Lately I have been thinking quite a bit about the malware-related statistics one finds online -- and those one can't seem to find anywhere.
A few weeks ago, a New York Times article put this issue squarely on the front burner. Writer John Markoff covered the discovery of an illicit data-snooping scheme, dubbed "GhostNet," that had compromised over 1,200 computers in 103 countries.
While Markoff provided plenty of information about the workings of GhostNet, one important detail was conspicuously absent: The operating systems running on the targeted computers.
As I noted in my bMighty.com blog post covering the incident, one NYT.com reader compared the omission to "covering a plane crash and not mentioning the make and model of the aircraft."
Markoff dismissed the criticism, even as coverage of his article appeared on other IT news sites. He considered information about the OSes targeted in the GhostNet scam irrelevant to the story as he wrote it.
Like many other people, I beg to differ. What really bugs me, though, is the fact that this type of information is extremely difficult to find anywhere online.
Consider McAfee's most recent quarterly threat assessment, which appeared online last week. The headline on McAfee's press release announcing the report trumpeted the news that 12 million new IP addresses have been hijacked by botnets since January. The report itself spends a lot of time breaking down the compromised IP addresses by location, and it provides some other interesting information about the evolving nature of botnet and drive-by malware threats.
Yet the report is completely silent when it comes to breaking down compromised systems by Web server or OS.
How many people find a geographical breakdown of hijacked IP addresses more interesting than information about the kinds of servers running behind these addresses? Not many, I suspect.
I have an inquiry in with McAfee asking them whether they can provide a breakdown of the hijacked IP addresses by operating system. They acknowledged my query but haven't yet answered it.
I subsequently asked Keith Ferrell, an IT security expert and one of my fellow contributors on bMighty.com, whether he was aware of any online sources for this sort of information. He replied that while it was a good question, he couldn't actually think of any authoritative sources for these types of statistics.
Most of you can guess where I'm going with this. I would be shocked if those stats failed to show that a very disproportionate number of compromised IP addresses are running Microsoft operating systems and/or servers.
(Note that "disproportionate" is the key word here.)
Am I missing some obvious sources for the kind of information I'm talking about here? If so, then I clearly am not the only one who didn't get the memo. And these sources should be obvious -- at least as obvious as the geographical breakdowns that so much malware-related coverage plays up with banner headlines.
Saturday, May 9, 2009