In 2009, European security agencies estimated a botnet assembled using the Torpig malware program formed an army 1,200,000 client computers strong, lurking in the darkness, waiting to steal bank account and credit card data from its victims.
After researchers managed to take over the 'net for 10 days, they counted the number of infected machines according to the unique identifiers used by the botnet itself, rather than the IP addresses that had been used to extrapolate the original number of 1.2 million.
The real number was 180,000 machines, which turned out to be plenty to be a big player in what has become a $10 billion per year criminal industry.
Not that a botnet with 180,000 slaved PCs launching spam, DDoS or other attacks wouldn't normally be considered a big risk; it's just that security agencies in the U.S. and Europe focus most of their time, and spend the bulk of their hundreds of millions of budget dollars, on big numbers rather than necessarily the most imminent threats, according to a pair of reports due to be published tomorrow by the European Union's IT security agency.
Most agencies count IP addresses and from there how many 'bots are likely to still be infected and available at any given time.
That looks good on paper, but overestimates the numbers and risk, which is an advantage for agencies fighting with other government agencies for budgets and authority, according to the European Network and Information Security Agency (ENISA).
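As an added illustration of the counting difference the reports describe, the script below runs a small sinkhole census two ways: once over source IP addresses and once over the bot's own unique identifier. It is not code from ENISA or from the Torpig researchers; the log format, the bot-ID field and the sample lines are constructed assumptions, written so that a few bots change address daily (DHCP churn) while two others share one NAT address.

```python
"""Sinkhole census: distinct IP addresses vs distinct bot identifiers.

Added example (assumed log format, not any agency's real data).
Each record is "<ISO timestamp> <source IP> <bot ID>".
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: b1..b3 get a new address every day (DHCP churn),
# b4 and b5 sit behind the same NAT address, b6 checks in once.
SAMPLE_LOG = """\
2009-02-01T08:00:00Z 198.51.100.10 b1
2009-02-01T08:05:00Z 198.51.100.11 b2
2009-02-01T08:07:00Z 198.51.100.12 b3
2009-02-01T09:00:00Z 203.0.113.7 b4
2009-02-01T09:01:00Z 203.0.113.7 b5
2009-02-02T08:00:00Z 198.51.100.20 b1
2009-02-02T08:05:00Z 198.51.100.21 b2
2009-02-02T08:07:00Z 198.51.100.22 b3
2009-02-02T09:00:00Z 203.0.113.7 b4
2009-02-02T09:01:00Z 203.0.113.7 b5
2009-02-03T08:00:00Z 198.51.100.30 b1
2009-02-03T08:05:00Z 198.51.100.31 b2
2009-02-03T08:07:00Z 198.51.100.32 b3
2009-02-03T09:00:00Z 203.0.113.7 b4
2009-02-03T10:00:00Z 192.0.2.99 b6
"""


def parse_sinkhole_log(text):
    """Parse log text into (timestamp, ip, bot_id) tuples; reject malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"malformed sinkhole record: {line!r}")
        ts, ip, bot_id = parts
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, bot_id))
    return records


def census(records):
    """Compare the IP-based estimate with the identifier-based count.

    distinct_ips       -- what an IP-only census reports (inflated by churn)
    distinct_bot_ids   -- the real infected population, by the bot's own ID
    peak_daily_bots    -- the largest number of distinct bots seen in one day,
                          i.e. how many are actually available at once
    shared_ips         -- addresses hiding more than one bot (NAT); an IP
                          census undercounts these
    """
    ips = {ip for _, ip, _ in records}
    bots = {bot for _, _, bot in records}
    bots_per_day = defaultdict(set)
    bots_per_ip = defaultdict(set)
    for ts, ip, bot in records:
        bots_per_day[ts.date()].add(bot)
        bots_per_ip[ip].add(bot)
    peak = max((len(s) for s in bots_per_day.values()), default=0)
    return {
        "distinct_ips": len(ips),
        "distinct_bot_ids": len(bots),
        "peak_daily_bots": peak,
        "shared_ips": sum(1 for s in bots_per_ip.values() if len(s) > 1),
        "ip_overcount_factor": round(len(ips) / len(bots), 2) if bots else 0.0,
    }


if __name__ == "__main__":
    for key, value in census(parse_sinkhole_log(SAMPLE_LOG)).items():
        print(f"{key:>20}: {value}")
```

On the constructed sample the IP census reports 11 machines while only 6 bot identifiers ever appear and at most 5 are active on any one day, so the address-based figure overstates the population by roughly 1.8x even before the NAT address is taken into account. Real sinkhole data adds a further caveat: identifiers are only as trustworthy as the bot's own code, so a strain that regenerates its ID on every check-in would inflate the second count the same way churn inflates the first.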
By one estimate, the botnet the hacktivist group Anonymous used to take down Visa's site used fewer than 1,000 client machines, according to Giles Hogben, an expert program manager for security applications and services at ENISA.
The intentions and financial backing of botnet creators have changed over the years as organized crime took over from the hacktivists, online anarchists and show-offs who built botnets to further their personal goals.
The money behind them is better and the programming efforts are more serious, while the ISPs through which they infect their victims remain marginal players, often with inadequate security, the reports concluded.
Malware, in other words, is a lot smarter and more effective than most of the countermeasures (if any) arrayed against it.
The second study, which focuses on detection, measurement and defense against botnets, recommends more specific laws against international cybercrime and more cooperation among law enforcement agencies.
It also recommended government funding of ISPs that would allow even marginal players to build and maintain anti-botnet security measures focused on neutralizing existing 'nets, preventing new infections and minimizing the potential of effective botnets to crack their targets cost-effectively.
Otherwise, botnets will continue to develop their own little economy and increase their sophistication to the point that one botnet will create others, to isolate the creators from blame, and the botnets themselves will become agents for hire rather than an instrument of their creators.
That way criminals or political extremists who can get money but don't know how to build their own botnets can just rent what they need -- funding the botnet industry even further.
That is already happening, but not nearly as often, or to the extent, that the report predicts could be the case in a few years.
Without coordinated, persistent responses -- by law enforcement, ISPs, corporations and the consumers whose PCs are being co-opted -- slowing the botnets will be difficult or impossible, the reports concluded.