Household Botnet Infections

Gunter Ollmann

Pinning down the number of infected computers is really, really hard. I'd go as far as saying it's practically impossible to calculate, let alone observe. Still, that's not going to stop people from attempting to guess or extrapolate from their own observations. Over the years I've heard "reliable" numbers ranging from 10% through to 60% — and I don't trust any of them.

There's a whole gaggle of reasons why the numbers being thrown out to the public are inaccurate and should be interpreted with a lot of skepticism by any right-minded folks. If I had to boil it down to only a couple of categories of reasons, they'd be semantics and observational bias. Semantics, because terms such as "infected computers" and "compromised devices" are different from "compromised users" and "victims"; observational bias, because no vendor is omnipresent and its perspective of the threat is shaped only by its category of customer and the tools it employs.

These problems represent hurdles for a number of collaborative projects seeking to measure and track the botnet menace. There are several initiatives (e.g. the Online Trust Alliance) and working groups (e.g. the Messaging, Mobile, and Malware Anti-abuse Working Group) striving to collate disparate datasets and views of botnet infections, with the hope that the industry can baseline the problem in order to track and measure the success of other initiatives designed to reduce the threat. The premise being: if you can't measure it, how do you know you've been successful in fixing the problem?

Given Damballa's unique perspective of the botnet threat and participation in various working groups on the topic, I thought I'd share a little of what we're observing — and the bounds of what that means.

First of all, it's important to note that Damballa has two major product lines — one catering for large enterprise networks (Damballa Failsafe), and the other focused on ISPs and telcos (Damballa CSP, for communications service providers). Given the nature of these products and the types of customers that purchase them, there are effectively two major "infection" statistics of note for this first part of 2012:

  • When we deploy Damballa Failsafe we find that, on average, between 3% and 7% of assets within enterprise networks are identified as being infected and are actively searching for, or successfully connecting to, a cybercriminal's C&C server.
  • Among the ISPs/telcos that have chosen to deploy the Damballa CSP product, between 18% and 22% of unique subscriber IP addresses are actively seeking to connect to known C&C servers.

These infection statistics are not directly comparable. In the case of Damballa Failsafe deployments, we're able to track and identify the unique device that has been infected by any number of crimeware instances, separate out all of the C&C and data leakage communications, and differentiate between infections. In the case of the Damballa CSP product, because of ISP-level restrictions on deep packet inspection (DPI) and the fact that a subscriber IP address encompasses any and all devices within that subscriber's personal network, we're only able to deduce that at least one device within that subscriber's network is part of a particular botnet (but we can enumerate each of the multiple botnets that may be operating within that subscriber's network).

For the sake of this being a blog, let's focus on the topic of "household botnet infections". For all intents and purposes in the residential ISP world, a subscriber's IP address is pretty close to being analogous to a "household". Of the aggregated 125 million subscriber IP addresses that the Damballa CSP product monitors within our ISP customer base from around the world, the vast majority would be classed as "residential" — so it would be reasonable to say that roughly 1-in-5 households contain botnet infected devices.

From previous observations we also know that approximately 40% of infected devices have two or more botnet infections within them (see the H1 2011 Damballa Threat Report). Now if only we knew what the average number of devices within residential home networks is. Alas, I can't find out that information (send me the info if you happen to know!). When I last looked at my poor wireless router's admin panel at home, it would appear that I have something like 40 IP enabled devices chatting away and connecting to the Internet. Who knows, but I suspect that my household probably isn't typical — and shouldn't be used for any kind of extrapolation.

Anyhow, with all those numbers in mind, where in this "10% through to 60%" scale of global infected computers do I think the true numbers lie? Well, there's one more caveat to all this — it's the semantic piece — infected computers is a superset of botnet infected devices. What Damballa product deployments are capable of enumerating (since they sit at the network level, and not at the host) are infected devices that are actively trying or successfully engaging with a criminal's C&C infrastructure — and not all malware does this, and not all devices are "computers". So malware that cannot be controlled or tasked remotely by a criminal, and malware that doesn't upload stolen data somewhere over the network, aren't going to appear in my observation statistics.

Given that the average number of devices within a residential subscriber network is going to be greater than one (let's say "two" for now — until someone has a more accurate number), I believe that it's reasonable to suggest that around 10% of home computers are infected with botnet crimeware.
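To make the two measurement granularities and the household-to-device conversion concrete, here is an added example (not from the original post or Damballa) that aggregates constructed C&C-contact observations the way an in-network sensor and an ISP-level sensor each can, then inverts the household rate using the post's 20% and two-devices-per-home figures. The exact inversion assumes devices are infected independently of one another, which is my assumption, not the post's.

```python
"""Added example: per-device vs per-subscriber-IP infection figures, and
converting a household rate into a per-device rate. Events, subscriber
counts and IPs below are constructed, not real observations."""
from collections import defaultdict

# Constructed C&C-contact observations: (subscriber_ip, device, botnet).
# A sensor inside the network sees all three fields; an ISP sensor without
# DPI sees only the subscriber IP and the C&C destination (hence the botnet),
# never which device behind the home NAT made the connection.
EVENTS = [
    ("198.51.100.10", "laptop",  "botnetA"),
    ("198.51.100.10", "phone",   "botnetB"),
    ("198.51.100.10", "laptop",  "botnetA"),   # repeat beacon, same device
    ("198.51.100.23", "desktop", "botnetC"),
    ("198.51.100.23", "desktop", "botnetA"),   # one device, two botnets
]
TOTAL_SUBSCRIBERS = 10    # monitored subscriber IPs (constructed)
DEVICES_PER_HOME = 2      # the post's working assumption
TOTAL_DEVICES = TOTAL_SUBSCRIBERS * DEVICES_PER_HOME


def per_device_rate(events, total_devices):
    """Enterprise (Failsafe-style) view: share of unique devices seen
    contacting any C&C, counting a device once however often it beacons."""
    infected = {(ip, dev) for ip, dev, _ in events}
    return len(infected) / total_devices


def per_subscriber_view(events, total_subscribers):
    """ISP (CSP-style) view: share of subscriber IPs flagged and the botnets
    each is in. Device identity is unavailable, so a flagged IP means
    'at least one device behind it', not 'exactly one infected device'."""
    botnets = defaultdict(set)
    for ip, _, botnet in events:
        botnets[ip].add(botnet)
    return len(botnets) / total_subscribers, dict(botnets)


def device_rate_from_household_rate(household_rate, devices_per_home):
    """Return (linear, exact) per-device rates. 'linear' is the post's
    division (20% / 2 = 10%); 'exact' inverts 1 - (1 - p)^n = household_rate,
    valid if devices are infected independently (assumption)."""
    linear = household_rate / devices_per_home
    exact = 1 - (1 - household_rate) ** (1 / devices_per_home)
    return linear, exact


if __name__ == "__main__":
    print("per-device rate:", per_device_rate(EVENTS, TOTAL_DEVICES))
    print("per-subscriber rate, botnets:", per_subscriber_view(EVENTS, TOTAL_SUBSCRIBERS))
    print("household 20% -> per-device (linear, exact):", device_rate_from_household_rate(0.2, 2))
```

On the constructed data the in-network view reports 15% of devices infected while the ISP view reports 20% of subscriber IPs flagged, from the same events; the exact inversion of a 20% household rate with two devices per home is about 10.6%, slightly above the post's 10%.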

With regards to "infected" computers (i.e. all types of malware — not just botnet malware), I don't know what the ratio of botnet malware to the overall malware installation problem is. Of all the malware caught and shared globally amongst commercial antivirus vendors, the majority of samples would certainly seem to be "droppers" and "downloaders" (choose your terminology) — mostly because of serial variant production systems. Perhaps the desktop antivirus statistics are right with 60%+ of computers being infected — but I doubt it (since desktop antivirus products are only going to report the stuff they're capable of detecting and stopping — not the slippery stuff).

By Gunter Ollmann, Chief Security Officer at Vectra
