Botnets infect fewer computers in China

However, China remains a top botnet host and source of spam

The number of botnets and of computers controlled by them in China has fallen in recent years, though the country remains a top host for the networks of compromised computers, according to the government and independent researchers.

Over 1.2 million computers in China were newly infected with software that enabled their control by a botnet last year, about one-third the figure for the previous year, according to a report published late last month by China's National Computer Network Emergency Response Technical Team (CNCERT).

[ Learn how to secure your systems with Roger Grimes' Security Adviser blog and newsletter, both from InfoWorld. ]

That followed an equally steep fall from 2006, when the team estimated there were 10 million new infections in China.

The number of Chinese PCs in botnets has fluctuated in recent quarters but generally fallen, said Prabhat Singh, McAfee's senior director of Avert operations in the Asia Pacific. New infections remained steady between the first and second quarters at around 1.6 million, he said.

Botnets, or groups of computers controlled by an attacker, are often used to send mass spam e-mail messages and malware. They can also be used to launch distributed denial of service (DDoS) attacks, in which the PCs are all ordered to connect to a target server at once, overwhelming it with information requests and effectively shutting it down.

New bot infections have dropped in China partly because free anti-virus tools have appeared online, expanding their use by cost-sensitive Chinese PC users, said Zhao Wei, CEO of KnownSec, a Beijing security company.Protection for other PCs has come from Chinese companies offering anti-virus support for users of pirated Windows systems, Zhao said. A large portion of Chinese consumers and businesses run pirated copies of Windows XP, which can be easily bought at electronics markets across China.

Some Chinese companies are sending those users Microsoft's updates without including the Windows Genuine Advantage program, which blocks access to certain updates if a user's operating system does not validate, Zhao said.

China may still have more botnets than statistics show. The growing number of botnets controlled through Web servers, rather than through IRC (Internet Relay Chat) servers, may not be fully included in some counts, said Zhao.

Zhao's company last year found one Chinese server controlling a botnet of 4 million PCs, which could have included machines both in China and abroad, Zhao said. The botnet disappeared when Zhao's staff started tracking it, he said.

Botnets are usually much smaller, said Vu Nguyen, a McAfee Avert Labs researcher. Attackers usually keep them below 2,500 machines to avoid drawing attention by directing massive traffic, he said.

Chinese attackers sometimes rent their botnets out to customers, Nguyen said. Others advertise botnet setup services online for as little as 250 yuan (US$37), said McAfee's Singh.

CNCERT also found a drop in the number of servers controlling botnets in China. The number was 1,825 last year, sharply down from 6,660 the year before, according to the CNCERT report.

China ranks among the world's top spam generators and is home to some companies offering "bulletproof" hosting, in which domains are not closed down for activities like sending spam.