Are there 6.8 million — or 24 million — botted PCs on the Internet?

April 20th, 2010

Alfred Huger, VP of engineering at Immunet and a former Symantec executive, says he takes issue with a key metric in Symantec’s 2009 Internet Security Threat Report (ISTR), released Tuesday, 20 April 2010.

Huger says Symantec’s very specific count of 6,798,338 distinct bot-infected computers globally is misleading — several orders of magnitude too conservative. Huger’s critique is noteworthy since he says he is one of the creators of Symantec’s ISTR. Here’s what he told LastWatchdog:

I do not have enough data to accurately count the number of bots in play in the wild. Nor do I think Symantec has that data. I believe the generalized approach to identifying bots used by the report . . . is not likely to derive an accurate estimation of real live bot infected systems. I think it’s very conservative but it’s as best a bet as you can hope for with real empirical data. Yet bot networks using peer-to-peer, private authenticated IRC, undiscovered C&C & IRC (due to fast flux etc) will forever be invisible to these methods of data collection.

Our data shows that 7 out of 10 threats, which we collect, have the ability to download software. It’s our belief that nearly all of these threats will bring software down to allow them to be centrally controlled, therefore becoming bots. So it’s our estimation that 70% or more of all infected machines become, at some point, centrally controlled. We also see that 7.6% of all users who install our software have a virus already. Those two numbers lead me to believe that the number of active bots is indeed magnitudes higher than what Symantec is reporting (and I bet they would agree). How much higher? I do not know, certainly 4 or 5 times higher if not much more.

While ultra-competitive security vendors squabble about how best to convey the scale of the botnet plague, cybercriminals — from novices to elite gangs — continue to saturate the Internet with infections that allow them to take full control of Windows PCs.

Gunter Ollmann, a leading expert on botnets for years at IBM before he joined Damballa, where he now serves as vice president of research, has volumes of research data to back up his estimates of botnet activity. On any given day, 12% to 15% of the 1.6 billion computers connected to the Internet are bots, according to security firm Damballa.

That would put the number of botted PCs at 19.2 million to 24 million.

“Getting hold of new botnets, or building a new botnet from scratch has never been easier,” says Ollmann. “Specialist providers for botnet building, bot agent design and bot delivery are plentiful and it has already become largely a commoditized service industry.”

Adam Swidler, senior product marketing manager with Google’s Postini group, asserts that botnet operators are thriving and staying one step ahead of the best efforts of security companies, law enforcement and ISPs to keep them in check. Here’s Swidler’s reasoning:

In November 2008, the ISP McColo was taken offline, and we saw an immediate 70% drop in spam levels. By the second half of March 2009, seven-day average spam volume was at the same volume we saw prior to the blocking of the McColo ISP in November 2008. It took 4 months for spammers to recover.

On June 4, 2009, another large ISP spam source, 3FN, was reported to have been dismantled. Spam volume immediately dropped 30% – not as extreme as McColo, but still significant. Although this created a sudden dip in spam levels, it also created an open invitation for opportunistic spammers to once again seize a market opportunity. Within a month, spam levels were back to pre-3FN levels.

Real Host, a large Latvia-based ISP, was disconnected by upstream providers on August 1, 2009. This takedown didn’t have the same drastic effects as McColo (last November), but it was comparable to 3FN. Ultimately, the effects of the Real Host takedown lasted only two days, with an initial 30% drop in spam followed by a quick resurgence.

Meanwhile, efforts led by security firms to temporarily knock out specific botnets (Mega-D, Waledac, Mariposa and ZeuS) caused a negligible drop in spam volume. These developments underscore how organized and efficient botnet operators have become about keeping their botnet inventories replenished.

–By Byron Acohido

Generally speaking, an “order of magnitude” greater means a factor of 10. If an estimate of 6.7M bots was several orders of magnitude too conservative, then the second estimate would be at least 670M bots, or 42% of the computers connected to the internet using the figures above.

6.7M to 28M is a difference of ~0.3 orders of magnitude.

Paul Moriarty

I think you missed a zero there Byron. 12 to 15% of 1.6 billion computers being zombies means that there are 192 to 240 million infected PCs out there. It’s a global pandemic and it’s getting worse, not better.

With all due respect to Symantec, they are the company that pegged the total number of botted computers in 2006 at 57,000.