Gunter Ollmann Damballa
download slides (PDF)
Every year anti-virus vendors release reports detailing malware distribution rates, Internet infection rates and the prevalence of key malware families. In most cases, estimates of botnet size and the relative risk each botnet poses to the Internet are extrapolated from host infection data. In rarer cases, botnet sizes are derived from interpreting malware sample capture rates or the malicious attack traffic sourced from previously compromised systems. Unfortunately these sources of measurement fail to establish the true size of the threat and the risk a particular botnet represents to Internet users. Although some botnet operators manage to infect millions of computers with their particular flavour of malware, the number of botnet assets they can actually control and leverage in an attack at any one time is considerably smaller - often orders of magnitude less.
This paper will analyse how criminal botnet operators really assemble, rally, manage and coordinate their collective of victim computers, and how the number of systems at their direct disposal is considerably smaller than is often touted in the mainstream media. We will also examine how Internet botnets differ greatly from enterprise network botnets, how their relative sizes compare, and where measurement discrepancies adversely affect the way businesses seek to respond to a particular botnet threat.