Where do they get these botnet numbers?

Submitted by Mike Rothman on Wed, 2006-08-23 09:23.

The old saying goes: "Lies, Damn Lies, and Statistics." From my time on the vendor side, I can tell you that statistics make great news pegs, but the data is usually not worth much. Case in point from an article I saw this morning: "Botnets spike in wake of Windows flaw."

Bill Brenner of SearchSecurity quotes CipherTrust research numbers here claiming that the number of new "bots" spawned by the Mocbot worm has increased 23% in the past week. I say that's hogwash. Why? Because CipherTrust only sees spam bots. The real number of new bots could be considerably more, or considerably less. And these bots could be caused by a number of things, not just Mocbot.

Heresy you say? Especially considering I still own CipherTrust stock (for the next two weeks or so until the SCUR deal closes). I don't think so.

This quote from the story says it all: "Much of this increase can be attributed to the spam originating from the new zombies unleashed by the Mocbot worm." Huh? If they know this, I want these guys picking stocks for me. Obviously they have a kick-ass crystal ball.

CipherTrust makes a number of assumptions here that I'm not sure hold up.

  1. They assume that all new zombies are the result of Mocbot - so basically every other attack vector that turns unsuspecting machines into spam bots has gone away?

  2. They assume every zombie is a spam bot - Again, CipherTrust only sees devices that are new senders of spam. They make the assumption that those are bots. That may or may not be true. They also assume that there are no zombies out there doing other things, which I know is not the case.

Maybe I just disagree with the terminology, but I don't know how new spam sender = bot. I also don't understand how they can pinpoint that Mocbot is the source of all these zombies.

Maybe there are good answers for this, and if so I have no doubt I'll hear from some of my friends. But I've always said that you can make numbers sing, and lots of vendors do that to generate PR.

End users should take these numbers with a grain of salt, unless they help you get an important project funded anyway.