By Mark Ward Technology Correspondent, BBC News website

How the trap was sprung

If every hour a burglar turned up at your house and rattled the locks on the doors and windows to see if he could get in, you might consider moving to a safer neighbourhood.

And while that may not be happening to your home, it probably is happening to any PC you connect to the net.

An investigation by the BBC News website has established the scale of the dangers facing the average net user.

Using a computer acting as a so-called "honeypot" the BBC has been regularly logging how many potential net-borne attacks hit the average Windows PC every day.

Attack traffic

Honeypots are forensic tools that have become indispensable to computer security experts monitoring online crime. They are used to gather statistics about popular attacks, to grab copies of malicious programs that carry out the attacks and to get a detailed understanding of how these attacks work.

HI-TECH CRIME PLANS The BBC News website is running a series of features throughout the week Tuesday: What did we catch in our honeypot? Wednesday: Anatomy of a spam e-mail and hackers face to face Thursday: How to spot a phishing scam

To the malicious programs scouring the web these honeypots look like any other PC. But in the background the machines use a variety of forensic tools to log what happens to them.

Perhaps one indicator of how useful these tools have become is seen in the fact that the most sophisticated attackers make their malicious programs able to recognise when they have trespassed on a honeypot.

The BBC honeypot was a standard PC running Windows XP Pro that was made as secure as possible. This ran a software program called VMWare which allows it to host another "virtual" PC inside the host. Via VMWare we installed an unprotected version of Windows XP Home configured like any domestic PC.

VMWare is useful as it makes it easy to pause the "virtual" PC or roll it back to an earlier configuration. This proved essential when recovering from an infection.

SEVEN HOURS OF ATTACKS 36 warnings that pop-up via Windows Messenger 11 separate visits by Blaster worm 3 separate attacks by Slammer worm 1 attack aimed at Microsoft IIS Server 2-3 "port scans" seeking weak spots in Windows software Glossary of hi-tech crime Net safety campaign re-launches Tips to stay safe online

This guest machine, once armed with some forensic software, became the honeypot.

When we put this machine online it was, on average, hit by a potential security assault every 15 minutes. None of these attacks were solicited, merely putting the machine online was enough to attract them. The fastest an attack struck was mere seconds and it was never longer than 15 minutes before the honeypot logged an attempt to subvert it.

The majority of these incidents were merely nuisances. Many were announcements for fake security products that use vulnerabilities in Windows Messenger to make their messages pop-up. Others were made to look like security warnings to trick people into downloading the bogus file.

Serious trouble

However, at least once an hour, on average, the BBC honeypot was hit by an attack that could leave an unprotected machine unusable or turn it into a platform for attacking other PCs.

HAVE YOUR SAY Just like I lock my doors and windows on my house, my PC has appropriate protection Arthur, Newbury Send us your comments

Many of these attacks were by worms such as SQL.Slammer and MS.Blaster both of which first appeared in 2003. The bugs swamp net connections as they search for fresh victims and make host machines unstable.

They have not been wiped out because they scan the net so thoroughly that they can always find another vulnerable machine to leap to and use as a host while they search for new places to visit.

Their impact is limited now because Windows is now sold with its firewall turned on and the patch against them installed. Recently Microsoft said it was cleaning up hundreds of PCs hit by these machines every day.

Many of these worms were launched from different PCs on the network of a French home net service firm but others were from machines as far away as China.

There were also many attempts to probe the BBC honeypot to see how vulnerable it was. Hijacked machines in Brazil as well as at the Indiana offices of a public accounting and consulting firm carried out "port scans" on the BBC honeypot to see if it could get a response that would reveal how vulnerable it was.

Via the honeypot we could see these machines sending test data in sequence to the ports, or virtual doors to the net, that the PC had open.

Windows is the favourite target of malicious and criminal hackers

More rarely, once a day on average, came net attacks that tried to subvert the honeypot to put it under the control of a malicious hacker.

Again these attacks came from all over the world - many clearly from hijacked machines. The BBC honeypot was attacked by a PC at a Chinese aid organisation, a server in Taiwan and many machines in Latin America.

Via the forensic tools installed on the honeypot we could see the booby-trapped data packets these bugs were trying to make our target machine digest.

By using carefully crafted packets of data, attackers hope to make the PC run commands that hand control of it to someone else.

Via this route many malicious hackers recruit machines for use in what is known as a botnet. This is simply a large number of hijacked machines under the remote control of a malicious hacker.

Botnets are popular with hi-tech criminals because they can be put to so many different uses. The slaves or bots in a botnet can be used to send out spam or phishing e-mails.

They can become the seeding network for a new virus outbreak or act as a distributed data storage system for all kinds of illegal data. Spammers, phishing gangs and others often rent a botnet to use for their own ends.

Often once a machine has fallen under someone else's control, a keylogger will be installed to capture information about everything that the real owner does - such as login to their online bank account.

This stolen information is often sold as few of those that steal it have the criminal connections to launder stolen cash.