Trend Micro: Thousands Of Government Computers Infected By Bots
InformationWeek has learned Trend Micro is researching how PCs, including computers in defense agencies, are infected with software that can be used to mine confidential data, send spam, or launch denial-of-service attacks. But government IT managers challenge those findings, and Trend Micro is backing down on some.
Thousands of government computers may be under the control of cybercriminals. Software bots—malicious code that turns PCs and servers into remotely controlled "zombies"—have dug into the computers of federal and state agencies, security experts say. Once infected, those computers can be used to distribute spam, launch denial of service attacks, and even direct sensitive information into the wrong hands.
Security vendor Trend Micro, which has been studying the phenomenon and is pushing a service to detect bots, reports finding a bot infestation in government computers. Its list of bot-bitten organizations includes the Department of Defense, the Navy Network Information Center, the Pittsburgh Supercomputing Center, Argonne National Laboratory, and the Navy Regional Data Automation Center. At the state level, its list includes the Alabama Supercomputer Network, Arkansas Department of Information Systems, Iowa Communications Network, and Connecticut's Department of IT.
Trend Micro planned to disclose its findings this week, ostensibly in the interests of public awareness. But as InformationWeek followed up with organizations cited by Trend Micro, some of the vendor's conclusions were called into question, owing in part to the complexity of tracking these zombie computers. One national laboratory, for example, was initially identified as having compromised machines, but the lab disputed those findings and subsequent analysis by Trend Micro revealed that the spam in question doesn't appear to have come from computers that were hosted at the lab. Trend Micro has since postponed its announcement and is double-checking the 60 terabytes of data it used to trace spam to bot-infected computers.
At the time this article was filed, Trend Micro said that data pointing to the presence of bots at the Pittsburgh Supercomputing Center and the Navy Network Information Center remained uncertain.
Trend Micro attempts to identify compromised machines by analyzing spam samples received from customers of its filtering service. It's tricky work, because bot creators employ techniques for covering their tracks. "You have no idea how complex this is," says Dave Rand, Trend Micro's CTO. After initially claiming that "tens of thousands" of government computers had bots within them, Rand this week downgraded the tally to 7,000.
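The attribution problem the article describes (a spam sample traces back to an organization's address space, yet the machine that actually sent it may sit elsewhere) comes down to which hop in the message's Received chain you trust. The following is an added illustration, not Trend Micro's method or code: it walks the Received headers of a few constructed spam samples, takes only the IP that connected to a trusted relay (everything below that trust boundary is attacker-controlled and forgeable), maps it to a table of netblocks, and downgrades confidence when the connecting host itself claims to have relayed the message from somewhere else, which is exactly the situation in the disputed national-laboratory case. The relay names, organization labels and CIDR ranges are hypothetical (the ranges are RFC 5737 documentation blocks), and the samples are constructed.

```python
import ipaddress
import re
from collections import Counter

# Hypothetical netblock table. Organization names are placeholders and the
# ranges are RFC 5737 documentation blocks, not real allocations.
NETBLOCKS = {
    "Example Lab (hypothetical)": ipaddress.ip_network("192.0.2.0/24"),
    "Example Agency (hypothetical)": ipaddress.ip_network("198.51.100.0/24"),
    "Example ISP (hypothetical)": ipaddress.ip_network("203.0.113.0/24"),
}

# Hosts of the (hypothetical) filtering service; Received headers stamped
# "by" one of these were written by us and can be trusted.
TRUSTED = {"spool.filter.example", "mx1.filter.example"}

# Received: from <helo> (<rdns> [<ip>]) by <host> ...   (most recent hop first)
RECEIVED_RE = re.compile(
    r"^Received: from (?P<helo>\S+).*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\].*? by (?P<by>\S+)",
    re.MULTILINE,
)

# Constructed samples. Top header is the most recent hop.
SAMPLES = [
    # 1: bot connected straight to our MX from agency address space
    "\n".join([
        "Received: from mx1.filter.example ([203.0.113.10]) by spool.filter.example",
        "Received: from pc77.dhcp (unknown [198.51.100.77]) by mx1.filter.example with SMTP",
        "Subject: cheap meds",
    ]),
    # 2: the lab's mail gateway connected to us, but it says it got the message
    #    from a home PC; the lab may only be forwarding, not originating
    "\n".join([
        "Received: from gw.lab.example (gw.lab.example [192.0.2.5]) by mx1.filter.example",
        "Received: from some-home-pc (unknown [203.0.113.200]) by gw.lab.example",
        "Subject: cheap meds",
    ]),
    # 3: direct connection from a consumer ISP address
    "\n".join([
        "Received: from cable-modem (unknown [203.0.113.200]) by mx1.filter.example",
        "Subject: cheap meds",
    ]),
]


def parse_received(raw):
    """Extract (helo, ip, by) for each Received header, most recent first."""
    return [m.groupdict() for m in RECEIVED_RE.finditer(raw)]


def connecting_hop(hops, trusted):
    """Return (index, ip) of the hop that connected to our last trusted relay.

    Walk down the chain while the receiving host is ours; the 'from' IP of the
    last such hop is the only address we observed directly. Headers below it
    were added by untrusted hosts and could be forged."""
    last = None
    for i, hop in enumerate(hops):
        if hop["by"] not in trusted:
            break
        last = (i, hop["ip"])
    return last


def attribute(ip):
    """Map an IP to an organization in the netblock table, or 'unattributed'."""
    addr = ipaddress.ip_address(ip)
    for org, net in NETBLOCKS.items():
        if addr in net:
            return org
    return "unattributed"


def analyze(raw, trusted=TRUSTED):
    """Attribute one spam sample and rate how much to trust the attribution."""
    hops = parse_received(raw)
    found = connecting_hop(hops, trusted)
    if found is None:
        return {"ip": None, "org": "unattributed", "relayed": False, "confidence": "none"}
    idx, ip = found
    # Further Received headers below the trust boundary mean the connecting host
    # claims to be a relay, so the bot may live elsewhere: flag for review.
    relayed = idx + 1 < len(hops)
    return {"ip": ip, "org": attribute(ip), "relayed": relayed,
            "confidence": "low" if relayed else "high"}


def tally(samples, trusted=TRUSTED):
    """Count samples per (organization, confidence) so low-confidence hits
    are reported separately rather than folded into an infection total."""
    counts = Counter()
    for sample in samples:
        result = analyze(sample, trusted)
        counts[(result["org"], result["confidence"])] += 1
    return counts


if __name__ == "__main__":
    for (org, confidence), n in sorted(tally(SAMPLES).items()):
        print(f"{org:32} {confidence:5} {n}")
```

Reporting the low-confidence bucket separately is the point: sample 2 lands in the lab's address space, but the only safe conclusion is that the lab's gateway relayed the message, which is the distinction the disputed finding in the article turned on.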
That doesn't mean bots aren't a problem—they most certainly are for government agencies and businesses alike. Trend Micro estimates there are 70 million subverted computers worldwide and that 8 million to 9 million are used to send spam in a given month. In general, about 60% of zombies are used to send spam and 40% for more destructive means, including phishing, pharming, click fraud, distributing adware or malware, denial of service attacks, surreptitious data theft, and temporarily storing illegal, malicious or stolen files.
While nearly everyone agrees that the attacks are getting larger, more frequent, and more sophisticated, not everyone sees evidence that bots are a growing problem among government computers. Network security specialist Prolexic says there's been an increase in the size of distributed denial of service attacks from 3.5 gigabits per second last year to over 10 Gbps in 2006, yet a data sample from the company's clients doesn't show evidence of those attacks originating from government Internet addresses. That finding is based on about 40 DDoS attacks monitored by Prolexic in the first seven months of 2006.
After being contacted by InformationWeek, Prolexic operations VP Matt Wilson did a quick search of the company's computer logs for evidence of bot attacks originating from government computers. "I didn't see anything that would have indicated mass bot infections within any government agencies or networks," he says. "That is not to say that they do not exist, simply that they aren't being used to attack our customer base."
It's small comfort, however, because if government systems are being hijacked, it could be for more devious purposes. "Something like that would be much more valuable for targeted mining of things like passwords, e-mail addresses, mapping out government networks," Wilson says.
Data maintained by e-mail security vendor IronPort confirms the presence of spam-sending bots on government networks. IronPort reports a 40% increase in spam volume since February across government and business accounts. Craig Sprosts, a senior product manager at IronPort, notes that the percentage of spam coming from government accounts is minor—1% to 2% of the overall problem—compared to what is originating from ISPs and other compromised networks.