Worms versus Bots
Eric Krichbaum
eric.krichbaum at citynet.net
Tue May 4 12:15:41 UTC 2004
True, but this isn't just an XP issue. Look at how many ppl are still
infected with Code Red/Nimda/Slammer/etc. A Windows 2000 box doesn't
fair any better. Heck, I still see Happy99.
Eric
-----Original Message-----
From: Buhrmaster, Gary [mailto:gtb at slac.stanford.edu]
Sent: Monday, May 03, 2004 11:28 PM
To: Eric Krichbaum; nanog at merit.edu
Subject: RE: Worms versus Bots
Microsoft has said Windows XP SP2 will have the firewall turned on by
default, and that they have "considered"
reissuing the installation CD's such that a new installation will have
the firewall enabled to deal with just this problem. I do not know the
current state of the consideration, but to me it seems reasonable that
Microsoft should at least make the offer of a new CD (to anyone who has
a valid XP license key?) No, many people will not request a new CD, but
then many people never apply patches either. I think this is a horse
and water problem.
Gary
> -----Original Message-----
> From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On Behalf
> Of Eric Krichbaum
> Sent: Monday, May 03, 2004 8:13 PM
> To: nanog at merit.edu
> Subject: FW: Worms versus Bots
>
>
> I see times more typically in the 5 - 10 second range to infection.
> As a test, I unprotected a machine this morning on a single T1 to get
> a sample. 8 seconds. If you can get in 20 minutes of downloads
> you're luckier than most.
>
> Eric
>
>
> -----Original Message-----
> From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On Behalf
> Of william(at)elan.net
> Sent: Monday, May 03, 2004 11:49 PM
> To: Sean Donelan
> Cc: Rob Thomas; NANOG
> Subject: Re: Worms versus Bots
>
>
> On Mon, 3 May 2004, Sean Donelan wrote:
>
> > On Mon, 3 May 2004, Rob Thomas wrote:
> > > ] Just because a machine has a bot/worm/virus that didn't
> come with
> > > a ] rootkit, doesn't mean that someone else hasn't had their way
> with it.
> > >
> > > Agreed.
> >
> > Won't help. What's the first thing people do after
> re-installing the
> > operating system (still have all the original CDs and keys
> and product
>
> > activation codes and and and)? Connect to the Internet to
> download the
>
> > patches. Time to download patches 60+ minutes.
> > Time to infection 5 minutes.
>
> Its possible its a problem on dialup, but in our ISP office I setup
> new win2000 servers and first thing I do is download all the patches.
> I've yet to see the server get infected in the 20-30 minutes it takes
> to finish it
> (Note: I also disable IIS just in case until everything is patched..).
>
> Similarly when settting up computers for several of my relatives (all
> have dsl) I've yet to see any infection before all updates are
> installed.
>
> Additional to that many users have dsl router or similar device and
> many such beasts will provide NATed ip block and act like a firewall
> not allowing outside servers to actually connect to your home
> computer.
> On this point it would be really interested to see what percentage of
> users actually have these routers and if decreasing speed of
> infections by new virus (is there real numbers to show it decreased?)
> have anything to do with this rather then people being more carefull
> and using antivirus.
>
> Another option if you're really afraid of infection is to setup proxy
> that only allows access to microsoft ip block that contains windows
> update servers
>
> And of course, there is an even BETTER OPTION then all the above -
> STOP USING WINDOWS and switch to Linux or Free(Mac)BSD ! :)
>
> > Patches are Microsoft's
> > intellectual property and can not be distributed by anyone without
> > Microsoft's permission.
> I don't think this is quite true. Microsoft makes available all
> patches as indidual .exe files. There are quite many of these updates
> and its really a pain to actually get all of them and install updates
> manually.
> But I've never seen written anywhere that I can not download these
> .exe files and distribute it inside your company or to your friends as
> needed to fix the problems these patches are designed for.
>
> > The problem with Bots is they aren't always active. That
> makes them
> > difficult to find until they do something.
> As opposed to what, viruses?
> Not at all! Many viruses have period wjhen they are active and
> afterwards they go into "sleep" mode and will not active until some
> other date!
>
> Additionally bot that does not immediatly become active is good thing
> because of you do weekly or monthly audits (any many do it like that)
> you may well find it this way and deal with it at your own time,
> rather then all over a sudden being awaken 3am and having to clean up
> infected system.
>
> --
> William Leibzon
> Elan Networks
> william at elan.net
>
>
>
More information about the NANOG
mailing list