Standard online safety precautions aren't saving society from increasingly sophisticated networks of infected computers under the control of criminal hackers also known as zombies, a fact which is forcing internet bodies to stronger action.
"If you had to identify the biggest single issue confronting the security and safety and the confidence of the internet these days, particularly in the commercial space, you could only point to zombie botnets as the major concern," Peter Coroneos, chief executive of the Internet Industry Association (IIA), told ZDNet.com.au.
"It's real, and people are worried and should be worried about this," he said.
The Storm botnet, first detected in 2007, peaked at somewhere between 160,000 and 1 million computers. In March 2008 it was believed to be responsible for more than 20 per cent of spam email globally. Botnets such as Srizbi and Kraken have comprised almost half a million computers. Srizbi was estimated to be able to send 60 billion spam emails a day.
But nothing matches Conficker.
First detected in November 2008, Conficker is by far the largest botnet ever seen. During 2009, the Conficker worm was infecting 18 million new computers per month, some 30 per cent of total global infections. At any one time, the botnet comprised between 7 and 10 million machines.
Conficker uses an unusually large number of advanced malware techniques combined with social engineering tricks to infect its hosts. So even though Microsoft issued a patch in October 2008 to fix the key vulnerability Conficker exploits, the worm continues to spread.
"The alarming thing about the whole zombie botnet phenomenon, and more generally just the modus operandi of the malware perpetrators, is that they're becoming so sophisticated in what they're doing," Coroneos said.
"They are themselves investing tens of millions of dollars in research and development in ways to defeat the traditional tools and antivirus and anti-spam and anti-spyware software."
"That's very scary," he said, because the usual online safety messages about behaviour change won't work in the face of these attacks.
Traditional methods failing
Users are told to keep antivirus software up-to-date. But that won't protect them when, as Verizon Business forensics chief Mark Goudie told ZDNet.com.au, 70 per cent of the malware they discover on compromised corporate systems can't be detected by antivirus software.
They're told to visit only "trustworthy" websites. But that won't protect them when, as AusCERT general manager Graham Ingram told Crikey last August, "One of the top 20 traffic sites in this country was infected with malware over about a six-week period." Or when, as happened in 2007, the Sydney Opera House website was serving out malware.
They're told to check for the padlock icon in the web browser, to confirm that SSL encryption is connecting them securely to the right website. But that won't protect them when one particularly clever piece of malware can inject extra HTML code into specific internet banking web pages, adding extra data entry fields to the bank's online forms. That additional data is transmitted straight back to the criminals, but the browser's padlock icon is still showing things to be safe.
They're told not to run unknown software. But that won't protect them when, as in the case of Conficker, the worm wears a clever disguise.