07 Feb 2007

Did your PC try to bring down the internet last night? asks Sophos

More action needed to stop computers becoming zombies, in wake of attack on the internet's heart

Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, have challenged internet users as to whether they unwittingly played a part in last night's major attack against key root servers which form the backbone of the internet.

Sophos experts suggest that users' computers are likely to have been taken over by hackers to create zombie networks or 'botnets', in order to bombard the internet's Domain Name System (DNS) servers with traffic. They note that while the computer owners may have been unaware that their PCs were compromised, had the attack been successful then all website access and email delivery would have been suspended globally.

"These zombie computers could have brought the web to its knees, and while the resilience of the root servers should be commended, more needs to be done to tackle the root of the problem - the lax attitude of some users towards IT security," said Graham Cluley, senior technology consultant at Sophos. "Society is almost totally reliant on the internet for day-to-day communication - it's ironic that the people who depend on the web may have been the ones whose computers were secretly trying to bring it down."

Root servers, which manage the internet's Domain Name System, help to convert website names such as to their numeric IP address - essentially acting as an address book for the internet. UltraDNS, which manages traffic for websites ending with the suffix .org and .info, confirmed that it had witnessed an unusual increase in traffic. In all, three of the 13 servers at the top of the DNS hierarchy are said to have felt the impact of the attack, although none are thought to have stopped working entirely.

"If the DNS servers were to fall over then pandemonium would ensue, emphasising the importance of properly defending all PCs from being taken over by hackers," continued Cluley. "A denial-of-service attack like this swamps web-connected servers with traffic from many computers around the globe. It's a bit like twenty hippos trying to get through a revolving door at the same time - there's no route through and everything clogs up. Fortunately the system is designed to be extremely resilient to these kinds of attacks, and the average man in the street won't have noticed any impact."

Some reports have suggested that much of the attack traffic may have come from computers based in South Korea. However, the motivation for the attack remains unclear.

"The hackers responsible for this attack may have been doing it through mindless malice rather than have had financial reward in mind," continued Cluley. "Whatever the motives of the people responsible for this assault, everyone needs to properly defend their PC from being taken over by hackers and used for criminal purposes."

According to reports, last night's incident was the most significant attack against the DNS backbone since October 2002.

Zombie computers - are your PCs under someone else's control?

Zombie computers can be used by criminal hackers to launch distributed denial-of-service attacks, spread spam messages or to steal confidential information.

As spammers become more aggressive, collaborating with virus writers to create armies of zombie computers, legitimate organizations with hijacked computers are being identified as a source of spam. This not only harms the company's reputation, but can also cause the business's email to be blocked by others.

Sophos ZombieAlert™ advises service subscribers when any computer on their network is found to have sent spam to Sophos's extensive global network of spam traps, and provides rapid notification to customers if their Internet Protocol (IP) addresses are listed in public Domain Name Server Block Lists (DNSBL). This information helps customers locate, disinfect, and protect these systems from future attacks.

Sophos recommends that computer users ensure their anti-virus software is up-to-date, and that companies protect themselves with a consolidated solution which can defend them from the threats of spam, spyware and viruses.

About Sophos

More than 100 million users in 150 countries rely on Sophos as the best protection against complex threats and data loss. Sophos is committed to providing complete security solutions that are simple to deploy, manage, and use and that deliver the industry's lowest total cost of ownership. Sophos offers award-winning encryption, endpoint security, web, email, mobile and network security solutions backed by SophosLabs - a global network of threat intelligence centers.

Sophos is headquartered in Boston, US and Oxford, UK. More information is available at