On Mon, Feb 19, 2007 at 02:04:13PM +0000, Simon Waters wrote:
> I simply don't believe the higher figures bandied about in the discussion for compromised hosts. Certainly Microsoft's malware team report a high level of trojans around, but they include things like the Jar files downloaded onto many PCs, that attempt to exploit a vulnerability that most people patched several years ago. Simply identifying your computer downloaded (as designed), but didn't run (because it was malformed), malware, isn't an infection, or of especial interest (other than indicating something about the frequency with which webservers attempt to deliver malware).
I don't understand why you don't believe those numbers. The estimates that people are making are based on externally-observed known-hostile behavior by the systems in question: they're sending spam, performing SSH attacks, participating in botnets, controlling botnets, hosting spamvertised web sites, handling phisher DNS, etc. They're not based on things like mere downloads or similar. As Joe St. Sauver pointed out to me, "a million compromised systems a day is quite reasonable, actually (you can track it by rsync'ing copies of the CBL and cumulating the dotted quads over time)". So I'm genuinely baffled. I'd like someone to explain to me why this seems implausible.

BTW #1: I'm not asserting that my little January experiment is the basis for such an estimate. It's not. It wasn't intended to be, otherwise I would have used a very different methodology.

BTW #2: All of this leaves open an important and likely-unanswerable question: how many systems are compromised but not as yet manifesting any external sign of it? Certainly any competent adversary would hold a considerable fraction of its forces in reserve. (If it were me, that fraction would be at least "the majority".)

---Rsk
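The measurement Joe St. Sauver describes above (keep daily copies of a blocklist and accumulate the distinct addresses over time) is easy to reproduce on any DNSBL or feed you can snapshot. The script below is an added illustration, not code from the thread or from the CBL project: it parses a few constructed daily snapshots (one dotted quad per line, with comments and junk lines mixed in), and reports the per-day count, the addresses first seen that day, and the running total of distinct addresses, which is the "cumulated dotted quads" figure the quote refers to. The snapshot format and the dates are assumptions for the example.

```python
from ipaddress import ip_address

# Constructed daily snapshots standing in for rsync'd copies of a blocklist.
# Keys are ISO dates; values are the file contents on that day (sample data,
# RFC 5737 documentation addresses, not real listings).
SNAPSHOTS = {
    "2007-02-01": "192.0.2.10\n192.0.2.11\n198.51.100.5\n",
    "2007-02-02": "# header line\n192.0.2.11\n198.51.100.5\n203.0.113.7\n\n",
    "2007-02-03": "192.0.2.10\n203.0.113.8\nnot-an-ip\n2001:db8::1\n",
}


def parse_snapshot(text):
    """Return the set of valid IPv4 addresses in one snapshot.

    Blank lines, '#' comments, malformed tokens and IPv6 entries are skipped,
    so a corrupt or partially transferred copy does not poison the tally.
    """
    addrs = set()
    for line in text.splitlines():
        token = line.split("#", 1)[0].strip()   # drop trailing comments
        if not token:
            continue
        try:
            addr = ip_address(token)
        except ValueError:
            continue                            # garbage line, ignore
        if addr.version == 4:
            addrs.add(str(addr))
    return addrs


def cumulate(snapshots):
    """Walk the snapshots in date order and accumulate distinct addresses.

    Returns a list of (date, listed_today, first_seen_today, cumulative_unique)
    tuples. 'listed_today' is the size of that day's list; 'cumulative_unique'
    is the number of distinct addresses seen on any day so far.
    """
    seen = set()
    rows = []
    for day in sorted(snapshots):               # ISO dates sort chronologically
        today = parse_snapshot(snapshots[day])
        new_today = today - seen
        seen |= today
        rows.append((day, len(today), len(new_today), len(seen)))
    return rows


if __name__ == "__main__":
    print(f"{'date':<12}{'listed':>8}{'new':>6}{'cumulative':>12}")
    for day, listed, new, cum in cumulate(SNAPSHOTS):
        print(f"{day:<12}{listed:>8}{new:>6}{cum:>12}")
```

The gap between "listed today" and "cumulative" is the point of the technique: a list that shows roughly the same size every day can still be churning through a far larger population of hosts, and only the running union exposes that.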