botnets: web servers, end-systems and Vint Cerf [LONG, sorry]

Tue Feb 20 16:35:18 UTC 2007

On Mon, Feb 19, 2007 at 02:04:13PM +0000, Simon Waters wrote:
> I simply don't believe the higher figures bandied about in the discussion for 
> compromised hosts. Certainly Microsoft's malware team report a high level of 
> trojans around, but they include things like the Jar files downloaded onto 
> many PCs, that attempt to exploit a vulnerability that most people patched 
> several years ago. Simply identifying your computer downloaded (as designed), 
> but didn't run (because it was malformed), malware, isn't an infection, or of 
> especial interest (other than indicating something about the frequency with 
> which webservers attempt to deliver malware).

I don't understand why you don't believe those numbers.  The estimates
that people are making are based on externally-observed known-hostile
behavior by the systems in question: they're sending spam, performing
SSH attacks, participating in botnets, controlling botnets, hosting
spamvertised web sites, handling phisher DNS, etc.  They're not based
on things like mere downloads or similar.  As Joe St. Sauver pointed
out to me, "a million compromised systems a day is quite reasonable,
actually (you can track it by rsync'ing copies of the CBL and cummulating
the dotted quads over time)".

So I'm genuinely baffled.  I'd like someone to explain to me why this
seems implausible.

BTW #1: I'm not asserting that my little January experiment is the basis
for such an estimate.  It's not.  It wasn't intended to be, otherwise
I would have used a very different methodology.

BTW #2: All of this leaves open an important and likely-unanswerable
question: how many systems are compromised but not as yet manifesting
any external sign of it?  Certainly any competent adversary would hold
a considerable fraction of its forces in reserve.  (If it were me,
that fraction would be at least "the majority".)

---Rsk