The Biggest Botnet in the World

You may have seen the news about the bot masters in Spain who were arrested. Defense Intelligence dubbed this Mariposa botnet. It is claimed that this botnet had the power to perform much stronger attacks than what Estonia witnessed a couple of years ago.  Still, this botnet is dwarfed by the largest botnet in the world.

The largest botnet in the world is comprised of computers running Microsoft Update and Microsoft controls this botnet. Yes, this really is a botnet. Don’t confuse the term botnet with the requirement that it send spam, steal information, or attack other computers. A bot is an automated program and a botnet is a group of computer with an automated program that is controlled by the same entity. Microsoft controls what Microsoft Update does.  If Microsoft wants to install a piece of software that is completely useless to all customers with legal software, they simply call an anti-piracy program a critical update and all of the Microsoft Update bots obediently download and run the program. If Microsoft wanted to it could make all computers running Microsoft Update send spam, attack other computers, upload documents, and so forth.

Here is where it really gets interesting to me. A day ago at RSA, Microsoft’s Scott Charney, the Corporate Vice President for Trustworthy Computing, suggested a net tax to help clean up the net. In his talk, Charney is quoted as saying “When a computer user allows malware to run on his computer, "you're not just accepting it for yourself, you're contaminating everyone around you,”.

Oftentimes it isn’t the user who allowed malware to run, it is Windows autorun that prevented the user from having a chance to say no to malware. The most prevalent threats we see, including conficker, make use of autorun because it is known to be such an effective infection vector. With Windows 7 Microsoft changed autorun so that it no longer works with most USB devices. Even though the change does not go far enough, it is not insignificant. The problem is that most people don’t know that there are patches available for Windows Vista and Windows XP. These operating systems have a much larger market share than does Windows 7.

Come on Mr. Charney, Windows Genuine Advantage and Windows Activation Technologies do nothing to protect the average user, but disabling autorun would help neuter many of the prevalent threats and shut down an automated infection vector. It is long past time for Microsoft to put that botnet they control to effective use in eliminating the vulnerable-by-design autorun functionality present in Windows 95, Windows Me, Windows NT, Windows 2000, Windows XP and Windows Vista.

As long as Microsoft is the deliberate enabler of malware that a user does not choose to run, I really don’t think Microsoft can credibly accuse users of “allowing malware to run on their computer.”

I appreciate the remarkable and laudable security progress Microsoft has made, but before you, Mr. Charney, ask users to swallow a tax or fee for bot clean up, bite the bullet and clean up the autorun infection vector.

Update… I checked with our virus lab, and it appears that close to 30% of the malware out there is using autorun as one potential infection vector. There recently discovered Zimuse worm only spreads via autorun. My friend and colleague blogged about Zimuse at and

Randy Abrams
Director of Technical Education

Author , ESET

  • Yeah, and make sure no antivirus and it's bloated modules with false-positives on exe-protectors can be run that way either ;)
    Merry X-Mas to everyone :P

    • Randy Abrams

      Hi Bartosz. It is unfortunate that malware authors seem to be among the biggest users of executable protectors out there. Quite often they even pirate the protectors as well. For some packers that are virtually only used for malware there are products that will simply detect the packer, regardless of content.

      That said, I haven’t seen any PE Locked autorun.inf files though, so I don’t think you have to worry about that. The topic, after all is autorun.

  • I think shareware developers are the biggest group of executable protectors users, there are way more protected legit software listed on Tucows, and Softpedia than protected malware and as You said, there are packers used and made only for malware, so please don't try to put it all in one bag. Well AV companies also uses pirated copies of protectors (shocked?) to add its support or an automated unpackers based on illegal copies of exe-protectors.

    • Randy Abrams

      Well, again, completely off topic for something about net taxes and autorun, unless you seem to be seeing a lot of false positives on down loadable shareware that is packed and contains autorun. You mention Twocows,, and Softpedia, but do you have any metrics around flase positives form those sites? It seems to me the incidence of false positives on these downloads is relatively small.

      Even the packers used for legitimate purposes, such as Themedia, have found substantial use by the malware authors.

      As to AV companies pirating exe protectors, you really need to provide evidence. I am not shocked that you would say that, I’m just surprised that you didn’t back up your claim with any evidence at all.

