Size matters - measuring a botnet operator's pinkie

Gunter Ollmann, Damballa


Every year anti-virus vendors release reports detailing malware distribution rates, Internet infection rates and the prolificacy of key malware families. In most cases, estimates of botnet size and their relative risk to the Internet are extrapolated from host infection data. In exceptional cases, botnet sizes are derived from interpreting sample capture rates or the malicious attack traffic sourced from previously compromised systems. Unfortunately, these sources of measurement fail to establish the true size of the threat and the risks a particular botnet represents to Internet users. Despite some botnet operators managing to infect millions of computers with their particular flavour of malware, the number of botnet assets that they can really control and leverage in an attack is considerably smaller - often orders of magnitude less.

This paper will analyse how criminal botnet operators really assemble, rally, manage and coordinate their collective of victim computers, and how the number of systems at their direct disposal is considerably smaller than is often touted in the mainstream media. We will also examine how Internet botnets differ greatly from enterprise network botnets, how their relative sizes compare, and where measurement discrepancies adversely affect the way businesses seek to respond to a particular botnet threat.

