FW: Worms versus Bots

Henry Linneweh hrlinneweh at sbcglobal.net
Tue May 4 08:19:26 UTC 2004


It is amazingly simple to pull an ethernet cable out
of the back of your box to update a box from a CD....
especially in a suspect environment where you have
had many problems.

I have had the displeasure of having had to go from
box to box and clean each individually and while many
problems were stopped by Netscreen at the door, we
still had to run enterprise protection per machine as
a second line of defense and separate domains in the
company for greater protection between the groups.

-Henry


--- Eric Krichbaum <eric.krichbaum at citynet.net> wrote:
> 
> I see times more typically in the 5 - 10 second range to infection.  As
> a test, I unprotected a machine this morning on a single T1 to get a
> sample.  8 seconds.  If you can get in 20 minutes of downloads you're
> luckier than most.
> 
> Eric
> 
> 
> -----Original Message-----
> From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On Behalf Of william(at)elan.net
> Sent: Monday, May 03, 2004 11:49 PM
> To: Sean Donelan
> Cc: Rob Thomas; NANOG
> Subject: Re: Worms versus Bots
> 
> 
> On Mon, 3 May 2004, Sean Donelan wrote:
>
> > On Mon, 3 May 2004, Rob Thomas wrote:
> > > ] Just because a machine has a bot/worm/virus that didn't come with a
> > > ] rootkit, doesn't mean that someone else hasn't had their way with it.
> > >
> > > Agreed.
> >
> > Won't help.  What's the first thing people do after re-installing the
> > operating system (still have all the original CDs and keys and product
> > activation codes and and and)? Connect to the Internet to download the
> > patches. Time to download patches 60+ minutes.
> > Time to infection 5 minutes.
> 
> It's possible it's a problem on dialup, but in our ISP office I set up new
> Win2000 servers and the first thing I do is download all the patches. I've
> yet to see the server get infected in the 20-30 minutes it takes to finish
> it. (Note: I also disable IIS, just in case, until everything is patched.)
> 
> Similarly, when setting up computers for several of my relatives (all have
> DSL) I've yet to see any infection before all updates are installed.
> 
> In addition to that, many users have a DSL router or similar device and
> many such beasts will provide a NATed IP block and act like a firewall,
> not allowing outside servers to actually connect to your home computer.
> On this point it would be really interesting to see what percentage of
> users actually have these routers and whether the decreasing speed of
> infections by new viruses (are there real numbers to show it decreased?)
> has anything to do with this rather than people being more careful and
> using antivirus.
> 
> Another option, if you're really afraid of infection, is to set up a
> proxy that only allows access to the Microsoft IP block that contains
> the Windows Update servers.
> 
> And of course, there is an even BETTER OPTION than all the above - STOP
> USING WINDOWS and switch to Linux or Free(Mac)BSD !
> :)
> 
> > Patches are Microsoft's intellectual property and can not be
> > distributed by anyone without Microsoft's permission.
> I don't think this is quite true. Microsoft makes available all patches
> as individual .exe files. There are quite a lot of these updates and it's
> really a pain to actually get all of them and install updates manually.
> But I've never seen it written anywhere that I can not download these
> .exe files and distribute them inside your company or to your friends as
> needed to fix the problems these patches are designed for.
>  
> > The problem with Bots is they aren't always active.  That makes them
> > difficult to find until they do something.
> As opposed to what, viruses?
> Not at all! Many viruses have a period when they are active and
> afterwards they go into "sleep" mode and will not be active until some
> other date!
> 
> Additionally, a bot that does not immediately become active is a good
> thing because if you do weekly or monthly audits (and many do it like
> that) you may well find it this way and deal with it at your own time,
> rather than all of a sudden being awakened at 3am and having to clean up
> an infected system.
> 
> --
> William Leibzon
> Elan Networks
> william at elan.net
> 
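Added example, not part of the thread and not any poster's words: the "only let the fresh box talk to the update servers" idea that William's proxy suggestion and the NAT-router point both amount to, written as a POSIX shell generator for an iptables "patch window" ruleset. The interface name, the function names and the 192.0.2.0/24 and 198.51.100.0/24 networks are placeholders of mine (documentation ranges standing in for whatever update-server ranges you look up); the rules assume a Linux host or NAT box with the iptables state match.

```shell
#!/bin/sh
# Added example (not from the NANOG thread). Emits an iptables ruleset that
# locks a freshly installed host down to a "patch window": nothing inbound,
# nothing outbound except DNS and HTTP/HTTPS to an explicit allowlist of
# update-server networks. Interface and network values are placeholders.
#
# Usage: gen_patch_window_rules IFACE NET [NET ...]     (prints rules)
#        gen_patch_window_rules eth0 192.0.2.0/24 | sh  (apply as root)

# Accept only dotted-quad IPv4 with an optional /prefix. Hostnames are
# rejected on purpose: iptables resolves a name once, at rule-load time,
# so a rule for "update.example.com" pins whatever address DNS returned at
# that moment and silently misses the rest of the server pool.
is_ipv4_net() {
  net=$1
  case "$net" in
    ''|*[!0-9./]*|/*|*/|*//*|.*|*.|*..*|*./*|*/*.*) return 1 ;;
  esac
  case "$net" in
    */*) [ "${net##*/}" -le 32 ] || return 1 ;;
  esac
  addr=${net%%/*}
  case "$addr" in
    *.*.*.*.*) return 1 ;;   # more than three dots
    *.*.*.*)   ;;            # exactly three
    *)         return 1 ;;
  esac
  oldifs=$IFS; IFS=.
  set -- $addr               # positional parameters are local to the function
  IFS=$oldifs
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

gen_patch_window_rules() {
  iface=$1; shift
  if [ "$#" -eq 0 ]; then
    echo 'error: no update-server networks given; refusing to emit an all-drop ruleset' >&2
    return 1
  fi
  for net in "$@"; do
    is_ipv4_net "$net" || { echo "error: '$net' is not an IPv4 address or CIDR" >&2; return 1; }
  done

  cat <<EOF
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# replies to connections the host itself opened
iptables -A INPUT  -i $iface -m state --state ESTABLISHED,RELATED -j ACCEPT
# name resolution for the update client
iptables -A OUTPUT -o $iface -p udp --dport 53 -m state --state NEW -j ACCEPT
EOF
  # one ACCEPT per allowlisted network, web ports only
  for net in "$@"; do
    printf 'iptables -A OUTPUT -o %s -d %s -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT\n' "$iface" "$net"
  done
  cat <<EOF
# log (then drop, by policy) unsolicited inbound probes: the timestamps show
# how quickly a fresh address gets scanned, the number the thread argues about
iptables -A INPUT  -i $iface -m state --state NEW -m limit --limit 10/min -j LOG --log-prefix "patchwin-in: "
# anything else the box tries to reach during the window is worth knowing about
iptables -A OUTPUT -o $iface -m limit --limit 10/min -j LOG --log-prefix "patchwin-out: "
EOF
}

# Pre-flight check before piping rules into sh: how many networks did the
# generated ruleset actually open? Reads the ruleset from stdin.
count_allowed_nets() {
  grep -c -- '--dports 80,443'
}

if [ "$#" -gt 0 ]; then
  gen_patch_window_rules "$@"
fi
```

Run it on the host itself (OUTPUT chain, as written) or on the NAT/DSL box in front of it (same idea on the FORWARD chain, not shown). Because the OUTPUT policy is DROP, a download that stalls is your signal that the allowlist is incomplete rather than a silent failure; the "patchwin-out" log lines tell you which address the update client wanted. Once patching is done, replace this ruleset with the permanent one rather than just flushing it.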