  • Concerned


    Usually I completely respect your opinions and advice. Lately, though, you seem to have been channeling more and more paranoia into your blog. Between your over the top reaction to Buzz (yes, what they did was wrong, but you were really reaching there) and now this, I’m starting to worry that you’re wearing a tinfoil hat while you update.

    • Randy Abrams

      Hmmm, paranoia? Any you post anonymously :D Nothing paranoid about my google or botnet post. Did you think it was paranoia to call computers running windows update a botnet? No, not at all. This is really a botnet. I’m not talking about connotation, I am talking denotation… definition. Even computers running AV updates are part of a botnet. Yes, Symantec, McAfee, Sophos, AVG, Avira, BitDefender, Panda, Ahnlabs, Norman, ESET, and virtually every product that has automatic updates has a botnet. Got Adobe, Itunes, etc., ? Part of a botnet. Did you know tht virtually every early bot was a good thing?
      I’m not worried about these companies using my PC to send out spam or participate in DDOS attacks. As for Google, you would have to ignore history not to be paranoid about what they will do with your data. Revealing contact names was dangerous to many people and clearly a violation of their privacy policy. It is pretty obvious that they didn’t apologize because it was by design. There is no defense of “if we apologize is hurts us legally.” There is either gross negligence or deliberate privacy violation.

      So, how about coming out from anonymity and having an open discussion?



  • A Telco Security Dweeb

    But there already IS a 100% fool-proof solution to the problem of Windows-based viruses and the botnets that they enable :
    Oh, and by the way, this solution also fixes your problems with "Genuine Advantage" and "Product Activation", once and for all.
    Thanks, and have a nice day.

    • Randy Abrams

      Funny thing… bots originated on UNIX! If everyone left Windows for Linux you would still find botnets, worms, and other malware. Operating systems do not provide protection against phishing attacks or many, if any, other social engineering attacks. Enjoy Ubuntu, but don’t get lulled into a false sense of security.

  • eugene

    >> Randy Abrams  March 5th, 2010 at 2:41 pm
    Thank you, I liked the article. However, your last comment about Linux and other -nixes' vulnerability  is questionable, Randy. It merely contradicts your own  article. You  have to cite examples you are talking about. My own experience,: I remember on Windows I would get a virus or worm almost every day (an indication was a changed home page and some strange processes running in systray). Since I switched to Linux and BSD I haven't had a single case! (I also check my system periodically).
    Whatever you deride about the MS is simply not present in most -nixes. Any unix-like operating system (except for Mac OS X) is much more secure by DESIGN. I do get t ssh probes in tens of  thousands every week (on all of my linux and freebsd machines combined).  If I do stupid things, like get ridiculous password or let a root on ssh, I might get hacked. A knowledge of creating a good password  is like washing hands before meal. This concerns education. You, Mr. Abrams, are an educator. The reason why MS dominates the market is the fact that they dominate an imbecile education system. Oust Billy from K-12 (in the US) and we'll see which system is more popular and which more susceptible to viruses and worms. 

  • You'll need to show me where my comment about nixes being vulnerable contradicts anything I wrote. do I really need to cite the Morris Internet worm that only ran on UNIX and severely crippled the Internet? Did you not know about Lion, Slapper, Ramen, and other Linux worms? Were you unaware that the terms bot and rootkit come from the UNIX world? I'm sorry, but if you were getting hit by viruses everyday, you were not using your computer very responsibly or in an educated manner at all. If you understand what an operating system does and how executables, vulnerabilities, and exploits work then you would have no question that all general purpose operating systems can be trojanized and are in fact virusable and wormable. Removing Windows from k-12, where Mac did once have the most popularity, does not add security education. MS was dominant before they got a foothold in the K-12 system, so your statement lacks historical accuracy. It was Apple, who through their pricing model made Windows machine the affordable choice for the masses. Apple handed the PC world to Microsoft. If you replace all Windows machines with Linux, or Macs you will find a quick and massive migration to the dominant platform by the criminal element and see a huge problem. A UNIX system being run as root is quite virusable and wormable. Windows Vista and Windows 7 do not run as admin by default. Most of the malware we have been seeing for quite sometime now is not self-replicating. The same tricks to get Windows users to run malicious code will work just as effectively against an uneducated UNIX user.

