Security

  • the world of botnets article and wrong numbers

    7 answers

    hi guys
    I asked Gadi on the botnets listserv where he got the number 12K for
    bots every month in his "the world of botnets" article [
    You did
    ] and he gave no real answer.
    Does that number sound right to anybody? Where did you come up with it,
    Gadi?
    First, the link I prefer people use is the one on my blog at securiteam,
    as it holds the copyright notice for Virus Bulletin, under which I was
    allowed to host the article:
    Numbers
    I can't speak for others, but I can try to answer better than I did on the
    botnets mailing list on whitestar.
    In individual honey nets, even rather large ones, the number of unique
    samples often assembled can be somewhere between 200 and 800
    a month depending on how wide it is spread and the networks it sits
    on. Which is why many of us cooperate.

    From cumulative honey nets monitoring of such smaller (yet very
    effective) nets, and some larger nets, we get to a number of about 15K new
    bot samples every month (Alan Solomon and myself wrote 12K, so we
    underplayed it a bit due to statistics being a bit shaky). So the real avg
    number is somewhere around 15K new unique samples a month.
    Further, the anti virus world sees about the same numbers.
    The Microsoft anti malware team (and Ziv Mador specifically) spoke of 15K
    avg bot samples a month, as well.
    I don't know what others may be seeing, but this is our best estimate as
    to what's going on with the number of unique samples released every month.
    Jose Nazario from Arbor replied on the botnets list that he sees similar
    numbers.
    I hope this helps. What are you looking to hear?
    Gadi.
    ./mcktoby
    Full-Disclosure - We believe in it.
    Charter:
    Hosted and sponsored by Secunia - http://secunia.com/
  • No.1

    9/14/06, Gadi Evron <ge (AT) linuxbox (DOT) org> wrote:

    hi guys
    I asked Gadi on the botnets listserv where he got the number 12K for
    bots every month in his "the world of botnets" article [

    You did

    ] and he gave no real answer.
    Does that number sound right to anybody? Where did you come up with it,
    Gadi?

    First, the link I prefer people use is the one on my blog at securiteam,
    as it holds the copyright notice for Virus Bulletin, under which I was
    allowed to host the article:

    Numbers
    I can't speak for others, but I can try to answer better than I did on the
    botnets mailing list on whitestar.

    In individual honey nets, even rather large ones, the number of unique
    samples often assembled can be somewhere between 200 and 800
    a month depending on how wide it is spread and the networks it sits
    on. Which is why many of us cooperate.

    From cumulative honey nets monitoring of such smaller (yet very
    effective) nets, and some larger nets, we get to a number of about 15K new
    bot samples every month (Alan Solomon and myself wrote 12K, so we
    underplayed it a bit due to statistics being a bit shaky). So the real avg
    number is somewhere around 15K new unique samples a month.

    Further, the anti virus world sees about the same numbers.

    The Microsoft anti malware team (and Ziv Mador specifically) spoke of 15K
    avg bot samples a month, as well.

    I don't know what others may be seeing, but this is our best estimate as
    to what's going on with the number of unique samples released every month.

    Jose Nazario from Arbor replied on the botnets list that he sees similar
    numbers.

    I hope this helps. What are you looking to hear?

    Gadi.

    Can you show samples for a month? Can you show them as being real, or in
    your mind?

    ./mcktoby

  • No.2

    Gadi Evron wrote:

    Numbers
    I can't speak for others, but I can try to answer better than I did
    on the botnets mailing list on whitestar.

    In individual honey nets, even rather large ones, the number of unique
    samples often assembled can be somewhere between 200 and 800
    a month depending on how wide it is spread and the networks it sits
    on. Which is why many of us cooperate.

    From cumulative honey nets monitoring of such smaller (yet very
    effective) nets, and some larger nets, we get to a number of about
    15K new bot samples every month (Alan Solomon and myself wrote 12K,
    so we underplayed it a bit due to statistics being a bit shaky). So
    the real avg number is somewhere around 15K new unique samples a
    month.

    Can you go into detail about the methodology you're using here? How do
    you "get to a number" of 15,000 from a number "between 200 and 800"? Is
    this a statistical extrapolation, or are you saying that your honeynet gets
    200 to 800 unique samples a month, and so does that one over there, and that
    one, and that one and they all add up to 15000? Do you attempt to
    correct for variants that are simply re-packed using a different compressor,
    or other trivial changes? Do you attempt to correct for complex polymorphic
    variants?

    Further, the anti virus world sees about the same numbers.

    The Microsoft anti malware team (and Ziv Mador specifically) spoke of
    15K avg bot samples a month, as well.

    Got a link/quote/reference to that? Does Ziv explain the methodology that
    they are using?

    I don't know what others may be seeing, but this is our best estimate
    as to what's going on with the number of unique samples released
    every month.

    Jose Nazario from Arbor replied on the botnets list that he sees
    similar numbers.

    I hope this helps. What are you looking to hear?

    Some kind of explanation for the huge disjunction between these numbers
    and our instinctive ideas about what's possible. Of course, being
    un-worked-out intuitive estimates, such ideas are of course entirely likely
    to be off the mark, but off the mark by two orders of magnitude? Hence the
    request for more methodological details.

    cheers,
    DaveK
  • No.3

    Thu, 14 Sep 2006, Dave "No, not that one" Korn wrote:

    Can you go into detail about the methodology you're using here? How do
    you "get to a number" of 15,000 from a number "between 200 and 800"?
    Is this a statistical extrapolation, or are you saying that your
    honeynet gets 200 to 800 unique samples a month, and so does that one
    over there, and that one, and that one and they all add up to 15000?
    Do you attempt to correct for variants that are simply re-packed using a
    different compressor, or other trivial changes? Do you attempt to
    correct for complex polymorphic variants?

    my numbers are based on unique MD5 values.

    the bulk of those are minor variants on a theme, ie repackaged bots or
    reconfigured bots, maybe a new module thrown in or something. only a small
    handful, maybe a dozen or so, are really new bots every month. very rarely
    do we see new bots or new capabilities added. the last major change was
    the use of the MS06-040 netapi exploit.

    the bulk of the bot binaries i see are derivatives of well known families.
    very few new families emerge in any given timeframe, but in the HTTP bot
    world, we're starting to see people develop tools and reuse them.

    unique bot samples, ~12-15k or higher a month. many independent teams can
    back that ballpark figure up. new bot samples, truly new like i outlined
    above, is far less. about three orders of magnitude less.

    by the way, in this day and age the bulk of people do not bother with
    polymorphism. they achieve it not through the classic - and elegant -
    methods of self modifying code but instead by churning out new bots fast
    and furious. same end result, though: confuse the naive, static detection
    tools out there.

    Some kind of explanation for the huge disjunction between these numbers
    and our instinctive ideas about what's possible. Of course, being
    un-worked-out intuitive estimates, such ideas are of course entirely
    likely to be off the mark, but off the mark by two orders of magnitude?
    Hence the request for more methodological details.

    i guess i'm curious about your position, then, and what you're meaning by
    "our instinctive ideas about what's possible".

    it sounds like we're on the same page, but you may feel it's hyping the
    problem to talk about new bots based on unique MD5 values. it's not my
    favorite way of thinking about it, but it is easily underscored by a
    real-world fact: many AV vendors fail to detect the same bot source simply
    repackaged or re-configured (ie a new IRC server, everything else the
    same). hence, each new MD5 means a new detection hit for them. so, hype
    has a real-world backing, namely AV detection issues.

    jose nazario, ph.d. jose (AT) monkey (DOT) org
    http://monkey.org/~jose/ http://monkey.org/~jose/secnews.html
    http://www.wormblog.com/

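    Jose's point above, that the counts are keyed on unique MD5 values so a bot that is merely reconfigured (new IRC server, everything else the same) shows up as a new sample, can be checked with a small triage script. The following is an added example, not code from the thread or from any participant; the samples and their CFG:... block are constructed stand-ins for an embedded config (not a real bot format), and masking that block before hashing is a hypothetical normalization chosen for illustration.

```python
import hashlib
import re
from collections import Counter

# Constructed stand-ins for bot binaries: a fixed "code" body per family
# followed by an embedded config block b"CFG:<server>:<channel>\x00".
# This layout is invented for the example and is not a real bot format.
CODE_A = b"MZ" + bytes(range(64))        # family A code body
CODE_B = b"MZ" + bytes(range(64, 128))   # family B code body

def build_sample(code: bytes, server: bytes, channel: bytes) -> bytes:
    """Assemble one constructed sample: family code plus its C&C config."""
    return code + b"CFG:" + server + b":" + channel + b"\x00"

# Five constructed "captures" from one month of a hypothetical honeynet.
SAMPLES = [
    build_sample(CODE_A, b"irc.example.net", b"#a"),
    build_sample(CODE_A, b"irc.example.org", b"#a"),  # same code, new C&C server
    build_sample(CODE_A, b"irc.example.net", b"#b"),  # same code, new channel
    build_sample(CODE_B, b"irc.example.net", b"#a"),  # different family, same C&C
    build_sample(CODE_A, b"irc.example.net", b"#a"),  # exact duplicate of the first
]

CONFIG_RE = re.compile(rb"CFG:[^\x00]*\x00")

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def count_unique_md5(samples) -> int:
    """The thread's metric: every distinct MD5 is counted as a new sample."""
    return len({md5_hex(s) for s in samples})

def normalized_hash(sample: bytes) -> str:
    """Hash with the config block masked, so reconfigured builds collide.
    This only collapses reconfiguration; a repacked binary changes every
    byte and would have to be unpacked before the code body is comparable."""
    return md5_hex(CONFIG_RE.sub(b"CFG:<masked>\x00", sample))

def count_unique_normalized(samples) -> int:
    """Samples that differ only in their embedded config count once."""
    return len({normalized_hash(s) for s in samples})

def inflation_report(samples) -> dict:
    """Per code body: how many MD5-distinct samples it accounts for."""
    seen_md5 = set()
    per_body = Counter()
    for s in samples:
        h = md5_hex(s)
        if h in seen_md5:
            continue
        seen_md5.add(h)
        per_body[normalized_hash(s)] += 1
    return dict(per_body)

if __name__ == "__main__":
    print("unique MD5s:", count_unique_md5(SAMPLES))                # 4
    print("unique code bodies:", count_unique_normalized(SAMPLES))  # 2
    print("MD5-distinct samples per body:", inflation_report(SAMPLES))
```

    On this constructed set the MD5 count is double the code-body count, which is the inflation the thread is arguing about; on real captures the repacked variants would still need unpacking before any such comparison.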
  • No.4

    9/14/06, Gadi Evron <ge (AT) linuxbox (DOT) org> wrote:
    This counts bot samples. Whether they are variants (changed) or
    insignificant changes such as only the IP address to the C&C, they are
    counted as unique.

    So if you have multiple machines NAT'ed under one IP, that is one pot.
    err bot eh? K.

    This is why we now run different sharing projects between established
    honey nets.

    So you don't count botnets that detect honeynets, eh?

    or other trivial changes? Do you attempt to correct for complex polymorphic
    variants?

    Nah, just contributors who don't all have publicly routable IPs and
    those herders that know about VMware/Honeywall

    There aren't many of those really. :)

    Really?

    Further, the anti virus world sees about the same numbers.

    Using the same methods?

    The Microsoft anti malware team (and Ziv Mador specifically) spoke of
    15K avg bot samples a month, as well.

    Gotcha, you, MS and Symantec share numbers based on who doesn't know how
    to disable your detection methods

    I am just saying, the larger the organization, the sharper the focus
    from the other side. Maybe a loose coalition of known non-bull****ters
    would have a more accurate picture.

    still love ja tho Gadi,
    -JP<the douchebg>

    Got a link/quote/reference to that? Does Ziv explain the methodology that
    they are using?

    Nope, but I will ask. Most of the numbers I get are at 15K. I can only
    prove *on my own* without relying on other sources, as reliable as they
    may be, 12K, which is the number we mentioned in the article. We were
    being conservative due to that reason, but the number is higher.

    I don't know what others may be seeing, but this is our best estimate
    as to what's going on with the number of unique samples released
    every month.

    Jose Nazario from Arbor replied on the botnets list that he sees
    similar numbers.

    I hope this helps. What are you looking to hear?

    Some kind of explanation for the huge disjunction between these numbers
    and our instinctive ideas about what's possible. Of course, being

    I followed you this far, but to be honest, your ideas (what are
    they?) are indeed very far from reality :)

    un-worked-out intuitive estimates, such ideas are of course entirely likely
    to be off the mark, but off the mark by two orders of magnitude? Hence the
    request for more methodological details.

    No problem, I quite understand. There is not that much science into it
    really:
    "Yo, how many unique samples do you see?" as a lone dataset if they won't
    share.
    "Yo, how many unique samples do we all see?" if they share.
    "Yo, how many unique samples do others see?"

    AVG is 15K, I can prove *on my own* 12K counting banking/phishing
    trojan horses, general purpose trojans, dialers, etc (from the large bot
    families).

    Gadi.

    cheers,
    DaveK
  • No.5

    9/14/06, Jose Nazario <jose (AT) monkey (DOT) org> wrote:
    i guess i'm curious about your position, then, and what you're meaning by
    "our instinctive ideas about what's possible".

    You see, the universe operates with a distinct prejudice towards
    individuals with an inclination towards lunacy

    they should have covered this in douchebaggery 101 f'er cryin' out loud!
    -JP<who got an "A" in douchebaggery 101>

  • No.6

    I can't present data, but I'll opine that Gadi is pretty much on track
    with figures and numbers. In fact his stats are on the lower side.

    Our current intel reports indicate overall incidents by "Zombie machines
    on organization's network / bots / use of network by BotNets" = 20%, which is
    ANY NET based data sets for incident mngt.

    This indicates a 36% increase from July 2004 - June 2005 with a mean
    "unknown base" being equated to 15.1%. This percent implies the rate of fresh
    nodes being propagated, or rather the rate of growth for Botnets!!

    Hypothetically, you can flatline these stats against whatever data sets
    you have. I'll leave you all to your better judgements :)-
    /pd

    9/14/06, Gadi Evron <ge (AT) linuxbox (DOT) org> wrote:

    Thu, 14 Sep 2006, Dude VanWinkle wrote:
    9/14/06, Gadi Evron <ge (AT) linuxbox (DOT) org> wrote:
    This counts bot samples. Whether they are variants (changed) or
    insignificant changes such as only the IP address to the C&C, they are
    counted as unique.

    So if you have multiple machines NAT'ed under one IP, that is one pot.
    err bot eh? K.

    And if I see 10 bots using the same address on a dynamic range? Ever heard
    of DHCP? The number crunching schemes are never perfect but they are pretty
    good.

    I count, much like many others, unique IPs. A bot is defined as an
    instance of an installed Trojan horse. A machine may have (and probably
    does have) several. We can count IPs and we do.

    3.5 million hosts, note, for spam alone. The total population count is
    mind-boggling. I believe Spamhaus has it pinned at 3.2 million, others
    have higher numbers. That's about where it is for EMAIL based spam, per
    day.

    This is why we now run different sharing projects between established
    honey nets.

    So you don't count botnets that detect honeynets, eh?
    --
    Honey pot detection is an interesting field, I am familiar with it and
    even consider myself somewhat of a knowledgeable person on it, but there
    are those who research it actively.

    As interesting as it may be, it's not much of a field yet, sorry to
    say. Honey pots of different kinds work marvelously.

    Not all our sources for samples are the same. It would be silly of me to
    divulge them all (especially as personally I have no use for samples these
    days and others do). Still, we can only report what we see, what do you
    see?

    or other trivial changes? Do you attempt to correct for complex polymorphic
    variants?

    Nah, just contributors who don't all have publicly routable IPs and
    those herders that know about VMware/Honeywall
    --
    There aren't many of those really. :)

    Really?

    Further, the anti virus world sees about the same numbers.

    Using the same methods?
    --
    And their reporting user-base, alliances and sharing partners, and what
    not. Yes. Do you think all bots are extremely smart rootkits? I am
    quite happy to say most botnets are nothing if not the re-use of old code,
    which is freely available, using the same old methods.

    There are other types of malware out there.

    The Microsoft anti malware team (and Ziv Mador specifically) spoke of
    15K avg bot samples a month, as well.

    Gotcha, you, MS and Symantec share numbers based on who doesn't know how
    to disable your detection methods

    You assume too much, Dude.
    Still, you are right, 100%. I can only detect what I know how to
    detect. But samples are not the only way to follow botnets, and there are
    many ends from which to approach one problem.

    Cryptic? I suppose, but hey, Google for methods, see what you find, and
    tell me what you think. I believe we have pretty good coverage, but I also
    need to admit most anti viruses do not cover bot detection very well.

    I am just saying, the larger the organization, the sharper the focus
    from the other side. Maybe a loose coalition of known non-bull****ters
    would have a more accurate picture.

    The picture you got is pretty accurate. Don't take my word for it
    though. I am happy to examine and share (as much as I can, which is more
    than enough) to show the numbers (lower numbers) we chose to show in the
    article.

    What numbers do you need? What makes you doubt what we have given? I'd be
    more than happy to answer any question you have or counter-numbers you
    have, but your love for me is as irrelevant as you calling me a
    when you don't show your own data or challenge mine with
    actual questions like Dave (the other Dave) did.

    Thanks,

    Gadi.

    still love ja tho Gadi,

    -JP<the douchebg>
    --
    Got a link/quote/reference to that? Does Ziv explain the methodology that
    they are using?

    Nope, but I will ask. Most of the numbers I get are at 15K. I can only
    prove *on my own* without relying on other sources, as reliable as they
    may be, 12K, which is the number we mentioned in the article. We were
    being conservative due to that reason, but the number is higher.

    I don't know what others may be seeing, but this is our best estimate
    as to what's going on with the number of unique samples released
    every month.

    Jose Nazario from Arbor replied on the botnets list that he sees
    similar numbers.

    I hope this helps. What are you looking to hear?

    Some kind of explanation for the huge disjunction between these numbers
    and our instinctive ideas about what's possible. Of course, being

    I followed you this far, but to be honest, your ideas (what are
    they?) are indeed very far from reality :)

    un-worked-out intuitive estimates, such ideas are of course entirely likely
    to be off the mark, but off the mark by two orders of magnitude? Hence the
    request for more methodological details.

    No problem, I quite understand. There is not that much science into it
    really:
    "Yo, how many unique samples do you see?" as a lone dataset if they won't
    share.
    "Yo, how many unique samples do we all see?" if they share.
    "Yo, how many unique samples do others see?"

    AVG is 15K, I can prove *on my own* 12K counting banking/phishing
    trojan horses, general purpose trojans, dialers, etc (from the large bot
    families).

    Gadi.

    cheers,
    DaveK
  • No.7

    What about the inverted question:
    how many of the internet-connected computers are *not* part of botnets?
    Since exact numbers are hard to prove, the ratio BTNETTED/NNBTNETTED seems
    easier to find.
