How long before infected - Internet addresses are not uniform

Sean Donelan sean at
Tue May 4 06:42:10 UTC 2004

On Mon, 3 May 2004, william(at) wrote:
> Similarly when setting up computers for several of my relatives (all
> have dsl) I've yet to see any infection before all updates are installed.

The folks at CAIDA can do the math, but it turns out many of the recent
worms have some interesting gaps in their address scanning routines.
There are some Internet address ranges scanned every few seconds, while
other address ranges may go weeks between scans.  This is part of the
reason why "network telescope" estimates of how many infected computers
are so wrong.  They assume a uniform distribution of worm scans and
infected computers.

I've seen "raw" Windows boxes connected to the Internet for 4 weeks
without being compromised.  A watched honeypot never attracts the bear :-)
I've also seen Windows boxes compromised during the boot process between
the time the network interface is enabled and XP's built-in firewall
being activated, less than 1 second.

Of course we still have the human factor.  Some system compromises require
the user to save an attachment, rename the file, open the file, enter a
password, extract another file and then run it in order to compromise
the computer.  It's amazing how many infected computers are behind
NAT/firewalls.  Firewalls and antivirus help, but please, when you
get a message from your ISP saying your computer is infected, check
it out.  Don't assume it can't happen to you just because.

I have not found an official Microsoft source for MD5 hashes of
Windows, so it's difficult to find unknown stuff on your computer.  There
are some third-party products which can do change monitoring of Windows.
But I agree with Rob Thomas and others, the only way to restore trust
in your Windows system is to re-install from a known, good distribution.
Unfortunately, this is beyond the capabilities of many home (and even
office) users.
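
Added example, not part of the original post: a small model of the point about non-uniform scanning, showing how a telescope estimate that assumes uniform scans can be far too low or far too high, and how the gap between probes to one address varies by range. The /8 block model, the local-preference fraction, the telescope position and all host counts and rates are constructed assumptions.

```python
# Added illustration: every number here is constructed, not a measurement.
BLOCKS = 256                 # model IPv4 as 256 /8 blocks
ADDRS_PER_BLOCK = 2 ** 24    # addresses in one /8

def probe_rate_into_block(target, infected, rate, local_pref, skipped=frozenset()):
    """Expected probes/second landing anywhere in /8 block `target`.

    infected:   {block: infected hosts in that /8}
    rate:       probes/second sent by each infected host
    local_pref: fraction of a host's probes aimed at its own /8
    skipped:    /8 blocks the scanning routine never generates
                (assumed not to contain infected hosts)
    """
    if target in skipped:
        return 0.0
    reachable = BLOCKS - len(skipped)
    total = 0.0
    for block, hosts in infected.items():
        total += hosts * rate * (1 - local_pref) / reachable  # evenly spread share
        if block == target:
            total += hosts * rate * local_pref                # locally biased share
    return total

def mean_gap_seconds(target, infected, rate, local_pref, skipped=frozenset()):
    """Mean time between probes reaching one single address inside `target`."""
    per_addr = probe_rate_into_block(target, infected, rate, local_pref, skipped) / ADDRS_PER_BLOCK
    return float("inf") if per_addr == 0 else 1 / per_addr

def telescope_estimate(telescope, infected, rate, local_pref, skipped=frozenset()):
    """Infected-host count a /8 telescope infers if it assumes uniform scanning."""
    seen = probe_rate_into_block(telescope, infected, rate, local_pref, skipped)
    return seen / (rate / BLOCKS)   # uniform model: each host sends rate/256 here

INFECTED = {24: 60_000, 66: 40_000}   # constructed: 100,000 infected hosts in two /8s
RATE = 10                             # constructed: probes/second per host

if __name__ == "__main__":
    cases = [("uniform scan, quiet telescope", 200, 0.0, frozenset()),
             ("75% local bias, quiet telescope", 200, 0.75, frozenset()),
             ("75% local bias, telescope in infected /8", 24, 0.75, frozenset()),
             ("telescope range never generated", 200, 0.0, frozenset({200}))]
    for name, block, pref, skip in cases:
        est = telescope_estimate(block, INFECTED, RATE, pref, skip)
        gap = mean_gap_seconds(block, INFECTED, RATE, pref, skip)
        print(f"{name}: estimate={est:,.0f} hosts, gap per address={gap:,.0f}s")
```

Only the first case recovers the true 100,000 hosts; the same population yields 25,000, over 11 million, or zero depending on where the telescope sits relative to the scanning bias.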
