Symantec Global Internet Security Threat Report
As mentioned previously, the technical sophistication of bots increased during this reporting period. As such, the authors of these threats may be shifting toward different channels of propagation, such as P2P. This may also explain the decline in activity observed from July through September. Consumer reaction to Downadup may also have contributed to this decline. As public attention to Downadup grew, users may have become more active in patching and protecting their computers from infection by the worm. Similarly, the attention may have alerted users already infected with Downadup who would not have otherwise been aware of the problem. As the number of computers secured against the worm increases, the activity levels of the worm should decline. Furthermore, no other Downadup variants have been released that could exploit other vulnerabilities and counteract the actions taken by users.
In 2009, the day-to-day bot activity levels were less sporadic than they were in 2008. Significant increases and decreases in activity occurred gradually over the course of several days or months. One possible explanation is that, following the shutdown of the two U.S.-based Web hosting companies discussed above, botnets may have been managed with more consistent commands in an effort to bolster resilience against future shutdown attempts or to make up for decreased resources following shutdowns.
The levels of bot activity are always in flux as new techniques are deployed for existing bots or new families of malicious code are launched, and in the last quarter of 2009, bot activity began to rise again. As mentioned in the “Malicious activity by country” metric, CNNIC made substantial changes to the .cn domain registration procedure, which appeared to have an immediate effect on spam levels. This change may continue to have a noticeable effect on the activity levels of botnets that send spam in 2010.
Threat activity—protection and mitigation
There are a number of measures that enterprises, administrators, and end users can employ to protect against malicious activity. Organizations should monitor all network-connected computers for signs of malicious activity, including bot activity and potential security breaches, ensuring that any infected computers are removed from the network and disinfected as soon as possible. Organizations should employ defense-in-depth strategies, including the deployment of antivirus software and a firewall.[87] Administrators should update antivirus definitions regularly and ensure that all desktop, laptop, and server computers are updated with all necessary security patches from their operating system vendor. As compromised computers can be a threat to other systems, Symantec also recommends that enterprises notify their ISPs of any potentially malicious activity.
Symantec recommends that organizations perform both ingress and egress filtering on all network traffic to ensure that malicious activity and unauthorized communications are not taking place. Organizations should also filter out potentially malicious email attachments to reduce exposure to enterprises and end users. In addition, egress filtering is one of the best ways to mitigate a DoS attack. DoS victims frequently need to engage their upstream ISP to help filter the traffic to mitigate the effects of attacks.
[87] Defense-in-depth emphasizes multiple, overlapping, and mutually supportive defensive systems to guard against single-point failures in any specific technology or protection methodology. Defense-in-depth should include the deployment of antivirus, firewalls, and intrusion detection systems, among other security measures.
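The monitoring and ingress/egress filtering recommendations above can be made concrete with a small policy evaluator. The following is an added example, not code from the Symantec report: it applies anti-spoofing ingress and egress rules (only the organization's own addresses may leave the network, and nothing arriving from the Internet may claim an internal source), restricts outbound services to an allowed set, and tallies internal hosts whose outbound traffic is denied so they can be queued for disinfection. The internal prefix 10.20.0.0/16, the mail relay address, the allowed port set, and the flow records are all constructed assumptions for the example.

```python
"""Ingress/egress filtering policy evaluated over constructed flow records.

Added example (not from the Symantec report). Assumes a hypothetical
organization whose internal address space is 10.20.0.0/16 and whose only
host permitted to send SMTP directly to the Internet is a mail relay.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical internal address space and outbound mail relay.
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]
MAIL_RELAY = ipaddress.ip_address("10.20.1.25")
# Constructed egress policy: services internal hosts may initiate to the Internet.
ALLOWED_EGRESS_PORTS = {53, 80, 443, 25}  # DNS, HTTP, HTTPS; 25 only from the relay


@dataclass
class Flow:
    direction: str  # "in" (Internet -> LAN) or "out" (LAN -> Internet)
    src: str
    dst: str
    dport: int


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def evaluate(flow: Flow):
    """Return (verdict, reason); verdict is 'permit' or 'deny'."""
    if flow.direction == "in":
        # Ingress anti-spoofing: traffic from the Internet must not claim an internal source.
        if is_internal(flow.src):
            return "deny", "ingress: spoofed internal source address"
        return "permit", "ingress: ok"
    if flow.direction == "out":
        # Egress anti-spoofing: only our own addresses may leave the network, which
        # stops infected hosts from emitting traffic with forged sources.
        if not is_internal(flow.src):
            return "deny", "egress: source not in internal address space"
        if flow.dport == 25 and ipaddress.ip_address(flow.src) != MAIL_RELAY:
            return "deny", "egress: direct SMTP from a host other than the mail relay"
        if flow.dport not in ALLOWED_EGRESS_PORTS:
            return "deny", f"egress: destination port {flow.dport} not in allowed services"
        return "permit", "egress: ok"
    return "deny", "unknown flow direction"


def filter_flows(flows):
    """Return the list of (flow, reason) pairs the policy denies."""
    denied = []
    for f in flows:
        verdict, reason = evaluate(f)
        if verdict == "deny":
            denied.append((f, reason))
    return denied


def suspect_hosts(flows):
    """Count denied outbound flows per internal host: candidates for isolation and disinfection."""
    counts = {}
    for f, _reason in filter_flows(flows):
        if f.direction == "out" and is_internal(f.src):
            counts[f.src] = counts.get(f.src, 0) + 1
    return counts


# Constructed sample flows (documentation address ranges used for Internet hosts).
SAMPLE_FLOWS = [
    Flow("out", "10.20.3.7", "203.0.113.10", 443),   # normal HTTPS, permitted
    Flow("out", "10.20.3.7", "203.0.113.10", 6667),  # port not in egress policy, denied
    Flow("out", "10.20.3.7", "198.51.100.5", 25),    # direct SMTP from a workstation, denied
    Flow("out", "10.20.1.25", "198.51.100.5", 25),   # SMTP from the relay, permitted
    Flow("out", "192.0.2.99", "203.0.113.10", 80),   # forged source leaving the LAN, denied
    Flow("in", "10.20.9.9", "10.20.3.7", 445),       # inbound packet claiming internal source, denied
    Flow("in", "203.0.113.10", "10.20.3.7", 443),    # normal inbound reply traffic, permitted
]

if __name__ == "__main__":
    for f, reason in filter_flows(SAMPLE_FLOWS):
        print(f"DENY {f.direction:>3} {f.src} -> {f.dst}:{f.dport}  ({reason})")
    print("hosts to investigate:", suspect_hosts(SAMPLE_FLOWS))
```

On real equipment the same policy is expressed as firewall rules at the network edge; the value of evaluating it over flow logs as well is that the denied-egress counts directly identify which internal computers should be removed from the network and disinfected, and give the ISP notification recommended above something specific to report.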