US9306969B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9306969-B2 |
| Application number | US-201314015661-A |
| Country | US |
| Kind code | B2 |
| Filing date | Aug 30, 2013 |
| Priority date | Oct 27, 2005 |
| Publication date | Apr 5, 2016 |
| Grant date | Apr 5, 2016 |
Official abstract text for this publication.
Collect Domain Name System (DNS) data, the DNS data generated by a DNS server and/or similar device, wherein the DNS data comprises DNS queries, wherein the collected DNS data comprises DNS query rate information. Examine the collected DNS data relative to DNS data from known compromised and/or uncompromised computers. Determine an existence of the collection of compromised networks and/or computers, and/or an identity of compromised networks and/or computers, based on the examination.
Opening claim text (preview).
What is claimed is:

1. A method of detecting a collection of compromised networks and/or computers, comprising: performing processing associated with collecting Domain Name System (DNS) data, utilizing a detection system in communication with a database, the DNS data generated by a DNS server and/or similar device, wherein the DNS data comprises DNS queries, wherein the collected DNS data comprises DNS query rate information, and wherein the collecting DNS data from the DNS server comprises: performing processing associated with identifying a command and control (C&C) computer in a first network: when the DNS data of a computer has an exponential request rate, wherein determining the exponential request rate comprises sorting DNS request rates per current epoch and determining whether there is exponential activity over the current epoch and an epoch longer than the current epoch; and performing processing associated with recording an IP address and/or traffic information from a compromised computer when the compromised computer contacts another computer; performing processing associated with examining the collected DNS data relative to DNS data from known compromised and/or uncompromised computers; and performing processing associated with determining an existence of the collection of compromised networks and/or computers, and/or an identity of compromised networks and/or computers, based on the examination.

2. The method of claim 1, wherein the performing processing associated with identifying a command and control (C&C) computer in a first network further comprises: performing processing associated with determining whether a computer has a suspicious DNS request rate, comprising: performing processing associated with calculating a canonical sub-level domain (SLD) request rate for a given SLD, wherein the canonical SLD request rate is calculated as the total number of requests to third level domains (3LDs) present in the given SLD plus any request to the given SLD, and performing processing associated with determining whether the canonical SLD request rate of the given SLD significantly deviates from the mean of canonical request rates of SLDs.

3. The method of claim 1, wherein the performing processing associated with identifying a command and control (C&C) computer in a first network further comprises: when the DNS request rate is suspicious, performing processing associated with determining whether the DNS data has an exponential request rate comprising: performing processing associated with sorting DNS request rates per epoch, and performing processing associated with determining whether there is exponential activity over a longer time epoch.

4. The method of claim 1, wherein collecting DNS data further comprises: performing processing associated with replacing an IP address of the C&C computer with an IP address of another computer, causing the compromised computer seeking to contact the C&C computer to be redirected to the other computer.

5. The method of claim 4, wherein the other computer comprises a sinkhole computer.

6. The method of claim 4, further comprising: performing processing associated with isolating the collection of compromised networks and/or computers from its C&C computer, causing the collection of compromised networks and/or computers to lose the ability to act as a coordinated group.

7. The method of claim 5, further comprising: analyzing traffic from the compromised computer to the sinkhole computer to obtain information about a malware author.

8. The method of claim 1, further comprising: utilizing time zone and time of release information to predict optimal release time information for an attack.

9. The method of claim 1, wherein determining the existence of the collection of compromised networks and/or computers is accomplished without contacting any networks or computers in the collection of compromised networks and/or computers.

10. The method of claim 1, wherein collecting DNS data comprises: performing processing associated with determining whether a source Internet Protocol (IP) address performing reconnaissance belongs to a compromised computer, the source IP address looking up at least one subject IP address; and when the source IP is known to belong to a compromised computer, performing processing associated with designating the at least one subject IP addresses as a compromised computer.

11. The method of claim 10, wherein determining whether the source IP address belongs to a compromised computer comprises: performing processing associated with determining whether the source IP address is a known compromised computer utilizing a DNS-based Blackhole List (DNSBL) and/or another list of compromised computers.

12. The method of claim 11, wherein determining whether the source IP address belongs to a compromised computer comprises: performing processing associated with determining whether the source IP address is also the subject IP address.

13. The method of claim 11, wherein determining whether the source IP address belongs to a compromised computer comprises: performing processing associated with determining a look-up ratio for the source IP address, the look-up ratio comprising the number of IP addresses the source IP address queries divided by the number of IP addresses that issue a look-up for the source IP address; and when the look-up ratio for the source IP address is high, designating the source IP address as a compromised computer.

14. The method of claim 11, wherein determining whether the source IP address belongs to a compromised computer comprises: performing processing associated with determining a look-up ratio for the source IP address, the look-up ratio comprising the number of IP addresses the source IP queries divided by the number of IP addresses that issue a look-up for the source IP address; when the look-up ratio for the source IP address is low, performing processing associated with determining whether the look-up arrival rate mirrors the email arrival rate; and when the look-up arrival rate does not mirror the email arrival rate, performing processing associated with designating the source IP address as a compromised computer.

15. The method of claim 14, wherein determining whether the look-up arrival rate mirrors the email arrival rate further comprises: performing processing associated with identifying a list of known and/or probably legitimate IP addresses using a DNSBL service; for each of the known and/or probably legitimate IP addresses, performing processing associated with determining its average look-up arrival rate; performing processing associated with determining an average look-up arrival rate from the source IP address; performing processing associated with comparing the average look-up rates of the known and/or probably legitimate IP addresses to the arrival rate from the source IP address; and when the average look-up rates of the known and/or probably legitimate IP addresses differ significantly from the arrival rate from the source IP address, performing processing associated with designating the source IP address as a compromised computer.

16. The method of claim 15, wherein identifying a list of known IPs comprises: when the DNSBL service has controlled access, performing processing associated with recording IP addresses of approved users.

17. The method of claim 15, wherein identifying a list of probably legitimate IPs comprises: when the DNSBL service allows anonymous access, performing processing associated with monitoring th
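Claims 1 to 3 describe a two-stage test on DNS query volume: compute a canonical SLD request rate (requests to 3LDs under the SLD plus requests to the SLD itself), flag SLDs whose rate deviates significantly from the mean across SLDs, and then confirm that the flagged SLD shows exponential activity both per current epoch and over a longer epoch. The following Python is an added illustration written for this page, not code from the patent or its assignee. It assumes a constructed query log of (timestamp, query name) pairs, takes the last two labels of a name as its SLD (no public-suffix handling), uses a z-score of 2 as the "significant deviation" test and a fixed per-epoch growth ratio as the "exponential activity" test; those thresholds are choices of this example, not values the claims specify. It also excludes a trailing epoch that has not yet completed, since a half-filled final bucket would otherwise hide growth.

```python
"""Added example (not from the patent): canonical SLD request-rate anomaly and
exponential-growth check over two epoch lengths, modelled on claims 1-3."""
from collections import Counter
from statistics import mean, pstdev


def build_sample_queries():
    """Constructed sample DNS query log as (timestamp_seconds, qname) pairs.
    Eight benign names are queried at a steady 1 query / 10 s over 10 minutes;
    one constructed domain, evil-example.test, doubles its query count every
    60-second epoch (the rendezvous pattern the claims associate with C&C)."""
    benign = ["www.example.com", "api.example.com", "example.org",
              "cdn.example.net", "static.example.edu", "updates.example.info",
              "example.co", "ntp.example.io"]
    queries = [(t, name) for t in range(0, 600, 10) for name in benign]
    for k in range(10):                      # epoch k receives 2**k queries
        n = 2 ** k
        queries += [(k * 60 + (i * 60) // n, f"beacon{i % 7}.evil-example.test")
                    for i in range(n)]
    return queries


def canonical_sld(qname):
    """Map a query name to its second-level domain. Simplification: the last
    two labels are taken as the SLD; a public-suffix list would be needed for
    names such as example.co.uk."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


def canonical_sld_rates(queries):
    """Claim 2: requests to 3LDs under an SLD plus requests to the SLD itself."""
    return Counter(canonical_sld(q) for _, q in queries)


def suspicious_slds(rates, z_threshold=2.0):
    """Claim 2: SLDs whose canonical rate deviates significantly from the mean
    canonical rate. 'Significantly' is taken here as >= z_threshold standard
    deviations above the mean (an assumption of this example)."""
    values = list(rates.values())
    mu, sigma = mean(values), pstdev(values)
    if sigma == 0:
        return []
    return sorted(s for s, r in rates.items() if (r - mu) / sigma >= z_threshold)


def per_epoch_counts(queries, sld, epoch_len, end_ts):
    """Count queries for one SLD per epoch, in time order, keeping only epochs
    that ended by end_ts so a half-filled trailing epoch cannot mask growth."""
    buckets = Counter(ts // epoch_len for ts, q in queries
                      if canonical_sld(q) == sld and ts < end_ts)
    if not buckets:
        return []
    last_complete = end_ts // epoch_len - 1
    return [buckets[i] for i in range(min(buckets), last_complete + 1)]


def is_exponential(counts, min_ratio=1.8, min_points=3):
    """Heuristic stand-in for 'exponential activity': at least min_points
    non-empty epochs, each at least min_ratio times the previous one."""
    nonzero = [c for c in counts if c > 0]
    if len(nonzero) < min_points:
        return False
    return all(b >= min_ratio * a for a, b in zip(nonzero, nonzero[1:]))


def exponential_request_rate(queries, sld, short_epoch, long_epoch, end_ts):
    """Claims 1 and 3: growth must appear both in the current (short) epoch
    series and in a longer epoch series."""
    return (is_exponential(per_epoch_counts(queries, sld, short_epoch, end_ts))
            and is_exponential(per_epoch_counts(queries, sld, long_epoch, end_ts)))


def flag_candidate_cnc_domains(queries, end_ts, short_epoch=60, long_epoch=180):
    """Pipeline from the claims: suspicious rate first, then the exponential check."""
    rates = canonical_sld_rates(queries)
    return [s for s in suspicious_slds(rates)
            if exponential_request_rate(queries, s, short_epoch, long_epoch, end_ts)]


if __name__ == "__main__":
    sample = build_sample_queries()
    print(dict(canonical_sld_rates(sample)))
    print(flag_candidate_cnc_domains(sample, end_ts=600))
```

Run on the constructed log, only `evil-example.test` passes both stages: its canonical rate (1023 queries) sits about 2.6 standard deviations above the mean, and its per-epoch counts grow by a factor of two at the 60-second granularity and by a factor of eight at the 180-second granularity. The steady benign SLDs fail the deviation test and, had they passed it, would fail the growth test.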
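Claims 13 to 15 move from query volume to reconnaissance behaviour against a DNSBL: a source's look-up ratio is the number of addresses it looks up divided by the number of addresses that look it up; a high ratio designates the source as compromised, and a low ratio triggers a comparison of the source's average look-up arrival rate against the rates of known or probably legitimate addresses. The Python below is an added example written for this page, not code from the patent. It assumes a constructed DNSBL query log of (timestamp, source_ip, subject_ip) tuples, a ratio of 10 as "high", a z-score of 2 as "differs significantly", and a denominator of one for a source that nobody looks up; none of these values come from the claims.

```python
"""Added example (not from the patent): look-up ratio and look-up arrival-rate
comparison for sources querying a DNSBL, modelled on claims 13-15."""
from statistics import mean, pstdev

WINDOW_SECONDS = 3600


def build_sample_dnsbl_log():
    """Constructed DNSBL query log as (timestamp, source_ip, subject_ip) tuples.
    Five mail servers look each other up at steady intervals; one constructed
    host scans 40 addresses that never look it up; one constructed bot looks up
    two of the servers every 2 seconds and is looked up once by each of them."""
    mesh = {"192.0.2.1": 60, "192.0.2.2": 90, "192.0.2.3": 45,
            "192.0.2.4": 120, "192.0.2.50": 60}
    log = [(t, src, dst) for src, interval in mesh.items()
           for t in range(0, WINDOW_SECONDS, interval)
           for dst in mesh if dst != src]
    scanner = "198.51.100.7"
    log += [(100 + i, scanner, f"203.0.113.{i}") for i in range(1, 41)]
    bot = "198.51.100.9"
    log += [(t, bot, dst) for t in range(0, WINDOW_SECONDS, 2)
            for dst in ("192.0.2.1", "192.0.2.2")]
    log += [(5, "192.0.2.1", bot), (7, "192.0.2.2", bot)]
    return log


def lookup_ratio(log, source):
    """Claim 13: distinct addresses the source looks up divided by distinct
    addresses that look the source up. A zero denominator is treated as one
    (assumption: the claims do not say how a never-queried source is handled)."""
    queried = {subj for _, src, subj in log if src == source}
    querying = {src for _, src, subj in log if subj == source}
    return len(queried) / max(1, len(querying))


def average_lookup_rate(log, source, window=WINDOW_SECONDS):
    """Claim 15: average look-up arrival rate (look-ups per second) from a source."""
    return sum(1 for _, src, _ in log if src == source) / window


def classify_source(log, source, legit_ips, high_ratio=10.0, z_threshold=2.0):
    """Claims 13-15: a high look-up ratio designates the source as compromised;
    otherwise compare its arrival rate with the rates of known legitimate
    addresses and flag a significant deviation (z-score test is an assumption)."""
    if lookup_ratio(log, source) >= high_ratio:
        return "compromised", "high look-up ratio"
    legit_rates = [average_lookup_rate(log, ip) for ip in legit_ips]
    mu, sigma = mean(legit_rates), pstdev(legit_rates)
    rate = average_lookup_rate(log, source)
    if sigma == 0:
        deviates = rate != mu          # degenerate case: all legitimate rates equal
    else:
        deviates = abs(rate - mu) / sigma >= z_threshold
    if deviates:
        return "compromised", "look-up arrival rate deviates from legitimate senders"
    return "legitimate", "look-up pattern matches legitimate senders"


if __name__ == "__main__":
    sample = build_sample_dnsbl_log()
    known_legit = ["192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4"]
    for ip in ("198.51.100.7", "198.51.100.9", "192.0.2.50"):
        print(ip, round(lookup_ratio(sample, ip), 2), classify_source(sample, ip, known_legit))
```

The scanner is caught by the ratio alone (40 look-ups issued, none received). The bot has a ratio of exactly 1.0, indistinguishable from a mail server on that measure, and is caught only by the second stage: its arrival rate of one look-up per second is tens of standard deviations above the legitimate servers' rates. The fifth mesh member is not in the known-legitimate list but classifies as legitimate because both its ratio and its rate match the others, which is the behaviour claim 15 is after.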
Electricity · mapped topic
Traffic logging, e.g. anomaly detection · CPC title