Post-Mortem of a Zombie: Conficker Cleanup After Six Years

Hadi Asghari, Michael Ciere, and Michel J.G. van Eeten, Delft University of Technology

https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/asghari

This paper is included in the Proceedings of the 24th USENIX Security Symposium, August 12–14, 2015, Washington, D.C. ISBN 978-1-931971-232. Open access to the Proceedings of the 24th USENIX Security Symposium is sponsored by USENIX.

Abstract

Research on botnet mitigation has focused predominantly on methods to technically disrupt the command-and-control infrastructure. Much less is known about the effectiveness of large-scale efforts to clean up infected machines. We analyze longitudinal data from the sinkhole of Conficker, one of the largest botnets ever seen, to assess the impact of what has been emerging as a best practice: national anti-botnet initiatives that support large-scale cleanup of end user machines. It has been six years since the Conficker botnet was sinkholed. The attackers have abandoned it. Still, nearly a million machines remain infected. Conficker provides us with a unique opportunity to estimate cleanup rates, because there are relatively few interfering factors at work. This paper is the first to propose a systematic approach to transform noisy sinkhole data into comparative infection metrics and normalized estimates of cleanup rates. We compare the growth, peak, and decay of Conficker across countries. We find that institutional differences, such as ICT development or unlicensed software use, explain much of the variance, while the national anti-botnet centers have had no visible impact. Cleanup seems even slower than the replacement of machines running Windows XP. In general, the infected users appear outside the reach of current remediation practices.
Some ISPs may have judged the neutralized botnet an insufficient threat to merit remediation. These machines can, however, be magnets for other threats — we find an overlap between GameoverZeus and Conficker infections. We conclude by reflecting on what this means for the future of botnet mitigation.

1 Introduction

For years, researchers have been working on methods to take over or disrupt the command-and-control (C&C) infrastructure of botnets (e.g. [14, 37, 26]). Their successes have been answered by the attackers with ever more sophisticated C&C mechanisms that are increasingly resilient against takeover attempts [30].

In pale contrast to this wealth of work stands the limited research into the other side of botnet mitigation: cleanup of the infected machines of end users. After a botnet is successfully sinkholed, the bots or zombies basically remain waiting for the attackers to find a way to reconnect to them, update their binaries and move the machines out of the sinkhole. This happens with some regularity. The recent sinkholing attempt of GameoverZeus [32], for example, is more a tug of war between attackers and defenders than a definitive takedown action. The bots that remain after a takedown of C&C infrastructure may also attract other attackers, as these machines remain vulnerable and hence can be re-compromised.

To some extent, cleanup of bots is an automated process, driven by anti-virus software, software patches and tools like Microsoft's Malicious Software Removal Tool, which is included in Windows' automatic update cycle. These automated actions are deemed insufficient, however. In recent years, wide support has been established for the idea that Internet Service Providers (ISPs) should contact affected customers and help them remediate their compromised machines [39, 22]. This shift has been accompanied by proposals to treat large-scale infections as a public health issue [6, 8].
As part of this public health approach, we have seen the emergence of large-scale cleanup campaigns, most notably in the form of national anti-botnet initiatives. Public and private stakeholders, especially ISPs, collaborate to notify infected end users and help them clean their machines. Examples include Germany's Anti-Botnet Advisory Center (BotFrei), Australia's Internet Industry Code of Practice (iCode), and Japan's Cyber Clean Center (CCC, superseded by ACTIVE) [27].

Setting up large-scale cleanup mechanisms is cumbersome and costly. This underlines the need to measure whether these efforts are effective. The central question of this paper is: What factors drive cleanup rates of infected machines? We explore whether the leading national anti-botnet initiatives have increased the speed of cleanup. We answer this question via longitudinal data from the sinkhole of Conficker, one of the largest botnets ever seen.

Conficker provides us with a unique opportunity to study the impact of national initiatives. It has been six years since the vulnerability was patched and the botnet was sinkholed. The attackers basically abandoned it years ago, which means that infection rates are driven by cleanup rather than attacker countermeasures. Still, nearly a million machines remain infected (see figure 1). The Conficker Working Group, the collective industry effort against the botnet, concluded in 2010 that remediation had been a failure [7].

Before one can draw lessons from sinkhole data, or from most other data sources on infected machines, several methodological problems have to be overcome. This paper is the first to systematically work through these issues, transforming noisy sinkhole data into comparative infection metrics and normalized estimates of cleanup rates. For this research, we were generously given access to the Conficker sinkhole logs, which provide a unique long-term view into the life of the botnet.
The dataset runs from February 2009 until September 2014, and covers all countries — 241 ISO codes — and 34,000 autonomous systems. It records millions of unique IP addresses each year — for instance, 223 million in 2009, and 120 million in 2013. For this paper, we focus on bots located in 62 countries.

In sum, the contributions of this paper are as follows:

1. We develop a systematic approach to transform noisy sinkhole data into comparative infection metrics and normalized estimates of cleanup rates.

2. We present the first long-term study on botnet remediation.

3. We provide the first empirical test of the best practice exemplified by the leading national anti-botnet initiatives.

4. We identify several factors that influence cleanup rates across countries.

Figure 1: Conficker bots worldwide

2 Background

2.1 Conficker timeline and variants

In this section we will provide a brief background on the history of the Conficker worm, its spreading and defense mechanisms, and some milestones in the activities of the Conficker Working Group.

The Conficker worm, also known as Downadup, was first detected in November 2008. The worm spread by exploiting vulnerability MS08-067 in Microsoft Windows, which had just been announced and patched. The vulnerability affected all versions of Microsoft Windows at the time, including server versions. A detailed technical analysis is available in [29]. Briefly put, infected machines scanned the IP space for vulnerable machines and infected them in a number of steps. To be vulnerable, a machine needed to be unpatched and online, with its NetBIOS ports open and not behind a firewall. Remarkably, a third of all machines had still not installed the patch by January 2009, a few months after its availability [11]. Consequently, the worm spread at an explosive rate.

The malware authors released an update on December 29, 2008, which was named Conficker-B. The update added new methods of spreading, including via infected USB devices and shared network folders with weak passwords. This made the worm propagate even faster [7].

Infected machines communicated with the attackers via an innovative, centralized system. Every day, the bots attempted to connect to 250 new pseudo-randomly generated domains under eight different top-level domains. The attackers needed to register only one of these domains to reach the bots and update their instructions and binaries. Defenders, on the other hand, needed to block all these domains, every day, to disrupt the C&C.

Another aspect of Conficker was the use of intelligent defense mechanisms that made the worm harder to remove. It disabled Windows updates, popular anti-virus products, and several Windows security services. It also blocked access to popular security websites [29, 7].

Conficker continued to grow, causing alarm in the cybersecurity community about the potential scale of attacks, even though the botnet had not yet been very active at that point. In late January, the community — including Microsoft, ICANN, domain registries, anti-virus vendors, and academic researchers — responded by forming the Conficker Working Group [7, 31]. The most important task of the working group was to coordinate and register or block all the domains the bots would use to communicate, staying ahead of the Conficker authors. The group was mostly successful in neutralizing the botnet and disconnecting it from its owners; however, small errors were made on two occasions in March, allowing the attackers to gain access to part of the botnet population and update them to the C variant.

The Conficker-C variant had two key new features: the number of pseudo-randomly generated domains was increased to 50,000 per day, distributed over a hundred different TLDs, and a P2P update protocol was added. These features complicated the work of the working group.
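The daily domain-generation scheme described above can be illustrated with a minimal sketch. This is not Conficker's actual reverse-engineered algorithm; the hashing scheme and TLD list below are placeholders chosen purely for illustration.

```python
import hashlib
from datetime import date

# Illustrative TLD list: Conficker-A/B used eight TLDs and 250 domains
# per day, but the real generation algorithm differs from this sketch.
TLDS = ["com", "net", "org", "info", "biz", "ws", "cn", "cc"]

def daily_domains(day, count=250):
    """Derive a deterministic list of pseudo-random domains from the date.

    Because the list depends only on the date, bots and defenders compute
    the same names, which is why the Working Group could pre-register or
    block the domains each day.
    """
    domains = []
    for i in range(count):
        seed = f"{day.isoformat()}-{i}".encode()
        label = hashlib.sha256(seed).hexdigest()[:10]  # 10-char hostname
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains
```

The asymmetry follows directly: the botmaster needs to register only one name from the day's list, while defenders must cover all of them, every day. Conficker-C's jump to 50,000 domains over a hundred TLDs magnified exactly this defensive burden.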
On April 9, 2009, Conficker-C bots upgraded to a new variant that included a scareware program which sold fake anti-virus at prices between $50–$100. The fake anti-virus program, probably a pay-per-install contract, was purchased by close to a million unwitting users, as was later discovered. This use of the botnet prompted law enforcement agencies to increase their efforts to pursue the authors of Conficker.1 Eventually, in 2011, the U.S. Federal Bureau of Investigation, in collaboration with police in several other countries, arrested several individuals associated with this $72-million scareware ring [21, 19].

1 Microsoft also set a $250,000 bounty for information leading to arrests.

2.2 National anti-botnet centers

Despite the successes of the cybersecurity community in neutralizing Conficker, a large number of infected machines still remained. This painful fact was recognized early on; in its 'Lessons Learned' document from 2010, the Conficker Working Group reported remediation as its top failure [7]. Despite being inactive, Conficker remains one of the largest botnets. As recently as June 2014, it was listed as the #6 botnet in the world by anti-virus vendor ESET [9]. This underlines the idea that neutralizing the C&C infrastructure in combination with automated cleanup tools will not eradicate the infected machines; some organized form of cleanup is necessary.

During the past years, industry and regulatory guidelines have been calling for increased participation of ISPs in cleanup efforts. For instance, the European Network and Information Security Agency [1], the Internet Engineering Task Force [22], the Federal Communications Commission [10], and the Organization for Economic Cooperation and Development [27] have all called upon ISPs to contact infected customers and help them clean up their compromised machines. The main reason for this shift is that ISPs can identify and contact the owners of the infected machines, and provide direct support to end users. They can also quarantine machines that do not get cleaned up. Earlier work has found evidence that ISP mitigation can significantly impact end user security [40].

Along with this shift of responsibility towards ISPs, some countries have established national anti-botnet initiatives to support the ISPs and end users in cleanup efforts. The setup is different in each country, but typically it involves the collection of data on infected machines (from botnet sinkholes, honeypots, spamtraps, and other sources); notifying ISPs of infections within their networks; and providing support for end users, via a website and sometimes a call-center.

A number of countries have been running such centers, often as part of a public-private partnership. Table 1 lists the countries with active initiatives in late 2011, according to an OECD report [27]. The report also mentions the U.S. and U.K. as developing such initiatives. The Netherlands is listed as having 'ISP-specific' programs, for at that time, KPN and Ziggo — the two largest ISPs — were heading such programs voluntarily [39].2 Finland, though not listed, has been a leader with consistently low infection rates for years. It has had a notification and cleanup mechanism in place since 2005, as part of a collaboration between the national CERT, the telco regulator and main ISPs [20, 25].

COUNTRY       INITIATIVE
Australia     Internet Industry Code of Practice (iCode)
Germany       German Anti-Botnet Initiative (BotFrei)
Ireland       Irish Anti-Botnet Initiative
Japan         Cyber Clean Center / ACTIVE
Korea         KrCERT/CC Anti-Botnet Initiative
Netherlands   Dutch Anti-Botnet Initiative (Abuse-Hub)

Table 1: List of countries with anti-botnet initiatives [27]

2 It has now been replaced by a wider initiative involving all main providers and covering the bulk of the broadband market.

At the time of writing, other countries are starting anti-botnet centers as well. In the EU alone, seven new national centers have been announced [2]. These will obviously not impact the past cleanup rates of Conficker, but they do underwrite the importance of empirically testing the efficacy of this mitigation strategy.

Figure 2 shows the website of the German anti-botnet advisory center, botfrei. The center was launched in 2010 by eco, the German Internet industry association, and is partially funded by the German government. The center does three things. First, it identifies users with infected PCs. Second, it informs the infected customers via their ISPs. Third, it offers cleanup support, through a website — with free removal tools and a forum — and a call center [17]. The center covers a wide range of malware, including Conficker. We should mention that eco staff told us that much of the German Conficker response took place before the center was launched.

Figure 2: The German Anti-Botnet Advisory Center website - botfrei.de

In their own evaluations, the center reports successes in terms of the number of users visiting its website, the number of cleanup actions performed, and overall reductions in malware rates in Germany. Interestingly enough, a large number of users visit botfrei.de directly, without being prompted by their ISP. This highlights the impact of media attention, as well as the demand for proactive steps among part of the user population.

We only highlight Germany's botfrei program as an example. In short, one would expect countries running similar anti-botnet initiatives to have higher cleanup rates of Conficker bots. This, we shall evaluate.

2.3 Related Work

Similar to other botnets, much of the work on the Conficker worm has focused predominantly on technical analysis, e.g., [29]. Other research has studied the worm's outbreak and modeled its infection patterns, e.g., [42], [16], [33] and [41]. There have also been a few studies looking into the functioning of the Working Group, e.g., [31]. None of this work looks specifically at the issue of remediation. Although [33] uses the same dataset as this paper to model the spread of the worm, their results are skewed by the fact that they ignore DHCP churn, which is known to cause errors in infection rates of up to one order of magnitude for some countries [37].

This paper also connects to the literature on botnet mitigation, specifically to cleanup efforts. This includes the industry guidelines we discussed earlier, e.g., [1], [27], [10] and [22], as well as academic work that tries to model different mitigation strategies, e.g., [6], [18] and [13]. We contribute to this discussion by bringing longitudinal data to bear on the problem and empirically evaluating one of the key proposals to emanate from this literature. This expands some of our earlier work. In a broader context, a large body of research focuses on other forms of botnet mitigation, e.g., [14, 37, 26, 30], modeling worm infections, e.g., [35, 44, 43, 28], and challenges in longitudinal cybersecurity studies. For the sake of brevity we will not cite more works in these areas here, except for works used in other sections.

3 Methodology

Answering the central research question requires a number of steps. First, we set out to derive reliable estimates of the number of Conficker bots in each country over time. This involves processing and cleaning the noisy sinkhole data, as well as handling several measurement issues. Later, we use the estimates to compare infection trends in various countries, identify patterns and specifically see if countries with anti-botnet initiatives have done any better. We do this by fitting a descriptive model to each country's time-series of infection rates. This provides us with a specific set of parameters, namely the growth rate, the peak infection level, and the decay rate. We explore a few alternative models and opt for a two-piece model that accurately captures these characteristics. Lastly, to answer the central question, we explore the relationship between the estimated parameters and a set of explanatory variables.

3.1 The Conficker Dataset

The Conficker dataset has four characteristics that make it uniquely suited for studying large-scale cleanup efforts. First, it contains the complete record of one sinkholed botnet, making it less convoluted than for example spam data, and with far fewer false positives. Second, it logs most of the population on a daily basis, avoiding limitations from seeing only a sample of the botnet. Third, the dataset is longitudinal and tracks a period of almost six years. Many sinkholes used in scientific research typically cover weeks rather than months, let alone six years. Fourth, most infection data reflects a mix of attacker and defender behavior, as well as different levels (global & local). This makes it hard to determine what drives a trend — is it the result of attacker behavior, defender innovation, or just randomness? Conficker, however, was neutralized early on, with the attackers losing control and abandoning the botnet. Most other global defensive actions (e.g., patching and sinkholing) were also done in early 2009. Hence, the infection levels in our dataset predominantly reflect cleanup efforts. These combined attributes make the Conficker dataset excellent for studying the policy effects we are interested in.

Raw Data

Our raw data comes from the Conficker sinkhole logs. As explained in the background section, Conficker bots used an innovative centralized command and control infrastructure.
The bots seek to connect to a number of pseudo-random domains every day, and ask for updated instructions or binaries from their masters. The algorithm that generates this domain list was reverse engineered early on, and various teams, including the Conficker Working Group, seized legal control of these domains. The domains were then 'sinkholed': servers were set up to listen and log every attempt to access the domains. The resulting logs include the IP address of each machine making such an attempt, timestamps, and a few other bits of information.

Processing Sinkhole Logs

The raw logs were originally stored in plain text, before adoption of the nmsg binary format in late 2010. The logs are huge; a typical hour of logs in January 2013 is around half a gigabyte, which adds up to tens of terabytes per year. From the raw logs we extract the IP address, which in the majority of cases will be a Conficker A, B, or C bot (the sinkholed domains were not typically used for other purposes). Then, using the MaxMind GeoIP database [23] and an IP-to-ASN database based on Routeviews BGP data [4], we determine the country and Autonomous System that this IP address belonged to at that moment in time. We lastly count the number of unique IP addresses in each region per hour.

With some exceptions, we capture most Conficker bots worldwide. The limitations are due to sinkhole downtime; logs for some sinkholed domains not being handed over to the working group [7]; and bots being behind an egress firewall, blocking their access to the sinkhole. None of these issues, however, creates a systematic bias, so we may treat them as noise.

After processing the logs we have a dataset spanning from February 2009 to September 2014, covering 241 ISO country codes and 34,000 autonomous systems. The dataset contains approximately 178 million unique IP addresses per year. In this paper we focus on bots located in 62 countries, which were selected as follows. We started with the 34 members of the Organization for Economic Cooperation and Development (OECD), and 7 additional members of the European Union which are not part of the OECD. These countries have a common development baseline, and good data is available on their policies, making comparison easier. We add to this list 23 countries that rank high in terms of Conficker or spam bots — cumulatively covering 80 percent of all such bots worldwide. These countries are interesting from a cybersecurity perspective. Finally, two countries were removed due to severe measurement issues affecting their bot counts, which we will describe later. The full list of countries can be seen in figure 8 or in the appendix.

3.2 Counting bots from IP addresses

The Conficker dataset suffers from a limitation that is common among most sinkhole data and other data on infected machines, such as spam traps, firewall logs, and passive DNS records: one has to use IP addresses as a proxy for infected machines. Earlier research has established that IP addresses are coarse unique identifiers and can be off by one order of magnitude in a matter of days [37], because of differences in the dynamic IP address allocation policies of providers (so-called DHCP churn). Simply put, because of dynamic addresses, the same infected machine can appear in the logs under multiple IP addresses. The higher the churn rate, the more over-counting.

Figure 3: Unique IP counts over various time-periods

Figure 3 visualizes this problem. It shows the count of unique Conficker IP addresses in February 2011 over various time periods — 3 hours, 12 hours, one day, up to a week. We see an interesting growth curve, non-linear at the start, then linear. Not all computers are powered on at every point in time, so it makes sense to see more IP addresses in the sinkhole over longer time periods.
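As an aside, the per-hour unique-IP tallying described under Processing Sinkhole Logs can be sketched as follows. The log line format, field order, and the dictionary-based IP-to-country lookup are simplified assumptions; the actual pipeline parses nmsg records and uses the MaxMind GeoIP and Routeviews databases.

```python
from collections import defaultdict
from datetime import datetime

def hourly_unique_ips(log_lines, ip_to_country):
    """Count unique IPs per (country, hour) from simplified sinkhole logs.

    Each line is assumed to look like '2013-01-15T04:12:09 192.0.2.10';
    ip_to_country stands in for a GeoIP lookup.
    """
    seen = defaultdict(set)  # (country, hour) -> set of IP addresses
    for line in log_lines:
        ts, ip = line.split()
        # Truncate the timestamp to the hour so repeat check-ins within
        # the same hour collapse onto one entry.
        hour = datetime.fromisoformat(ts).replace(minute=0, second=0)
        country = ip_to_country.get(ip, "??")
        seen[(country, hour)].add(ip)
    return {key: len(ips) for key, ips in seen.items()}
```

Averaging these hourly counts per country yields the churn-resistant metric used in our comparisons: the absolute value under-counts the bot population, but scale-invariant quantities such as cleanup rates are unaffected.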
However, between the 6th and 7th day, we have most likely seen most infected machines already. The new IP addresses are unlikely to be new infections, as the daily count is stable over the period. The difference is thus driven by infected machines reappearing with a new IP address. The figure shows IP address counts for the Netherlands and Germany. From qualitative reports we know that IP churn is relatively low in the Netherlands — an Internet subscriber can retain the same IP address for months — while in Germany the address typically 5 USENIX Association 24th USENIX Security Symposium  5 changes every 24 hours. This is reflected in the figure: the slope for Germany is much steeper. Should one ignore the differences in churn rates among countries, and simply count unique IP addresses over a week, then a severe bias will be introduced against countries such as Germany. Using shorter time periods, though leading to under-counting, decreases this bias.3 We settle for this simple solution: counting the average number of unique IPs per hour, thereby eliminating the churn factor. This hourly count will be a fraction of the total bot count, but that is not a problem when we make comparisons based on scale-invariant measures, such as cleanup rates. Network Address Translation (NAT) and the use of HTTP proxies can also cause under-counting. This is particularly problematic if it happens at the ISP level, leading to large biases when comparing cleanup policies. After comparing subscriber numbers with IP address space size in our selection of countries, we concluded that ISP-level NAT is widely practiced in India. As we have no clear way of correcting such cases, we chose to exclude India from our analysis. 3.3 Figure 4: Conficker bots versus broadband subscribers slightly fluctuate, but a sudden decrease in infected machines followed by a sudden return of infections to the previous level is highly unlikely. 
The interested reader is referred to the appendix to see the individual graphs for all the countries with the outliers removed.4 3.4 Missing measurements Normalizing bot counts by country size Countries with more Internet users are likely to have more Conficker bots, regardless of remediation efforts. Figure 4 illustrates this. It thus makes sense to normalize the unique IP counts by a measure of country size; in particular if one is to compare peak infection rates. One such measure is the size of a country’s IP space, but IP address usage practices vary considerably between countries. A more appropriate denominator and the one we use is the number of Internet broadband subscribers. This is available from a number of sources, including the Worldbank Development Indicators. The Conficker dataset has another problem that is also common: missing measurements. Looking back at figure 1, we see several sudden drops in bot counts, which we highlighted with dotted lines. These drops are primarily caused by sinkhole infrastructure downtime — typically for a few hours, but at one point even several weeks. These measurement errors are a serious issue, as they only occur in one direction and may skew our analysis. We considered several approaches to dealing with them. One approach is to model the measurement process explicitly. Another approach is to try and minimize the impact of aberrant observations by using robust curve-fitting methods. This approach adds unnecessary complexity and is not very intuitive. A third option is to pre-process the data using curve smoothing techniques; for instance by taking the exponentially weighted rolling average or applying the Hodrick-Prescott filter. Although not necessarily wrong, this also adds its own new biases as it changes data. The fourth approach, and the one that we use, is to detect and remove the outliers heuristically. 
For this purpose, we calculate the distance between each weekly value in the global graph with the rolling median of its surrounding two months, and throw out the top 10%. This works because most bots log in about once a day, so the IP counts of adjacent periods are not independent. The IP count may increase, decrease, or 4 4.1 Modeling Infections Descriptive Analysis Figure 5 shows the Conficker infection trends for Germany, United States, France, and Russia. The x-axis is time; the y-axis is the average number of unique IP addresses seen per day in the sinkhole logs, corrected for churn. We observe a similar pattern: a period of rapid growth; a plateau period, where the number of infected machines peaks and remains somewhat stable for a short or longer amount of time; and finally, a period of gradual decline. What explains these similar trends among countries, and in particular, the points in time where the changes 3 Ideally, we would calculate a churn rate — the average number of IPs per bot per day — and use that to generate a good estimate of the actual number of bots. That is not an easy task, and requires making quite a number of assumptions. 4 An extreme case was Malaysia, where the length of the drops and fluctuations spanned several months. This most likely indicates country-level egress filtering, prompting us to also exclude Malaysia from the analysis. 6 6  24th USENIX Security Symposium USENIX Association ery are locked in dynamic equilibrium. The size of the infected population reaches a plateau. In the final phase, the force of recovery takes over, and slowly the number of infections declines towards zero. Early on in our modeling efforts we experimented with a number of epidemic models, but eventually decided against them. Epidemic models involve a set of latent compartments and a set of differential equations that govern the transitions between them — see [12] for an extensive overview. 
Most models make a number of assumptions about the underlying structure of the population and the propagation mechanism of the disease. The basic models for instance assume constant transition rates over time. Such assumptions might hold to an acceptable degree in short time spans, but not over six years. The early works applying these models to the Code Red and Slammer worms [44, 43] used data spanning just a few weeks. One can still use the models even when the assumptions are not met, but the parameters cannot be then easily interpreted. To illustrate: the basic Kermack-McKendrick SIR model fits our data to a reasonable degree. However, we know that this model assumes no reinfections, while Conficker reinfections were a major problem for some companies [24]. More complex models reduce assumptions by adding additional latent variables. This creates a new problem: often when solved numerically, different combinations of the parameters fit the data equally well. We observed this for some countries with even the basic SIR model. Such estimates are not a problem when the aim is to predict an outbreak. But they are showstoppers when the aim is to compare and interpret the parameters and make inferences about policies. Figure 5: Conficker trends for four countries occur on the graphs? At first glance, one might think that the decline is set off by some event — for instance, the arrest of the bot-masters, or a release of a patch. But this is not the case. As previously explained, all patches for Conficker were released by early 2009, while the worm continued spreading after that. This is because most computers that get infected with Conficker are “unprotected” — that is, they are either unpatched or without security software, in case the worm spreads via weak passwords on networks shares, USB drives, or domain controllers. The peak in 2010 – 2011 is thus the worm reaching some form of saturation where all vulnerable computers are infected. 
In the case of business networks, administrators may have finally gotten the worm's reinfection mechanisms under control [24].

Like the growth phase and the peak, the decline also cannot be directly explained by external attacker behavior. Arrests related to Conficker occurred in mid-2011, while the decline started earlier. In addition, most of the botnet was already out of the attackers' control. What we are seeing appears to be a 'natural' process of the botnet. Infections may have spread faster in some countries, and cleanups may have been faster in others, but the overall patterns are similar across all countries.

4.2 Epidemic Models

It is often proposed in the security literature to model malware infections like epidemics of infectious diseases, e.g. [28, 44]. The analogy is that vulnerable hosts get infected and start infecting other hosts in their vicinity; at some later point they are recovered or removed (cleaned, patched, upgraded or replaced). This leads to multiple phases, similar to what we see for Conficker: in the beginning, each new infection increases the pressure on vulnerable hosts, leading to an explosive growth. Over time, fewer and fewer vulnerable hosts remain to be infected. This leads to a phase where the force of new infections and the force of recovery reach a balance, after which the number of infections declines.

4.3 Our Model

For the outlined reasons, we opted for a simple descriptive model. The model follows the characteristic trend of infection rates, provides just enough flexibility to capture the differences between countries, and makes no assumptions about the underlying behavior of Conficker. It merely describes the observed trends in a small set of parameters. The model consists of two parts: a logistic growth that ends in a plateau, followed by an exponential decay. Logistic growth is a basic model of self-limiting population growth, where the rate of growth is first proportional to the size of the existing population and then declines as the natural limit is approached (the seminal work of Staniford et al. [35] also used logistic growth). In our case, this natural limit is the number of vulnerable hosts. Exponential decay corresponds to a daily decrease of the number of Conficker bots by a fixed percentage.

Figure 6: Conficker bots per subscriber on a logarithmic scale for (from top to bottom) Russia, Belarus, Germany

Figure 6 shows the number of infections per subscriber over time for three countries on a logarithmic scale. We see a downward-sloping straight line in the last phase that corresponds to an exponential decay: the botnet shrank by a more or less constant percentage each day. We do not claim that the assumptions underpinning the logistic growth and exponential decay models are fully satisfied, but in the absence of knowledge of the exact dynamics, their simplicity seems the most reasonable approach.

The model allows us to reduce the time series data for each country to these parameters: (1) the infection rate in the growth phase, (2) the peak number of infections, (3) the time at which this peak occurred, and (4) the exponential decay rate in the declining phase. We will fit our model on the time series for all countries, and then compare the estimates of these parameters. Mathematically, our model is formulated as follows:

\[
\text{bots}(t) =
\begin{cases}
\dfrac{K}{1 + e^{-r(t - t_0)}} & \text{if } t < t_P \\[6pt]
H e^{-\gamma(t - t_P)} & \text{if } t \geq t_P
\end{cases}
\tag{1}
\]

where bots(t) is the number of bots at time t, t_P is the time of the peak (where the logistic growth transitions to exponential decay), and H the height of the peak. The logistic growth phase has growth rate r, asymptote K, and midpoint t_0. The parameter γ is the exponential decay rate. The height of the peak is identified by the other parameters:

\[
H = \frac{K}{1 + e^{-r(t_P - t_0)}}
\]

Alternative models: We tried fitting models from epidemiology (e.g. the SIR model) and reliability engineering (e.g. the Weibull curve), but they did not do well in such cases, and adjusted R² values were lower for almost all countries. Additionally, for a number of countries, the parameter estimates were unstable. Figure 7 illustrates why: our model's distinct phases capture the height of the peak and the exponential decay more accurately.

Figure 7: Comparison of alternative models

4.4 Inspection of Model Fit

We fit the curves using the Levenberg-Marquardt least squares algorithm with the aid of the lmfit Python module. The results are point estimates; standard errors were computed by lmfit by approximating the Hessian matrix at the point estimates. With these standard errors we computed Wald-type confidence intervals (point estimate ± 2 s.e.) for all parameters. These intervals have no exact interpretation in this case, but provide some idea of the precision of the point estimates. The reader can find plots of the fitted curves for all 62 countries in the appendix. The fits are good, with R² values all between 0.95 and 1.

Our model is especially effective for countries with sharp peaks, that is, the abrupt transitions from growth to decay that can be seen in Hungary and South Africa, for example. For some countries, such as Pakistan and Ukraine, we have very little data on the growth phase, as they reached their peak infection rate around the time sinkholing started. For these countries we will ignore the growth estimates in further analysis. By virtue of our two-phase model, the estimates of the decay rates are unaffected by this issue.

We note that our model is deterministic rather than stochastic; that is, it does not account for one-time shocks in cleanup that lead to a lasting drop in infection rates. Nevertheless, we see that the data follows the fitted exponential decay curves quite closely, which indicates that bots get cleaned up at a constant rate and non-simultaneously.[5]

[5] The exception is China: near the end of 2010 we see a massive drop in Conficker infections. After some investigation, we found clues that this drop might be associated with a sudden spurt in the adoption of IPv6 addresses, which are not directly observable to the sinkhole.

5 Findings

fections in other networks than those of the ISPs, as we know that the ABIs focus mostly on ISPs. This explanation fails, however, as can be seen in figure 2. The majority of the Conficker bots were located in the networks of the retail ISPs in these countries, compared to educational, corporate or governmental networks. This pattern held in 2010, the year of peak infections, and in 2013, the decay phase, with one minor deviation: in the Netherlands, cleanup in ISP networks was faster than in other networks.

5.1 Country Parameter Estimates

Figure 8 shows the parameter estimates and their precision for each of the 62 countries: the growth rate, peak height, time of the peak, and the decay rate. The variance in the peak number of infections is striking: between as little as 0.01% to over 1% of Internet broadband subscribers; the median is 0.1%. It appears that countries with high peaks tend to also have high growth rates, though we have to keep in mind that the growth rate estimates are less precise, because the data does not fully cover that phase. Looking at the peak height, it seems that it is not associated with low cleanup rates. For example, Belarus (BY) has the highest decay rate, but a peak height well above the median. The timing of the peaks is distributed around the last weeks of 2010. Countries with earlier peaks are mostly countries with higher growth rates. This suggests that the time of the peak is simply a matter of when Conficker ran out of vulnerable machines to infect; a faster growth means this happens sooner.
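The two-phase model of equation (1), from which these per-country parameters are estimated, is straightforward to write down directly. The sketch below uses made-up parameter values, not fitted estimates, and also shows how the decay rate reappears as the slope of the straight line seen on the log-scale plots:

```python
import math

# Sketch of the descriptive two-phase model of equation (1); parameter
# values are invented for illustration.

def bots(t, K, r, t0, tP, gamma):
    """Logistic growth up to the peak time tP, exponential decay afterwards."""
    H = K / (1.0 + math.exp(-r * (tP - t0)))  # peak height, identified by
                                              # the growth-phase parameters
    if t < tP:
        return K / (1.0 + math.exp(-r * (t - t0)))
    return H * math.exp(-gamma * (t - tP))

params = dict(K=1.0, r=0.2, t0=30.0, tP=60.0, gamma=0.009)

# On a log scale the decay phase is a straight line, so a least-squares
# slope over post-peak samples recovers -gamma.
ts = list(range(60, 260))
ys = [math.log(bots(t, **params)) for t in ts]
n = len(ts)
mt = sum(ts) / n
my = sum(ys) / n
num = sum((t - mt) * (y - my) for t, y in zip(ts, ys))
den = sum((t - mt) ** 2 for t in ts)
slope = num / den   # approximately -gamma
```

The paper fits both phases jointly with lmfit's Levenberg-Marquardt routine; the log-linear slope here is only meant to make the geometry of the decay phase concrete.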
Hence, it seems unlikely that early peaks indicate successful remediation. The median decay rate estimate is 0.009, which corresponds to a 37% decline per year (100 · (1 − e^(−0.009·52))). In countries with low decay rates (around 0.005), the botnet shrank by 23% per year, versus over 50% per year on the high end.

Figure 8: Parameter estimates and confidence intervals

5.2 National Anti-Botnet Initiatives

We are now in a position to address the paper's central question and to explore the effects of the leading national anti-botnet initiatives (ABIs). In figure 8, we have highlighted the countries with such initiatives as crosses. One would expect that these countries have slower botnet growth, a lower peak height, and especially a faster cleanup rate. There is no clear evidence for any of this; the countries with ABIs are all over the place. We do see some clustering on the lower end of the peak height graphs; however, this position is shared with a number of other countries that are institutionally similar (in terms of wealth, for example) but not running such initiatives. We can formally test whether the population median is equal for the two groups using the Wilcoxon rank-sum test. The p-value of the test when comparing the Conficker decay rate among the two sets of countries is 0.54, which is too large to conclude that the ABIs had a meaningful effect.

It is somewhat surprising, and disappointing, to see no evidence for the impact of the leading remediation efforts on bot cleanup. We briefly look at three possible explanations. The first one is that country trends might be driven by in-

    Country    ISP % 2010    ISP % 2013
    AU         77%           74%
    DE         89%           82%
    FI         73%           69%
    IE         72%           74%
    JP         64%           67%
    KR         83%           87%
    NL         72%           37%
    Others     81%           75%

Table 2: Conficker bots located in retail ISPs

A second explanation might be that the ABIs did not include Conficker in their notification and cleanup efforts. In two countries, Germany and the Netherlands, we were able to contact participants of the ABI. They claimed that Conficker sinkhole feeds were included and sent to the ISPs. Perhaps the ISPs did not act on the data, or at least not at a scale that would impact the decay rate; they might have judged Conficker infections to be of low risk, since the botnet had been neutralized. This explanation might be correct, but it also reinforces our earlier conclusion that the ABIs did not have a significant impact. After all, it implies that the ABIs have failed to get the ISPs and their customers to undertake cleanup at a larger scale.

Given that cleanup incurs costs for the ISP, one could understand a decision to ignore sinkholed and neutralized botnets. On closer inspection, however, this decision seems misguided. If a machine is infected with Conficker, it is in a vulnerable, and perhaps infected, state with respect to other malware as well. Since we had access to the global logs of the sinkhole for GameoverZeus, a more recent and serious threat, we ran a cross comparison of the two botnet populations. We found that, based on common IP addresses, a surprising 15% of all GameoverZeus bots are also infected with Conficker. During six weeks at the end of 2014, the GameoverZeus sinkhole saw close to 1.9 million unique IP addresses; the Conficker sinkhole saw 12 million unique IP addresses; around 284 thousand addresses appear in both lists. Given that both malware types only infected a small percentage of the total population of broadband subscribers, this overlap is surprisingly large.[6] It stands in stark contrast to the findings of a recent study that systematically determined the overlap among 85 blacklists and found that most entries were unique to one list, and that overlap between independent lists was typically less than one percent [34].
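The cross comparison of the two sinkhole feeds amounts to intersecting the sets of observed IP addresses. A minimal sketch with stand-in data (the actual feeds are not reproduced here), alongside the arithmetic for the reported counts:

```python
# Sketch of the sinkhole cross-comparison: the sets below are toy stand-ins
# for the GameoverZeus and Conficker IP address feeds.

def overlap_stats(gameover_ips, conficker_ips):
    """Count of common IPs, and their share of the GameoverZeus population."""
    common = gameover_ips & conficker_ips
    return len(common), len(common) / len(gameover_ips)

# With the counts reported in the text (1.9M GameoverZeus IPs, 284k common),
# the shared fraction works out to roughly 15%:
share = 284_000 / 1_900_000
```

As footnote 6 notes, NAT and DHCP churn can inflate or deflate such an IP-based overlap, which is why the paper also reports the more conservative daily-level comparison.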
In other words, Conficker bots should be considered worthwhile targets for cleanup.

5.3 Institutional Factors

Given that anti-botnet initiatives cannot explain the variation among the country parameters shown in figure 8, we turn our attention to several institutional factors that are often associated with malware infection rates (e.g., see [40]). These are broadband access, unlicensed software use, and ICT development on a national level. In addition, given the spreading mechanism of Conficker, we also look at operating system market shares, as well as PC upgrade cycles. We correlate these factors with the relevant parameters.

[6] The calculated overlap in terms of bots might be inflated as a result of both NAT and DHCP churn. Churn can in this case have both an over-counting and an under-counting effect. Under-counting will occur if one bot appears in the two sinkholes with different IP addresses, as a result of different connection times to the sinkholes. Doing the IP comparisons at a daily level yields a 6% overlap, which is still considerable.

Correlating Growth Rate

Broadband access is often mentioned as a technological enabler of malware; in particular, since Conficker was a worm that initially spread by scanning for hosts to infect, one could expect its growth to be faster in countries with higher broadband speeds. Holding other factors constant, most epidemiological models would also predict faster growth with increased network speeds. This turns out not to be the case. The Spearman correlation coefficient between average national broadband speeds, as reported by the International Telecommunication Union [15], and the Conficker growth rate is in fact negative: -0.30. This is most probably due to other factors confounded with higher broadband speeds, e.g. national wealth.
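The rank correlation used throughout this section (Spearman's rho) is the Pearson correlation computed on ranks, which makes it robust to the skewed distributions of speeds and infection rates. A minimal self-contained sketch with toy data, not the ITU figures themselves:

```python
# Spearman's rank correlation from scratch: rank both series (averaging
# ranks over ties), then take the Pearson correlation of the ranks.

def ranks(xs):
    """1-based average ranks; tied values get the mean of their positions."""
    order = sorted(range(len(xs)), key=lambda i: xs[i])
    r = [0.0] * len(xs)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and xs[order[j + 1]] == xs[order[i]]:
            j += 1
        avg = (i + j) / 2 + 1          # mean rank of the tied block
        for k in range(i, j + 1):
            r[order[k]] = avg
        i = j + 1
    return r

def spearman(xs, ys):
    rx, ry = ranks(xs), ranks(ys)
    n = len(xs)
    mx, my = sum(rx) / n, sum(ry) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(rx, ry))
    vx = sum((a - mx) ** 2 for a in rx) ** 0.5
    vy = sum((b - my) ** 2 for b in ry) ** 0.5
    return cov / (vx * vy)
```

Because only ranks enter the computation, any monotone relationship, linear or not, yields a coefficient near ±1, which suits cross-country comparisons of heavy-tailed quantities.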
In any case, the effects of broadband access and speeds are negligible compared to other factors, and we will not pursue this further.

Correlating Height of Peak

As we saw, there is a wide dispersion between countries in the peak number of Conficker bots. What explains the large differences in peak infection rates?

Operating system market shares: Since Conficker only infects machines running Windows 2000, XP, Vista, or Server 2003/2008, some variation in peak height may be explained by differences in the use of these operating systems (versus Windows 7 or non-Windows systems). We use data from StatCounter Global Stats [36], which is based on page view analytics of some three million websites.

Figure 9: Bots versus XP & Vista use

Figure 9 shows the peak height against the combined Windows XP and Vista market shares in January 2010 (other vulnerable OS versions were negligible). We see a strong correlation, with a Pearson correlation coefficient of 0.55. This in itself is perhaps not surprising. Dividing the peak heights by the XP/Vista market shares gives us estimates of the peak number of infections per vulnerable user; we shall call this metric hp. This metric allows for fairer comparisons between countries, as one would expect countries with higher market shares of vulnerable OS's to harbor more infections regardless of other factors. Interestingly, there is still considerable variation in this metric: the coefficient of variation is 1.2. We investigate two institutional factors that may explain this variation.

ICT development index is an index published by the ITU based on a number of well-established ICT indicators. It allows for benchmarking and measuring the digital divide and ICT development among countries (based on ICT readiness and infrastructure, ICT intensity and use, and ICT skills and literacy [15]). This is obviously a broad indicator, and can indicate the ability to manage cybersecurity risks, including botnet cleanups, among both citizens and firms. Figure 10 shows this metric against hp, and interestingly enough we see a strong correlation.

Unlicensed software use, or piracy rates, are another oft-mentioned factor influencing malware infection rates. In addition to the fact that pirated software might include malware itself, users running pirated OS's often turn off automatic updates, for fear of updates disabling their unlicensed software, even though Microsoft consistently states that it will also ship security updates to unlicensed versions of Windows [38]. Disabling automatic updates leaves a machine open to vulnerabilities, and stops automated cleanups. We use the unlicensed software rates calculated by the Business Software Alliance [5]. This factor also turns out to be strongly correlated with hp, as shown in figure 10.

Figure 10: hp versus ICT development & piracy

Since ICT development and piracy rates are themselves correlated, we use the following simple linear regression to explore their joint association with peak Conficker infection rates:

\[
\log(hp) = \alpha + \beta_1 \cdot \textit{ict-dev} + \beta_2 \cdot \textit{piracy} + \varepsilon
\]

where both regressors were standardized by subtracting the mean and dividing by two standard deviations. We use the logarithm of hp as it is a proportion. The least squares estimates (standard errors) are β̂1 = −0.78 (0.27), p < 0.01, and β̂2 = 1.7 (0.27), p < 0.001. These coefficients can be interpreted as follows: everything else kept equal, countries with low (one sd below the mean) ICT development have e^0.78 = 2.2 times more Conficker bots per XP/Vista user at the peak than countries with high ICT development (one sd above the mean); similarly, countries with high piracy rates (one sd above the mean) have an e^1.7 = 5.5 times higher peak than countries with low piracy rates (one sd below the mean). The R² of this regression is 0.78, which indicates that ICT development and piracy rates explain most of the variation in Conficker peak height.

Although decay rates are less dispersed than peak heights, there are still noticeable differences among countries.
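The conversion used in this paper from a fitted decay rate γ to an annual percentage decline is 100 · (1 − e^(−γ·52)); the factor of 52 implies the fitted rate is per week. The arithmetic can be checked directly:

```python
import math

# Constant-rate exponential decay: over 52 weeks a botnet with weekly decay
# rate gamma shrinks by 100 * (1 - exp(-gamma * 52)) percent.

def annual_decline_pct(gamma, weeks=52):
    return 100.0 * (1.0 - math.exp(-gamma * weeks))

median = annual_decline_pct(0.009)   # the median country: roughly 37% a year
low = annual_decline_pct(0.005)      # the low end: roughly 23% a year
```

Note how slowly an exponential with these rates shrinks: even the median country needs several years to lose most of its bots.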
Correlating Decay Rate

Given the rather slow cleanup rates (the median of 0.009 translates to a 37% decrease in the number of bots after one year), one hypothesis that comes to mind is that perhaps some of the cleanup is being driven by users upgrading their OS's (say, to Windows 7), or buying a new computer and disposing of the old one entirely. For each country we estimated the decay rate of the market share of Windows XP and Vista from January 2011 to June 2013 using the StatCounter Global Stats data. Figure 11 shows these decay rates versus Conficker decay rates. There is a weak correlation between the two, with a Spearman correlation coefficient of 0.26. But more interesting and somewhat surprising is that in many countries, the Conficker botnet shrank at a slower pace than the market share of Windows XP/Vista (all countries below and to the right of the dashed line). Basically, this means that the users infected with Conficker are less likely to upgrade their computers than the average consumer.[7]

[7] This difference between users who remain infected with Conficker and the average user might be more extreme in countries with a higher level of ICT development. This can be observed in the graph.

Figure 11: Conficker decay vs. XP/Vista decay

6 Discussion

We found that the large scale national anti-botnet initiatives had no observable impact on the growth, peak height, or decay of the Conficker botnet. This is surprising and unfortunate, as one would expect Conficker bots to be among those targeted for cleanup by such initiatives. We checked that the majority of bots were indeed located among the networks of ISPs, and also observed that some of these machines have multiple infections. Turning away from the initiatives and to institutional factors that could explain the differences among countries, we observed that the ICT development index and piracy rates can explain 78% of the variation in peak height, even after correcting for OS market shares. We also found that the Conficker cleanup rate is less than the average PC upgrade rate.

Perhaps not all security experts are surprised by these findings. They are nevertheless important in forming effective anti-botnet policies. We presented the research to an audience of industry practitioners active in botnet cleanup. Two North American ISPs commented that they informed their customers about Conficker infections, as part of the ISP's own policy, not a country-level initiative. They stated that some customers repeatedly ignored notifications, while others got re-infected soon after cleanup. Another difficulty was licensing issues that require ISPs to point users to a variety of cleanup tool websites (e.g., on microsoft.com) instead of directly distributing a tool, which complicates the process for some users. Interestingly enough, both ISPs ranked well with regard to the Conficker peak, showing that their efforts did have a positive impact. Their challenges suggest areas for improvement.

Future work in this area can be taken in several directions. One is to test the various parameters against other independent variables, e.g., the number of CERTs, privacy regulation, and other governance indicators. A second avenue is to explore Conficker infection rates at the ISP level versus the country level. A random effects regression could reveal to what extent ISPs in the same country follow similar patterns. We might see whether particular ISPs differ widely from their country baseline, which would be interesting from an anti-botnet perspective. Third, it might be fruitful to contact a number of users still infected with Conficker in a qualitative survey, to see why they remain unaware or unworried about running infected machines. This can help develop new mitigation strategies for the most vulnerable part of the population. Perhaps some infections are forgotten embedded systems, not end users. Fourth, and more broadly, one could conduct research on the challenges identified by the ISPs: notification mechanisms and simplifying cleanup.

7 Conclusion and Policy Implications

In this paper, we tackled the often ignored side of botnet mitigation: large-scale cleanup efforts. We explored the impact of the emerging best practice of setting up national anti-botnet initiatives with ISPs. Did these initiatives accelerate cleanup? The longitudinal data from the Conficker botnet provided us with a unique opportunity to explore this question. We proposed a systematic approach to transform noisy sinkhole data into comparative infection metrics and normalized estimates of cleanup rates. After removing outliers, and by using the hourly Conficker IP address count per subscriber to compensate for a variety of known measurement issues, we modeled the infection trends using a two-part model. We thereby condensed the dataset to three key parameters for each country, and compared the growth, peak, and decay of Conficker across countries.

The main findings were that institutional factors such as ICT development and unlicensed software use have influenced the spread and cleanup of Conficker more than the leading large-scale anti-botnet initiatives. Cleanup seems even slower than the replacement of machines running Windows XP, and thus infected users appear outside the reach of remediation practices. At first glance, these findings seem rather gloomy. The Conficker Working Group, a collective effort against botnets, had noted remediation to be their largest failure [7]. We have now found that the most promising emerging practice to overcome that failure suffers similar problems. So what can be done? Our findings lead us to identify several implications.

First of all, the fact that peak infection levels strongly correlate with ICT development and software piracy suggests that botnet mitigation can go hand in hand with economic development and capacity building. Helping countries develop their ICT capabilities can lower the global impact of infections over the long run. In addition, the strong correlation with software piracy suggests that automatic updates and unattended cleanups are among the strongest tools in our arsenal. This supports policies to enable security updates to install by default, and to deliver them to all machines, including those running unlicensed copies [3].

Second, the fact that long-living bots appear in a reliable dataset, that is, one with few false positives, suggests that future anti-botnet initiatives need to commit ISPs to take action on such data sources, even if the sinkholed botnet is no longer a direct threat. These machines are vulnerable and likely to harbor other threats as well. Tracking these infections will be an important way to measure ISP compliance with these commitments, as well as to incentivize cleanup for those users outside the reach of automated cleanup tools.

Third, given that cleanup is a long-term effort, future anti-botnet initiatives should support, and perhaps fund, the long-term sustainability of sinkholes. This is a necessity if we want ISPs to act on this data. A long-term view is rare in the area of cybersecurity, which tends to focus on the most recent advances and threats. In contrast to C&C takedown, bot remediation needs the mindset of a marathon runner, not a sprinter.

To conclude on a more optimistic note, Finland has been in the marathon longer than basically all other countries. It pays off: they have enjoyed consistently low infection rates for years now. In other words, a long-term view is not only needed, but possible.
Some of these points were also echoed by the ISPs mentioned in section 6.

Acknowledgment

The authors would like to explicitly thank Chris Lee, Paul Vixie and Eric Ziegast for providing us with access to the Conficker sinkhole and supporting our research. We also thank Ning An, Ben Edwards, Dina Hadziosmanovic, Stephanie Forrest, Jan Philip Koenders, Rene Mahieu, Hooshang Motarjem, Piet van Mieghem, Julie Ryan, as well as the participants of Microsoft DCC 2015 and the USENIX reviewers for contributing ideas and providing feedback at various stages of this paper.

References

[1] Botnets: Measurement, detection, disinfection and defence.
[2] Advanced Cyber Defence Centre. Support centers - Advanced Cyber Defence Centre (ACDC).
[3] Anderson, R., Böhme, R., Clayton, R., and Moore, T. Security economics and the internal market.
[4] Asghari, H. Python IP address to autonomous system number lookup module.
[5] Business Software Alliance. BSA global software survey: The compliance gap.
[6] Clayton, R. Might governments clean-up malware? 87-104.
[7] Conficker Working Group. Conficker Working Group: Lessons learned.
[8] EastWest Institute. The internet health model for cybersecurity.
[9] ESET. Global threat report - June 2014.
[10] Federal Communications Commission. U.S. anti-bot code of conduct (ABCs) for internet service providers (ISPs).
[36] StatCounter. Free invisible web tracker, hit counter and web stats.
[11] Goodin, D. Superworm seizes 9m PCs, 'stunned' researchers say.
[37] Stone-Gross, B., Cova, M., Cavallaro, L., Gilbert, B., Szydlowski, M., Kemmerer, R., Kruegel, C., and Vigna, G. Your botnet is my botnet: Analysis of a botnet takeover. In Proceedings of the 16th ACM Conference on Computer and Communications Security, CCS '09, ACM, pp. 635-647.
[12] Heesterbeek, J.
Mathematical epidemiology of infectious diseases: Model building, analysis and interpretation.
[13] Hofmeyr, S., Moore, T., Forrest, S., Edwards, B., and Stelle, G. Modeling internet-scale policies for cleaning up malware. Springer, pp. 149-170.
[38] Tom's Hardware. Microsoft: Pirated Windows 7 will still get updates.
[14] Holz, T., Steiner, M., Dahl, F., Biersack, E., and Freiling, F. C. Measurements and mitigation of peer-to-peer-based botnets: A case study on Storm worm. 1-9.
[39] van Eeten, M. J., Asghari, H., Bauer, J. M., and Tabatabaie, S. Internet service providers and botnet mitigation: A fact-finding study on the Dutch market.
[15] International Telecommunications Union. Measuring the information society.
[40] van Eeten, M. J., Bauer, J. M., Asghari, H., Tabatabaie, S., and Rand, D. The role of internet service providers in botnet mitigation: An empirical analysis based on spam data.
[16] Irwin, B. A network telescope perspective of the Conficker outbreak. In Information Security for South Africa (ISSA), 2012, IEEE, pp. 1-8.
[41] Weaver, R. A probabilistic population study of the Conficker-C botnet. In Passive and Active Measurement, Springer, pp. 181-190.
[17] Karge, S. The German anti-botnet initiative.
[18] Khattak, S., Ramay, N. R., Khan, K. R., Syed, A. A., and Khayam, S. A. A taxonomy of botnet behavior, detection, and defense. 898-924.
[42] Zhang, C., Zhou, S., and Chain, B. M. Hybrid spreading of the internet worm Conficker.
[43] Zou, C. C., Gao, L., Gong, W., and Towsley, D. Monitoring and early warning for internet worms. In Proceedings of the 10th ACM Conference on Computer and Communications Security, ACM, pp. 190-199.
[19] Kirk, J. Ukraine helps disrupt $72M Conficker hacking ring.
[20] Koivunen, E. "Why Wasn't I Notified?": Information security incident reporting demystified, vol. 7127. Springer Berlin Heidelberg, pp. 55-70.
[44] Zou, C.
C., Gong, W., and Towsley, D. Code Red worm propagation modeling and analysis. In Proceedings of the 9th ACM Conference on Computer and Communications Security, ACM, pp. 138-147.
[21] Krebs, B. $72M USD scareware ring used Conficker worm.
[22] Livingood, J., Mody, N., and O'Reirdan, M. Recommendations for the remediation of bots in ISP networks.
[23] MaxMind. GeoIP2 Precision country. https://www.maxmind.com/en/geoip2-precision-country.
[24] Microsoft. Microsoft security intelligence report: How Conficker continues to propagate.
[25] Microsoft. TeliaSonera: European telecom uses Microsoft security data to remove botnet devices from network.
[26] Nadji, Y., Antonakakis, M., Perdisci, R., Dagon, D., and Lee, W. Beheading hydras: Performing effective botnet takedowns. ACM Press, pp. 121-132.
[27] OECD. Proactive policy measures by internet service providers against botnets.
[28] Pastor-Satorras, R., Castellano, C., Van Mieghem, P., and Vespignani, A. Epidemic processes in complex networks.
[29] Porras, P., Saidi, H., and Yegneswaran, V. An analysis of Conficker's logic and rendezvous points.
[30] Rossow, C., Andriesse, D., Werner, T., Stone-Gross, B., Plohmann, D., Dietrich, C., and Bos, H. SoK: P2PWNED - modeling and evaluating the resilience of peer-to-peer botnets. In 2013 IEEE Symposium on Security and Privacy (SP), pp. 97-111.
[31] Schmidt, A. Secrecy versus openness: Internet security and the limits of open source and peer production.
[32] Shadowserver Foundation. GameOver Zeus.
[33] Shin, S., Gu, G., Reddy, N., and Lee, C. P. A large-scale empirical study of Conficker. 676-690.
[34] Spring, J. Blacklist ecosystem analysis.
[35] Staniford, S., Paxson, V., Weaver, N., et al. How to own the internet in your spare time. In USENIX Security Symposium, pp. 149-167.

Appendix - Individual Country Graphs

In this appendix we provide the model fit for all the 62 countries used in the paper. The graphs show the relative number of Conficker bots in each country, as measured by average unique Conficker IP addresses per hour in the sinkhole, divided by broadband subscriber counts for each country. (Please refer to the methodology section for the rationale.) In each graph, the solid line (in blue) indicates the measurement; the dotted line (in gray) is removed outliers; and the smooth solid line (in red) indicates the fitted model. The model has four parameters: the growth and decay rates, given on each graph, and the height and time of peak infections, deducible from the axes. The R² is also given for each country.
1 2010 2011 2012 2013 2014 2010 2011 2012 2013 2014 2010 2011 2012 2013 2014 2010 2011 2012 2013 2014 0.10 0 7 0.16 0.005 EE EG ES FI phig :0078 0.6 7 phig :0174 0-14 phig :0109 phig :0033 0-08 phid =0.010 phid =0.009 0'12 7 phid =0.007 0-004 phid =0.010 132 =09s 0-5 - 132 =095 R2 =097 =095 0.10 0.06 0.4 0.003 0.08 0.3 0.04 006 0.002 0.2 0.04 0.02 0.001 7 0.1 0.02 0.0.000 1 1 1 . 1 2010 2011 2012 2013 2014 2010 2011 2012 2013 2014 2010 2011 2012 2013 2014 2010 2011 2012 2013 2014 0.035 0.035 0.09 0.18 FR GB GR HR 0.030 7 phig =0.083 0.030 7 VW phig =0.073 0'08 phig =0.070 0'16 phig =o.094 phid 20.008 phid 20.008 0.07 7 phid 20.006 0.14 7 phid 20.006 0.025 2 0.025 - 2 2 2 70.97 70.98 006 70.97 012 70.97 0.020 0.020 0.05 0.10 0.015 0.015 0-04 0-08 0.03 0.06 0.010 0.010 I 1 I 0.02 0.04 I 0.005 - 0.005 - 0.01 0.2010 2011 2012 2013 2014 2010 2011 2012 2013 2014 2010 2011 2012 2013 2014 2010 2011 2012 2013 2014 0.25 2.0 0.06 0.phig =0.046 phig =0.232 0.05 7 phig =0.057 MO 7 phi? =0.051 - phid 20.008 1 5 phid 20.009 phid 20.005 phid 20.009 7 2 7 2 7 7 -098 -097 0.04 -095 008 -099 0.15 1.0 0.03 0.06 0.10 0.02 0.04 0.5 0.05 0.01 0.2010 2011 2012 2013 2014 2010 2011 2012 2013 2014 2010 2011 2012 2013 2014 2010 2011 2012 2013 2014 0.8 0.045 0.14 0.025 1 IR IS IT jP 0-7 phi? 20.103 0'0? phi? 20.065 0.12 phi? 20.126 phiy 20.048 as phid :0.016 0.035 7 phid :0005 pm}. :0007 0-020 phid :0.008 :0.96 2 :0.96 0-10 R2 :095 R2 20.96 0.030 . 0.5 0.015 0.025 0-08 0.4 I- 3 0'020 0.010 0.015 04 0.2 0.010 0.005 0.02 7 0-1 I 0.005 . 1 . . 0.000 . 0000 . . 1 . . 2010 2011 2012 2013 2014 2010 2011 2012 2013 2014 2010 2011 2012 2013 2014 2010 2011 2012 2013 2014 USENIX Association 24th USENIX Security Symposium 15 0.20 0.5 0.25 0.035 KR KZ LT LU phig =0.011 phig =0.296 phi! 
=0.146 0.030 7 phig =0.058 0 15 phid :0007 0-4 pm}, :0017 0-20 pm}, 20.012 pm", 20.005 122 =0.97 R2 =0.99 R2 =0.97 0-025 7 R2 =0.89 0.3 0.020 0.10 0.2 0.10 0.015 0.05 0.010 0.1 0.05 0.005 2010 2011 2012 2013 2014 2010 2011 2012 2013 2014 2010 2011 2012 2013 2014 2010 2011 2012 2013 2014 0.25 0.35 0.07 0.12 LV MA MT MX 20 phig =0.082 0.30 7 phig =0.085 0.06 7 phig =0.046 0.10 phig =0,177 - phid :0010 p70,, :0009 pm}, :0007 phid :0007 122 20.98 0-25 7 R2 20.98 0-05 H2 :096 0 08 :094 0-15 0.20 0.04 0.06 0.10 0.15 0.03 0.04 0.10 0.02 0.05 0.0.00 . . . . I 2010 2011 2012 2013 2014 2010 2011 2012 2013 2014 2010 2011 2012 2013 2014 2010 2011 2012 2013 2014 0.009 0.007 0.06 0.45 ML NO NZ :0 PE 0008 0.006 005 phig 20.050 0'40 phi? 20.267 0.007 phid :0009 0.35 7 phid :0012 0.005 2 2 7 0.006 0.04 ?0'96 0.30 ?0'97 0.005 0004 0.25 0.03 0.004 0.003 0.20 0.003 0.02 0.15 0.002 0.002 0 01 0.10 0.001 7 0'0? 0.2010 2011 2012 2013 2014 2010 2011 2012 2013 2014 2010 2011 2012 2013 2014 2010 2011 2012 2013 2014 1 0 0.phig 20.438 phi? :0051 0.10 phig 20.171 0-8 phid . 0-20 phid =0.009 phid =0.008 R2 :098 R2 :098 0.6 0.4 0.0.00 I . 
I I I 2010 2011 2012 2013 2014 2010 2011 2012 2013 2014 2010 2011 2012 2013 2014 2010 2011 2012 2013 2014 0.5 0.30 0.6 0.phig :0087 025 phig :0005 0.5 phig :0160 phig :0204 - phid =0.009 phid =0.005 phid =0,013 0.35 - phid =0,012 Rz =0.98 R2 =0.93 R2 =0.98 R2 =0.97 0.30 0.25 0.20 0.15 0.10 0.2010 2011 2012 2013 2014 2010 2011 2012 2013 2014 2010 2011 2012 2013 2014 2010 2011 2012 2013 2014 0.016 0.10 0.0-014 phiy =0.065 08 phiy =0.079 005 phig =0.044 0.5 phig =0.239 0.012 phid 20.009 - phid :0000 phid :0008 phid :0010 R2 =0.98 R2 =0.95 R2 =093 R2 =0.97 0 010 0'04 - 0.06 0.008 0.03 0.04 0.006 0.02 0.004 0 02 0.002 7 0'2010 2011 2012 2013 2014 2010 2011 2012 2013 2014 2010 2011 2012 2013 2014 2010 2011 2012 2013 2014 0.25 0.40 0.7 0.030 phig =0.064 - phig =0.108 0.6 phig =0432 0.025 phig =0,053 - pm :0010 030 phid :0010 phid :0013 pm", :0007 R2 20.97 R2 :098 0-5 R2 20.98 R2 20.98 0.020 0.15 Q4 0.20 0.015 0.3 0.10 0.15 02 0.010 005 0.10 0.05 0.0057 2010 2011 2012 2013 2014 2010 2011 2012 2013 2014 2010 2011 2012 2013 2014 2010 2011 2012 2013 2014 1.11 0.09 VN ZA 1.2 phig :0424 0'08 phig 20.059 phid :0010 0.07 7 phid :0000 1-0 122 20.95 0 06 R2 20.94 0-8 0.05 0.6 0.04 0.03 0.4 0.02 0'2 0.01 7 0.0 0.00 2010 2011 2012 2013 2014 2010 2011 2012 2013 2014 16 24th USENIX Security Symposium USENIX Association
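The appendix describes a per-country normalization (average unique sinkhole IPs per hour divided by broadband subscribers) and a four-parameter peaked curve (growth rate, decay rate, peak height, peak time). As a hedged illustration only, the sketch below shows the normalization and one hypothetical curve family with those four parameters; the paper's actual functional form is defined in its methodology section, and all names here are the author's own, not the paper's.

```python
import math

def bots_per_subscriber(avg_unique_ips_per_hour, broadband_subscribers):
    """Normalization described in the appendix: average unique Conficker
    IP addresses per hour in the sinkholes, divided by the country's
    broadband subscriber count."""
    return avg_unique_ips_per_hour / broadband_subscribers

def peaked_curve(t, growth, decay, peak_height, peak_time):
    """Illustrative four-parameter curve: logistic-style rise to a peak,
    then exponential decay. NOT the paper's exact model -- only a sketch
    of a curve family sharing the same four parameters."""
    if t <= peak_time:
        # logistic rise; equals peak_height exactly at t == peak_time
        return peak_height * 2.0 / (1.0 + math.exp(-growth * (t - peak_time)))
    # exponential decay after the peak
    return peak_height * math.exp(-decay * (t - peak_time))
```

In practice, curves like this would be fit per country (e.g. via nonlinear least squares) to the normalized time series, yielding the per-panel growth rate, decay rate, and R² reported in the appendix graphs.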