How Big is Big? Some Botnet Statistics

Discussion in 'Anti-Virus' started by Virus Guy, May 24, 2011.

    How Big is Big? Some Botnet Statistics

    Published on May 23, 2011 in Malware & Virus Analysing and Monitoring &

    There is a lot of malware out there, and sometimes it’s very difficult
    for security researchers or AV-vendors to estimate the extent of such a
    threat (e.g. a trojan). One technique to do so is called sinkholing: The
    goal is to register malicious botnet domains proactively or reactively
    to prevent the criminals from exerting command and control over
    hijacked/infected computers, and at the same time warn ISPs of infected

    Some of you might already know that I am running a sinkhole. Therefore I
    thought it might be interesting to reveal some botnet statistics based on
    the drone data I have collected on my sinkhole.

    The following data has been collected over a period of 2 months. During
    this time I’ve sinkholed several botnets. To generate the statistics
    shown below I have picked out the highest peak of each malware family
    and printed it to the bar chart. In short this means that the chart
    shows the highest peak of each malware family during the past two months
    (within a 24-hour period).

    First of all, let’s have a look at each malware family I’ve sinkholed
    during this time.

    Trojan     Aliases                    Reference
    Artro      Renos, CodecPack           Kaspersky Lab
    Carberp    -                          Symantec
    Gbot       -                          Sonicwall
    Gozi       -                          SecureWorks
    Ponmocup   Swisyn, Changeup           Microsoft
    Ramnit     -                          -
    SpyEye     EyeStye                    Symantec
    TDSS       Alureon, Tidsserv, TDL4    ESET
    ZeuS       Zbot, WSNPoem, ntos        Symantec

    As shown in the table above we have some banking trojans (Carberp, Gozi,
    SpyEye and ZeuS), some trojan droppers (Gbot, Ponmocup), a worm (Ramnit)
    and some click fraud trojans (Artro, TDSS).

    Note: The numbers of infected IPs for each trojan mentioned below do
    not necessarily reflect the exact botnet size. They do however work
    fairly well as a relative indication. Some trojans are malware kits
    being used to run several different botnets (like ZeuS or SpyEye), not
    all of which are being sinkholed.

    Let’s take a look at the sinkhole statistics:

    The chart above shows the total number of new and total IPs seen within
    24hrs for each malware family. What really sticks out is the fact that
    the trojans that are being used to attack financial institutions
    (banking trojans) have a relatively small number of infected computers
    (drones) compared to Gbot (that is used to drop/install additional
    malware on the victim’s computer) and the well-known click fraud rootkit
    called TDSS. The size of the TDSS botnet is 6 times the size of the
    Carberp botnet.

    Why is this the case? It’s not very difficult to infect computers today.
    The trick is to find a good way to monetize the botnet. For banking
    trojans, the problem becomes getting money mules that the criminal can
    use for transferring/laundering the stolen money. A cybercriminal won’t
    benefit from a big botnet if he’s not able to cash out the money from
    the bank accounts of the victims. Also, banking trojans rather quickly
    get attention from both Law Enforcement and individuals in the infosec

    Doing click fraud is much easier: Who cares about click fraud? Nobody,
    except the companies that are actually offering/selling online
    advertisement. If you call someone and tell him “Hey, your computer is
    infected with a click fraud trojan” you will most probably get an answer
    like “WTF is click fraud?!?” and even if you explain the situation to
    him I’m pretty sure you will get an answer like “Well I don’t care, I
    hate online advertisements anyway. They only distract me when I’m
    surfing on porn sites… *erm* when I’m doing online shopping”.

    Still, I’m not surprised that there are botnets out there that are even
    bigger than TDSS/TDL:

    The chart above shows a botnet that is called Artro. It is also known as
    “The advertisement botnet” (Kaspersky) or Renos/CodecPack. It is 1,5
    times bigger than TDSS. However, Artro is also doing some click fraud
    stuff. I sinkholed the Artro botnet a year ago. Back then, the botnet
    had a size of 330’000 infected computers (of course within 24hrs)!

    So I’m asking myself: Does this answer our question “How Big is Big”? If
    we are serious we can say that 330’000 infected computers is quite
    enough and really big. That’s nearly the same amount of computers as
    there are inhabitants in the largest Swiss city (Zurich).

    What would you say if I told you that there is a botnet out there that
    is much bigger than the Artro botnet?

    Some weeks ago I came across a huge botnet that was pretty unknown to me
    and that I had never heard of before. Doing some research I came to the
    conclusion that this trojan was known as Ponmocup. When I started to
    sinkhole this botnet I was shocked when I saw that more than 1,2 million
    (yes, 1’200’000) unique IPs connected to my sinkhole just within 24

    Probably most of you don’t even know Ponmocup, so you may ask yourself
    how this botnet became that big. Well you already answered this
    question: The criminal obviously managed to stay under the radar for
    months (maybe even years). I’m sure there are even more botnets out
    there (like Artro and Ponmocup) that are quite big and still under the
    radar of the AV-industry / infosec community.

    *** Conclusion ***

    We have learned that the botnet size doesn’t really matter. The
    criminals don’t need to have a big botnet to make a lot of money: It
    always depends on the business model the criminals want to adopt (doing
    e-banking fraud, click fraud or whatever).

    But what do we have to do to mitigate these threats? My approach is to
    try to identify such botnets and sinkhole them. Doing so I’m able to
    collect data from the connecting bots, which is being fed into the
    Shadowserver Drone database. If you are an ISP, a company or running
    your own network/AS you can obtain a free-of-charge Drone feed from
    Shadowserver for your AS. This allows you to get informed about infected
    computers within your network on a daily basis.

    If you are an ISP/network owner I highly recommend you to subscribe to
    Shadowserver’s Drone feed (if you are not already subscribed).

    You can subscribe and/or obtain more information about Shadowserver’s
    Reporting Service here:
    Virus Guy, May 24, 2011
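Added example, not code from the post or from the sinkhole operator: one way to derive the per-family "new and total IPs within 24 hours" figures and the highest daily peak that the post plots from sinkhole connection records. The log format (timestamp, family, source IP) and all values are constructed; as the post notes, unique IPs per day are only a relative indicator of botnet size.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample sinkhole log (not real drone data): "timestamp,family,src_ip"
SAMPLE_LOG = """\
2011-05-01T03:12:00,ponmocup,10.0.0.1
2011-05-01T04:00:00,ponmocup,10.0.0.2
2011-05-01T09:30:00,tdss,10.0.1.1
2011-05-02T01:00:00,ponmocup,10.0.0.1
2011-05-02T02:00:00,ponmocup,10.0.0.3
2011-05-02T02:05:00,ponmocup,10.0.0.4
2011-05-02T05:00:00,tdss,10.0.1.1
2011-05-02T06:00:00,tdss,10.0.1.2
2011-05-03T01:00:00,tdss,10.0.1.3
not,a,valid,line
"""

def parse_log(text):
    """Yield (day, family, ip) from CSV lines; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 3:
            continue
        ts, family, ip = parts
        try:
            day = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S").date().isoformat()
        except ValueError:
            continue
        yield day, family, ip

def daily_stats(records):
    """Per family and day: (total unique IPs, IPs not seen on any earlier day)."""
    per_day = defaultdict(set)           # (family, day) -> set of IPs
    for day, family, ip in records:
        per_day[(family, day)].add(ip)
    stats = {}                           # family -> {day: (total, new)}
    seen = defaultdict(set)              # family -> IPs seen on earlier days
    for family, day in sorted(per_day):  # chronological per family
        ips = per_day[(family, day)]
        new = len(ips - seen[family])
        stats.setdefault(family, {})[day] = (len(ips), new)
        seen[family] |= ips
    return stats

def peak_per_family(stats):
    """Highest 24h total per family, the number the post's bar chart shows."""
    peaks = {}
    for family, days in stats.items():
        day, (total, new) = max(days.items(), key=lambda kv: kv[1][0])
        peaks[family] = (total, new, day)
    return peaks

if __name__ == "__main__":
    print(peak_per_family(daily_stats(parse_log(SAMPLE_LOG))))
```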