Research out this week from Symantec places the UK at the top of the league table of countries that have lots of PCs participating in networks of bots — compromised computers that malicious hackers can control to send spam or attack others.

Symantec’s Internet Security Threat Report for the second half of 2004 said that 25.2% of bot-infected computers are located in the UK. That now puts the country ahead of the US (24.6%), China (7.8%), Canada (4.9%) and Spain (3.8%), Symantec said.

It’s the boom that’s doing it, Symantec speculated. There are millions more broadband subscribers in the UK now than there were a year ago, but not enough have yet learned that a raw, unfiltered, permanent internet connection is a security risk.

Last week, the UK government’s office of National Statistics said that the number of subscribers to permanent internet connections, as opposed to dialup, had jumped 86.2% to 41% of total internet subscriptions by December 2004.

“Symantec believes that new broadband customers may not be aware of the additional security precautions that need to be taken when using an always-on high-speed internet connection,” the company said in its report.

The geographic distribution numbers are based on Symantec’s observations from the logs of devices it controls under its managed security services offerings. While only a sampling, the company does have a decent insight into trends from these logs.

The company said its research also showed a significant decline in the number of active botnets in the period, from 30,000 in the first half of 2004 to 5,000 in the second half, but executives played this down.

“I expect that this will increase again over time,” Symantec director of product management David Cole said. “The drop is probably due to the adoption of Windows XP Service Pack 2… and also due to better procedures at the ISPs.”

SP2 has several security fixes that prevent users from getting infected with malware. ISPs are also better at identifying compromised users and alerting them. However, this may not have taken off in the UK yet.

“The addition of many new customers, with the corresponding increase in infrastructure and support costs, may slow the response of [UK ISPs] to reports of network abuse and infection,” the Symantec report says.

Bots are typically used by crackers to either launch denial of service attacks for kicks or extortion, or to send spam, or to relay further attacks against third parties. Compromised users are rarely aware their computers are being used in such a way.

Symantec said that bots are becoming more sophisticated too. In the past, most bots have used Internet Relay Chat servers to receive orders from their master. Taking down the server can take down the network.

But Symantec said it has now observed bots using their own peer-to-peer networks on random ports, and even POP3, to talk, making them decentralized and harder to shut down.