Botnet losing ground
Virus Watch, August 29 2007
Over the last couple of weeks we've been closely following the behaviour of a botnet with a C&C (command and control) center based on a popular web-based engine.
We waited for it to grow (see previous posts) and it was interesting to see the increase in the number of infected machines. And now the scale of the botnet is shrinking.
Today the botnet was made up of 6000 zombies, even though a week and a half ago there were more than 14 000! What happened? We took a look and found that there's a significant difference between the total number of infections and the actual number of infected machines.
Let's take a look at the zombie network stats that we got today:

Subtract "GENERAL NUMBER BOTS" from "GENERAL NUMBER OF INFECTIONS" and there's a difference of about 10 000. This means the botnet is losing its bots!
Now let's compare the very same stats with the ones that we captured while the botnet was still growing:

The difference between "GENERAL NUMBER OF INFECTIONS" and "GENERAL NUMBER BOTS" is less than 500!
These differences are explained by the fact that AV companies have been busy detecting the malicious files that were used to create the botnet. It took several days before all AV vendors detected the files. During this time bots were detected and removed from PCs, which is why the botnet is losing its clients. And every day, as more and more users update their AV databases, the botnet continues to lose ground...
1 comment
2011 Nov 04, 16:55
How can I denounce a botnet? I'd like to know how a botnet can be denounced. How can I input an IP address of a botnet that attacks my mail server, for example?