According to Rick Wesson, “we are losing this war badly.” He is not speaking of the war against insurgents in Iraq but the war against malicious programs that secretly install themselves on millions of home and business computers and then do all sorts of nasty things, such as steal data and generate spam. These programs are more than a nuisance. They are a very real threat to the integrity of the Internet and the considerable (and still growing) commerce and communication that occurs thereon. If this threat continues unabated, conventional terrorism may eventually seem as quaint as toilet-papering someone’s house.
From the New York Times:
Attack of the Zombie Computers Is Growing Threat
In their persistent quest to breach the Internet’s defenses, the bad guys are honing their weapons and increasing their firepower.
With growing sophistication, they are taking advantage of programs that secretly install themselves on thousands or even millions of personal computers, band these computers together into an unwitting army of zombies, and use the collective power of the dragooned network to commit Internet crimes.
These systems, called botnets, are being blamed for the huge spike in spam that bedeviled the Internet in recent months, as well as fraud and data theft.
Security researchers have been concerned about botnets for some time because they automate and amplify the effects of viruses and other malicious programs.
What is new is the vastly escalating scale of the problem — and the precision with which some of the programs can scan computers for specific information, like corporate and personal data, to drain money from online bank accounts and stock brokerages.
“It’s the perfect crime, both low-risk and high-profit,” said Gadi Evron, a computer security researcher for an Israeli-based firm, Beyond Security, who coordinates an international volunteer effort to fight botnets. “The war to make the Internet safe was lost long ago, and we need to figure out what to do now.”
Last spring, a program was discovered at a foreign coast guard agency that systematically searched for documents that had shipping schedules, then forwarded them to an e-mail address in China, according to David Rand, chief technology officer of Trend Micro, a Tokyo-based computer security firm. He declined to identify the agency because it is a customer.
Although there is a wide range of estimates of the overall infection rate, the scale and the power of the botnet programs have clearly become immense. David Dagon, a Georgia Institute of Technology researcher who is a co-founder of Damballa, a start-up company focusing on controlling botnets, said the consensus among scientists is that botnet programs are present on about 11 percent of the more than 650 million computers attached to the Internet.
Plagues of viruses and other malicious programs have periodically swept through the Internet since 1988, when there were only 60,000 computers online. Each time, computer security managers and users have cleaned up the damage and patched holes in systems.
In recent years, however, such attacks have increasingly become endemic, forcing increasingly stringent security responses. And the emergence of botnets has alarmed not just computer security experts, but also specialists who created the early Internet infrastructure.
“It represents a threat but it’s one that is hard to explain,” said David J. Farber, a Carnegie Mellon computer scientist who was an Internet pioneer. “It’s an insidious threat, and what worries me is that the scope of the problem is still not clear to most people.” Referring to Windows computers, he added, “The popular machines are so easy to penetrate, and that’s scary.” [full text]
Scary, indeed. Fortunately, as the companion article suggests, “using a non-Windows-based PC may be one defense against these programs.” So ditch that mediocre PC, and get a Mac. You may never look back.