A day in the life of Peacomm? 

Oct 22, 2007 03:00 AM

A bot network tends to fluctuate: the number of members of the network waxes and wanes over time. I base this understanding on my regular observation of modern botnets and the observations of my peers (please see pg. 41 of ISTR Volume X). In the past, IRC protocol-based botnets fell victim to an "Achilles Heel" situation if the single central server being used to control the network was taken down, because the network without a controller would fall apart.

The miscreants that choose to build and control these bot networks began to develop innovative methods that could bolster their reliability. With this goal, fast-flux DNS tactics were employed to provide redundancy so that these networks were more difficult to take down. Trojan.Peacomm (also known as "Storm Worm") employed the Overnet protocol, a robust, decentralized, peer-to-peer network that is based on the Kademlia algorithm.

However, all of these advancements in bot network technology still do not make the network bulletproof. They do not protect the botnet from bot losses that occur because a bot-infected computer is taken offline or the infection is detected by antivirus and cleaned. There is little question that Trojan.Peacomm is a sophisticated peer-to-peer bot network that is difficult to disable completely, but it cannot be immune to fluctuations in its membership. Perhaps this is why some of the static numbers for the Peacomm network size are so difficult to digest. According to MessageLabs there are 2 million bots. (They are quoted as reporting that at 2 million bots, it is operating at only 10% capacity, implying that the true size is 20 million bots. The same article also goes on to report observations of 50 million Peacomm bots.) A botnet of 20 million bots was also reported on zdnet.com. Are these metrics based on active bot-infected computers? Or on a cumulative total that was observed since Peacomm was first detected?

Personally, I believe in applying Occam's Razor when estimating the size of a given botnet. It is better to assume nothing about the current size of the network and instead gauge the network size based only on the number of active bots that can be observed for a period of time where the network size is least likely to fluctuate. According to the recently published Symantec Internet Security Threat Report (pg. 47), "The average lifespan of a bot-infected computer during the first six months of 2007 was four days, up from three days in the second half of 2006." This means that an accurate metric for a given bot network, if all of the bots join the network at exactly the same time, at very best can remain accurate for only four days. In reality the bot network will constantly fluctuate, so metrics for longer periods should at least be graphed at points over time to represent this fluctuation.

The "snapshot" approach, where activity is observed only for a reasonable period of time, should deliver a more accurate picture of the known and verifiable state of the botnet at that point in time, but only at that point. It will likely be a partial image, but it is based on accurate and verifiable activity. If many of these "snapshots" are taken, it might provide a more accurate impression of the bot network when graphed. For a dynamic network that can radically change in size from week to week, estimating the size of that network based on a cumulative number generated from observed IPs over a long period of time might yield an inaccurate perception of the studied network.

Other researchers are reporting lower metrics for Peacomm network size than the 20 million nodes figure. For example, Secure Science Corp report an average of just over 53,000 active Peacomm bots at 7:00 a.m. ET, October 1, 2007. Secure Science Corp used the "snapshot" approach to graph metrics for the Peacomm network over the period of a week, and the undulating metric is fascinating.

Microsoft's anti-malware team also reported lower metrics. In a recent blog they discuss that Peacomm ranks only third for the total malware cleaned by the Microsoft anti-malware team. They also report that a component of Peacomm was detected on 274,372 computers as of September 18, 2007, at 2:00 p.m. PDT.

Symantec's DeepSight Threat Analyst Team decided to use this "snapshot" approach in order to gather a geographical picture of a 24-hour period of Peacomm spam activity. Based on spam messages that were captured over a 24-hour period by Symantec antispam sensors on August 18 and September 18, 2007, we observed 4,375 unique Peacomm IPs for August 18; 2,131 of these IPs were acting as Peacomm SMTP servers and 2,244 IPs were acting as Peacomm HTTP servers (these are the servers that serve exploits and Peacomm binaries to innocent victims, as well as Peacomm propagation spam). Contrast that with 6,081 unique IPs for September 18, 2007, with 3,408 SMTP IPs and 2,673 HTTP IPs. Given those two sample sets, only 1,610 IPs intersect. So, for just a month's time-span we observed a respectable fluctuation in Peacomm IP metrics, reinforcing the understanding that the Peacomm network is consistently in a state of fluctuation.
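The snapshot method described above (and in the two preceding paragraphs) reduces to a small amount of set arithmetic over sensor observations: bucket source IPs into fixed windows, split them by role, intersect consecutive windows to see turnover, and keep the cumulative "every IP ever seen" figure alongside for comparison. The following is an added example, not code from the original post or from Symantec; the log format (timestamp, source IP, role), the function names and the sample records are all assumptions constructed for illustration.

```python
"""Snapshot-style botnet measurement over spam-sensor observations.

Added illustration, not the original post's code. The log format
(ISO timestamp, source IP, role) and the function names are assumptions.
"""
from datetime import datetime, timedelta

# Constructed observations in the style of an antispam sensor export.
# Invented for illustration; not real sensor data. The IPs are from the
# RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2007-08-18T01:12:03Z 198.51.100.7  SMTP
2007-08-18T02:45:19Z 198.51.100.7  HTTP
2007-08-18T03:01:55Z 203.0.113.21  SMTP
2007-08-18T11:22:08Z 203.0.113.44  HTTP
2007-08-18T19:09:41Z 192.0.2.130   SMTP
2007-09-18T00:30:00Z 198.51.100.7  SMTP
2007-09-18T04:10:27Z 192.0.2.77    SMTP
2007-09-18T05:55:12Z 192.0.2.77    HTTP
2007-09-18T13:40:00Z 203.0.113.44  HTTP
2007-09-18T22:15:33Z 192.0.2.131   SMTP
2007-09-18T23:59:59Z 192.0.2.132   HTTP
"""


def parse_log(text):
    """Parse 'ISO-timestamp IP ROLE' lines into (datetime, ip, role) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, role = line.split()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, role))
    return records


def snapshot(records, day, window_hours=24):
    """Unique source IPs active in one window starting at 00:00 UTC on `day`.

    Returns sets split by role. One IP can act as both an SMTP and an HTTP
    server, so the role counts need not sum to the unique count.
    """
    start = datetime.strptime(day, "%Y-%m-%d")
    end = start + timedelta(hours=window_hours)
    by_role = {"SMTP": set(), "HTTP": set()}
    unique = set()
    for ts, ip, role in records:
        if start <= ts < end:
            unique.add(ip)
            by_role.setdefault(role, set()).add(ip)
    return {"unique": unique, "smtp": by_role["SMTP"], "http": by_role["HTTP"]}


def churn(first, second):
    """Overlap and turnover between two snapshots' unique-IP sets."""
    a, b = first["unique"], second["unique"]
    return {"intersect": a & b, "lost": a - b, "gained": b - a}


def cumulative_unique(records):
    """The 'count every IP ever seen' figure that overstates a churning botnet."""
    return {ip for _, ip, _ in records}


def report(text, days):
    """Counts for each day's snapshot, churn between consecutive days,
    and the cumulative total over the whole log."""
    records = parse_log(text)
    snaps = {d: snapshot(records, d) for d in days}
    out = {d: {k: len(v) for k, v in s.items()} for d, s in snaps.items()}
    for prev, cur in zip(days, days[1:]):
        out[f"{prev}->{cur}"] = {k: len(v) for k, v in churn(snaps[prev], snaps[cur]).items()}
    out["cumulative"] = len(cumulative_unique(records))
    return out


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG, ["2007-08-18", "2007-09-18"]).items():
        print(key, value)
```

On the constructed sample the two daily snapshots contain 4 and 5 unique IPs with only 2 in common, while the cumulative count across both days is 7, larger than either snapshot. That is the post's point in miniature: a cumulative figure gathered over weeks keeps every IP that has since been cleaned or taken offline, so it measures history rather than the population active at any moment.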

This Peacomm snapshot was mapped based on the geo-location of the involved IP addresses, and an interesting image developed. It seemed that English-speaking countries were most affected by the Peacomm activity. This could be because the majority of Peacomm spam is delivered in the English language, but that is conjecture; it has not been verified and other factors are definitely involved. (Note: the markers on the map below represent groups of IP addresses that are related geographically.)

[Map: geographic distribution of the Peacomm snapshot IPs; image not reproduced here.]

I am sure that the debate about the Peacomm network size will rage on for some time, but I feel that we have to maintain some degree of sensibility before hysteria-inducing claims, such as "Storm worm more powerful than top supercomputers," can be proclaimed. Given the nature of Peacomm, an exact size metric is difficult to derive, although it is important that this is known. Peacomm presents an interesting enigma with regards to the size of the network. On one hand, many researchers (including myself) agree that it is indeed a large network given the sophistication of Peacomm. On the other hand, the Peacomm network is impacted by daily bot losses as computers are disinfected or taken offline. My initial research suggests that the network is smaller than some think, leading me to believe that, at least currently, the Peacomm network size is closer to the more conservative estimates that are being published.
