In response to yesterday's diary entry on the drop in botnets right before Christmas, Claude wrote to us with an interesting theory.  Here is what he said:

From the dshield reports, I do also see a (small) drop in the number of scans during the last day, both at home and on the office firewall, about 10% less sources & hits.

My thoughts to explain this drop are the following : the new (unpatched) computers replaced the old (infected) ones, so the global number of bots has decreased. 99.9% of the new computers must be Windows XP SP2 with firewall turned on - and that's why the new computers are not yet infected. XP firewall does a fair job in protecting a computer from the most common attacks *from the outside* (137,139,135 & 445 are closed), allowing to visit windowsupdate and download the missing patches.
So my assymption is that 99% of the new computer will stay clean ... at least until their users begin to click each and every popup on the screen, install an IM program and receive xmas & ny wishes in their mailboxes.

My guess is we will see a slow rise in the botnet size over the next month, until most of the new computers are infected again with malware - not because they were unpatched from the start, but because the users received no education with their new toy. Why can't you buy that at Walmart too ?

Great analysis, Claude!  I think you've nailed it.  Many of the infected machines are turned off, the new shiny ones have not been infected, and the Internet is momentarily a safer place.  But like you said, give it a few weeks and we'll be right back to where we started from.

Marcus H. Sachs
Director, SANS Internet Storm Center