The growth of botnets is a major problem, with a 100 percent increase in the U.K. since 2004, according to Symantec. The company believes that right now, the U.K. contains the highest number of botnets in the world.
"Just over a third of the botnets we've seen are in the U.K.," said Wong, quoting figures from Symantec's Internet Security Report VIII, published in September 2005. This is higher than the U.S., which has traditionally had more botnets.
The high incidence of botnets in the U.K. probably has to do with the recent explosion in broadband usage and the fact that most U.K. home users wouldn't know if their computer was compromised, Wong suggested. "Maybe there's a slightly lower awareness level in Britain of botnets," he said. "The IP addresses could come from legitimate machines that have been compromised by hackers. Maybe the machines don't have patches, or are not running up-to-date anti-malware products. Plus, if you have 10,000 machines in a botnet, it's difficult to track back to each IP address."
Taking control
On average, it takes eight minutes for a new machine to be
compromised when hooked up to the Web for the first time,
according to Symantec tests on a Microsoft Windows PC not running
XP Service Pack 2 or antivirus software.
There is a particular danger for businesses using the same network as a compromised machine, because once one machine has been infected behind the firewall, hackers can use it to infect others. "If attackers manage to infect a machine within an organisation, they can profile additional machines within that subnet. Executable code can be injected onto other machines to profile the users," Ogden said.
Symantec does not tell those people with compromised IP addresses that their computers are being controlled by hackers, due to the sheer scale of the problem. "A botnet can consist of thousands of machines, and we just don't have the time to contact everyone. Our first priority is our customers," Ogden said.
However, when it comes to serious incidents, Symantec does support the police. But the company is keen to point out that it doesn't supply any direct details on customers. "The information we supply to our customers belongs to them, and it's up to them to provide information to law enforcement agencies regarding any suspect activity. When companies are targeted, it's the customer who initiates giving information about the offending individuals," Ogden said.
It also supports the police in its efforts to counter botnets. "In the U.K., the National Hi-Tech Crime Unit has been proactive in trying to close down botnet activity. We welcome any initiative which closes down botnets," Ogden said. "We have had some contact with the authorities in the past, and it works quite successfully."
If a company is the subject of an attack, Symantec recommends it goes to the police. Symantec will only go so far with chasing potential criminals. If an attack has been unsuccessful, they are unlikely to be hunted down, Ogden said.
"If we have controlled and closed down a particular threat to a customer, there's not a great deal of benefit in tracking down the individuals who mounted the attack," he said.
Tom Espiner of ZDNet UK reported from London.
