Worms versus Bots

william(at)elan.net william at elan.net
Tue May 4 03:48:41 UTC 2004

On Mon, 3 May 2004, Sean Donelan wrote:

> On Mon, 3 May 2004, Rob Thomas wrote:
> > ] Just because a machine has a bot/worm/virus that didn't come with a
> > ] rootkit, doesn't mean that someone else hasn't had their way with it.
> >
> > Agreed.
> Won't help.  What's the first thing people do after re-installing
> the operating system (still have all the original CDs and keys and
> product activation codes and and and)? Connect to the Internet to 
> download the patches. Time to download patches 60+ minutes.  
> Time to  infection 5 minutes. 

Its possible its a problem on dialup, but in our ISP office I setup new 
win2000 servers and first thing I do is download all the patches. I've yet 
to see the server get infected in the 20-30 minutes it takes to finish it
(Note: I also disable IIS just in case until everything is patched..). 

Similarly when settting up computers for several of my relatives (all 
have dsl) I've yet to see any infection before all updates are installed.

Additional to that many users have dsl router or similar device and many 
such beasts will provide NATed ip block and act like a firewall not 
allowing outside servers to actually connect to your home computer.
On this point it would be really interested to see what percentage of 
users actually have these routers and if decreasing speed of infections by 
new virus (is there real numbers to show it decreased?) have anything to 
do with this rather then people being more carefull and using antivirus.

Another option if you're really afraid of infection is to setup proxy that
only allows access to microsoft ip block that contains windows update servers

And of course, there is an even BETTER OPTION then all the above -
STOP USING WINDOWS and switch to Linux or Free(Mac)BSD ! :)

> Patches are Microsoft's
> intellectual property and can not be distributed by anyone without
> Microsoft's permission.
I don't think this is quite true. Microsoft makes available all patches as 
indidual .exe files. There are quite many of these updates and its really 
a pain to actually get all of them and install updates manually. But I've 
never seen written anywhere that I can not download these .exe files and 
distribute it inside your company or to your friends as needed to fix the 
problems these patches are designed for. 
> The problem with Bots is they aren't always active.  That makes them
> difficult to find until they do something.
As opposed to what, viruses?
Not at all! Many viruses have period wjhen they are active and afterwards
they go into "sleep" mode and will not active until some other date!

Additionally bot that does not immediatly become active is good thing 
because of you do weekly or monthly audits (any many do it like that) you 
may well find it this way and deal with it at your own time, rather then 
all over a sudden being awaken 3am and having to clean up infected system.

William Leibzon
Elan Networks
william at elan.net

More information about the NANOG mailing list