Thousands of government computers may be under the control of cybercriminals. Software bots--malicious code that turns PCs and servers into remotely controlled "zombies"--have dug into the computers of federal and state agencies, security experts say. Once infected, those computers can be used to distribute spam, launch denial-of-service attacks, and even direct sensitive information into the wrong hands.

Security vendor Trend Micro, which has been studying the phenomenon and is pushing a service to detect bots, reports finding bot infestations in government computers. Its list of bot-bitten organizations includes the Department of Defense, Argonne National Laboratory, Alabama Supercomputer Network, Arkansas Department of Information Systems, Iowa Communications Network, and Connecticut's Department of IT. The Pittsburgh Supercomputing Center and Navy Network Information Center may end up on the list, too; Trend Micro last week said data pointing to bots in those two organizations was inconclusive.

Trend Micro planned to disclose its findings last week--ostensibly in the interest of public awareness. But as InformationWeek followed up with organizations cited by the vendor, some of its conclusions were called into question, owing in part to the complexity of tracking these zombie computers. One national laboratory, for example, was initially identified as having compromised machines, but the lab disputed those findings, and subsequent analysis by Trend Micro revealed that the spam in question doesn't appear to come from its machines. Trend Micro has since postponed its announcement and is double-checking the 60 terabytes of data it used to do its analysis.

Trend Micro attempts to identify compromised machines by analyzing spam samples received from customers of its filtering service. It's tricky work, because bot creators employ techniques to cover their tracks. "You have no idea how complex this is," says Dave Rand, Trend Micro's CTO. After initially claiming that "tens of thousands" of government computers had bots within them, Rand last week revised that tally to 7,000.

That doesn't mean bots aren't a problem--they most certainly are for government agencies and businesses alike. Trend Micro estimates there are 70 million subverted computers worldwide and that 8 million to 9 million are used to send spam in a given month. Bots can remain dormant for weeks or months at a time. In general, about 60% of zombies are used to send spam and 40% for more destructive reasons, including phishing, pharming, click fraud, distributing adware or malware, denial-of-service attacks, data theft, and temporarily storing illegal, malicious, or stolen files.

While most everyone agrees that the attacks are getting larger, more frequent, and more sophisticated, not everyone sees evidence that bots are a growing problem on government computers. Network security specialist Prolexic says there's been an increase in the size of distributed denial-of-service attacks, from 3.5 Gbps last year to more than 10 Gbps in 2006, yet a data sample from the company's clients doesn't show evidence of those attacks originating from government Internet addresses. That finding is based on about 40 distributed DoS attacks monitored by Prolexic in the first seven months of 2006.

After being contacted by InformationWeek, Prolexic operations VP Matt Wilson did a quick search of the company's computer logs for evidence of bot attacks originating from government computers. "I didn't see anything that would have indicated mass bot infections within any government agencies or networks," he says. "That's not to say that they don't exist, simply that they aren't being used to attack our customer base."

It's small comfort, however, because if government systems are being hijacked, it could be for more devious purposes. "Something like that would be much more valuable for targeted mining of things like passwords, E-mail addresses, mapping out government networks," Wilson says.

Data maintained by security vendors MX Logic and IronPort confirms the presence of spam-sending bots on government networks. IronPort reports a 40% increase in spam volume since February across government and business accounts. Craig Sprosts, a senior product manager at IronPort, notes that the percentage of spam coming from government accounts is minor--1% to 2% of the overall problem--compared with what's originating from Internet service providers and other compromised networks.

Not Immune
Bots land on computers in a dozen ways, including operating system or application vulnerabilities, dictionary attacks that guess passwords, a pre-existing back door created by a prior computer virus, and malicious files downloaded via E-mail, instant message, or peer-to-peer applications. Bots frequently are installed as a result of human error--opening a malicious file or visiting an unsafe Web site, for example. Once installed, bots may be able to update themselves or install other malicious software. They're typically controlled though commands received from an Internet Relay Chat server, and any compromised PC can be turned into an IRC server that can then be used to coordinate a bot network.

Increasingly, bots are using encrypted or covert channels of communication rather than IRC, which can easily be blocked, and they come with key-logging and screen capture capabilities, says Sam Masiello, director of threat management at MX Logic.

A spokesman for the Defense Department declined to address specific security concerns, including bots, but he acknowledged that the department's computer systems are attacked daily. "The DoD aggressively responds to deter all intrusions," says Maj. Patrick Ryder via E-mail. "We're not immune, but we have a layered defense." Among the steps it takes: intrusion-detection software, firewalls, and increased awareness training of personnel.

Mike Skwarek, cybersecurity program manager and deputy CIO at Argonne National Labs, hadn't seen the Trend Micro findings nor talked to the security vendor early last week as this story was being researched. But based on the description of Trend Micro's findings--that spam received from the vendor's customers points to Argonne as one source--Skwarek doesn't believe the assertions and points to spoofing as a possible explanation. "You can forge where E-mails are coming from. It's quite easy," he says.

Once or twice a week, Argonne gets complaints about being a source of spam. Usually, however, its own analysis of the evidence shows that the lab wasn't at fault, that a PC suspected of sending spam was actually turned off at the time, for instance. If an Argonne PC gets infected by a bot, all E-mail is blocked from the infected PC. "We have an early warning, and that's effective," Skwarek says. Argonne has had two viruses in the past year and a half that may have been related to bots, but those viruses were quickly detected and removed. "We do a good job on the desktop fighting this," Skwarek says.

TAKE OUR POLL How does bot activity on your network today compare with one year ago?

While it may be tempting to discount the warnings of security vendors as self-serving--bot fever means more business for Trend Micro and others--there's unanimity about the growing risk of cybercrime. In its list of the top 10 computer security developments to watch for in 2007, released last week, the SANS Institute warns that targeted attacks will become more prevalent, particularly against government agencies. "Targeted cyberattacks by nation states against U.S. government systems over the past three years have been enormously successful, demonstrating the failure of federal cybersecurity activities," SANS director of research Alan Paller says in an E-mail. "Other antagonistic nations and terrorist groups, aware of the vulnerabilities, will radically expand the number of attacks. "

Network security vendor Arbor Networks last month reported that distributed DoS attacks and botnets are the most significant security threat facing ISPs. Arbor contends that bot command-and-control networks are harder to infiltrate and that today's bots are more powerful than their ancestors, as well as more difficult to find and remove.