Botnet army massing in China - Prolexic

 

Gallery

By Matt Whipp

Posted on 29 Jan 2007 at 11:21

China is now the most infected country in the world and Asia contains half the world's infected computers, according to security company Prolexic.

The figures come from the company's Denial of Service (DDoS) Weather Report, which reports on the botnet activity around the globe from infected computers.

Countries in Asia account for five of the six most infected territories around the world, with the US in second place. The UK is tenth.

Net use in China is exploding. According to figures for 2006 released by the China Internet Networks Information Centre (CNNIC), the People's Republic now boasts 137 million Internet users, up 23.4 per cent year on year.

There are a number factors exacerbating the China problem, said Keith Laslop, President of Prolexic. One is 'because of the high use of pirate software, which Microsoft refuses to protect,' he said, which leaves systems open to virus infection.

Others include online criminals in China 'being able to exploit weak cybercrime legislation,' he said. 'If you commit a cybercrime in China, you face execution. If you do the same thing outside of China, the government won't bat an eyelid.'

Furthermore, the business landscape in China can be far from friendly. Laslop said that successful startups in China will soon come to the attention of the authorities, who are likely to move their own personnel in to key positions. 'It's more prudent to start an illegitimate business in China than a legitimate one.'

The other reason botnets are growing is because the DDoS attacks using them are successful. Laslop said that the infrastructure of web-facing systems are too often inadequate to cope with the threat. In particular, he noted that the Linux Apache MySQL PHP (LAMP) open-source systems are vulnerable when not configured properly.

'LAMP is not built defensively,' he said. 'It makes it a very easy target. You have to be very careful about how you configure it. You have burn some defensibility on to it. What it takes is planning, and right now there's no planning out there.'

The nature of attacks is also changing. They no longer rely on the brute force method of throwing masses of traffic at a server, but take a more targeted approach.

'They have moved from consumption type attacks to targeted http or application based attacks, trying to bring the CPU load to 100 per cent, maybe through an advanced search, or via registration pages,' he said. 'These new attacks appear legitimate. They sidestep firewalls, DDOS mitigation boxes, IDS services and so on.'

The report claims such attacks can use https to sidestep built in DDoS and IPS systems, and relatively low bandwidth - sub 50Mb - to succeed.

Paul Sop, CTO of Prolexic, said: 'A botnet is like a Swiss-army knife in that it has many tools which the attacker can implement. Attackers have started finding ways around many common DDoS defence systems and are adding those capabilities to their botnets. Their new tactics involve countermeasures of a previously unheard of level of sophistication. The challenge in stopping these attacks requires identifying, to a great level of detail, the usage patterns of normal users versus simulated bot users.'