Finjan discovered the large-scale network of malware-infected computers in February as part of its research into the command-and-control servers operated by cybercriminals, said Ophir Shalitin, director of marketing at the San Jose, California-based security vendor. The command-and-control server for the botnet is hosted in the Ukraine and operated by six cybercriminals, he said.
The botnet, which continues to grow, has infected computers from 77 government domains, including 61 from the U.S., and large corporations, along with large U.S. banks, Shalitin said. Finjan notified law enforcement officials about the compromised systems as well as affected companies and government agencies.
Finjan researchers said the botnet's command-and-control server has a backend management application that makes it easy for attackers to manage the infected machines and order the bots to download additional malware. The malware allows attackers to remotely read emails, copy files, record keystrokes, launch spam attacks and take screen shots.
"They could do almost anything with the infected computer," Shalitin said.
Compromised websites, many of them legitimate, were the source of the malware, he said. Of the computers infected, 45% were from the U.S., according to Finjan.
Web-based attacks were the primary source of malware infections in 2008, according to Symantec's Internet Security Threat Report XIV released earlier this month. Most of these attacks are launched against users who visit legitimate websites rigged with malware, the Cupertino, Calif.-based security vendor said.
Last year, 63% of vulnerabilities documented by Symantec affected Web applications. That's up from 59% in 2007.
Shalitin said there are several steps organizations can take to protect themselves, including installing a secure Web gateway (which Finjan sells), and making sure Web vulnerabilities are patched. Researchers tested one of the botnet's Trojans against 39 antivirus products and found that only four detected it, he said.