Terry Zink's Cyber Security Blog

Discussing Internet security in (mostly) plain English

United States is the most bot-infected country. Right?


A couple of days ago, Threatpost posted an article indicating that the United States is the most bot-infected country:

The U.S. has by far the highest number of bot-infected computers of any country in the world, with nearly four times as many infected PCs as the country in second place, Brazil, according to a new report by Microsoft. The quarterly report on malicious software and Internet attacks shows that while some of the major botnets have been curtailed in recent months, the networks of infected PCs still represent a huge threat.

The data on botnets, published in Microsoft's Security Intelligence Report for the first half of 2010, paints a somewhat bleak picture of the botnet landscape. Between January and June of this year, Microsoft cleaned more than 6.5 million machines worldwide of bot infections, which represents a 100 percent increase in bot infections from the same period in 2009. This increase comes at a time when there is more attention than ever focused on the botnet problem, both by security researchers and law-enforcement agencies around the world.

Microsoft measures botnet infections by counting the number of machines that are cleaned of bots by using the company's Malicious Software Removal Tool (MSRT). The Microsoft data obviously does not show a complete picture of bot infections across the entire Internet, but gives a snapshot of the infection problem on the machines the company monitors.

I think that Microsoft’s mechanism of measuring bot infections is a good one, not necessarily because it is the most accurate but because it represents the most complete snapshot of botnet statistics. Because Microsoft Windows is installed on so many computers worldwide and because so many users across the world call home to the MSRT, Microsoft is able to collect a very large snapshot of data. Whereas there are a lot of competing A/V vendors out there who collect intelligence, none of them has quite the footprint that Microsoft has with the MSRT. Similarly, ISPs collect data on bots, but most ISPs only operate within one country. Going by this data, the United States does indeed have the most bots in the world. (The Microsoft Malware Protection team maps specific botnets to MSRT removals, so the data snapshot does not count all types of malware, only malware associated with bots.)

However, while the United States has the most bots, it does not have the most bots per capita. To determine the rate of infections, the MSRT also tracks a metric called CCM, or Computers Cleaned per Thousand executions of the MSRT (the M comes from the Latin word for thousand, which is mille). If we go by this metric to find which country is the worst in terms of per-capita bot infections, then the United States is tied for seventh with Brazil, which is number two in terms of total number of bots. Ahead of the US and Brazil are (1) South Korea, (2) Spain, (3) Mexico, (4) Colombia, (5) Portugal and (6) Saudi Arabia. These align somewhat with my statistics on countries of origin for the worst spamming regions sending spam to Forefront Online. Looking at the list of worst countries by CCM, South Korea makes sense because it is one of the worst botnet countries that send spam (according to my stats). Spain is the origin of the Mariposa botnet. Indeed, four of the top five countries are Spanish-speaking (Portuguese is similar to Spanish). The only one that doesn’t make sense to me is Saudi Arabia.

What if we measured bots as a proportion of each country’s Internet user base? For example, if the US has 100 computer users and 50 bots, while Brazil has 50 computer users and 48 bots, then while the US has more bots in absolute numbers, Brazil clearly has a much worse botnet problem because nearly its entire user base is part of a botnet.

I will take the top 8 countries and convert the numbers that way, using the number of Internet users given in the CIA fact book. The countries’ order for bots per Internet user is then the following, with (1) being the worst and (8) being the best:

  1. Portugal – 3.96
  2. Spain – 3.45
  3. Mexico – 2.96
  4. South Korea – 2.36
  5. United States – 2.36 (before rounding, the US is lower than South Korea)
  6. Brazil – 1.99
  7. Saudi Arabia – 1.56
  8. Colombia – 1

In the numbers above, for every 1 Internet user in Colombia that is infected with a bot, there are 3.96 users in Portugal who are.  You can see that the bot problem in Portugal is running much hotter than in other countries, and in Spain as well.  This possibly corresponds to the Mariposa botnet (where several criminals were arrested earlier this year).

Viewing the data this way, we can see that while there are more bots in the United States than in any other country, the problem is not as widespread as in others. So the statement that the US has the most bots depends on how you look at the problem. However, the bot problem in the US is definitely worse than in many other developed nations including Canada, the UK, France, Japan or even China! Why is the problem in the United States as bad as it is? Is it cultural? Greater non-compliance in applying software patches? Higher rates of software piracy? A greater ability to measure bot cleanings in the US than in other countries (i.e., more users in the US dial home to the MSRT than in other countries)? Clearly, the US is lagging far behind many other industrialized countries. Is there an explanation for this?

  • In the U.S., Linux also has the weakest market penetration among post-industrial countries. This fact alone contributes a bit to the botnet stats. But obviously, both facts also grade the technical literacy of the average user. Not to be rude, but that's what it says. However, it might help if that statistic went into detail about city vs countryside infestation.

  • @mario

    Linux only appears secure because it isn't being used in the same numbers as Windows. If the market penetration goes up, exploits WILL appear for *nix systems. Also, Win7 and Vista have much, much better security features compared to WinXP, which a large number of users are still running. A breakdown by OS for botnet infections would likely reveal more on this.
