How big is the botnet problem?

How big is the botnet problem? Watchdog organization Shadowserver Foundation calls it "gigantic."

Gigantic. Watchdog organization Shadowserver Foundation monitors the number of detected command-and-control servers -- which indicates how many individual botnets are out there -- and the number of clients these servers control.

From November 2006 through May 2007, Shadowserver reported roughly 1,400 command-and-control servers active at any given time, though the number varied hourly and ranged from 1,100 to more than 1,700.

If that sounds like small potatoes, consider that the real problem for enterprises isn't the number of networks but the skyrocketing number of drones they control. From March through May, active drones grew at an alarming rate from about a half million to more than 3 million, the organization says.

Shadowserver doesn't claim this is a count of all the bots and botnets out there, just the ones it detected in active use. No one knows how many machines lie dormant. Some researchers even have made the controversial claim that as many as 11% of the 1.1 billion computers worldwide with Internet access are infected and part of the available bot pool.

Symantec says it found 6 million infected bots in the second half of 2006. Currently, about 3.5 million bots are used to send spam daily, says Gadi Evron, a well-known botnet hunter.

The point is that the scale now is so vast that trying to count bots has become irrelevant. "The number doesn't matter," Evron says. "The bad guys control as many bots as they need to."

In fact, the Department of Justice and FBI have identified more than 1 million victims of botnet crimes.

Types of attacks

Cross-site scripting: Inserting malicious JavaScript into the header of an otherwise legitimate Web site.

DNS cache poisoning: Hacking a DNS server so that it directs people who enter legitimate URLs to the hacker's malicious Web site.

iFrames: The "inline frame" HTML element that can create invisible frames capable of executing malware.

Pharming: Creating an illegitimate copy of a real Web site and redirecting traffic to the phony site to obtain information or download malicious code.

Pretexting: Pretending to be a legitimate entity to lure people to malicious sites.

Toxic blogs: Uploading links to malicious Web sites or, when blogs support HTML or scripts, uploading malicious code or using iFrames.
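One defensive check against the "invisible frame" pattern listed above is to scan a page's HTML for iframes sized or styled so that a visitor never sees them. The script below is an added example, not code from the article; the sample HTML and the hidden-frame heuristic (0/1-pixel size, invisible or off-screen style, `hidden` attribute) are assumptions of this illustration.

```python
# Added example, not code from the article. Heuristic assumption: an <iframe>
# is "hidden" when sized to 0/1 px, styled invisible, or pushed off-screen.
import re
from html.parser import HTMLParser

HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d+", re.I)


def _tiny(value):
    """True for a width/height of 0 or 1 (e.g. '0', '1px'); False when absent."""
    m = re.match(r"\s*(\d+)", value or "")
    return m is not None and int(m.group(1)) <= 1


class IframeCollector(HTMLParser):
    """Records every <iframe> whose attributes suggest it is meant to be unseen."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (src, reason) per suspicious iframe

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        reasons = []
        if _tiny(a.get("width")) or _tiny(a.get("height")):
            reasons.append("zero/one-pixel size")
        if HIDDEN_STYLE.search(a.get("style") or ""):
            reasons.append("hidden or off-screen style")
        if "hidden" in a:  # bare `hidden` attribute parses with value None
            reasons.append("hidden attribute")
        if reasons:
            self.findings.append((a.get("src", "?"), ", ".join(reasons)))


def find_hidden_iframes(html):
    """Return [(src, reason), ...] for iframes a visitor would not see."""
    p = IframeCollector()
    p.feed(html)
    return p.findings


# Constructed sample: one visible embed, two frames built to stay invisible.
SAMPLE = """<html><body>
<iframe src="https://video.example/embed" width="640" height="360"></iframe>
<iframe src="http://bad.example/x.php" width="0" height="0"></iframe>
<iframe src="http://bad.example/y.php" style="display:none"></iframe>
</body></html>"""
```

Running `find_hidden_iframes(SAMPLE)` reports only the two invisible frames, giving a reviewer a short list of frame sources to examine rather than the whole page.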

Copyright © 2007 IDG Communications, Inc.