Inside Symantec's nuclear bunker

...with other anti-malware vendors to speed up the process of issuing patches. "We encourage responsible sharing of information. I helped create the NIAC , [a US body] which encourages responsible disclosure of vulnerabilities, so people can come up with a solution or patch," adds Wong.

The threat of botnets
Given its role as one of the leading IT security vendors, Symantec is well positioned to identify future threats. Some of the biggest offenders on the radar at the moment are botnets. These are extensive networks of compromised computers controlled by hackers. The botnets are usually used to launch distributed denial of service attacks — effectively flooding Web servers or mail boxes with traffic until they fall over.

The growth of botnets is a major problem, according to Symantec. There has been a 100 percent increase in botnets year on year in the UK since 2004. Moreover, Symantec believes that the UK currently contains the highest number of botnets in the world. "Just over a third of the botnets we've seen are in the UK," says Wong, quoting figures from Symantec's Internet Security Report VIII, published in September 2005. This is higher than the US, which has traditionally had more botnets.

The high incidence of botnets in the UK is probably to do with the recent explosion in broadband usage and the fact that most UK home users wouldn't know if their computer was compromised. "Maybe there's a slightly lower awareness level in Britain of botnets," he says. "The IP addresses could come from legitimate machines that have been compromised by hackers. Maybe the machines don't have patches, or are not running up-to-date anti-malware products. Plus, if you have 10,000 machines in a botnet it's difficult to track back to each IP address," says Wong.

Taking control
On average, it takes eight minutes for a new machine to be compromised when hooked up to the Web for the first time, according to Symantec tests on a Windows box not running XP Service Pack 2 or antivirus software.

There is a particular danger for businesses using the same network as a compromised machine, as once one box has been infected behind the firewall, hackers can use the machine to infect others. "If attackers manage to infect a machine within an organisation, they can profile additional machines within that subnet. Executable code can be injected onto other machines to profile the users," says Symantec's Ogden.

Symantec does not tell those people with compromised IP addresses that their computers are being controlled by hackers, due to the sheer scale of the problem. "A botnet can consist of thousands of machines, and we just don't have the time to contact everyone. Our first priority is our customers," says Ogden.

However, when it comes to serious incidents, Symantec does support the police. But the company is keen to point out that it doesn't supply any direct customer information. "The information we supply to our customers belongs to them, and it's up to them to provide information to law enforcement agencies regarding any suspect activity. When companies are targeted, it's the customer who initiates giving information about the offending individuals," says Ogden.

It also supports the police in its efforts to counter botnets. "In the UK the National Hi-Tech Crime Unit has been proactive in trying to close down botnet activity. We welcome any initiative which closes down botnets," says Ogden. "We have had some contact with the authorities in the past and it works quite successfully."

If a company is the subject of an attack, Symantec recommends it goes to the police, if it is aware of the attack. "The focus of managed security services is to protect the customer. In the extortion cases last year, for example, data was fed back to the authorities by those organisations. In such a circumstance we can recommend that the companies contact the relevant authorities," says Ogden.

But Symantec will only go so far with chasing potential criminals. If an attack has been unsuccessful, they are unlikely to be hunted down, says Ogden. "If we have controlled and closed down a particular threat to a customer, there's not a great deal of benefit in tracking down the individuals who mounted the attack."