fyi: Storm Worm botnet numbers, via Microsoft

' =JeffH ' Jeff.Hodges at KingsMountain.com
Mon Oct 15 19:02:54 EDT 2007


pgut001 at cs.auckland.ac.nz said:
> I have two problems with this report. 

thanks for commenting on it. I pointed to it in order to see what denizens of 
this list might have to say about it. I'm simply curious.

Also, as I'd noted, I haven't really seen any estimates of Storm's extent -- 
other than that article [0] -- that actually go into any details about how the 
number is arrived at (however bogus or not the approach might be).

Also, I'm personally mostly just curious and have done only modest searches 
for info. And based on that, I've only come across the (typically) 
unsubstantiated "one or two million zombies" [1] to "(breathless) maybe /50 
million/ out there" [2] articles/posts.


> Firstly, I don't think this is a very
> representative sampling technique compared to the estimates from security
> companies. 

I haven't come across any detailed Storm extent analysis, even with having 
Google search specific security company sites (e.g. using 
"site:sec-corp.com"). So if anyone has pointers to pages (other than the MSFT 
blog article pointed to in an earlier post) that present a sane and 
substantiated analysis of Storm extent, please post 'em. Maybe folks don't 
want to (post 'em or point to 'em)? Are there papers in submission? ;-)


> If you look at the sample that's being used, "Windows machines
> that have automatic updates turned on", then the typical machine is going to
> be configured with something like Windows XP SP2 with all available hotfixes
> and updates applied, in other words the very systems that are (one would hope
> :-) the *least* likely to be affected by malware.

agreed.


>  If you take the rule-of-
> thumb estimate that's sometimes used on MSDN blogs of 1B Windows machines out
> there then 2.6M machines is < 0.3% of that total.  Now this in itself
> wouldn't be so bad if it was an unbiased sample, but in fact it's probably a
> rather non-representative 0.3%. 

..as compared to the overall population of Windows machines, on the Internet, 
globally.

agreed.


> Although some of the numbers from security
> companies for infections may be just guesswork, they also use broad sampling
> across all Windows machines (not just ones with Windows Defender), honeypots,
> monitoring of botnet traffic patterns, and other methods as well.

pointers?


>  So while it's valid to say that this [the Anti-Malware Engineering 
> Team blog post [0]] provides data for Storm on fully patched,
> up-to-date machines running Windows Defender, I don't think this generalises
> for all Windows machines.

agreed.


> Secondly, the text completely contradicts the figures given.  If the figures
> really are accurate and not a typo, then 274K machines infected out of 2.6M
> puts Storm on 10% of Windows PCs, which would make the worldwide infection
> rate 100M systems, or ten times larger than the previous worst-possible case
> estimate.  

a reasonably-substantiated worst-case estimate? Because it's only twice as many 
as the 50M number thrown around in the likes of [2].

But yes, it'd be alarming if there's really 1B Windows machines on the 
Internet (one way or another) and there's a reasonable probability of 10% 
being Storm zombies.


> Storm may be big, but it's not *that* big.  I think there's
> something wrong with the figures.

Yeah, one hopes so.

So, it'd seem to me (tho I'm not a statistician) that if one could get a set 
of articles wrt Storm extent that say at least something to substantiate how 
they arrived at the numbers, and then do some back-of-the-envelope calcs, we'd 
have a better idea of what's going on, at least here in the public domain. I 
have to believe that there's folks working hard on this given the 
down-the-road risks, and are just keeping the info close to their collective 
chest.


=JeffH

[0] http://blogs.technet.com/antimalware/archive/2007/09/20/storm-drain.aspx

[1] http://www.secureworks.com/media/press_releases/20070802-botstorm

[2] http://www.neoseeker.com/news/story/7103/
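The back-of-the-envelope extrapolation discussed in this thread, worked through as an added example (not part of the original post or of the Microsoft blog article). It takes the figures quoted above (274K infected out of 2.6M sampled machines, a 1B Windows installed base) and shows two things: how tight the purely statistical interval is for a sample that large, and how much the answer moves once you assume the sample (auto-updated, Windows Defender machines) is not representative. The relative-risk values in the sensitivity table are assumed for illustration; the Wilson interval is a standard binomial method and not something the thread mentions.

```python
"""Extrapolating a botnet infection rate from a biased sample.

Figures below are the ones quoted in the thread; the relative-risk
assumptions are constructed for illustration only.
"""
import math

# Numbers quoted in the thread (Microsoft Anti-Malware Engineering blog, as relayed).
SAMPLE_INFECTED = 274_000      # machines Windows Defender flagged with Storm
SAMPLE_SIZE = 2_600_000        # machines that reported in (auto-update / Defender)
WINDOWS_POPULATION = 1_000_000_000  # rule-of-thumb installed base from MSDN blogs


def wilson_interval(successes: int, n: int, z: float = 1.96) -> tuple[float, float]:
    """95% Wilson score interval for a binomial proportion.

    For n in the millions this is extremely narrow: sampling noise is not
    the problem with the estimate, sample selection is.
    """
    if n <= 0:
        raise ValueError("sample size must be positive")
    p = successes / n
    denom = 1 + z * z / n
    center = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return center - half, center + half


def sample_rate(infected: int = SAMPLE_INFECTED, n: int = SAMPLE_SIZE) -> float:
    """Raw infection proportion observed in the sample (~0.105 here)."""
    return infected / n


def extrapolate(rate: float, population: int = WINDOWS_POPULATION,
                relative_risk: float = 1.0) -> float:
    """Estimated infected machines in the whole population.

    relative_risk is the assumed ratio (sampled machines' infection risk) /
    (population-wide infection risk).  1.0 means the sample is representative.
    A value below 1.0 encodes the thread's objection: fully patched machines
    running Defender should be *less* likely to be infected than average, so
    taking the sample rate at face value *understates* the population rate.
    """
    if relative_risk <= 0:
        raise ValueError("relative risk must be positive")
    return population * rate / relative_risk


def sensitivity_table(rate: float, risks=(0.25, 0.5, 1.0, 2.0)) -> dict[float, float]:
    """Population estimate under several assumed relative-risk values (assumed numbers)."""
    return {rr: extrapolate(rate, relative_risk=rr) for rr in risks}


if __name__ == "__main__":
    p = sample_rate()
    lo, hi = wilson_interval(SAMPLE_INFECTED, SAMPLE_SIZE)
    print(f"sample rate {p:.4%}  (95% Wilson {lo:.4%} .. {hi:.4%})")
    print(f"naive extrapolation: {extrapolate(p) / 1e6:.1f}M machines")
    for rr, est in sensitivity_table(p).items():
        print(f"  relative risk {rr:>4}: {est / 1e6:>7.1f}M")
```

The point the table makes is the one raised in the thread from the other direction: if a hardened sample really showed a 10% infection rate, every plausible correction for its bias pushes the population estimate above 100M, which is why the figure itself looks suspect rather than the sampling.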



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


