What Does Relative Zombie Strength Mean?

If you’ve looked at our daily report of the Top 40 Botted ISPs, you’ll see a column labeled RZS, which is short for Relative Zombie Strength. What does that mean, and how is it measured? Good questions!

Once we began accumulating data from our botnet sensor network, we wanted to share this data about zombie activity in some meaningful way. We started to investigate how others converted their botnet data into “real” numbers. Very few places report hard numbers in terms of a count of infected computers, a count of botnet C&Cs, etc… Those that do report hard numbers rely on some “fudge factor” to arrive at them.

The Conficker Working Group has been tracking the Conficker botnet since it appeared about a year ago.  At the time I write this, the working group estimates a little over 6 million infections as part of the Conficker botnet.  But wait!  When they discuss Population Numbers further up the screen, they say:

The daily numbers should represent the potential maximum level of the infection, but in previous test cases usually prove to be much less than that maximum. So, take the range of 25% to 75% of the values that we display as the possible infection population and you will be close to the real value. And yes, this is a very large range, and you can see why we do not like to quote any numbers for infection populations, and why you will see very high and low numbers get quoted regularly depending on the purpose of the person making the quote.

In other words, by their estimation, the number of infected computers ranges from 1.6 million to 4.2 million computers.

So you see, when it comes to counting zombie computers, reporting hard numbers is not an easy thing to do.  Each sensor network sees only a very small percentage of internet traffic and has to extrapolate from that to the Internet as a whole.  If you can claim to extrapolate exact numbers from your sensor network and keep a straight face, may I suggest a career in politics?

Faced with this counting challenge, we decided to show the zombie activity of an ISP relative to all the other ISPs out there. We report the Top 40 ISPs by amount of zombie activity each day. If ISP A has an RZS of 6.2 and ISP B has an RZS of 62, then you can conclude that ISP B has approximately 10 times the zombie activity of ISP A.
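As an added illustration (not code from this post, and not how the daily report actually computes RZS), here is one way to turn constructed sensor observations into a relative scale with the property described above. The ISP names and addresses are made up, and pinning the busiest ISP of the day to 100 is an assumption.

```python
from collections import defaultdict

def make_records(day, isp, prefix, count, repeats=1):
    """Build constructed sensor observations: (day, source IP, ISP).
    repeats > 1 models the same zombie hitting the sensors more than once."""
    return [(day, f"{prefix}.{i}", isp)
            for i in range(1, count + 1) for _ in range(repeats)]

# Constructed sample data (documentation address ranges, hypothetical ISP names).
DAY = "2009-11-30"
SENSOR_RECORDS = (
    make_records(DAY, "ISP-A", "198.51.100", 2, repeats=3)    # 2 zombies, 6 hits
    + make_records(DAY, "ISP-B", "203.0.113", 20)             # 20 zombies
    + make_records(DAY, "ISP-C", "192.0.2", 5, repeats=2)     # 5 zombies, 10 hits
    + make_records("2009-11-29", "ISP-A", "198.51.100", 9)    # previous day, ignored
)

def unique_zombies_per_isp(records, day):
    """Count distinct source IPs per ISP for one day. Counting distinct IPs
    rather than raw hits stops one chatty zombie from inflating its ISP."""
    seen = defaultdict(set)
    for rec_day, src_ip, isp in records:
        if rec_day == day:
            seen[isp].add(src_ip)
    return {isp: len(ips) for isp, ips in seen.items()}

def relative_zombie_strength(counts):
    """Scale per-ISP counts onto a relative axis. Assumption: the busiest ISP
    of the day is pinned to 100 and the rest are proportional, which keeps the
    property the post describes (RZS 62 vs 6.2 means about 10x the activity)."""
    if not counts:
        return {}
    peak = max(counts.values())
    return {isp: round(100.0 * n / peak, 1) for isp, n in counts.items()}

def top_botted_isps(records, day, n=40):
    """Daily Top-N table: (ISP, distinct zombies, RZS), busiest first."""
    counts = unique_zombies_per_isp(records, day)
    rzs = relative_zombie_strength(counts)
    ranked = sorted(counts, key=lambda isp: (-counts[isp], isp))
    return [(isp, counts[isp], rzs[isp]) for isp in ranked[:n]]

if __name__ == "__main__":
    for isp, zombies, score in top_botted_isps(SENSOR_RECORDS, DAY):
        print(f"{isp:8} zombies={zombies:3d} RZS={score:6.1f}")
```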

- Paul -
