[funsec] 2007 Year-End Growth of More Than 200% for The Storm Botnet

Paul Ferguson fergdawg at netzero.net
Thu Jan 3 16:57:04 CST 2008


Thorsten Holz writes on the Honeyblog:

[snip]

The picture illustrates the success rate of the botnet: The x-axis shows
the date, starting a few days before Christmas and ending today. The y-axis
represents the number of infected machines within Stormnet, the "encrypted"
part of the botnet in which the actual communication is XORed with a 40
byte key.

As you can see, the first days before Christmas the size of the botnet was
around 5-14 thousand infected machines. However, just around Christmas the
size grows again due to successful infections and new victims which fell
for the social engineering mails. For now, the botnet has peaked at about
40 thousand infected machines being online at a time.

Moreover, the picture also shows a clear diurnal pattern: many infected
hosts are located in the US and these machines are turned off during the
night, leading to fewer online machines within the botnet.

[snip]

More here:
http://honeyblog.org/archives/156-Measuring-the-Success-Rate-of-Storm-Worm.html

Storm really is the Energizer Bunny of botnets. ;-)

- ferg



--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/
