Explanation

These graphs are based on actual zombie/bot counts from botnets that we have tracked. When a botnet goes inactive, its numbers are subtracted from the total, so the graphs represent all the currently active zombies/bots that we are aware of. NOTE: This covers MOST of the nets that we are monitoring.

There has been a lot of speculation about what causes the ups and downs of these graphs, and whether certain large events might be causing these effects, such as an environmental impact or some large change in an install base. While all of these are valid reasons for the number of botnets, and even Command and Control servers (C&C), to come and go and to affect our graphs, there is only one reason that will cause a sharp decrease, or as we call it, a chunk. Since we are very strict in our method of counting bots and their relationship to specific C&C servers, chunking occurs when a C&C server is considered to be in a down or closed state: all the counted bots for that specific C&C server are subtracted from the totals that the graphs represent. If that C&C is seen alive again, we will begin counting for it again.

When a C&C starts losing or gaining bots, there has always been a clear growth or loss period represented by some slope. In some cases that slope has been very sharp, but it is always a noticeable and definable slope over a period of time, whereas chunking occurs in a period of time that is near instant. The graph may show a sharp slope because of the minimum time increment we use to aggregate the data, but the chunking is usually very clear when it occurs.


How Entropy is Calculated

There has been a lot of discussion about what the lifespan of any single infected system might be. This value has a huge influence on the actual bot counts, not only ours but any others that you might read about. When someone provides a very specific count of a botnet or of infected systems, how is that derived, and over what time frame was that count created? Because there is no consensus on what that lifespan might be, we have created an entropy value for all of our counts. We actually implemented it in the middle of 2007 to deal with the rampant increase of our bot/infected-system counts, when we realized that we may have been artificially inflating the numbers that we were presenting. We suspect a lot of the values seen in the press or in the many security reports are inflated for the same reasons.

We present three entropy values for each of our graphs. The first is the one that we have been using since we started aging the data, a 30-day entropy: it assumes that if no activity from a specific IP has been seen within 30 days, that IP should be considered dead for the purposes of counting infected systems. To further this analysis, we have also added 10-day and 5-day entropy charts to reflect even smaller expected lifespans of an infected system. We do not know what the correct value is, but we suspect it is somewhere between the 10-day and 30-day charts.

The formula is simple enough. We count the number of days since we last saw a specific IP address that we counted as a bot, and if that is outside the stated entropy value the count is decremented for it. If at any time that IP address is seen again, the count starts over. This causes a lot of our count drops at UTC midnight, since that is when we do our accounting. There is no smoothing of the charts or anything more elegant.

We are using the simple concept of calling entropy the loss of energy (i.e. bots) over a certain time. We have arbitrarily chosen three values to represent that: five days, ten days and thirty days. There is no real math there, just a simple countdown for the decrement.

So we are not using the normal mathematical concept of entropy, just the base definition to describe our practical methodology of decrementing the bot counts.
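To make the two mechanisms described above concrete (the C&C "chunk" and the per-IP entropy countdown), here is an added Python example written for this page; it is not the code of the project that produces these graphs. It counts bots as (C&C, IP) pairs, subtracts all of a C&C's bots at once when that C&C is judged down, and at each UTC midnight drops any IP not seen within the chosen entropy window, with no smoothing. The C&C names, the IP addresses (taken from documentation ranges) and the April 2008 dates are constructed sample data, and the `BotCounter`, `sample_events` and `daily_series` names are this example's own.

```python
from datetime import datetime, timedelta, timezone


def utc(day, hour=12):
    """Constructed timestamp in April 2008 (an arbitrary month) for the sample data."""
    return datetime(2008, 4, day, hour, tzinfo=timezone.utc)


class BotCounter:
    """Counts active bots, one per (C&C, IP) pair, under a given entropy window.

    Hypothetical class written for this example, not the project's own code.
    """

    def __init__(self, entropy_days):
        self.entropy_days = entropy_days
        self.last_seen = {}  # (cnc, ip) -> last sighting (UTC datetime)

    def observe(self, when, cnc, ip):
        # Any sighting (re)starts the countdown for that IP on that C&C.
        self.last_seen[(cnc, ip)] = when

    def cnc_down(self, cnc):
        # Chunking: a C&C judged down or closed loses all of its counted bots
        # at once. Returns the size of the chunk that was subtracted.
        gone = [key for key in self.last_seen if key[0] == cnc]
        for key in gone:
            del self.last_seen[key]
        return len(gone)

    def account(self, midnight):
        # UTC-midnight accounting: an IP unseen for longer than the entropy
        # window is decremented. Returns the count after accounting.
        cutoff = midnight - timedelta(days=self.entropy_days)
        stale = [key for key, seen in self.last_seen.items() if seen < cutoff]
        for key in stale:
            del self.last_seen[key]
        return len(self.last_seen)


def sample_events():
    """Constructed events keyed by day of month: ("sight", cnc, ip) or ("down", cnc).

    cnc-A has three bots seen once on day 1 and is judged down on day 4.
    cnc-B has one bot seen every day and one seen only on day 1.
    """
    events = {
        1: [
            ("sight", "cnc-A", "198.51.100.10"),
            ("sight", "cnc-A", "198.51.100.11"),
            ("sight", "cnc-A", "198.51.100.12"),
            ("sight", "cnc-B", "203.0.113.20"),
            ("sight", "cnc-B", "203.0.113.21"),
        ]
    }
    for day in range(2, 13):
        events.setdefault(day, []).append(("sight", "cnc-B", "203.0.113.20"))
    events[4].append(("down", "cnc-A"))
    return events


def daily_series(entropy_days, events=None, last_day=12):
    """Return the bot count recorded at each UTC midnight from day 1 to last_day."""
    events = sample_events() if events is None else events
    counter = BotCounter(entropy_days)
    series = []
    for day in range(1, last_day + 1):
        for event in events.get(day, []):
            if event[0] == "sight":
                counter.observe(utc(day), event[1], event[2])
            else:
                counter.cnc_down(event[1])
        # Accounting runs at the midnight that ends this day.
        midnight = datetime(2008, 4, day + 1, tzinfo=timezone.utc)
        series.append(counter.account(midnight))
    return series


if __name__ == "__main__":
    for window in (5, 10, 30):
        print(f"{window:2d}-day entropy:", daily_series(window))
```

Running it shows the distinction the text draws: under every window the count drops from 5 to 2 on day 4 when cnc-A is chunked, while the never-reseen cnc-B bot ages out one IP at a time, on day 6 under the 5-day window and on day 11 under the 10-day window, and not at all within twelve days under the 30-day window.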


Updates

These reports are updated every 15 minutes.


Graphs

[Graphs omitted here: for each time window (Day, Week, Month, 60 Days, 90 Days, 180 Days, Year, Two Years, Three Years) the page shows three charts, at 30-day, 10-day and 5-day entropy.]
