U.S. Computers Top Botnet Source

Responsible for three times the attacks as second-place source -- China

The United States was the top source of distributed attacktraffic, originating nearly three times as many attacks assecond-place China, according to a recent study by security serviceprovider SecureWorks Inc.

The figures are based on identified attacks attempted againstthe company’s 2,000 customers so far in 2008. The bad guyslaunching the attacks were not always based in this country, butthey used compromised computers in the United States to formbotnets as platforms for the attacks.

According to SecureWorks, 20.6 million attacks originated fromU.S. computers and 7.7 million from Chinese computers.

“It clearly shows that the United States and China have alot of vulnerable computers that have been compromised and arebeing used as bots to launch cyberattacks,” said Hunter King,a security researcher at SecureWorks. “This should be awarning to organizations and personal computer users that not onlyare they putting their own computers and networks at risk by notsecuring them, they are providing these cybercriminals with aplatform from which to compromise other computers.”

The rest of the top 10 sources of attack traffic were:

  • South Korea, with 162,289 attempted attacks
  • Poland, with 153,205
  • Japan, with 142,346
  • Russia, with 130,572
  • Taiwan, with 124,997
  • Germany, with 110,493
  • Canada, with 107,483
  • Brazil, with 16,987
The vulnerabilities exploited to compromise botnet computers do notnecessarily have anything to do with the attacks launched fromthem. Once compromised, computers can be updated with maliciouscode and instructions for sending spam or other attack traffic.

Because the attacks can make use of address lists on compromisedcomputers, malicious code can appear to come from trusted sources,which makes it difficult to screen e-mail traffic by address.Computers can also be compromised by malicious code hosted onlegitimate Web sites and in third-party applications.

The ability of botnet activities to cross national borderscomplicates the job of blocking hostile traffic, said Don Jackson,director of threat intelligence at SecureWorks.

“The Georgia/Russia cyber conflict was a perfect exampleof this,” Jackson said. “Many of the Georgian[information technology] staff members thought that by blockingRussian IP addresses they would be able to protect their networks.However, many of the Russian attacks were actually launched from IPaddresses in Turkey and the United States, so consequently theywere hit hard.”

Hacking patterns in China appear to differ from those in othercountries, Jackson said. Although hackers still assembledistributed networks of computers, they tend to use entire networksthey control with the help of insiders at schools, data centers andcompanies. The technique of wholesale compromise is not uniqueto China, he added. “We also see many local hacker groups inJapan and Poland compromise hosts within their own country to usein cyberattacks, so the Chinese hackers are not alone in usingresources within their own borders.”

In addition to keeping up-to-date with security protocols,administrators can seek protection by using security services thatblock traffic from known or suspected malicious sources. They canalso monitor outgoing network traffic to detect suspicious activityfrom computers that have been compromised.

-- William Jackson