News

U.S. Tops List as Source for Botnet Attacks

The United States was the top source of distributed attack traffic, originating nearly three times as many attacks as second-place China, according to a recent study by security service provider SecureWorks Inc.

The figures are based on identified attacks attempted against the company's 2,000 customers so far in 2008. The bad guys launching the attacks were not always based in this country, but they used compromised computers in the United States to form botnets as platforms for the attacks.

According to SecureWorks, 20.6 million attacks originated from U.S. computers and 7.7 million from Chinese computers.

"It clearly shows that the United States and China have a lot of vulnerable computers that have been compromised and are being used as bots to launch cyberattacks," said Hunter King, a security researcher at SecureWorks. "This should be a warning to organizations and personal computer users that not only are they putting their own computers and networks at risk by not securing them, they are providing these cybercriminals with a platform from which to compromise other computers."

The rest of the top 10 sources of attack traffic were:

  • South Korea with 162,289 attempted attacks.
  • Poland with 153,205.
  • Japan with 142,346.
  • Russia with 130,572.
  • Taiwan with 124,997.
  • Germany with 110,493.
  • Canada with 107,483.
  • Brazil with 16,987.
The vulnerabilities exploited to compromise botnet computers do not necessarily have anything to do with the attacks launched from them. Once compromised, computers can be updated with malicious code and instructions for sending spam or other attack traffic.

Because the attacks can make use of address lists on compromised computers, malicious code can appear to come from trusted sources, which makes it difficult to screen e-mail traffic by address. Computers can also be compromised by malicious code hosted on legitimate Web sites and in third-party applications.

The ability of botnet activities to cross national borders complicates the job of blocking hostile traffic, said Don Jackson, director of threat intelligence at SecureWorks.

"The Georgia/Russia cyber conflict was a perfect example of this," Jackson said. "Many of the Georgian [information technology] staff members thought that by blocking Russian IP addresses they would be able to protect their networks. However, many of the Russian attacks were actually launched from IP addresses in Turkey and the United States, so consequently they were hit hard."

Hacking patterns in China appear to differ from those in other countries, Jackson said. Although hackers still assemble distributed networks of computers, they tend to use entire networks they control with the help of insiders at schools, data centers and companies. But the technique of wholesale compromise is not unique to China, he added. "We also see many local hacker groups in Japan and Poland compromise hosts within their own country to use in cyberattacks, so the Chinese hackers are not alone in using resources within their own borders."

In addition to keeping up-to-date with security protocols, administrators can seek protection by using security services that block traffic from known or suspected malicious sources. They can also monitor outgoing network traffic to detect suspicious activity from computers that have been compromised.

About the Author

William Jackson is the senior writer for Government Computer News (GCN.com).

Featured