Counting IP addresses is not an accurate way of determining a botnet's size because some computers receive a different IP address from their ISP every time they connect to the Internet. However, in the absence of better identifiers, it can at least be used as a rough estimate.
Security researchers from Arbor Networks also sinkholed GOZ domain names in July, but did so every four days in order to determine how the botnet evolves over time.
The company observed the number of victims gradually grow from 127 on July 14 to 429 on July 21. Then, on July 25, following a large spam campaign that distributed the new GOZ malware, the infection count jumped to 8,494 victims, many of them located in the U.S., the Arbor Networks researchers said Wednesday in a blog post.
"In aggregate and over three weeks, our five sinkholes saw 12,353 unique source IPs from all corners of the globe," the researchers said. The most affected country was the United States, with 44 percent of infections, they said.
For now, the creators of the new GOZ variant are focusing on rebuilding their botnet rather than stealing money from users, but it's likely only a matter of time until they return to that primary goal.