While many network administrators worry about the next worm, security experts are warning that a quieter but equally damaging threat is slowly gaining control of large networks of computers Known as bot software.
The remote attack tools can seek out and place themselves on vulnerable computers,
then run silently in the background, letting an attacker send commands to the system while its owner works away, oblivious. The latest versions of the software created by the security underground let attackers control compromised computers through chat servers and peer-to-peer networks, command the software to attack other computers and steal information from infected systems.
Internet security watchers warn that the most common kind of bot software has been upgraded. A new variant incorporates publicly available code for breaching security through a vulnerability on almost every Windows system sold in the past five years.
Bot software has spread widely--just how quickly is difficult even for security experts to evaluate. Symantec puts the number of computers compromised in the hundreds of thousands. Other security experts have put the number in the millions. Moreover, with source code commonly available, bot software gets quickly updated to take advantage of the latest flaws.
Internet security watchers warned that the most common kind of bot software, Agobot, had been upgraded.
A new variant incorporates publicly available code for breaching a computer's security through a vulnerability in a security component installed on almost every Microsoft Windows system sold in the past five years.
That component is called the Local Security Authority Subsystem Service, or LSASS.
The LSASS version of the Agobot software uses a particular application data channel, or port, to attack vulnerable systems. On Thursday, Ullrich said traffic on that port had jumped in the previous 24 hours.
Security company Symantec, which, like the Internet Storm Center, monitors sensors around the Internet, also warned that the LSASS version of Agobot--or Gaobot, in Symantec's parlance--is spreading.
"The worry here is: How many hosts are out there infected with these things?" said Alfred Huger, senior director of Symantec security response.
Anxiety is understandable, given that Symantec and the Cooperative Association for Internet Data Analysis,
or CAIDA--two groups thought to have some of the best data on Internet attacks--both undercounted the extent of the MSBlast infection by an order of magnitude.
The groups' researchers had estimated that the MSBlast worm and its variants compromised half a million systems at most. Yet last month, Microsoft revealed that its Windows Update system had patched and then cleaned 8 million systems infected with the virus. On Wednesday, the software giant changed that number to
Symantec puts the number of computers compromised with bot software in the hundreds of thousands. Other security experts have put the number in the millions.