
SANS ISC: The Number of Machines Controlled by Botnets Has Jumped 4x in Last 3 Months SANS ISC InfoSec Forums


I was perusing some of the data put out by the Shadowserver Foundation that tracks botnets. One piece of information grabbed my eye, namely that over the last 3 months, the number of infected machines quadrupled. During the same time period, there isn't an appreciable increase in new malware, new viruses or anything that would obviously indicate why this is so. I imagine that the bad guys have gotten better about keeping machines owned, but there is one vector that we need to get much better about tracking and managing, and that's direct web-based malware. The timing, very roughly, coincides with when we started to see increased SQL injection attacks against webservers (mind you, this is an educated guess that SQL injections are a big part of this, not a statement of fact). We are very good at tracking email-based malware (including the lead-the-user-to-the-bad-website variety) and certainly network-based attacks. Short of spidering the web on a consistent basis, it gets difficult to find infected sites for that malware. We at the ISC, and I'm sure many others, are working on ways to honeypot pure web-based attacks to capture this malware, but much work is left to be done.

It's one of the disadvantages of operating in a reactive fashion: we are behind the power curve for some time until we figure out a way to approach something close to parity.

John Bambenek
bambenek /at/ gmail \dot\ com


262 Posts
ISC Handler
Sep 1st 2008
Or does this spike mostly or in part reflect that for approximately the same period of time, college and high school students were on summer break? If so, apparently an idle mind is the devil's workshop.

57 Posts
It also coincides with the email campaign they've been pursuing since June. (Not that I'm discounting, mind you.)
