Worms versus Bots

Tue May 4 03:28:00 UTC 2004

Microsoft has said Windows XP SP2 will have the firewall
turned on by default, and that they have "considered"
reissuing the installation CD's such that a new installation
will have the firewall enabled to deal with just this
problem.  I do not know the current state of the 
consideration, but to me it seems reasonable that
Microsoft should at least make the offer of a new CD
(to anyone who has a valid XP license key?)  No, many
people will not request a new CD, but then many people
never apply patches either.  I think this is a horse 
and water problem.  

Gary 

> -----Original Message-----
> From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On 
> Behalf Of Eric Krichbaum
> Sent: Monday, May 03, 2004 8:13 PM
> To: nanog at merit.edu
> Subject: FW: Worms versus Bots
> 
> 
> I see times more typically in the 5 - 10 second range to 
> infection.  As
> a test, I unprotected a machine this morning on a single T1 to get a
> sample.  8 seconds.  If you can get in 20 minutes of downloads you're
> luckier than most.
> 
> Eric
> 
> 
> -----Original Message-----
> From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On 
> Behalf Of
> william(at)elan.net
> Sent: Monday, May 03, 2004 11:49 PM
> To: Sean Donelan
> Cc: Rob Thomas; NANOG
> Subject: Re: Worms versus Bots
> 
> 
> On Mon, 3 May 2004, Sean Donelan wrote:
> 
> > On Mon, 3 May 2004, Rob Thomas wrote:
> > > ] Just because a machine has a bot/worm/virus that didn't 
> come with 
> > > a ] rootkit, doesn't mean that someone else hasn't had their way
> with it.
> > >
> > > Agreed.
> > 
> > Won't help.  What's the first thing people do after 
> re-installing the 
> > operating system (still have all the original CDs and keys 
> and product
> 
> > activation codes and and and)? Connect to the Internet to 
> download the
> 
> > patches. Time to download patches 60+ minutes.
> > Time to  infection 5 minutes. 
> 
> Its possible its a problem on dialup, but in our ISP office I 
> setup new
> win2000 servers and first thing I do is download all the patches. I've
> yet to see the server get infected in the 20-30 minutes it takes to
> finish it
> (Note: I also disable IIS just in case until everything is 
> patched..). 
> 
> Similarly when settting up computers for several of my relatives (all
> have dsl) I've yet to see any infection before all updates are
> installed.
> 
> Additional to that many users have dsl router or similar 
> device and many
> such beasts will provide NATed ip block and act like a firewall not
> allowing outside servers to actually connect to your home computer.
> On this point it would be really interested to see what percentage of
> users actually have these routers and if decreasing speed of 
> infections
> by new virus (is there real numbers to show it decreased?) 
> have anything
> to do with this rather then people being more carefull and using
> antivirus.
> 
> Another option if you're really afraid of infection is to setup proxy
> that only allows access to microsoft ip block that contains windows
> update servers
> 
> And of course, there is an even BETTER OPTION then all the 
> above - STOP
> USING WINDOWS and switch to Linux or Free(Mac)BSD ! :)
> 
> > Patches are Microsoft's
> > intellectual property and can not be distributed by anyone without 
> > Microsoft's permission.
> I don't think this is quite true. Microsoft makes available 
> all patches
> as indidual .exe files. There are quite many of these updates and its
> really a pain to actually get all of them and install updates 
> manually.
> But I've never seen written anywhere that I can not download 
> these .exe
> files and distribute it inside your company or to your 
> friends as needed
> to fix the problems these patches are designed for. 
>  
> > The problem with Bots is they aren't always active.  That 
> makes them 
> > difficult to find until they do something.
> As opposed to what, viruses?
> Not at all! Many viruses have period wjhen they are active and
> afterwards they go into "sleep" mode and will not active until some
> other date!
> 
> Additionally bot that does not immediatly become active is good thing
> because of you do weekly or monthly audits (any many do it like that)
> you may well find it this way and deal with it at your own 
> time, rather
> then all over a sudden being awaken 3am and having to clean 
> up infected
> system.
> 
> --
> William Leibzon
> Elan Networks
> william at elan.net
> 
> 
> 