(N.B. I (still) disagree with Ian Grigg's thesis in several of its other steps. However, the part about how botnets, which don't pay for the marginal cost of their electricity, will provide an increasing contribution to the global Bitcoin transaction-confirmation service (a.k.a. "mining") -- that part I'm starting to agree with.)

"In addition to spamming and distributed denial-of-service attacks, this latest botnet was capable of both stealing Bitcoin wallets from infected computers, and BitCoin mining, which uses the resources of victimized computers to make new Bitcoins." ¹

¹ http://arstechnica.com/business/news/2012/03/p2p-botnets-the-bigger-they-come-the-faster-they-fall.ars

So, Kaspersky and company took down this botnet, which they say had about 116,000 bots, starting on March 21, nabbing three quarters of them within 24 hours, and the botnet was mostly dead within a week. Note that a lot of the bots would not be powered on or connected to the Internet 24/7. That might be part of why it took a week to reach most of them and sinkhole them, and it also means that the *continuous* number of bots connected at any one time was a fraction of 116,000 -- probably around 5% of the total, or around 5000, extrapolating from ² -- or if you look at Figure 3 on ³ and squint real hard at the altitude of the red line.

² http://blog.damballa.com/?p=330
³ http://blog.crowdstrike.com/2012/03/p2p-botnet-kelihosb-with-100000-nodes.html

Can we see a blip in the Bitcoin charts starting on March 21? Here's the chart of aggregate mining power: ⁴. I uploaded a snapshot of the relevant time span here: ⁵.

⁴ http://bitcoin.sipa.be
⁵ http://zooko.com/pubscratch/speed-lin-2k.png

How to interpret this? There *is* a significant dip in aggregate mining power beginning on the 22nd, not the 21st. Hm, yeah I guess that roughly lines up with Fig 4 from ³. Heh, I note that ³ doesn't mention Bitcoin mining, only wallet theft, and the Ars Technica article's only other source -- the blog entry from Kaspersky ⁶ -- mentions only "bitcoin-mining wallet theft", which is a funny jumble of two different things.

⁶ http://www.securelist.com/en/blog/208193431/Botnet_Shutdown_Success_Story_again_Disabling_the_new_Hlux_Kelihos_Botnet

The security company people told the Ars Technica reporter that they were surprised that the Botnet operators didn't try to recover control of the bots. Look at the way the aggregate mining power rebounded in the ensuing days. Could it be that the operators were too busy renting and spinning up their new botnet to struggle for control of their old one?

Here's another graph -- number of nodes connected to a Bitcoin node: ⁷.

⁷ http://bitcoinstatus.rowit.co.uk/hosts.html

There's a substantial dip followed by a recovery within a couple of days. Oh, but if ⁸ (snapshot ⁹) is accurate, that dip began on the 16th and was over by the 19th. So that probably has nothing to do with it. I guess a Bitcoin-mining Botnet would not show up on this graph anyway, as it would proxy all of its connections to the Bitcoin network through a single Bitcoin node or a small number of Bitcoin nodes.

⁸ http://bitcoinstatus.rowit.co.uk/hostsMonth.png
⁹ http://zooko.com/pubscratch/hostsMonth.png

I'm beginning to doubt that the takedown of the botnet had anything to do with the dip in mining power, because (a) the statements from security companies are light on details and unclear on the concept, and (b) 84% of the infected machines were running Windows XP (most of them were located in Poland), which I suspect means they don't have a modern enough GPU to contribute to the global transaction-confirmation service.

But what if? Suppose, just suppose, that of the 5000 continuous bots, 500 of them had a modern GPU and that the botnet operators had actually gone ahead and installed a Bitcoin mining plugin on them. Looking at the Bitcoin Mining Hardware Comparison ¹⁰ and looking at the cheaper cards costing around $100, I guess that this might be worth about 200 Mhash/sec for each of the 500 bots, or 100 Ghash/sec for the whole botnet.
The range from the peak to the trough of the blue line (1 day window estimate) on ⁴ is about 3000 Ghash/sec. Hm, so that's much more than the botnet could have been producing, by my estimates. Even if we are a lot more generous with our assumptions about how many of those bots had GPUs, and how fancy and expensive those GPUs were, they probably couldn't account for even half of that 1-day window estimate delta of 3000 GHash/sec.

¹⁰ https://en.bitcoin.it/wiki/Mining_Hardware_Comparison

BOTTOM LINE

A 100,000-node botnet was taken down. The architects of the takedown made statements that it was used for Bitcoin mining. At the same time, there was a substantial dip in the global rate of transaction confirmation (a.k.a. "mining"), which lasted about 48 hours. However, back-of-the-envelope calculations by yours truly indicate that a 100,000-node botnet would not contribute even 10% of the hash rate seen in the dip.

Regards,

Zooko