Watchdogs Battle Zombie Computer Networks as Attacks Double

By Molly Peterson

Oct. 16 (Bloomberg) -- The number of zombies out there lurking on desktops is growing. And to fight them, a band of Internet security experts is using a ``neighborhood watch'' approach and every honey pot it can muster.

The Shadowserver Foundation's worldwide daily count of zombie computers, which are infected with viruses and bent to malevolent purposes, doubled this month to 300,000 from 150,000 a year earlier. The spurt comes from more hackers linking machines to form botnets, networks they use to steal identities, attack Web sites and sell pilfered e-mail addresses to spammers.

Internet crimes cost consumers and businesses $239 million in 2007, up 20 percent from the year before, according to U.S. government data. Botnets are growing in popularity and sophistication as tools for hackers, and Shadowserver's research helps law enforcement and security companies such as McAfee Inc. identify emerging threats.

``It's becoming an increasingly common mechanism the bad guys are using,'' said John Pescatore, an analyst at researcher Gartner Inc. in Ashton, Maryland, who used to build secure computer systems for the U.S. Secret Service. Shadowserver is ``like neighborhood watch groups that are a great help to local police.''

Working in shifts around the clock, Shadowserver's 10 members set up ``honey pot'' computers designed to attract malicious software. They monitor zombie machines and hackers, and report their findings to law enforcement and Internet-service providers such as Philadelphia-based Comcast Corp.

Zombie Armies

In the weeks leading up to Georgia's military conflict with Russia in August, Shadowserver was among the first to report that hackers attacked Georgian President Mikheil Saakashvili's Web site, taking it down for 24 hours. The hackers used a botnet to swamp the site with requests.

``We see dozens of such attacks on a daily basis,'' Shadowserver director André DiMino, who co-founded the group almost four years ago, said in an interview.

Such zombie-computer armies began as the work of lone hackers and evolved into sophisticated tools used by organized crime groups, said DiMino, 42, who goes by the online name SemperSecurus.

Dealing with bot-infected computers cost organizations an average of almost $350,000 this year, according to a survey by the Computer Security Institute, an industry group that promotes computer-security education.

`Significant Risk'

``Botnets pose a significant risk because they're the Swiss Army knife of malicious code,'' said Nicholas Ianelli, an analyst at the CERT Coordination Center, which studies Internet security as part of Carnegie Mellon University's Software Engineering Institute. ``They can do so many things with one compromised host.''

As of Aug. 26, Shadowserver had detected more than 157,000 botnet attacks on Web sites in 105 countries this year. DiMino said the group is probably finding only a small fraction of botnet activities.

The average daily number of active bot-infected computers rose 17 percent to 61,940 from the first half of 2007 to the second, according to Symantec Corp., the biggest maker of security software. Arbor Networks Inc., which often works with Shadowserver, detected more than 1,800 active botnets per day in September, up as much as 20 percent from a year ago, said senior security researcher Jose Nazario.

``We've been tracking botnets for years and we're seeing a dramatic rise,'' Nazario said. Lexington, Massachusetts-based Arbor provides security for more than 300 companies including Yahoo! Inc. and Verizon Communications Inc.'s business unit.

Operation Bot Roast

A year ago, the Federal Bureau of Investigation said an investigation of botnets, dubbed Operation Bot Roast, uncovered more than 1 million infected computers and more than $20 million in economic losses from crimes related to botnets.

Shadowserver's members spend anywhere from 5 to 40 hours a week tracking Internet-security threats. DiMino, a native of New York who now lives in New Jersey, said Shadowserver's members are not vigilantes and don't ``hack the hackers,'' as some other volunteers do.

``It gets us pretty jazzed when we can see that things we've worked on have had a tangible result in Internet safety,'' he said. ``That's really a key motivator for all of us.''

In February, the group said it uncovered an attack on 32 gambling sites, including one run by PartyGaming Plc, the owner of the PartyPoker.com Web site.

Day Jobs

Organizations such as Shadowserver are ``another weapon in our armory'' against hackers, supplementing PartyGaming's own investment in Internet security, spokesman John Shepherd said. Shadowserver appears to be ``very good at what they do,'' he said, declining to comment on the February report.

While Shadowserver wants to publicize its findings, group members keep low profiles -- and not just because of the potential for retaliation from hackers who don't want their botnets exposed, DiMino said.

Members have regular day jobs working in computer security. Shadowserver accepts new members only after months of interviews and evaluations of their work, to make sure they are serious about fighting cybercrime and can be trusted with sensitive data, DiMino said. The self-funded group, which has filed to be a nonprofit, may seek grants to expand its work, he said.

``What's surprising is that they keep doing it for free,'' Gartner's Pescatore said. Many security researchers start out as volunteers, then begin running ads and charging for some services as their Web sites grow in popularity, he said. ``Shadowserver has stayed away from that.''

To contact the reporter on this story: Molly Peterson in Washington at mpeterson9@bloomberg.net

Last Updated: October 16, 2008 00:01 EDT
