Botnets use Windows for wicked work

Botnet researchers have found that Microsoft Windows is the preferred vehicle for zombie armies

Despite Microsoft's renewed focus on security, latest research shows that computers running Microsoft Windows XP and 2000 form the bulk of networks of compromised computers, commonly called botnets.

The study carried out by the German Honeynet Project found more than 80 percent of Web traffic from botnets used four ports designated for resource sharing by various versions of Windows. The research also found that the vulnerabilities behind some of the exploits used to take over a PC can be found by searching for information on Microsoft's security bulletins.

The report stated: "Clearly most of the activity on the ports... is caused by systems with Windows XP (often running Service Pack 1), followed by systems with Windows 2000. Far behind, systems running Windows 2003 or Windows 95/98 follow."

Microsoft responded with an emailed press statement that said: "Creating malicious IT and data threats is a criminal offence that affects everybody. This type of criminal activity is usually driven by financial motive, and criminals often target the Microsoft platform and its applications because of its large installed base. This is however a serious cross-industry issue where no organisation is immune from the threat. Security is a top priority for Microsoft and it is committed to engineering platforms that are more secure and trusted "

The most exploited Windows ports found in the research were: port 445/TCP (used for file sharing); port 139/TCP (used to connect to file shares); port 137/UDP (used to find information on other computers); and 135/TCP (used to execute code remotely).

Botnets are commonly used for denial-of-service (DoS) attacks, where a target computer is overloaded with data and falls over. They are also used for spamming, spreading malware, manipulating online polls and mass identity theft.

From the beginning of November 2004 until the end of January 2005, researchers saw 226 DoS-attacks against 99 unique targets. They looked at 100 botnets in the four-month period and saw 226,585 unique IP addresses involved with at least one of the botnets monitored.