Botnets use Windows for wicked work

Honeynet Project research finds that Microsoft's OS is the preferred vehicle for zombie armies.

May 1, 2006 1:07 p.m. PT

2 min read

Despite Microsoft's renewed focus on security, recent research shows that computers running Windows XP and 2000 form the bulk of botnets.

The study, carried out by the German Honeynet Project, found that more than 80 percent of Web traffic from the networks of compromised computers used four ports designated for resource-sharing by various versions of Windows. The research also indicated that the vulnerabilities behind some of the exploits used to take over a PC can be found by searching for information on Microsoft's security bulletins.

"Clearly most of the activity on the ports...is caused by systems with Windows XP (often running Service Pack 1), followed by systems with Windows 2000. Far behind, systems running Windows 2003 or Windows 95/98 follow," Honeynet Project researchers wrote in the report.

Microsoft responded by reiterating its commitment to secure engineering platforms in the face of botnet attacks, which it said were often carried out for illegal ends.

"Creating malicious IT and data threats is a criminal offense that affects everybody. This type of criminal activity is usually driven by financial motive, and criminals often target the Microsoft platform and its applications because of its large installed base," the company said in an e-mailed statement. "This is however a serious cross-industry issue, where no organization is immune from the threat."

The most exploited Windows ports found in the research were: port 445/TCP (used for file sharing); port 139/TCP (used to connect to file shares); port 137/UDP (used to find information on other computers); and 135/TCP (used to execute code remotely).

Botnets are commonly used for denial-of-service attacks, where a target computer is overloaded with data and fails. They are also used for spamming, spreading malicious software, manipulating online polls and mass identity theft.

From the beginning of November 2004 until the end of January 2005, researchers saw 226 denial-of-service attacks against 99 unique targets. They looked at 100 botnets in the four-month period and saw 226,585 unique IP addresses involved with at least one of the botnets monitored.

Dan Ilett of ZDNet UK reported from London.