Fingerprints (was Re: Lazy network operators - NOT)

Sean Donelan sean at donelan.com
Mon Apr 19 07:29:50 UTC 2004


On Sun, 18 Apr 2004, Matt Hess wrote:
> <late-night-humor>
> # Do not allow Windows 9x SMTP connections since they are typically
> # a viral worm. Alternately we could limit these OSes to 1 connection each.
> block in on $ext_if proto tcp from any os {"Windows 95", "Windows 98"} \
>        to any port smtp
>
> The OS fingerprint list they have is rather extensive.
> </late-night-humor>

This has been suggested before.

Remember Windows 9x is essentially a single-user operating system.
Once a machine has been compromised, lots of things can be altered by
the intruder.  Some of the modifications are trivial, such as registry
entries.  Other changes can get more interesting.  Fingerprints work
best if the adversary isn't actively trying to munge them.  It doesn't
always look like another operating system, but it ceases to look like
a Windows 9x box.

The arms race continues.

Figuring out what the intruder changed, and cleaning it up continues to
get more complicated.  Last year running a major anti-virus program was
usually enough.  Now it can take hours, and sometimes it's faster to
re-install the operating system, assuming the user still has their
original CDs and various Microsoft anti-piracy keys and then downloads
all the patches they were missing.


http://www.washingtonpost.com/wp-dyn/articles/A22514-2004Apr18.html

  The Federal Trade Commission today is hosting a daylong workshop in
  Washington to discuss the effects of hidden software that may be used to
  control or spy on a computer without its user's knowledge.

  So far most "spyware" and "adware" programs, often placed on Windows PCs
  by such downloaded programs as file-sharing programs, appear to have
  been used for the relatively benign purpose of tracking consumer
  preferences, said Howard Beales, director of the FTC's consumer
  protection division. The FTC is watching to see if criminals start
  making widespread use of this technology to steal credit-card and
  Social Security numbers of unwitting computer users, he said.
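The point above, that a passive OS fingerprint is only as good as the
intruder's willingness to leave the stack alone, can be shown with a
toy fingerprinter. The following is an added example, not code from the
thread or from pf/p0f: it keys on the same SYN fields pf's os table
uses (initial TTL, window, DF, option order), with a constructed
signature table that approximates 2004-era entries rather than quoting
them. The SYNs are constructed too; the "tweaked" one is a Windows 98
box whose initial TTL and receive window have been changed (both are
plain registry values on 9x), with the option order left as shipped.

```python
"""Toy passive TCP SYN fingerprinter (added example, not pf or p0f code)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Syn:
    """Fields of an observed TCP SYN that a passive fingerprinter keys on."""
    ttl: int                  # IP TTL as seen on the wire (initial TTL minus hops)
    window: int               # TCP receive window advertised in the SYN
    df: bool                  # IP Don't Fragment bit
    options: tuple[str, ...]  # TCP option kinds, in on-the-wire order


# Constructed signature table: (initial TTL, window, DF, option order).
# These approximate the pf/p0f entries of the period and are for
# illustration only; do not treat them as authoritative.
SIGNATURES: dict[str, tuple[int, int, bool, tuple[str, ...]]] = {
    "Windows 95":   (32,  8192,  True, ("mss",)),
    "Windows 98":   (128, 8192,  True, ("mss", "nop", "nop", "sackOK")),
    "Windows 2000": (128, 16384, True, ("mss", "nop", "nop", "sackOK")),
    "Linux 2.4":    (64,  5840,  True, ("mss", "sackOK", "timestamp", "nop", "wscale")),
}

INITIAL_TTLS = (32, 64, 128, 255)


def guess_initial_ttl(observed: int) -> int:
    """Round the on-the-wire TTL up to the nearest common stack default.

    A host 10 hops away that started at TTL 128 arrives with TTL 118.
    """
    for candidate in INITIAL_TTLS:
        if observed <= candidate:
            return candidate
    return 255


def classify(syn: Syn) -> Optional[str]:
    """Return the OS label whose signature matches every field, else None."""
    observed = (guess_initial_ttl(syn.ttl), syn.window, syn.df, syn.options)
    for name, signature in SIGNATURES.items():
        if observed == signature:
            return name
    return None


def is_blocked_by_rule(syn: Syn, blocked_os=("Windows 95", "Windows 98")) -> bool:
    """Mirror the quoted pf rule: drop the SYN if it fingerprints as a listed OS."""
    return classify(syn) in blocked_os


# Constructed SYNs, not captured traffic.
WIN98_STOCK = Syn(ttl=118, window=8192, df=True,
                  options=("mss", "nop", "nop", "sackOK"))
# Same box after an intruder changed the stack's initial TTL and receive
# window via the registry; option order is untouched but nothing matches.
WIN98_TWEAKED = Syn(ttl=54, window=65535, df=True,
                    options=("mss", "nop", "nop", "sackOK"))
LINUX_24 = Syn(ttl=52, window=5840, df=True,
               options=("mss", "sackOK", "timestamp", "nop", "wscale"))


if __name__ == "__main__":
    for label, syn in (("stock Win98", WIN98_STOCK),
                       ("tweaked Win98", WIN98_TWEAKED),
                       ("Linux 2.4", LINUX_24)):
        print(f"{label:14} -> {str(classify(syn)):12} blocked={is_blocked_by_rule(syn)}")
```

The tweaked host no longer matches any entry, so a block rule keyed on
the Windows 9x fingerprints passes it; as the post says, it need not
look like another OS, it only has to stop looking like a 9x box.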




