Where bots live
by Volker Weber
The Register quotes these figures from the latest Symantec Internet Security Threat Report. Half of all bots — virus-infected, zombie PCs under the control of crackers — live in the UK and the US:
- United Kingdom (25.2 per cent)
- United States (24.6 per cent)
- China (7.8 per cent)
- Canada (4.9 per cent)
- Spain (3.8 per cent)
- France (3.6 per cent)
- Germany (3.5 per cent)
- Taiwan (3.1 per cent)
- South Korea (3.0 per cent)
- Japan (2.6 per cent)
[Thanks, Nick]
Comments
Korea at 3%.
That simply cannot be true.
Why not? You used a different methodology to measure a different subject. Your findings may as well be an indication that there is a whole lot of infected systems in the US and the UK that aren't sending out spam. Which poses the question about what they *are* sending (mind you, Symantec's report talks about any infection including, but not limited to, bots sending spam). Maybe putting spyware on a system in the US and the UK has a lot more value to the crackers than using them as spam zombies? Who can say? Still, I'm wondering why India doesn't show up in either your or Symantec's figures. Because that's definitely where *I* get the most spam from. Not that this would be representative in any way, but still ... ;-)
@Stephan: Different methodology - same subject. I simply take as an indication of the existence of a bot net sightings of the single most common abuse arising from them (spam - a large enough sample to have statistical significance).
Symantec methodology expects to find Symantec network appliances deployed within the network fabric and this inevitably skews the result [1].
South Korea has the highest take up of domestic broadband in the world and some of the worst performing ISP helpdesks. AV hardware and software is all but unheard of there [1] with infections by malware of various types seemingly being an accepted hazard arising from Internet use.
If there is a flaw in my stats, it is that I have counted individual entries in the database with equal significance - that is, a /24 network has the same significance as a /8. Correcting for this, the proportion of blocked IPs here in February triggered by the use of a Korean bot net to send spam is actually a little over 97%.
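The weighting point made in the comment above (every blocklist entry counted once, so a /24 carries the same weight as a /8, versus weighting each entry by the address space it covers) is easy to see in code. The following is an added example, not code from this page or from either commenter; the blocklist entries and their country labels are constructed placeholders drawn from documentation and private ranges, and the mapping from network to country is assumed to have been done beforehand (for example from whois data). It also collapses overlapping entries per country before weighting, since a nested listing would otherwise be counted twice.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of blocklist entries: (CIDR block, country it maps to).
# Documentation and private ranges stand in for real abuse data.
SAMPLE_ENTRIES = [
    ("203.0.113.0/24", "US"),
    ("198.51.100.0/24", "US"),
    ("192.0.2.0/24", "UK"),
    ("10.0.0.0/8", "KR"),
    ("10.1.0.0/16", "KR"),   # lies inside the /8 above: a duplicate listing
]


def parse_entries(entries):
    """Turn (cidr, country) pairs into (IPv4Network, country).

    strict=True makes ip_network raise ValueError if host bits are set,
    so malformed list entries are rejected rather than silently widened.
    """
    return [(ipaddress.ip_network(cidr, strict=True), country)
            for cidr, country in entries]


def share_by_entry(entries):
    """Equal weight per list entry: a /24 counts the same as a /8."""
    counts = defaultdict(int)
    for _net, country in parse_entries(entries):
        counts[country] += 1
    total = sum(counts.values())
    return {country: n / total for country, n in counts.items()}


def share_by_address(entries):
    """Weight each entry by the number of addresses it covers.

    Overlapping or duplicate blocks within a country are collapsed first,
    so the nested /16 in the sample does not inflate the Korean figure.
    """
    nets_by_country = defaultdict(list)
    for net, country in parse_entries(entries):
        nets_by_country[country].append(net)

    addresses = {}
    for country, nets in nets_by_country.items():
        collapsed = ipaddress.collapse_addresses(nets)
        addresses[country] = sum(n.num_addresses for n in collapsed)
    total = sum(addresses.values())
    return {country: n / total for country, n in addresses.items()}


if __name__ == "__main__":
    for label, fn in (("per entry", share_by_entry),
                      ("per address", share_by_address)):
        print(label)
        for country, s in sorted(fn(SAMPLE_ENTRIES).items(),
                                 key=lambda kv: -kv[1]):
            print(f"  {country}: {s:.2%}")
```

On the constructed sample the per-entry view gives KR and US 40% each, while the per-address view gives KR well over 99%, which is the kind of swing the comment describes when moving from counting entries to counting addresses. Either weighting is still only a measure of what reached the observer's own mail servers, which is the comparability question the thread goes on to argue about.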
Chris,
I didn't say that your figures are wrong, nor did I say that your methodology is flawed. It's just that I know what you counted but I don't know (in detail) what was counted by Symantec. From what I read, they counted other things besides spam. So, even if you say that counting spam alone has statistical significance, you just didn't run the same test. Also, I know that Symantec's count was done in a different period of time than what is represented in your stats. Conclusion: the results of both statistics, interesting as they both are, aren't comparable. So, while still not doubting that your figures are accurate and may even represent the sources of spam messages as of February 2005, your statement that Symantec's findings "cannot be true" is wrong. There's a chance that they were, and, based on the methods they were using, maybe they still are.
@Stephan - let's agree to disagree.
For sure, I do not claim that my method is flawless - far from it. But it is less flawed than Symantec's simply because (and you can find corroboration of this at Symantec's site if you dig for it) Symantec's findings are based on data collected by Symantec appliances in the field. Where no Symantec appliances exist, no data is collected.
What Symantec's data tells us is that they have a relatively strong market share in the UK. That is all. No other meaningful conclusion is possible or should be encouraged - and to be fair, I see no evidence that Symantec made any attempt to misrepresent their findings in this way; they were just misinterpreted by journalists.
(And as for the time period - fair comment but I have repeated the exercise over a longer period and it gives a very similar result).
Chris,
So you are telling me that your data was actually collected in South Korea? Or, to put it another way, that Symantec's probes only collect data that originates in the geographical region they are located in? I find this hard to believe, but unfortunately I don't have the time right now to check that out further. Maybe I'll find some spare time later today.
For the moment, I see it this way: You counted how attractive your system(s) were to different bot nets. I don't know where the systems you are using are located. So I can't say anything about how your data may be representative for the internet as a whole.
You do have a point about the distribution of Symantec's probes. Depending on how well they eliminate duplicates and their location in relation to the major flows of data, they will give false results. Still, I believe a distributed approach to check the data flowing through a major hub, for example, has its merits compared to taking samples at endpoints. Now, as already mentioned, I don't know anything about how and where Symantec's appliances are located, but maybe Symantec can shed some light on that. Will check ;-)