As I was recently asked about botnet figures, I revisited our collections to establish some trends in this area.
In 2004 and 2005, bots were placed in a separate group of their own, separate from viruses and Trojans. Their names often ended with « bot » (W32/Sdbot, W32/Spybot, W32/Gaobot…). Based on the number of separate variants we had in our collections (the zoos) at the time, statistics showed a constant increase.
We have noted since then that a lot of malware has a remote-control feature (i.e. they are bots). Whether we are dealing with worms, viruses or Trojans, they are designed to receive commands and execute them at some point in their life. As of today, much of this remotely-controlled malware are known under various malware family names (W32/Nuwar, W32/Mytob, Spam-Samburg, Srizbi, Backdoor-DIX, etc.). Consequently our counting methods have to change.
On the Internet, various websites allow us to measure a different aspect of the threat.
For example, the Shadowserver Web Site shows us a botnet count. The following graph is a count of all the active Command and Control (C&C) servers the Shadowserver Foundation is aware of. There are approximately 2900 botnets today compared to 1400 one year ago:
Counting the infected computers is a much more arduous task. In January 2007, I reported on Vinton Cerf’s talk at the World Economic Forum in Davos, Switzerland and explained that he estimated 100 or 150 millions machines as infected represented over 10% of the PCs connected to the Internet. At the same time, some sources estimated less than 10 millions machines when others say they identify nearly 250000 new bots, or infected IPs each day.
Various techniques can be used to track zombie machines. I will only quote one to allow me the opportunity to give you some interesting links:
- Observing DNSBL queries
Method is exposed in a white paper from the College of Computing, Georgia Institute of Technology. It is based on the insight that botmasters themselves perform DNS-based blackhole list (DNSBL) lookups to determine whether their spamming bots are blacklisted or not. There are techniques and heuristic rules to distinguish botnet DNSBL reconnaissance queries from valid DNSBL traffic performed by legitimate mail servers. - Watching IRC traffic
It is one of the simplest methods of detecting IRC-based botnets. It involves sniffing IRC traffic and searching for any signatures matching known botnet commands. - Checking Behavioural Characteristics
As an example, researcher Stephane Racine demonstrated that IRC bots were idle most of the time on a Chat IRC channel but responded faster than a human upon receiving a command. - Searching for malware hashes on P2P networks
With decentralized Peer-to-Peer botnets, compromised nodes on the network can be identified by their retrieval of hashes known to be associated with botnets. The College of Computing and Informatics University of North Carolina at Charlotte proposed this method for tracking W32/Nuwar (alias Storm) infected machines. To determine which search hashes are pertinent, the bot could either be actively running on a network without a true Internet connection to determine current hashes, or the hash generation algorithm could be extracted from its binary to generate hash sets on the fly based on the limited set of random integers and the current time. - Watching attack traffic
Analysing the traffic linked to massive spam distribution or DDoS attacks can reveal the amount of compromised computers. Since January 2008, the Shadowserver graphs demonstrate a huge increase in this field.
To conclude this post, I have to say that looking at these studies did not help me in calculating how many computers are, at the moment, affected by bots! Extrapolation between 120000 or 150000 items known as active in a botnet at a given moment and a total number is hard to envisage… However, making these searches was not useless. We can certainly predict an increase in DDoS attack will be a 2008 issue and, for sure, more and more botnet will be used in the field ; perhaps 40 or 50% of them.