distribution methods. The problem will not disappear on its own, warns ENISA, which proposes a range of countermeasures. As well as mentioning the continued need to educate users and for vendors to do better, ENISA considers the question of how ISPs could better protect their customers.
The experts believe the greatest need is advice and guidance from privacy authorities, since inspecting and blocking outbound and inbound traffic could lead to privacy issues. "Guidance should be provided on the extent to which ISPs can inspect users' e-mail traffic to detect and block botnet communications," reads one of the recommendations. Only if the bot problem worsens should policy-makers consider drawing up rules to permit the removal of infected computers from the internet. But the report emphasises that "this would be an extreme measure". Nevertheless, the French government has already laid plans to disconnect internet users who engage in illegal file sharing, so the way has been paved for such controls despite the reservations of ENISA.
The ENISA report also provides a number of recommendations on the early detection of local honeypots on LANs, as well as advice for users. (Monika Ermert)