Botnets: Hi-tech crime in the UK

About 6% of Britain's home computers have been hijacked by criminals and formed into networks known as botnets.
This chart shows how much spam each network is pumping out each week.

Home net providers


More than one million households in the UK are believed to be harbouring criminals inside their family PC.

A large-scale global study suggests 5-10% of all domestic computers are regularly linked to criminal networks called botnets.

The figures suggest that about 6% of the UK's 19 million net-using households are enrolled in botnets.

Hijacked PCs could be sending spam, attacking websites or surrendering bank details to criminals.

Trapping spam

The data on the botnet infestations was gathered by a team of Dutch researchers looking into ways to limit the spread of these criminal tools.

"We are talking really big numbers here," said Prof Michel van Eeten, from the Delft University of Technology who headed the team which gathered the survey data.

Topping the list of infection rates were Greece and Israel where about 20% of all broadband subscribers are thought to be regularly recruited into a botnet.

Cyber criminals plunder machines under their control for credit cards and other saleable data.

The data was gathered from several different sources. The bulk of it came from spam traps - fake email addresses set up solely to receive junk mail.

Dave Rand of Trend Micro has run spam traps for decades and has a database of billions of spams revealing the origins of junk messages. The majority of spam, more than 90%, is sent through botnets whose internet addresses are a good guide to where the drone machines are located.

The Dutch researchers took the spam-sending IP addresses and traced each one to an ISP. To this they added data about the Conficker botnet, one of the biggest, as well as incident reports from the computer security company DShield, which showed other criminal net activity likely to have originated on botnets.

Prof van Eeten said there was little duplication between the three data sets which suggested that true infection rates are even higher. Together, the sources gave a good overview of the scale of the botnet problem.

The information has been shared with many agencies tackling cyber-crime and ISPs. They have been surprised by how pervasive botnets have become.

"The ISPs were quite shocked when they saw the discrepancy between what we saw and what they saw," he told the BBC. The discrepancy arose, he said, because net firms did not seek out the available data on infections in their networks.

Another complication was that botnet herders did not use all the machines under their control at once. Instead, he said, they used a subset of the thousands or millions they controlled for each task they were paid to carry out. Only by conducting a long-term study would it be possible to get a sense of the real numbers.
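The counting method described in this section, as an added example that is not part of the BBC article or of the Delft team's own tooling. It assumes a constructed prefix-to-ISP table (real work would use BGP or whois data) and constructed observations from three sources (spam-trap hits, Conficker sinkhole hits and DShield-style incident reports), each reduced to a (week, IP address) pair. It attributes each address to an ISP, counts distinct infected addresses per ISP per week, measures how much the sources overlap, and shows why the busiest single week undercounts compared with the cumulative figure a longer study produces.

```python
import ipaddress
from collections import defaultdict

# Constructed prefix table mapping address blocks to hypothetical ISPs.
# Documentation ranges (RFC 5737) are used so nothing here points at a real network.
ISP_PREFIXES = {
    "ISP-A": [ipaddress.ip_network("203.0.113.0/25")],
    "ISP-B": [ipaddress.ip_network("203.0.113.128/25")],
    "ISP-C": [ipaddress.ip_network("198.51.100.0/24")],
}

# Constructed observations: (ISO week, source IP address).
SPAM_TRAP = [
    ("2010-W29", "203.0.113.10"), ("2010-W29", "203.0.113.11"), ("2010-W29", "203.0.113.140"),
    ("2010-W30", "203.0.113.10"), ("2010-W30", "203.0.113.12"), ("2010-W30", "203.0.113.13"),
    ("2010-W30", "203.0.113.140"),
    ("2010-W31", "203.0.113.14"), ("2010-W31", "198.51.100.5"),
]
CONFICKER_SINKHOLE = [
    ("2010-W29", "203.0.113.20"), ("2010-W30", "203.0.113.140"), ("2010-W31", "198.51.100.6"),
]
DSHIELD = [
    ("2010-W30", "203.0.113.30"), ("2010-W31", "198.51.100.7"),
]

# Constructed subscriber counts per ISP, needed to turn counts into an infection rate.
SUBSCRIBERS = {"ISP-A": 100, "ISP-B": 20, "ISP-C": 50}


def isp_for(ip_str):
    """Attribute one address to an ISP by longest-prefix style lookup (first match here)."""
    ip = ipaddress.ip_address(ip_str)
    for isp, nets in ISP_PREFIXES.items():
        if any(ip in net for net in nets):
            return isp
    return None  # address is outside the networks being studied


def unique_ips(source):
    """Distinct addresses seen in one data source, regardless of week."""
    return {ip for _, ip in source}


def per_isp_per_week(*sources):
    """Distinct infected addresses per (ISP, week), with the sources merged and de-duplicated."""
    seen = defaultdict(set)
    for src in sources:
        for week, ip in src:
            isp = isp_for(ip)
            if isp is None:
                continue
            seen[(isp, week)].add(ip)
    return {key: len(ips) for key, ips in seen.items()}


def overlap(a, b):
    """Jaccard overlap between two sources: low values mean each source sees mostly different bots."""
    ua, ub = unique_ips(a), unique_ips(b)
    union = ua | ub
    return len(ua & ub) / len(union) if union else 0.0


def peak_vs_cumulative(source, isp):
    """Busiest single week versus distinct addresses over the whole period for one ISP.

    Because herders only task a subset of their bots at a time, the peak week is
    a floor, not an estimate of the botnet's real size."""
    by_week = defaultdict(set)
    total = set()
    for week, ip in source:
        if isp_for(ip) == isp:
            by_week[week].add(ip)
            total.add(ip)
    peak = max((len(ips) for ips in by_week.values()), default=0)
    return peak, len(total)


def infection_rate(isp, *sources):
    """Fraction of an ISP's subscribers seen in any source over the whole period."""
    ips = set()
    for src in sources:
        ips |= {ip for _, ip in src if isp_for(ip) == isp}
    return len(ips) / SUBSCRIBERS[isp]


if __name__ == "__main__":
    for (isp, week), n in sorted(per_isp_per_week(SPAM_TRAP, CONFICKER_SINKHOLE, DSHIELD).items()):
        print(f"{isp} {week}: {n} infected addresses")
    print("spam/conficker overlap:", round(overlap(SPAM_TRAP, CONFICKER_SINKHOLE), 3))
    print("ISP-A peak week vs cumulative:", peak_vs_cumulative(SPAM_TRAP, "ISP-A"))
    print("ISP-A infection rate:", infection_rate("ISP-A", SPAM_TRAP, CONFICKER_SINKHOLE, DSHIELD))
```

The low overlap value is the point Prof van Eeten makes above: if three independent sources mostly see different addresses, each one alone is a lower bound, so the real infection rate is higher than any single feed suggests. The peak-versus-cumulative comparison shows the same thing along the time axis.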

Spam peaks

The UK occupies the number 19 position in the top 20 nations with the biggest botnet problem. The statistics provided to the BBC revealed that almost no ISP in the UK, be it one that provides net services to homes, businesses or the government, has been free of the scourge of botnets over the past few years.

A glance through the spreadsheets documenting which network has sent spam shows that, for some, the problem was relatively brief. This suggests that infected PCs, the vast majority of which run Windows, were discovered and cleared up. Others, however, have persisted in being sources of spam and are unwittingly working on behalf of the criminal gangs to this day.

Hi-tech crime terms

  • Bot - one of the individual computers in a botnet. Bots are also called drones or zombies.
  • Botnet - a network of hijacked home computers typically controlled by a criminal gang.
  • Malware - an abbreviation for malicious software, i.e. a virus, trojan or worm that infects a PC.
  • DDoS - Distributed Denial of Service - an attack that knocks out a computer by overwhelming it with data. Thousands of PCs can take part hence the "distributed".
  • Drive-by download - a virus or trojan that starts to install as soon as a user visits a particular website.
  • IP address - the numerical identifier every machine connected to the net needs to ensure data goes to the right place.

Unsurprisingly, the biggest networks have the biggest problem. For instance the figures for the UK suggest that the peak of spam from BT's network came towards the end of July 2010 when drones were sending out more than 30 million junk mail messages per week.

Figures have fallen sharply from this peak thanks to work by anti-cyber crime researchers who have struck blows at some of the biggest botnets. One takedown saw spam traffic drop by a huge percentage when just one network, called Rustock, stopped sending junk.

In the statistics gathered by the Dutch team there are also indicators that the bad guys are branching out. Some of the networks spotted sending spam are those of mobile operators.

Kevin Mahaffy, chief technology officer of mobile security firm Lookout, said this was because some botnet herders are starting to subvert phones to help them steal cash.

"Criminals have been doing this for a long time on PCs and they are starting to bring their techniques to bear on mobile devices," he said.

A variant of Zeus, one of the most threatening botnets, has been produced that can take over a mobile. This happens, said Mr Mahaffy, because many banks are using mobiles as an authenticator of online transactions.

The Zitmo (Zeus In The Mobile) malware lurks on a phone and springs to life moments after its PC-based element notices that its victim has ended their session with an online bank.

Mr Mahaffy predicted this was just the start of the bad guys putting botnets on mobiles. The threat is potentially more stark, he said, because phones are always connected.

"They could be using it to send spam or they could be renting out my telephone to someone for malicious purposes," he said. "There's a lot of potential for bad things on a mobile network."

Botnet takedown

In gathering the data, Prof van Eeten's team has been investigating the methods ISPs have used to tackle botnets and clean up their networks.

Some criminals are branching out and starting to target mobiles.

Finnish ISPs have turned to automatic systems that tell owners of infected PCs to clean up their machine. Owners get two warnings about the infection before they are temporarily disconnected.

Germany and Japan operate call centres that give people impartial advice about anti-virus and cleaning their PC once they are identified as being on a botnet.

"There's a great desire among large ISPs to tackle botnets," said Michael O'Reirdan, chair of the Messaging Anti-Abuse Working Group (MAAWG), a group initially set up by US net firms to tackle spam.

"By and large the spam issue, in terms of stopping it getting into inboxes, is fairly well sorted," he said. "We're seeing a lot more focus on how we deal with botnets and malware."

Much of the initial work of MAAWG has been in working out just how bad the problem is, said Mr O'Reirdan. ISPs, security firms and governments count infections in different ways leading to real confusion about numbers, he said.

Staying safe online

  • Use anti-virus software and keep it updated.
  • Use a firewall and keep it updated.
  • Let Windows apply updates automatically.
  • Apply updates for other programs, such as web browsers, as soon as they appear.
  • Be wary of clicking links in messages you are not expecting.
  • If an offer looks too good to be true, it probably is.

With that work done, efforts will focus on how to fix the problem and clean up infected PCs. Eventually, he predicted, customers will choose an ISP on how well they tackle botnets.

"What's going to become evident over time is that if you do not have an active anti-bot program as an ISP you are going to be equivalent to an ISP with no spam protection now," he said.

Progress is also being made as industry, law enforcement and security experts unite to tackle botnets, said Steve Santorelli, director of global outreach for Team Cymru - an independent group which specialises in finding and logging botnets and their command and control systems.

"Everyone has finally realised that they cannot do it in isolation," Mr Santorelli told the BBC. "Law enforcement do not have the technical skills, and companies and ISPs have realised they cannot get things done with regard to the law being enforced."

Not all of that effort is about putting people in jail, he said.

"It's also about disruption," he said. "It's about increasing the cost of doing business for the bad guys; it's all about changing the equation of risk versus benefit."

A significant number of takedowns, raids and mitigation strategies have got the criminals looking over their shoulders, he said. Eavesdropping on the forums where the botnet herders hang out shows they are getting concerned.

"It used to be the only thing they worried about was another gang stealing their botnet," he said. "Now they are worried about takedowns and Microsoft filing lawsuits."

"There's a significant amount of resources being put in place," he said. "These are exciting times."

The BBC would like to extend its thanks to Prof Michel van Eeten, Prof Johannes Bauer, Hadi Asghari and Shirin Tabatabaie for providing the data for this project.
