
Top Botnets Control One Million Hijacked Computers

Gregg Keizer, Computerworld


'Fingerprinting' Botnets

To bring some order to the competing, often contradictory claims about which botnets are on the rise and which are on the skids, Stewart first "fingerprinted" each botnet. "There are enough differences to the SMTP 'fingerprints' for each botnet that we could separate them pretty accurately," he said.

Individual bots implement SMTP (Simple Mail Transfer Protocol) with minor variations, Stewart said. By developing network-based signatures, he was able to differentiate the collections.

He also estimated the size of each botnet by taking a one-day spam traffic sample from that bot -- the sample derived from SecureWorks' client base -- and then extrapolating with probabilistic counting methods to come up with a botnet total. Stewart said that past data collected from control server logs confirmed this estimating technique as "fairly accurate."
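The fingerprinting idea described above, as an added example that is not from the article or from SecureWorks: sessions logged at a mail gateway are reduced to a tuple of client-side SMTP quirks, and distinct sending IPs are grouped by that tuple. The session data, the feature choices and the function names `helo_arg_kind`, `fingerprint` and `cluster` are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: client-side command lines of SMTP sessions as a mail
# gateway might log them. Addresses use documentation ranges; the quirks are
# invented for illustration and describe no real botnet.
SESSIONS = [
    ("192.0.2.10", ["HELO localhost", "MAIL FROM:<a@example.com>",
                    "RCPT TO:<u@example.org>", "DATA", "QUIT"]),
    ("192.0.2.11", ["HELO localhost", "MAIL FROM:<b@example.com>",
                    "RCPT TO:<v@example.org>", "DATA", "QUIT"]),
    ("192.0.2.10", ["HELO localhost", "MAIL FROM:<c@example.com>",
                    "RCPT TO:<w@example.org>", "DATA", "QUIT"]),
    ("198.51.100.5", ["EHLO [198.51.100.5]", "MAIL FROM: <d@example.com>",
                      "RCPT TO: <u@example.org>", "DATA"]),
    ("198.51.100.6", ["EHLO [198.51.100.6]", "MAIL FROM: <e@example.com>",
                      "RCPT TO: <v@example.org>", "DATA"]),
    ("203.0.113.7", ["helo mail.example.net", "mail from:<f@example.com>",
                     "rcpt to:<u@example.org>", "data", "quit"]),
]

def helo_arg_kind(arg):
    """Classify the HELO/EHLO argument by form, not by value."""
    if re.fullmatch(r"\[\d{1,3}(\.\d{1,3}){3}\]", arg):
        return "ip-literal"
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", arg):
        return "bare-ip"
    return "fqdn" if "." in arg else "single-label"

def fingerprint(lines):
    """Reduce one session's client commands to a tuple of implementation quirks."""
    greet_verb, _, greet_arg = lines[0].partition(" ")
    verbs = [re.split(r"[ :]", line, maxsplit=1)[0] for line in lines]
    casing = ("upper" if all(v.isupper() for v in verbs)
              else "lower" if all(v.islower() for v in verbs) else "mixed")
    mail = next((l for l in lines if l.upper().startswith("MAIL FROM:")), "")
    return (greet_verb.upper(), helo_arg_kind(greet_arg.strip()), casing,
            "space" if mail[10:11] == " " else "nospace",   # space after "FROM:"
            "quit" if verbs[-1].upper() == "QUIT" else "noquit")

def cluster(sessions):
    """Map each fingerprint to the set of distinct source IPs that produced it."""
    groups = defaultdict(set)
    for ip, lines in sessions:
        groups[fingerprint(lines)].add(ip)
    return dict(groups)

if __name__ == "__main__":
    for fp, ips in cluster(SESSIONS).items():
        print(fp, len(ips), "distinct senders in sample")
```

The per-fingerprint figure here is only the number of distinct senders seen in the sample; the probabilistic extrapolation to a botnet total that the article mentions is not reproduced.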

The whole idea, he added, was to make it easier for everyone to keep track of the most dangerous botnets. "I hope this lets other researchers classify and track botnets better," said Stewart. "Bobax, for instance, flew under the radar for over two years because of confusion. It was still around, but [anti-virus] vendors stopped recognizing [the malware]."

End users should get something out of his work, too. "I think it matters a lot to end users what a botnet's called. They go to look for information, perhaps after they've been infected, and all they have is that it's 'agentxyz.'" But unless everyone is on the same page, that "agentxyz" may simply be a new alias. "Then they'd find hardly any information on what it is or what data it may be after. They won't have a clear picture.

"I hope this trickles down to end users," Stewart concluded.

Computerworld
For more enterprise computing news, visit Computerworld. Story copyright © 2007 Computerworld Inc. All rights reserved.
