Size matters - measuring a botnet operator's pinkie presented at Virus Bulletin 2010

by Gunter Ollmann (Damballa),

Tags: Security


Summary : Every year anti-virus vendors release reports detailing malware distribution rates, Internet infection rates and the
prolificacy of key malware families. In most cases, estimates of botnet size and their relative risk to the Internet are
extrapolated from host infection data. In exceptional cases, botnet sizes are derived from interpreting sample capture
rates or the malicious attack traffic sourced from previously compromised systems. Unfortunately these sources of
measurement fail to establish the true size of the threat and the risks a particular botnet represents to Internet users.
Despite some botnet operators managing to infect millions of computers with their particular flavour of malware, the
number of botnet assets that they can really control and leverage in an attack is considerably smaller - often orders of magnitude
This paper will analyse how criminal botnet operators really assemble, rally, manage and coordinate their collective of
victim computers, and how the number of systems at their direct disposal is considerably smaller than is often touted in
the mainstream media. We will also examine how Internet botnets differ greatly from enterprise network botnets, how their
relative sizes compare, and where measurement discrepancies adversely affect the way businesses seek to respond to a
particular botnet threat.