Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: Christmas Botnet Follow-up SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Christmas Botnet Follow-up
In response to yesterday's diary entry on the drop in botnets right before Christmas, Claude wrote to us with an interesting theory.  Here is what he said:

From the dshield reports, I do also see a (small) drop in the number of scans during the last day, both at home and on the office firewall, about 10% less sources & hits.

My thoughts to explain this drop are the following : the new (unpatched) computers replaced the old (infected) ones, so the global number of bots has decreased. 99.9% of the new computers must be Windows XP SP2 with firewall turned on - and that's why the new computers are not yet infected. XP firewall does a fair job in protecting a computer from the most common attacks *from the outside* (137,139,135 & 445 are closed), allowing to visit windowsupdate and download the missing patches.
So my assymption is that 99% of the new computer will stay clean ... at least until their users begin to click each and every popup on the screen, install an IM program and receive xmas & ny wishes in their mailboxes.

My guess is we will see a slow rise in the botnet size over the next month, until most of the new computers are infected again with malware - not because they were unpatched from the start, but because the users received no education with their new toy. Why can't you buy that at Walmart too ?

Great analysis, Claude!  I think you've nailed it.  Many of the infected machines are turned off, the new shiny ones have not been infected, and the Internet is momentarily a safer place.  But like you said, give it a few weeks and we'll be right back to where we started from.

Marcus H. Sachs
Director, SANS Internet Storm Center


301 Posts
ISC Handler
Dec 27th 2006

Sign Up for Free or Log In to start participating in the conversation!