Page last updated at 23:34 GMT, Tuesday, 21 April 2009 00:34 UK

Botnet 'ensnares government PCs'

By Darren Waters
Technology editor, BBC News website

Escape key
PCs inside a botnet can be forced to carry out instructions

Almost two million PCs globally, including machines inside UK and US government departments, have been taken over by malicious hackers.

Security experts Finjan traced the giant network of remotely-controlled PCs, called a botnet, back to a gang of cyber criminals in Ukraine.

Several PCs inside six UK government bodies were compromised by the botnet.

Finjan has contacted the Metropolitan Police with details of the government PCs and it is now investigating.

A spokesman for the Cabinet Office, which is charged with setting standards for the use of information technology across government, said it would not comment on specific attacks "for security reasons".

When we look at a similar network last year they were in the hundreds of thousands. Now were looking at mega-size botnets.
Yuval Ben-Itzhak, chief technology officer for Finjan

"It is Government policy neither to confirm nor deny if an individual organisation has been the subject of an attack nor to speculate on the origins or success of such attacks."

He added: "We constantly monitor new and existing risks and work to minimise their impact by alerting departments and giving them advice and guidance on dealing with the threat."

It is the second time in a year that PCs inside government departments have been hacked to form part of a botnet.

On this occasion, the machines were infected with software which allowed them to be taken over and enslaved in the botnet due to vulnerabilities in web browsers.

At the mercy

Once a machine has been compromised, it can be instructed to download further software, which puts the machine at the mercy of malicious hackers.

Use anti-spyware and anti-virus programs
On at least a weekly basis update anti-virus and spyware products
Install a firewall and make sure it is switched on
Make sure updates to your operating system are installed
Take time to educate yourself and family about the risks
Monitor your computer and stay alert to threats

The compromised PCs are capable of reading e-mail addresses, copying files, recording keystrokes, sending spam and capturing screen shots.

Once a single machine inside a corporate network has been made part of the botnet it puts other machines on the network at risk.

The Cabinet Office would not give details of what the compromised machines had been instructed to do, nor the names of the different government departments that had been infiltrated.

The cyber criminals, who have not been caught, were selling access to the compromised machines, thought to be mainly PCs inside companies, on a hackers' forum in Russia.

One thousand machines were being sold at a time for between $50 and $100.

Finjan reports that the botnet is under the control of six criminals who are able to remotely control the infected machines.

Different organisations

Almost half of the infected machines were in the US. Six percent of the botnet, about 114,000 machines from 52 different organisations, were from the UK, among them a single PC inside the BBC's network.

Many of the infected machines will have been caught by routine information security policies at firms, as it was in the case of the BBC, but Finjan says many of the botnet PCs are still active.

We are aware of this botnet and are taking appropriate action
Metropolitan Police spokeswoman

More than 70 different national government agencies from around the world were caught up in the malicious network.

Yuval Ben-Itzhak, chief technology officer for Finjan, told BBC News: "When we looked at the network domain names to see where the [compromised PCs] come from we were surprised to see many government networks, including UK government computers.

"Obviously we reported it and they have now dealt with it. There were six UK agencies with at least one computer in each department that was running the bot.

"I'm not at liberty to name the actual agencies - but this isn't a unique story to the UK, they were running in many other non-UK, government bodies too."

Government bodies

A number of different government bodies are responsible for IT security and deployment across the UK.

They include the Central Sponsor for Information Assurance, the National Technical Authority for Information Assurance, and the Centre for the Protection of National Infrastructure (CPNI), the government body which is part of the British Security Service and responsible for providing security advice to organisations that make up critical services in the UK.

All of the infected machines were Windows-based PCs and the vulnerability was targeting security holes in Internet Explorer and Firefox.

Mr Ben-Itzhak said: "What is unique is the number, the size of the network. When we looked at a similar network last year they were in the hundreds of thousands. Now we're looking at mega-size botnets."

In contact

A spokeswoman for the Metropolitan Police said: "This is an ongoing investigation. We are aware of this botnet and are taking appropriate action."

Large botnets can be used to co-ordinate attacks to knock parts of the network, or specific websites, offline, called a Distributed Denial of Service attack.

Last year, the CPNI told a Cabinet Office-commissioned independent review that stopping such attacks was difficult.

It said: "The attacks are relatively low in sophistication, but have been highly effective due to the large number of compromised machines involved.

"It is difficult to defend against a sophisticated Distributed Denial of Service attack without impacting legitimate business use."

The CPNI recommended that the best defence against these attacks was appropriate monitoring of the network.

Additional reporting by Daniel Emery.

Botnet graphic

Print Sponsor

Click Essentials: PC Protection
13 Mar 09 |  Click
BBC team exposes cyber crime risk
12 Mar 09 |  Click
Spam overwhelms e-mail messages
08 Apr 09 |  Technology
Jail sentence for botnet creator
12 Jun 08 |  Technology
The battle against the botnet hordes
21 Feb 08 |  Technology
Hi-tech crime: A glossary
05 Oct 06 |  UK
Caught in the net
05 Oct 06 |  Technology
Tips to help you stay safe online
07 Oct 06 |  Technology

The BBC is not responsible for the content of external internet sites

Has China's housing bubble burst?
How the world's oldest clove tree defied an empire
Why Royal Ballet principal Sergei Polunin quit


Americas Africa Europe Middle East South Asia Asia Pacific