Botnet criminals have taken control of almost 12 million new IP addresses since January, according to a quarterly report (.pdf) from anti-virus firm, McAfee. The United States has the largest number of botnet-controlled machines, with 18 percent of them based here.

The number of zombie machines represents a 50-percent rise over last year.

Researchers attribute the explosion to botnet controllers trying to recoup spamming abilities after authorities took down a hosting facility last year that catered to international firms and syndicates involved in spamming and botnet control.

Researchers estimated that spam levels dropped about 60 percent after the hosting facility was closed. Last year at this time, an average of 153 billion spam messages were sent per day, while numbers in March this year show that the rate was on average about 100 billion messages per day. But researchers say the spam numbers will return to normal as criminals re-build their networks of captured computers.

"The question is not whether spam will return to previous levels, but rather

when it will return," the report says. "There is data regarding new zombie and botnet creation that suggest the time may not be too far in the future."

In terms of the numbers of zombie machines by country, China came in second after the United States, with about 13 percent. After this, the numbers dropped precipitously to 6 percent in Australia, 5.3 percent in Germany and 4.7 percent in the United Kingdom. Russia, where many cyber criminal syndicates are based, accounted for only 2.5 percent of the compromised computers.

But botnets aren't only used for spam. A separate report was issued this week (.pdf) by researchers at the University of California at Santa Barbara who spent 10 days in control of the so-called Torpig botnet and observed 70 gigabytes of data being stolen from computers remotely-controlled by the botnet, including financial data. The harvested data included 1.2 million Windows passwords and 1.2 million e-mail items, such as e-mail addresses and log-in credentials.

“In ten days, Torpig obtained the credentials of 8,310 accounts at 410 different [financial] institutions," the researchers write. "The top targeted institutions were PayPal (1,770 accounts), Poste Italiane (765), Capital One (314), E*Trade (304), and Chase (217).”

Torpig's malware attacks e-mail clients and other applications to record every keystroke entered by a victim, including passwords before they're encrypted. The purloined data is uploaded every 20 minutes in bundles sent to the botnet's controllers.

The botnet is controlled by the Mebroot rootkit, which "takes control of a machine by replacing the system’s Master Boot Record (MBR)," the researchers write. "This allows Mebroot to be executed at boot time, before the operating system is loaded, and to remain undetected by most anti-virus tools."

Photo: Jonathan

Pobre/Flickr