22 Apr 2009
A botnet of nearly two million compromised computers, most of them in the UK and US, has been discovered by web security firm Finjan.
The botnet is notable not just because of its scale, but also the speed with which it was formed and the fact that many government and corporate PCs, as well as consumer devices, were infected.
According to Finjan's chief technology officer, Yuval Ben-Itzhak, the average size of botnets last year was around 500,000 machines. He said this particular network has only been in use since February this year, controlled by just six people using a server hosted in the Ukraine.
"They managed to infect so many people by compromising legitimate web sites and inserting malware code, so when people visited the sites, their browser was exploited," said Ben-Itzhak.
"They can send commands to each of the [infected computers] recording keystrokes and passwords, and stealing data, and can also use them for sending spam, or for denial-of-service attacks."
He added that only four of the 39 anti-virus scanning tools they tested were unable to detect the malware used to infect the machines in the botnet.
"Our recommendation is to take a multi-layered approach, including traditional anti-virus and real-time content analysis tools to inspect content without a signature, and data leak prevention in and outbound," advised Ben-Itzhak.
He added that web site owners should put in place web application firewalls to minimise the risk of SQL injection and cross-site scripting attacks.
Finjan said it has now provided information about the Ukraine-based command and control server to UK and US law enforcers, and told those government agencies and companies whose computers are infected.
Rik Howard, director of intelligence at managed security services firm iDefense, said the news highlights the fact that some government agencies have the same problems securing their computer systems as commercial organisations.
"In my estimation, government patching cycles are maybe not always as aggressive as commercial organisations, and they may want to consider that," he advised.
"You should also never underestimate the power of the machine that has been offline for a while and hasn't been brought up to speed with patches before it's brought online again."
Howard added that the size of the botnet was somewhat surprising, given that the trend iDefense has observed appears to be of online criminals using smaller networks which are more nimble and harder to detect.