Drop In Bots Due To Windows XP SP2, Says Symantec - InformationWeek


Drop In Bots Due To Windows XP SP2, Says Symantec

Microsoft's rollout of Windows XP SP2 in August 2004 was the most likely reason the number of bots actively involved in scanning dropped precipitously in the second half of 2004.

Microsoft's rollout of Windows XP SP2 in August 2004 was the most likely reason the number of bots actively involved in scanning dropped precipitously in the second half of 2004, said Symantec in a report the security company released Monday.

Although Symantec's claim that bots are on the downturn contradicts recent research by the Honeynet Project, which last week said that as many as a million machines may be kidnapped by botnets, the Cupertino, Calif.-based company made a compelling case.

While Symantec tracked an average of 30,000 machines daily that were actively involved in botnet scanning during the first half of 2004, the number plummeted to just 5,000 per day in the second. The bulk of the drop occurred mid-August, said Symantec, with a significant drop on August 19.

"The timing of this drop corresponds closely with the availability of Windows XP Service Pack 2," said the report. Microsoft officially launched SP2 August 6, 2004, and rolled it out in stages throughout that month.

Symantec said the decrease was largely due to a fall-off in the number of bots scanning TCP ports 135 and 445; many bot exploits, including the nefarious Gaobot, target vulnerabilities accessible through these Windows ports to infect new machines.

"The sudden drop in bot network scanning indicates that SP2, in addition to cumulative patches, may have been successful at reducing the number of vulnerabilities in Windows XP systems that are subject to remote compromise," said Symantec. "The inclusion of default firewall rules that block TCP port 135 and confine TCP port 445 activity to only the local subnet may also have helped to reduce the chances of compromising a badly secured machine for participation in a bot network.

"It's reasonable to assume that this service pack is responsible, along with other mitigation measures, for the decline in identified bot network computers," Symantec's report continued.
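As an added illustration (not part of the Symantec report or the article), the following Python models the two SP2 default inbound rules quoted above, block TCP 135 from everywhere and allow TCP 445 only from the local subnet, and runs a few constructed inbound attempts through them to show which scanning sources would no longer reach either service. The subnet, the sample addresses and the treatment of all other ports as allowed are assumptions made for the model.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Attempt:
    """One inbound connection attempt as a firewall would see it."""
    src: str
    port: int
    proto: str = "tcp"


# Assumption for the model: the protected host sits on this /24.
LOCAL_SUBNET = ipaddress.ip_network("192.168.1.0/24")


def sp2_default_allows(attempt, local_subnet=LOCAL_SUBNET):
    """Apply the two default rules the report describes.

    TCP 135 is blocked regardless of source; TCP 445 is accepted only
    from the local subnet. Everything else is treated as allowed here,
    which is a simplification for the model, not a claim about SP2.
    """
    if attempt.proto != "tcp":
        return True
    if attempt.port == 135:
        return False
    if attempt.port == 445:
        return ipaddress.ip_address(attempt.src) in local_subnet
    return True


def reachable_ports(attempts, local_subnet=LOCAL_SUBNET):
    """For every source that probed TCP 135 or 445, return the subset of
    those ports the default rules still let it reach. An empty set means
    the firewall alone keeps that source off both services."""
    reach = {}
    for a in attempts:
        if a.proto != "tcp" or a.port not in (135, 445):
            continue
        reach.setdefault(a.src, set())
        if sp2_default_allows(a, local_subnet):
            reach[a.src].add(a.port)
    return reach


# Constructed sample: two internet hosts probing the bot ports, one LAN
# peer legitimately using SMB, plus an unrelated web request.
SAMPLE = [
    Attempt("203.0.113.7", 135),
    Attempt("203.0.113.7", 445),
    Attempt("198.51.100.22", 445),
    Attempt("192.168.1.40", 445),
    Attempt("192.168.1.40", 135),
    Attempt("203.0.113.7", 80),
]

if __name__ == "__main__":
    for src, ports in sorted(reachable_ports(SAMPLE).items()):
        print(f"{src:16} still reaches: {sorted(ports) or 'nothing'}")
```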

Other data from the semi-annual Symantec Internet Security Threat Report included a dramatic increase in the number of worms targeting Windows, as well as a surge in overall software vulnerabilities.

The number of worms and viruses targeting Windows skyrocketed, said the report, from a total of 4,496 in the first six months of 2004 to 7,360 in the second half of the year. That 64 percent increase in six months -- and a 332 percent jump over the same period in 2003 -- is due in part to malicious code writers releasing numerous variants of their worms or viruses in a very short period, sometimes as many as half a dozen in a single day.

Vulnerabilities are also up 13 percent in the second half of 2004, and in the past year have grown from an average of 48 per week to 58 weekly. "That's ten more issues a week that corporate IT has to deal with," said Alfred Huger, the vice president of engineering for Symantec's security response group. "It's already at a stage where they can't handle or patch all the vulnerabilities released, so this is a very unwelcome statistic."

On the brighter side, the average amount of time it took hackers to devise exploits of known vulnerabilities actually increased, from 5.8 days to 6.4 days. Huger's explanation for the break? "Luck of the draw," he hypothesized.

"But it could also be because hackers are posting their exploits less frequently, and in many cases, not posting them at all. We are seeing fewer exploits made public," he added.

"The bad guys aren't posting exploits because they want to keep them secret to make money from those exploits. And the good guys, the white hat researchers, are not posting as often because they're worried that hackers are using their information to create malicious code."