  • eugene

    Thanks for your response. I would like to praise your article one more time. The contradiction is in the statement that a huge number  of viral problems will go away on Windows OS if MS takes care of it's AutoRun system. Such feature is missing on most -nixes. Mac OS X is an exception (not sure here), however, Apple is known to borrow heavily  from various BSD systems. BTW, Mac OS X should not be allowed in the K-12, in my opinion. Both Windows and Mac OS X have a low educational value. Nothing pedagogical  come to mind other than  mouse-clicking  or typewriting.
    As far as the Linux worms you mentioned, I had to google for those. Sounds like talking about pretty old worms (2001-2002)?  I migrated from Windows around 2005.
    >>very responsibly or in an educated manner at all..
    I was not the least educated user, I guess, but you're absolutely right. An average Windows or Mac user is not educated (hope you won't argue here), whereas most Linux/BSD  users are. This takes care of the last paragraph of your comment about the root. MS' and Apple's business is. On Ubuntu, as a matter of fact, root user cannot login. Sudo utility is used instead.
    Take a "permissions headache" I had with XP  where most of (3d-party at least) require admin privileges, a GUI privilege, so you have to login as admin. Otherwise, a program would not install. Nice to hear that MS finally fixed it in 20 years after most -nixed did. 

    • Randy Abrams

      I didn’t say that a huge number of viral problems go away. I said that autorun is an infection vector used by a lot of malware and that this often takes away the choice as to whether or not a user allows malware to run. There is no contradiction there.
      The Linux worms I mentioned were just a few that came to mind. We still turn out regular detection for Linux based malware, but I am not sure how many are worms now. Worm is a specific and small subset of malware. Worms and viruses are a small subset of the malware we see on any platform, including Windows.
      I think it is a dogmatic religious zeal that leads one make assertions such as “Both Windows and Mac OS X have a low educational value” and “An average Windows or Mac user is not educated (hope you won’t argue here), whereas most Linux/BSD users are.”

      There really is nothing at all about buying a netbook with Linux pre-installed, or switching to Ubuntu, that increases a users education. If one is receptive to learning and not bound by OS dogma, both OSX and Windows machnes provide a ton of educational value. The use of any specific OS still does not teach security. The point of the article was that MS needs to take care of an autoinfection routine before they point fingers at users for allowing malware to execute. Simply switching a user to another OS does nothing to educate the user about social engineering attacks. An OS offers no protection against phishing or many of the social network based worms.

  • eugene

    Oops, my comment seems to get lost? I wanted to finish my sentence: both MS and Apple businesses depend very much on the user's ignorance. The less a user knows, the more he or she buys from them. Otherwise, one can either fix a problem on hi/her own or find a free alternative.
    Reiterating this windows-vs.-nix-security question, I'd like to cite this article by N. Petrely
    Despite the fact is was written 5 years ago, it is still mostly valid.

  • eugene

    By "huge" I meant 30% ( a multi-digit figure revenues in mind). Switching to Ubuntu DOES make you safer! There are no Linux/BSD viruses  caught in the wild so far. For the last five years, I haven't had a single  instance of a worm/trojan on any of my machines (recall my "everyday" Windows experience). On all Ubuntu systems that I installed for my friends (about 7 altogether) a year later I still did not find any malware present. Some of my friends, still think, I installed  some kind of a "brand new and free MS Windows immune to viruses"  :) (sounds like "dry water")

    Not only am I "a fanatic and a zealot", I have also used both Linux/BSD and Windows. I make conclusions based on this experience. I guess, it is not quite fair to judge about Windows without prior usage of it, and, vice-versa.  I hope you know about Linux/BSD because you used it.

    Education: Yes, I agree, it is possible to teach students a "better Windows". However, it is harder to do that with the technology that is a firm's secret. Secondly, once you start grasping the material ( happening  almost right away), you realize that GUI is lame, compared to CLI. MS Windows  cannot be separated from its GUI subsystem. Again, from my experience being a user of both OS, I admit that going back to Windows is painful in many occasions, take various text configuration files that is  a Unix practice, not Windows….

