ENISA botnet study
Saturday, December 1. 2007
ENISA (European Network and Information Security Agency) published a study of the botnet phenomenon a few days ago: Botnets – The Silent Threat
The study provides a good overview of the current botnet problem and shows some interesting numbers. According to the measurements (carried out by S21sec), the most common infection methods are browser exploits (65%), email attachments (13%), operating system exploits (11%), and downloaded Internet files (9%). Thus more research in the area of client honeypots is needed - the weakest link in the security chain is nowadays the end user who does not patch his Internet Explorer and opens every e-mail attachment.
Furthermore, the study contains some more interesting numbers:
Estimations show that there are at least 1.000 different Botnet C&C servers running constantly. An average C&C server controls 20.000 compromised computers (ranging from 10-300.000). Estimations indicate ca. 53.000 new, active bots/day. A spam bot can send up to 3 spam emails/s (ca. 259.000 emails/day).
The measurements at our lab indicate that there could be even more botnets. However, we observe that an average C&C server controls significantly fewer than 20.000 compromised machines; often only a few hundred or at most a few thousand machines are controlled by a given server. Even Storm Worm nowadays has fewer than 80.000 machines online. It would be nice to get better insight into how they estimate the 53,000 new bots per day - after all, node churn and other effects make such measurements hard.
The study also contains an overview of countermeasures at various levels. Despite some glitches (Storm does not always use UDP port 4000, Rock Phish and Fast-Flux networks are only partially related to botnets, ...), the study is worth reading.