Botnet Sizes Exaggerated to Gain More Funding for Defenses: Survey

An EU agency is asking for new ways to calculate botnet threats because it believes estimates of botnet sizes are generally exaggerated because of a lack of reliable data and because the larger estimates will bring more financial support for security measures.

Size doesn't mean everything when trying to determine how dangerous a botnet is, and new metrics are needed to provide more accurate estimates, according to a European security agency.

Security researchers often estimate the size and scope of a botnet to describe the army of zombie machines ready to launch malicious attacks at the will of their masters. However, these figures are inaccurate because there is a lot of incentive to exaggerate, according to a research report released March 9 by theENISA (European Network and Information Security Agency).

The study examined the reliability of botnet size estimates and noted that some of the best-known botnets were estimated to have several million compromised machines. Most commonly reported estimates for Conficker ranged from 7 million to 9 million, over 13 million for Mariposa, and 30 million in Bredolab, the report said.

"As big numbers imply big threats, therefore high attention, there is a significant incentive for overestimation," the report said.

ENISA conducted two parallel studies to collectively evaluate the botnet threat and to assess the effectiveness of existing countermeasures. The studies were published at a security conference in Cologne, Germany. The report's main findings were distilled into a Question-and-Answer format to address the "10 Tough Questions" about botnets.

Giles Hogben, the report's editor, said the number of infected machines inside a botnet is usually extrapolated from samples collected, but there is often no explanation of the steps taken to reach a given estimate of botnet sizes. Methodologies that count IP addresses with infected traffic are not an accurate representation, Hogben said in his report. In the analysis of the Torpig botnet by University of California, Santa Barbara, researchers found 1.2 million hosts based on unique IP addresses, compared with the much smaller 180,000, based on unique bot identifiers.

The report also said the chances of receiving financial support strongly correlated with the level of threat implied by the large size of the botnet. As a result, organizations have an incentive to publicize the inflated number, Hogben said.

Even small botnets can cause severe damage, if the malware was sophisticated enough, Hogben said in the report.

Estimates of the total annual global economic loss as a result of malicious botnet activities exceed $10 billion, the report found.

"A shift in the motivation for the creation of malicious software has led to a financially oriented underground economy of criminals acting in cyber-space," the report said.

The ENISA report points out that relying too much on botnet size may lead to organizations misallocating security resources, by investing in defenses they don't need or by not investing in technologies they do need.

The other half of the report focused on recommendations on tactics that can be used to mitigate the botnet threat. They included financial incentives for Internet service providers for detection efforts, and to support customers with their malware defenses. Another recommendation in the report suggested a "Good Samaritan Law" to encourage individuals to take actions against botnets. However, the law would have to be written in a way to discourage cyber-vigilantism, the report said.