  • Your everyday Windows experience was on a version of Windows that you ran as administrator on. Yeah, there are currently far fewer threats written to attack the Linux OS, but Linux provides zero immunity against phishing attacks. Education provides protection. Linux helped me get my job at Microsoft in 1993 when I went to work there. Most of the malware we see today either attacks 3rd party applications or tricks the user into running a malicious program. With it's very small user base, Linux simply isn't attractive to the criminal element right now, so, you are safer because you are not getting rocks thrown at your windshield.
    In terms of education, I am talking about teaching computer security. Not simply OS dependent security, but security in general, especially with respect to social engineering and privacy. But, this really has gone way off topic for the post.

  • eugene

    Yes, you might be right it is getting a little bit off topic…
    However I can't agree more with what you say in this article. So far I remember  hearing it only  from my fellow zealots   :)  I am skeptical about Microsoft's being capable  to address this issue,  though. The  AutoRun dilemma, in my mind,  can be compared with cigarette smoking. You ask MS to listen to the doctors' opinion, that smoking causes health problems. If a customer puts a cigarette in his/.her mouth, MS is  too "shy" to make this person get rid of the unhealthy habit , it'll sell him/her a lighter instead and perhaps  will start talking about an anti-smoking  Tax.
    Good luck and  thanks again..

  • I’m always looking for stuff on info that I do not know of, even though it might be old news. It’s hard to look for things that you do not know about, because what do you look for? ;) Your blog was right up my alley on something new to me. Awsome read! Thanks.

  • Olle

    eugene, I suggest you subscribe to Secunia Advisories report for the last week shows following numbers:
    4) This Week in Numbers

    During the past week 84 Secunia Advisories have been released. All
    Secunia customers have received immediate notification on the alerts
    that affect their business.

    This weeks Secunia Advisories had the following spread across platforms
    and criticality ratings:

     Windows             :     15 Secunia Advisories
     Unix/Linux          :     29 Secunia Advisories
     Other               :      1 Secunia Advisory
     Cross platform      :     39 Secunia Advisories

    Criticality Ratings:
     Extremely Critical  :      0 Secunia Advisories
     Highly Critical     :     11 Secunia Advisories
     Moderately Critical :     32 Secunia Advisories
     Less Critical       :     37 Secunia Advisories
     Not Critical        :      4 Secunia Advisories
    As you can see there is more voulnerabilities for Linux/Unix theese days than for Windows, don't get fooled by stereotype that Linux is so secure.

  • no me mola windows

    si microsoft tiene una botnet para ayudar al usuario… ¿porque te instala programas sin la autorizacion del mismo? un ejemplo, browserchoice

    • David Harley

      I’m not sure this is meant as a serious comment, and I don’t really want to encourage a linguistic free-for-all in comments to a blog whose posters are all primarily English speakers, but I have to admit that browserchoice irritates me too. However, it’s hardly a botnet recruitment tool, or even serious adware: it’s pretty obvious what it’s there for, and it’s not difficult to kick it out of the way.

  • clint burford

    Heres a solution, Use openSUSE! I test ESET Antivirus on Linux Systems, and it seems to run well. Never had an issue. you can do chmod +x or u+x   so for example clint@linux:~/Desktop> chmod +x ueav.i386.en.linux   then you can run ./ueav.i386.en.linux  " because then its executable  =)  However it will ask you for your root password, so it can install it. Enjoy a system however thats not prone to viruses, spyware, and other crazy malware. Plus you can iptables -A INPUT -s subnet.IP/24 -j DROP or REJECT which ever you prefer, its just that DROP it won't reply or send a REJECT packet to the attacker. or you can always get into xtables, and use geo IP and drop entire Countries. :-) Hope this has been helpful, ESET nice clean code with ESET 4 Linux though, at least there is something users can have to feel a bit safer with an already secure system by default.

    • Randy Abrams

      Not really a solution. Linux is perfectly capable of running bots and other malware. The solution is education. An educated Windows user is far safer than an ignorant user of any operating system. Remember the Morris Internet Worm? It only ran on UNIX.

Follow us

Copyright © 2017 ESET, All Rights Reserved.