Symantec: Drop In Bots Due To Windows XP SP2

Although Symantec's claim that bots are on the downturn contradicts recent research by the Honeynet Project, which last week said that as many as a million machines may be kidnapped by botnets, the Cupertino, Calif.-based company made a compelling case.

While Symantec tracked an average of 30,000 machines daily that were actively involved in botnet scanning during the first half of 2004, the number plummeted to just 5,000 per day in the second. The bulk of the drop occurred mid-August, said Symantec, with a significant drop on August 19.

"The timing of this drop corresponds closely with the availability of Windows XP Service Pack 2," said the report. Microsoft officially launched SP2 August 6, 2004, and rolled it out in stages throughout that month.

Symantec said the decrease was largely due to a fall-off in the number of bots scanning TCP ports 135 and 445; many bot exploits, including the nefarious Gaobot, target vulnerabilities accessible through these Windows ports to infect new machines.

"The sudden drop in bot network scanning indicates that SP2, in addition to cumulative patches, may have been successful at reducing the number of vulnerabilities in Windows XP systems that are subject to remote compromise," said Symantec. "The inclusion of default firewall rules that block TCP port 135 and confine TCP port 445 activity to only the local subnet may also have helped to reduce the chances of compromising a badly secured machine for participation in a bot network.

"It's reasonable to assume that this service pack is responsible, along with other mitigation measures, for the decline in identified bot network computers," Symantec's report continued.
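The two firewall defaults the report credits (block inbound TCP 135 outright, accept TCP 445 only from the local subnet) and the scanning behaviour Symantec was counting are simple enough to model. The following Python is an added example written for this page, not code from Symantec or from the report: it assumes a local subnet of 192.168.1.0/24 and a constructed set of inbound flow records, applies the two SP2 rules to them, and flags sources that touch many distinct hosts on ports 135 and 445, which is the breadth-of-contact signal that distinguishes a bot sweeping a subnet from a client talking to one file server.

```python
import ipaddress
from collections import defaultdict

# Assumed local subnet for the "confine TCP 445 to the local subnet" rule.
LOCAL_SUBNET = ipaddress.ip_network("192.168.1.0/24")


def sp2_default_allows(src_ip, dst_port, local_subnet=LOCAL_SUBNET):
    """Model of the two SP2 default firewall rules the report describes:
    inbound TCP 135 is blocked outright, and inbound TCP 445 is accepted
    only from the local subnet. Every other port returns True here purely
    to keep the example focused on those two rules."""
    if dst_port == 135:
        return False
    if dst_port == 445:
        return ipaddress.ip_address(src_ip) in local_subnet
    return True


# Constructed inbound flow records: (source IP, destination IP, destination port).
# 10.0.0.7 sweeps the subnet on 135 and 445 the way a bot hunting for new
# hosts would; 192.168.1.5 is a legitimate local file-share client;
# 203.0.113.9 is a single remote host reaching for 445.
FLOWS = (
    [("10.0.0.7", f"192.168.1.{h}", 135) for h in range(10, 21)]
    + [("10.0.0.7", f"192.168.1.{h}", 445) for h in range(10, 21)]
    + [("192.168.1.5", "192.168.1.10", 445)]
    + [("203.0.113.9", "192.168.1.10", 445)]
)


def scanners(flows, ports=(135, 445), min_targets=5):
    """Sources that touched at least `min_targets` distinct hosts on the
    watched ports. A client of one server never crosses the threshold;
    a host sweeping the subnet does."""
    targets = defaultdict(set)
    for src, dst, dport in flows:
        if dport in ports:
            targets[src].add(dst)
    return {src: len(hosts) for src, hosts in targets.items()
            if len(hosts) >= min_targets}


def apply_policy(flows, local_subnet=LOCAL_SUBNET):
    """Split flows into those the SP2 defaults would accept and those they
    would drop, so the effect of the rules on the sample can be counted."""
    allowed, blocked = [], []
    for flow in flows:
        src, _dst, dport = flow
        (allowed if sp2_default_allows(src, dport, local_subnet) else blocked).append(flow)
    return allowed, blocked


if __name__ == "__main__":
    print("scanners before policy:", scanners(FLOWS))
    allowed, blocked = apply_policy(FLOWS)
    print(f"allowed {len(allowed)} flows, blocked {len(blocked)}")
    print("scanners still reaching hosts after policy:", scanners(allowed))
```

On the constructed sample the sweep from 10.0.0.7 is the only source that crosses the five-host threshold; after the two rules are applied, the local file-share connection is the only flow left standing and the scanner reaches nothing, which is the mechanism the report is pointing at when it links the August drop in 135/445 scanning to SP2's defaults.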

Other data from the semi-annual Symantec Internet Security Threat Report included a dramatic increase in the number of worms targeting Windows, as well as a surge in overall software vulnerabilities.

The number of worms and viruses targeting Windows skyrocketed, said the report, from a total of 4,496 in the first six months of 2004, to 7,360 in the second half of the year. That 64 percent increase in six months -- and a 332 percent jump over the same time in 2003 -- is due in part to malicious code cutters releasing numerous variants of their worms or viruses in a very short period, sometimes as many as half a dozen in a single day.

Vulnerabilities are also up 13 percent in the second half of 2004, and in the past year have grown from an average of 48 per week to 58 weekly. "That's ten more issues a week that corporate IT has to deal with," said Alfred Huger, the vice president of engineering for Symantec's security response group. "It's already at a stage where they can't handle or patch all the vulnerabilities released, so this is a very unwelcome statistic."

On the brighter side, the average amount of time it took hackers to devise exploits of known vulnerabilities actually increased, from 5.8 days to 6.4 days. Huger's explanation for the break? "Luck of the draw," he hypothesized.

"But it could also be because hackers are posting their exploits less frequently, and in many cases, not posting them at all. We are seeing fewer exploits made public," he added.

"The bad guys aren't posting exploits because they want to keep them secret to make money from those exploits. And the good guys, the white hat researchers, are not posting as often because they're worried that hackers are using their information to create malicious code."