By Darren Waters
Technology editor, BBC News website
PCs inside a botnet can be forced to carry out instructions
Almost two million PCs globally, including machines inside UK and US government departments, have been taken over by malicious hackers.
Security experts Finjan traced the giant network of remotely-controlled PCs, called a botnet, back to a gang of cyber criminals in Ukraine.
Several PCs inside six UK government bodies were compromised by the botnet.
Finjan has contacted the Metropolitan Police with details of the government PCs and it is now investigating.
A spokesman for the Cabinet Office, which is charged with setting standards for the use of information technology across government, said it would not comment on specific attacks "for security reasons".
"It is Government policy neither to confirm nor deny if an individual organisation has been the subject of an attack nor to speculate on the origins or success of such attacks."
He added: "We constantly monitor new and existing risks and work to minimise their impact by alerting departments and giving them advice and guidance on dealing with the threat."
It is the second time in a year that PCs inside government departments have been hacked to form part of a botnet.
On this occasion, the machines were infected with software which allowed them to be taken over and enslaved in the botnet due to vulnerabilities in web browsers.
At the mercy
Once a machine has been compromised, it can be instructed to download further software, which puts the machine at the mercy of malicious hackers.
STAYING SAFE ONLINE
Use anti-spyware and anti-virus programs
On at least a weekly basis update anti-virus and spyware products
Install a firewall and make sure it is switched on
Make sure updates to your operating system are installed
Take time to educate yourself and family about the risks
Monitor your computer and stay alert to threats
The compromised PCs are capable of reading e-mail addresses, copying files, recording keystrokes, sending spam and capturing screen shots.
Once a single machine inside a corporate network has been made part of the botnet it puts other machines on the network at risk.
The Cabinet Office would not give details of what the compromised machines had been instructed to do, nor the names of the different government departments that had been infiltrated.
The cyber criminals, who have not been caught, were selling access to the compromised machines, thought to be mainly PCs inside companies, on a hackers' forum in Russia.
One thousand machines were being sold at a time for between $50 and $100.
Finjan reports that the botnet is under the control of six criminals who are able to remotely control the infected machines.
Almost half of the infected machines were in the US. Six percent of the botnet, about 114,000 machines from 52 different organisations, were from the UK, among them a single PC inside the BBC's network.
Many of the infected machines will have been caught by routine information security policies at firms, as it was in the case of the BBC, but Finjan says many of the botnet PCs are still active.
More than 70 different national government agencies from around the world were caught up in the malicious network.
Yuval Ben-Itzhak, chief technology officer for Finjan, told BBC News: "When we looked at the network domain names to see where the [compromised PCs] come from we were surprised to see many government networks, including UK government computers.
"Obviously we reported it and they have now dealt with it. There were six UK agencies with at least one computer in each department that was running the bot.
"I'm not at liberty to name the actual agencies - but this isn't a unique story to the UK, they were running in many other non-UK, government bodies too."
A number of different government bodies are responsible for IT security and deployment across the UK.
They include the Central Sponsor for Information Assurance, the National Technical Authority for Information Assurance, and the Centre for the Protection of National Infrastructure (CPNI), the government body which is part of the British Security Service and responsible for providing security advice to organisations that make up critical services in the UK.
All of the infected machines were Windows-based PCs and the vulnerability was targeting security holes in Internet Explorer and Firefox.
Mr Ben-Itzhak said: "What is unique is the number, the size of the network. When we looked at a similar network last year they were in the hundreds of thousands. Now we're looking at mega-size botnets."
A spokeswoman for the Metropolitan Police said: "This is an ongoing investigation. We are aware of this botnet and are taking appropriate action."
Large botnets can be used to co-ordinate attacks to knock parts of the network, or specific websites, offline, called a Distributed Denial of Service attack.
Last year, the CPNI told a Cabinet Office-commissioned independent review that stopping such attacks was difficult.
It said: "The attacks are relatively low in sophistication, but have been highly effective due to the large number of compromised machines involved.
"It is difficult to defend against a sophisticated Distributed Denial of Service attack without impacting legitimate business use."
The CPNI recommended that the best defence against these attacks was appropriate monitoring of the network.
Additional reporting by Daniel Emery.