On one day last month, the prolific Macintosh Flashback botnet was counted at anywhere from more than half a million to 1 million bots worldwide. One security firm later reported infections dropping to tens of thousands, while another found 700,000 bots still phoning home to the botnet operator infrastructure. Yet another said the total number of infected Macs was even higher than was originally reported.
So why the discrepancy in size estimates of the Flashback Trojan botnet, and does anyone really care? The wide ranges of counts on the game-changer botnet for Macs was a case study for how gauging the size of a botnet is less a science than an art. Different research groups set up their own sinkholes to lure unsuspecting bots in order to get a handle on the size and activity of a botnet, but each basically sees just a snapshot of the overall botnet, and botnets are notoriously fast-moving targets as infections come and go. That's why Jose Nazario, senior security researcher for Arbor Networks, wants to come up with standard sinkholing methods.
"Some who are actively sinkholing [bots] are good at it, and some are not," Nazario said. "Some of us are working behind the scenes of how to come up with standardization for sinkholing methodologies."
Part of the problem, he said, is that sometimes marketing trumps science in botnet data. And when government officials quote botnet sizes, they rely on data generated by security researchers, many of whom work for security vendors, he said. "If we're going to inform [policy-makers], we need to come with numbers that we believe are legitimate," Nazario said.
The catch with bot-counting is that, for the most part, you can only measure a snapshot of infected machines or IP addresses during a specific period of time, and then that information is used to generate an estimate of the total number of infected machines making up the botnet. Botnet population data can help researchers prioritize which threats to focus on and create the appropriate defenses, as well as pinpoint the geographic areas most hit by the infection, for instance, according to Nazario.
The Messaging Anti-Abuse Working Group (M3AAWG), under a new Federal Communications Commission project, hopes to offer up more accurate bot counts. It will begin publishing quarterly reports of the total number of bot infections out there, based on numbers provided by Internet service providers, which arguably have a more comprehensive view of the problem.
From clouds to mobile to software development, threats may be everywhere, but they're not equally dangerous. The new, all-digital IT Strategic Security Survey issue of InformationWeek will help you prioritize. Also in this issue: IT must decide how to deal with consumer cloud storage being used in businesses. (Free registration required.)
