« April 2010 · October 2010 »

June 2010
MonTueWedThuFriSatSun
 010203040506
07080910111213
14151617181920
21222324252627
282930    
July 2010
MonTueWedThuFriSatSun
   01020304
05060708091011
12131415161718
19202122232425
262728293031 
August 2010
MonTueWedThuFriSatSun
      01
02030405060708
09101112131415
16171819202122
23242526272829
3031     

Calendar:

  • 15.08.2010: Spam using RU domains - Who's your nameserver?
  • 13.08.2010: Binary Whitelisting Service
  • 02.08.2010: Of Opinions and Anti-Virus Testing
  • 05.07.2010: Lies, Damn Lies, and Botnet Size
  • 09.06.2010: Shadowserver Sinkholing domain associated with SQLi attacks on IIS/ASP web servers
Newest first Oldest first

Friday, 5 September 2008

Shadowserver Bot Count Charts

The past few days have seen a great deal of attention given to several of Shadowserver's recent charts. What seems to have caught everyone's attention is the apparent rapid rise in the number of 'drone' systems, or bots. Since we've seen all kinds of speculation and conclusions, we thought we'd attempt to clarify the issue.

First, it's important to recognize what we are reporting on. There is a distinction between a 'bot' and a 'botnet'. A bot, also known as a drone, is a single compromised, or infected system that is part of a botnet. There can be many hundreds, if not thousands of bots within one botnet.

Shadowserver's monitoring systems allow us to report on the quantity of bots within the botnets that we're currently aware of. As we improve and expand our detection and monitoring systems, it naturally follows that we're able to have an increased visibility into the quantity of compromised systems. It is this increased visibility that is but one component to our reported increase in bot counts. The other component is, unfortunately the fact that the number of infected client and server systems do continue to rise.

Even with Shadowserver's expanding capabilities, we believe that we're only monitoring and reporting on a small percentage of the total problem. Botnets continue to advance in both their architecture and their methods of recruiting new bots. We have seen an alarming rate of compromise against legitimate web servers which are then used to serve up malware to unwitting web surfers. As the surface area of infection continues to expand, so will the number of compromised systems, or bots.

So while our charts may currently indicate a “quadrupling” of the number of bots over the past three months, it is important to remember that we're just looking through a few windows into a much larger structure. The structure continues to grow, but so does our ability to utilize more windows of analysis. It will be quite interesting for us as well to see how these numbers trend over time. We certainly hope that the attention our reports have received over the past few days has further raised awareness to this serious problem. We also hope it has been a motivation for others to take steps to better safeguard both server and client systems.

=>Posted September 05, 2008, at 04:39 AM by Andre' M. DiMino - SemperSecurus