Fifty ISPs harbour half the world's zombies

OECD researchers have found that piracy, not high speed broadband as is often assumed, explains the prevalence of botnet infections in a country. 

After analysing 190 billion spam messages from 170 million sources captured between 2005 and 2009, the researchers found high speed broadband was not associated with higher levels of botnet infections. 

"In fact, we find the reverse: that high connection speeds are associated with lower botnet activity," the researchers reported [PDF].

Fibre network operators were more likely to have superior network controls in place to control the problem, the researchers said.

Under the OECD's Directorate for Science, Technology and Industry, the researchers from Michigan State and Delft University were investigating how effective ISPs would be at preventing the spread of botnets.   

Spam messages were used as a proxy for the presence of botnet activity "since 80-90 percent of spam is issued by botnets". 

The finding that piracy is associated with higher levels of zombie computers supports a recent call by some antivirus vendors for Microsoft to extend its free antivirus under Security Essentials to pirated Windows machines.

At present Microsoft only offers Security Essentials to certified genuine Windows owners, and the program remains voluntary.   

The researchers noted that tackling just a few ISPs around the globe could patch up the gap left by Microsoft's policy. 

Of the thousands of ISPs across the globe, numbering 4,000 to 100,000 entities, convincing just 50 ISPs to firm up their approach to botnet infections could have a dramatic effect, the study concluded.

These 50 accounted for half the world's infected machines. The top 200 ISPs, which held the lion's share to internet access, accounted for only 60 percent. 

"To put it differently: the number of actors needed to create an impact on botnets is smaller than expected," the researchers said.  

"If the 50 ISPs we identified would ramp up their efforts, the problem might migrate elsewhere. However, it is much more difficult to migrate a network of millions of infected machines than to migrate the command and control servers or other ancillary services," said the researchers.

Some major ISPs have already begun malware disinfection programs. Australia's recently launched voluntary anti-zombie code for ISPs was held up as a good model for achieving relatively low levels of infections. General levels of education were also an important factor. 

The researchers said that countries where governments and ISPs collaborated, such as Japan and Finland, had the lowest levels of infections. 

While security remains a difficult differentiator in the price-sensitive ISP market, some larger providers have recently voluntarily adopted anti-zombie programs.

Comcast, the largest residential ISP in the US, took its botnet disinfection system nationwide in September. The cable company now sends a high speed broadband customer a notification and links to its clean-up page if it suspects they have been infected. 

UK ISP Virgin Media established a similar program for its customers in August.