
United States Is the Most Bot-Infected Country. Right?

A couple of days ago, Threatpost posted an article indicating that the United States is the most bot-infected country:

The U.S. has by far the highest number of bot-infected computers of any country in the world, with nearly four times as many infected PCs as the country in second place, Brazil, according to a new report by Microsoft. The quarterly report on malicious software and Internet attacks shows that while some of the major botnets have been curtailed in recent months, the networks of infected PCs still represent a huge threat.

The data on botnets, published in Microsoft’s Security Intelligence Report for the first half of 2010, paints a somewhat bleak picture of the botnet landscape. Between January and June of this year, Microsoft cleaned more than 6.5 million machines worldwide of bot infections, which represents a 100 percent increase in bot infections from the same period in 2009. This increase comes at a time when there is more attention than ever focused on the botnet problem, both by security researchers and law-enforcement agencies around the world.

Microsoft measures botnet infections by counting the number of machines that are cleaned of bots by using the company’s Malicious Software Removal Tool (MSRT). The Microsoft data obviously does not show a complete picture of bot infections across the entire Internet, but gives a snapshot of the infection problem on the machines the company monitors.

I think that Microsoft’s mechanism of measuring bot infections is a good one, not necessarily because it is the most accurate but because it represents the most complete snapshot of botnet statistics. Because Microsoft Windows is installed on so many computers worldwide and because so many users across the world call home to the MSRT, Microsoft is able to collect a very large snapshot of data. Whereas there are a lot of competing A/V vendors out there who collect intelligence, none of them have quite the footprint that Microsoft has with its MSRT tool. Similarly, ISPs collect data on bots but most ISPs only operate within one country. Going by this data, the United States does indeed have the most bots in the world (the Microsoft Malware Protection team maps specific botnets to MSRT removals so they do not count all types of malware in the data snapshot, only malware associated with bots).

However, while the United States has the most bots, it does not have the most bots-per-capita. To determine the rate of infections, the MSRT also tracks a metric called CCM, or Computers Cleaned per Thousand executions of the MSRT (the M comes from the Latin word for thousand, which is mille). If we go by this metric to find which country is the worst in terms of per-capita bot infections, then the United States is tied for seventh with Brazil, which is number two in terms of total number of bots. Ahead of the US and Brazil are (1) South Korea, (2) Spain, (3) Mexico, (4) Colombia, (5) Portugal and (6) Saudi Arabia. These align somewhat with my statistics on countries of origin for the worst spamming regions sending spam to Forefront Online. If you look at the list of worst per CCM, then South Korea makes sense in terms of the fact that it is one of the worst botnet countries that send spam (according to my stats). Spain is the origin of the Mariposa botnet. Indeed, four of the top five countries are Spanish-speaking (Portuguese is similar to Spanish). The only one that doesn’t make sense to me is Saudi Arabia.

What if we measured bots as a proportion of that country’s Internet user base? For example, if the US has 100 computer users and has 50 bots, while Brazil has 50 computers and 48 bots, then while the US has more bots in absolute numbers, Brazil clearly has a much worse botnet problem because nearly their entire user base is part of a botnet.

I will take the top 8 countries and convert the numbers that way, by taking the statistics on number of Internet users as specified by the CIA fact book. The countries’ order for botnet-per-Internet user is then the following, with (1) being the worst and (8) being the best:

  1. Portugal—3.96
  2. Spain—3.45
  3. Mexico—2.96
  4. South Korea—2.36
  5. United States—2.36 (not rounded off, US is lower than South Korea)
  6. Brazil—1.99
  7. Saudi Arabia—1.56
  8. Colombia—1

In the numbers above, for every 1 Internet user in Colombia that is infected with a bot, there are 3.96 users in Portugal who are. You can see that the bot problem in Portugal is running much hotter than in other countries, and in Spain as well. This possibly corresponds to the Mariposa botnet (where several criminals were arrested earlier this year).

Viewing the data this way, we can see that while there are more bots in the United States than any other country, the problem is not as widespread as others. So the statement that the US has the most bots depends on how you look at the problem. However, the bot problem in the US definitely is higher than in many other developed nations including Canada, the UK, France, Japan or even China! Why is the problem in the United States as bad as it is? Is it cultural? Greater non-compliance of applying patched software? Higher rates of software piracy? A greater ability to measure bot cleanings in the US than other countries (i.e., more users in the US dial home to the MSRT than in other countries)? Clearly, the US is lagging far behind many other industrialized countries. Is there an explanation for this?
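The three ways of ranking discussed above (absolute bot count, CCM, and bots per Internet user scaled so the lowest country is 1) can be compared side by side. The following is an added example, not code or data from the original post: the countries A to D and all of their figures are constructed, and the function names are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CountryStats:
    name: str
    bots_cleaned: int     # machines the MSRT cleaned of bot malware
    msrt_executions: int  # MSRT runs reported from that country
    internet_users: int   # Internet user base (e.g. from a fact book)

def ccm(s):
    """Computers cleaned per thousand MSRT executions."""
    if s.msrt_executions <= 0:
        raise ValueError(f"{s.name}: no MSRT executions reported")
    return 1000 * s.bots_cleaned / s.msrt_executions

def per_user_index(stats):
    """Bots per Internet user, scaled so the lowest country equals 1."""
    rates = {s.name: s.bots_cleaned / s.internet_users for s in stats}
    base = min(rates.values())
    if base <= 0:
        raise ValueError("lowest rate is zero; index is undefined")
    return {name: round(rate / base, 2) for name, rate in rates.items()}

def ranking(stats, key):
    """Country names ordered worst-first by the given metric."""
    return [s.name for s in sorted(stats, key=key, reverse=True)]

# Constructed sample data, not taken from the report or the fact book.
SAMPLE = [
    CountryStats("A", 2_000_000, 400_000_000, 240_000_000),
    CountryStats("B", 500_000, 50_000_000, 75_000_000),
    CountryStats("C", 100_000, 8_000_000, 5_000_000),
    CountryStats("D", 150_000, 40_000_000, 40_000_000),
]

def compare(stats):
    """Return the worst-first ordering under each of the three metrics."""
    index = per_user_index(stats)
    return {
        "absolute": ranking(stats, lambda s: s.bots_cleaned),
        "ccm": ranking(stats, ccm),
        "per_user": ranking(stats, lambda s: index[s.name]),
    }

if __name__ == "__main__":
    for metric, order in compare(SAMPLE).items():
        print(f"{metric:9s} {' > '.join(order)}")
    print(per_user_index(SAMPLE))
```

With this constructed data, country A leads on absolute count yet falls to third by CCM, while country C is last on absolute count and worst on both normalized metrics.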

By Terry Zink, Program Manager

Seems kind of self selected John Levine  –  Oct 17, 2010 10:31 PM

Correct me if I’m wrong, but doesn’t this exclude anyone who hasn’t configured his or her computer to use Windows Update?  You may have just discovered that the US has a relatively low level of pirated software, and a high number of people who turn on Windows Update.

Yes, that is correct... although I allude Terry Zink  –  Oct 18, 2010 4:34 PM

Yes, that is correct… although I allude to that possibility in my comment/question “do more users in the US dial home to the MSRT than in other countries?”

A greater rate of compliance with auto-updates could explain it, but even if you are using pirated versions of Windows, Microsoft still allows you to apply security patches.
