Microsoft: U.S. Home to Most Botnet PCs

Microsoft identified the most prevalent pieces of botnet malware on the Web - as well as the country many botnet-controlled computers call home.

Most botnet-infected computers reside in the United States, according to figures from Microsoft.

In Version 9 of its Security Intelligence Report, Microsoft reported finding 2.2 million computers in the United States under the control of botnets during the second quarter of the year. That figure represents roughly a third of all the bots Microsoft detected, and approximately four times more than Brazil, which had the second highest total at roughly 550,000.

The most prevalent pieces of botnet malware detected during the second quarter of the year were Rimecud, Alureon and Hamweq, all of which witnessed a decline. The fourth most prevalent however was Pushbot, and detections for that malware increased 24 percent compared with the first three months of the year. Pushbot (also known as Palevo by Symantec) is a family of malware that spreads via MSN Messenger, Yahoo Messenger and AIM.

"Botnets are the launch pad for much of today's criminal activity on the Internet," blogged Adrienne Hall, general manager of Microsoft Trustworthy Computing. "In many ways, they are the perfect base of operations for computer criminals. Botnets are a valuable asset for their owners-bot herders-who make money by hiring them out to other cyber criminals to use as a route to market for cybercrime attacks such as phishing attacks, spam attacks, identity theft, click fraud and the distribution of scam emails."

According to the report, a botnet known as Lethic was responsible for 56.7 percent of the botnet spam between March and June of 2010, using just 8.3 percent of known botnet IP addresses.

"Lethic is a closely controlled botnet that uses a custom binary protocol for C&C [command and control]," the report states. "A takedown of the Lethic C&C servers in January 2010 disrupted the attackers' ability to send spam, although they subsequently regained control of the botnet."

Spam, of course, is just one activity associated with botnets. Pushbot, for example, is a malware family based on a kit called Reptile, and is therefore not a single botnet. As a result, the malware has been associated with a variety of capabilities, including distributed denial-of-service attacks.

"Over the past several years, cybercriminals have focused their efforts on monetizing their malicious activities by victimizing computer users," said Elias Levy, senior technical director of Symantec Security Response. "Thus, they target countries that have a high personal net worth, advanced financial systems that allow the online transferring of funds and those with a lot of online shoppers. The U.S. fits that profile quite well."

Security researchers have increasingly turned to botnet takedowns as a way to fight back. Microsoft took the operators of Waledac to court, seeking to take control of 276 Waledac domains.

"Bot herders guard their botnets jealously and invest huge amounts of time, effort and money in them," Hall blogged. "They spread their bots by a central command to masses of computer users through malicious software and user deception. By keeping a low profile, bots are able to infiltrate computers and devices and can quietly operate in the background, often undetected for years."