fyi: Storm Worm botnet numbers, via Microsoft

Peter Gutmann pgut001 at cs.auckland.ac.nz
Thu Oct 4 06:27:28 EDT 2007


Jeff.Hodges at KingsMountain.com writes:

>food for consideration. yes, #s are from MSFT as he notes, but are the only
>ones we have presently wrt actual Storm extent, yes? If not, pls post
>pointers...

I have two problems with this report.  Firstly, I don't think this is a very
representative sampling technique compared to the estimates from security
companies.  If you look at the sample that's being used, "Windows machines
that have automatic updates turned on", then the typical machine is going to
be configured with something like Windows XP SP2 with all available hotfixes
and updates applied, in other words the very systems that are (one would hope
:-) the *least* likely to be affected by malware.  If you take the rule-of-
thumb estimate that's sometimes used on MSDN blogs of 1B Windows machines out
there then 2.6M machines is < 0.3% of that total.  Now this in itself wouldn't
be so bad if it was an unbiased sample, but in fact it's probably a rather
non-representative 0.3%.  Although some of the numbers from security companies
for infections may be just guesswork, they also use broad sampling across all
Windows machines (not just ones with Windows Defender), honeypots, monitoring
of botnet traffic patterns, and other methods as well.  So while it's valid to
say that this provides data for Storm on fully patched, up-to-date machines
running Windows Defender, I don't think this generalises for all Windows
machines.

Secondly, the text completely contradicts the figures given.  If the figures
really are accurate and not a typo, then 274K machines infected out of 2.6M
puts Storm on 10% of Windows PCs, which would make the worldwide infection
rate 100M systems, or ten times larger than the previous worst-possible case
estimate.  Storm may be big, but it's not *that* big.  I think there's
something wrong with the figures.

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


