U.S. Tops List as Source for Botnet Attacks
The United States was the top source of distributed attack
traffic, originating nearly three times as many attacks as
second-place China, according to a recent study by security service
provider SecureWorks Inc.
The figures are based on identified attacks attempted against
the company's 2,000 customers so far in 2008. The bad guys
launching the attacks were not always based in this country, but
they used compromised computers in the United States to form
botnets as platforms for the attacks.
According to SecureWorks, 20.6 million attacks originated from
U.S. computers and 7.7 million from Chinese computers.
"It clearly shows that the United States and China have a
lot of vulnerable computers that have been compromised and are
being used as bots to launch cyberattacks," said Hunter King,
a security researcher at SecureWorks. "This should be a
warning to organizations and personal computer users that not only
are they putting their own computers and networks at risk by not
securing them, they are providing these cybercriminals with a
platform from which to compromise other computers."
The rest of the top 10 sources of attack traffic were:
- South Korea with 162,289 attempted attacks.
- Poland with 153,205.
- Japan with 142,346.
- Russia with 130,572.
- Taiwan with 124,997.
- Germany with 110,493.
- Canada with 107,483.
- Brazil with 16,987.
The vulnerabilities exploited to compromise botnet computers do not
necessarily have anything to do with the attacks launched from
them. Once compromised, computers can be updated with malicious
code and instructions for sending spam or other attack traffic.
Because the attacks can make use of address lists on compromised
computers, malicious code can appear to come from trusted sources,
which makes it difficult to screen e-mail traffic by address.
Computers can also be compromised by malicious code hosted on
legitimate Web sites and in third-party applications.
The ability of botnet activities to cross national borders
complicates the job of blocking hostile traffic, said Don Jackson,
director of threat intelligence at SecureWorks.
"The Georgia/Russia cyber conflict was a perfect example
of this," Jackson said. "Many of the Georgian
[information technology] staff members thought that by blocking
Russian IP addresses they would be able to protect their networks.
However, many of the Russian attacks were actually launched from IP
addresses in Turkey and the United States, so consequently they
were hit hard."
Hacking patterns in China appear to differ from those in other
countries, Jackson said. Although hackers still assemble
distributed networks of computers, they tend to use entire networks
they control with the help of insiders at schools, data centers and
companies. But the technique of wholesale compromise is not unique
to China, he added. "We also see many local hacker groups in
Japan and Poland compromise hosts within their own country to use
in cyberattacks, so the Chinese hackers are not alone in using
resources within their own borders."
In addition to keeping up-to-date with security protocols,
administrators can seek protection by using security services that
block traffic from known or suspected malicious sources. They can
also monitor outgoing network traffic to detect suspicious activity
from computers that have been compromised.
William Jackson is the senior writer for Government Computer News (GCN.com).