Worms versus Bots

Eric Krichbaum eric.krichbaum at citynet.net
Tue May 4 12:15:41 UTC 2004

True, but this isn't just an XP issue.  Look at how many ppl are still
infected with Code Red/Nimda/Slammer/etc.  A Windows 2000 box doesn't
fair any better.  Heck, I still see Happy99.


-----Original Message-----
From: Buhrmaster, Gary [mailto:gtb at slac.stanford.edu] 
Sent: Monday, May 03, 2004 11:28 PM
To: Eric Krichbaum; nanog at merit.edu
Subject: RE: Worms versus Bots

Microsoft has said Windows XP SP2 will have the firewall turned on by
default, and that they have "considered"
reissuing the installation CD's such that a new installation will have
the firewall enabled to deal with just this problem.  I do not know the
current state of the consideration, but to me it seems reasonable that
Microsoft should at least make the offer of a new CD (to anyone who has
a valid XP license key?)  No, many people will not request a new CD, but
then many people never apply patches either.  I think this is a horse
and water problem.  


> -----Original Message-----
> From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On Behalf 
> Of Eric Krichbaum
> Sent: Monday, May 03, 2004 8:13 PM
> To: nanog at merit.edu
> Subject: FW: Worms versus Bots
> I see times more typically in the 5 - 10 second range to infection.  
> As a test, I unprotected a machine this morning on a single T1 to get 
> a sample.  8 seconds.  If you can get in 20 minutes of downloads 
> you're luckier than most.
> Eric
> -----Original Message-----
> From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On Behalf 
> Of william(at)elan.net
> Sent: Monday, May 03, 2004 11:49 PM
> To: Sean Donelan
> Cc: Rob Thomas; NANOG
> Subject: Re: Worms versus Bots
> On Mon, 3 May 2004, Sean Donelan wrote:
> > On Mon, 3 May 2004, Rob Thomas wrote:
> > > ] Just because a machine has a bot/worm/virus that didn't
> come with
> > > a ] rootkit, doesn't mean that someone else hasn't had their way
> with it.
> > >
> > > Agreed.
> > 
> > Won't help.  What's the first thing people do after
> re-installing the
> > operating system (still have all the original CDs and keys
> and product
> > activation codes and and and)? Connect to the Internet to
> download the
> > patches. Time to download patches 60+ minutes.
> > Time to  infection 5 minutes. 
> Its possible its a problem on dialup, but in our ISP office I setup 
> new win2000 servers and first thing I do is download all the patches. 
> I've yet to see the server get infected in the 20-30 minutes it takes 
> to finish it
> (Note: I also disable IIS just in case until everything is patched..).
> Similarly when settting up computers for several of my relatives (all 
> have dsl) I've yet to see any infection before all updates are 
> installed.
> Additional to that many users have dsl router or similar device and 
> many such beasts will provide NATed ip block and act like a firewall 
> not allowing outside servers to actually connect to your home 
> computer.
> On this point it would be really interested to see what percentage of 
> users actually have these routers and if decreasing speed of 
> infections by new virus (is there real numbers to show it decreased?) 
> have anything to do with this rather then people being more carefull 
> and using antivirus.
> Another option if you're really afraid of infection is to setup proxy 
> that only allows access to microsoft ip block that contains windows 
> update servers
> And of course, there is an even BETTER OPTION then all the above - 
> STOP USING WINDOWS and switch to Linux or Free(Mac)BSD ! :)
> > Patches are Microsoft's
> > intellectual property and can not be distributed by anyone without 
> > Microsoft's permission.
> I don't think this is quite true. Microsoft makes available all 
> patches as indidual .exe files. There are quite many of these updates 
> and its really a pain to actually get all of them and install updates 
> manually.
> But I've never seen written anywhere that I can not download these 
> .exe files and distribute it inside your company or to your friends as

> needed to fix the problems these patches are designed for.
> > The problem with Bots is they aren't always active.  That
> makes them
> > difficult to find until they do something.
> As opposed to what, viruses?
> Not at all! Many viruses have period wjhen they are active and 
> afterwards they go into "sleep" mode and will not active until some 
> other date!
> Additionally bot that does not immediatly become active is good thing 
> because of you do weekly or monthly audits (any many do it like that) 
> you may well find it this way and deal with it at your own time, 
> rather then all over a sudden being awaken 3am and having to clean up 
> infected system.
> --
> William Leibzon
> Elan Networks
> william at elan.net

More information about the NANOG mailing list