How long it takes for a botnet to die

Virus Tracker is in operation since September 2012. We have more than 1 billion infection records in our database and keep all historical data. All the important botnets are in our system – including APTs such as Stuxnet, Flame, APT1, including banking Trojans such as Sinowal, MultiBanker, many ZeuS, SpyEye botnets, UrlZone, ZeuS Gameover and other bigger botnets like ZeroAccess and Sality.

Therefore we have a quite good understanding of how long it takes for botnets to die. Everytime there is a takedown (whether just legal or just technical nature) of a botnet we can monitor its impact in the following weeks. If there is no takedown and the criminals abandoned their botnet we also see a natural infection reduction – the cause to that is that antiviruses remove the infections and people simply reinstall their OS or get rid of their old computer.

Let’s have a look at some examples:

The first one is Sinowal. It had at peak 99.104 active infections per day. In December the operators apparently abandoned their botnet. On 11/27/2013 it had 33.268 infections dropping down within 7 months to yesterday 7/2/2014 to 14.273 infections. That’s an average monthly reduction (not taking negative compound interest into account of the calculation) of roughly 8.15%.

Sinowal

Next we see Conficker (blue) and ZeroAccess (red). For ZeroAccess there was the Microsoft takedown in December 2013 (peak 871.965 infections on 11/21/2013) and as you can see the botnet decreases day per day. Conficker was at peak 1.624.271 infections on the day 6/5/2013 and went down within a year now to roughly 1 million active infections per day.

Conficker and ZeroAccess

The last sample is ZeuS Gameover. There was the FBI, Europol & friends takedown. At peak we have seen 141.432 infections on 3/26/2014. Starting with 5/12/2014 (3 weeks before the takedown was publicly announced) we start to see a massive drop.

ZeuS Gameover

Info regarding the measurement ‘unique active infections per day’: Some other AVs/researchers often claim that botnet X has this million or hundred thousands of infections, though they take often unique IPs per 48 hours, 7 days or even longer. As dynamic IPs for end-customers are typically reallocated within 24 hours such numbers are not representative. In the entire Virus Tracker system we only use unique IPs per day (even though multiple infection can be behind 1 single IP), which is the only measurement that actually makes sense. Claiming a botnet would have “2 million infections” would wrongly create the impression that a botnet master could direct 2 million machines at a time to attack (i.e. ddos) a server, though in reality even if the botnet would have 1 million infections per day there would be roughly only 50k-100k bots online at a time.