By: George Spohr
Talk about a dubious honor.
In its most recent "Security Update" report, Symantec - a provider of
anti-virus software - lists Princeton as the hemisphere's most
"adbot"-ridden city. The company said it traced 17 percent of adbot
attacks in the Americas to computers in the Princetons.
That number is so high, it makes the second- and third-place cities in
North and South America - New York and Sao Paulo, Brazil - look like
also-rans. Both cities played host to 3 percent of adbot attacks in
the Americas, Symantec said.
When all continents are taken into consideration, Princeton is the
second-most adbot-ridden city, with 7 percent of all adbot attacks
being traced here. Cambridge, in the United Kingdom, topped the list
at 8 percent. New York was in 12th place, credited with just 1 percent
of the world's attacks.
Adbots, short for "advertisement-driven robots," are programs that are
covertly installed on your computer, allowing hackers to remotely
control it for a wide variety of malicious purposes, said Brian
Watkins, a Symantec spokesman. The end result sometimes is referred to
as a "payload."
Attackers often command large groups of bot-controlled systems known
as bot networks, Mr. Watkins explained. Those networks, which often
are available for rent by Internet thieves, can be used to conduct
coordinated attacks. College networks are particularly vulnerable.
"As Princeton University is located there, Symantec believes that this
may be related to the beginning of a new school year," the company
said in explaining Princeton's rank.
But that explanation - indeed, the very findings themselves - are
baffling, said Anthony Scaturro, Princeton University's IT security
"The report stated that the city of Princeton has the second-largest
bot population - 7 percent of the world's bots, to be exact," Mr.
Scaturro said. "All of New York City, with its 8 million-plus
population, paled at a mere 1 percent. Clearly, with results such as
these, the credibility of the Symantec report is questionable."
The report's methodology also leaves much to be desired, he said.
Symantec traces the origin of adbots by examining the bits of
identifying data that attach themselves to whatever kind of file the
bots produce - an e-mail message, a Web page or malicious piece of
software. When you receive an e-mail, for example, a quick check of
the message's "header" can tell you the general area from which the
e-mail was sent.
"In today's modern attacks, the source of many attacks is forged,"
Mr. Scaturro explained. "So if the hacker programmed in the address of
a Princeton computer in the bot program, when it spreads to a million
computers and they start sending out their payload, it will appear
that all of the attacking computers are from Princeton, even though 50
are in Tokyo, 100 are in Los Angeles, three are in Vermont, et
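The attribution problem Mr. Scaturro describes can be shown on an e-mail's own "Received" headers. The added example below (not code from the article, Symantec, or Princeton) walks those headers from the top, trusts only the lines written by relays we operate, and separates the peer our own server actually saw from the origin that earlier hops merely claim; the hostnames, the trusted-relay set and the message are constructed for illustration.

```python
"""Split what our own mail relays observed from what earlier hops claimed.
Constructed example; hostnames and addresses are placeholders."""
import email
import re

# Relays we operate; only the Received lines they wrote are trusted (assumption).
TRUSTED_RELAYS = {"mx.example.org"}

# Constructed message: our MX really talked to 192.0.2.9. The bottom Received
# line, naming a Princeton-looking host, was written by the sender itself.
SAMPLE_MESSAGE = (
    "Received: from bot-host.example ([192.0.2.9])\n"
    "\tby mx.example.org with ESMTP id 1; Mon, 1 Jan 2007 10:00:00 +0000\n"
    "Received: from pc.princeton.example ([198.51.100.5])\n"
    "\tby bot-host.example with SMTP; Mon, 1 Jan 2007 09:59:00 +0000\n"
    "From: user@example.com\nSubject: constructed sample\n\nbody\n"
)


def parse_received(raw):
    """Return one dict per Received header, top of the message first."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())            # unfold continuation lines
        from_part, _, by_part = text.partition(" by ")
        m_from = re.match(r"from\s+(\S+)", from_part)
        m_ip = re.search(r"\[([0-9a-fA-F.:]+)\]", from_part)
        hops.append({
            "from": m_from.group(1) if m_from else None,
            "ip": m_ip.group(1) if m_ip else None,
            "by": by_part.split()[0].rstrip(";") if by_part else None,
        })
    return hops


def attribute_origin(raw, trusted=TRUSTED_RELAYS):
    """Return (observed, claimed).

    observed: (host, ip) of the peer the last trusted relay connected to,
              i.e. the only origin data we can vouch for (None if no trusted hop).
    claimed:  'from' hosts of every hop below that; nothing we control confirms
              them, so they are as forgeable as the address in a bot's payload.
    """
    hops = parse_received(raw)
    n = 0
    while n < len(hops) and hops[n]["by"] in trusted:   # walk down while ours
        n += 1
    observed = (hops[n - 1]["from"], hops[n - 1]["ip"]) if n else None
    claimed = [h["from"] for h in hops[n:]]
    return observed, claimed
```

Run against the sample, the verifiable origin is the bot host's address, while the Princeton hostname is only an unconfirmed claim; a geographic tally built on the claimed hop would count it as Princeton.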
That Symantec, which - perhaps ironically - is the provider of
computer security software for all Princeton University faculty, staff
and student computers, would publish this report without mentioning
its questionable methodology is surprising, Mr. Scaturro said.
Mr. Scaturro said the university has taken a multi-pronged approach to
protecting those computers from worms, viruses and adbots by:
* Being an early adopter of technology that examines the network
traffic going to and from the Internet on the campus. "Any piece of
network traffic that appears to carry a destructive virus or worm is
blocked - both coming into the campus and going out to the
Internet," Mr. Scaturro said.
* Using firewall technology to protect critical devices.
* Constantly monitoring for the latest security-related updates from
* Communicating with the campus about the importance of using strong
passwords and installing anti-virus and anti-spyware software.
"I am very proud of the technical staff that we have at Princeton
University and have personally never worked with a team that has been
more security aware," Mr. Scaturro said. "Their efforts in setting up
and maintaining our systems in a secure manner and ensuring that any
offending computer is removed from the network as soon as it is
detected are the primary reason that we do not see a lot of attack
traffic exiting our network."