An EU agency is asking for new ways to calculate botnet threats because it believes estimates of botnet sizes are generally exaggerated because of a lack of reliable data and because the larger estimates will bring more financial support for security measures.
Size doesn't mean everything
when trying to determine how dangerous a botnet is, and new metrics are needed
to provide more accurate estimates, according to a European security agency.
Security researchers often
estimate the size and scope of a botnet to describe the army of zombie machines
ready to launch malicious attacks at the will of their masters. However, these
figures are inaccurate because there is a lot of incentive to exaggerate,
according to a research report released March 9 by the
ENISA (European Network and Information Security Agency)
The study examined the
reliability of botnet size estimates and noted that some of the best-known
botnets were estimated to have several million compromised machines. Most
commonly reported estimates for Conficker ranged from 7 million to 9 million,
over 13 million for Mariposa, and 30 million in Bredolab, the report said.
"As big numbers imply big
threats, therefore high attention, there is a significant incentive for
overestimation," the report said.
ENISA conducted two parallel
studies to collectively evaluate the botnet threat and to assess the
effectiveness of existing countermeasures. The studies were published at a
security conference in Cologne, Germany. The report's main findings were
distilled into a Question-and-Answer format to address the "10 Tough Questions"
Giles Hogben, the report's
editor, said the number
of infected machines
inside a botnet is usually extrapolated from samples
collected, but there is often no explanation of the steps taken to reach a
given estimate of botnet sizes. Methodologies that count IP addresses with
infected traffic are not an accurate representation, Hogben said in his report.
In the analysis of the Torpig botnet by University of California, Santa Barbara,
researchers found 1.2 million hosts based on unique IP addresses, compared with
the much smaller 180,000, based on unique bot identifiers.
The report also said the
chances of receiving financial support strongly correlated with the level of
threat implied by the large size of the botnet. As a result, organizations have
an incentive to publicize the inflated number, Hogben said.
Even small botnets can cause
severe damage, if the malware was sophisticated enough, Hogben said in the
Estimates of the total
annual global economic loss as a result of malicious botnet activities exceed
$10 billion, the report found.
"A shift in the
motivation for the creation of malicious software has led to a financially oriented
underground economy of criminals acting in cyber-space," the report said.
The ENISA report points out
that relying too much on botnet size may lead to organizations misallocating
security resources, by investing in defenses they don't need or by not
investing in technologies they do need.
The other half of the report
focused on recommendations on tactics that can be used to mitigate the botnet
threat. They included financial incentives for Internet service providers for
detection efforts, and to support customers with their malware defenses.
Another recommendation in the report suggested a "Good Samaritan Law" to
encourage individuals to take actions against botnets. However, the law would
have to be written in a way to discourage cyber-vigilantism, the report said.