FW: Worms versus Bots

Smith, Donald Donald.Smith at qwest.com
Tue May 4 13:37:01 UTC 2004


If you follow these steps outlined by SANS you should be able to
successfully update
and NOT get infected. This is short, easy, fully documented (with
pictures :)
http://www.sans.org/rr/papers/index.php?id=1298

Donald.Smith at qwest.com GCIA
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xAF00EDCC
pgpFingerPrint:9CE4 227B B9B3 601F B500  D076 43F1 0767 AF00 EDCC
kill -13 111.2 

> -----Original Message-----
> From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On 
> Behalf Of Henry Linneweh
> Sent: Tuesday, May 04, 2004 2:19 AM
> To: Eric Krichbaum; nanog at merit.edu
> Subject: Re: FW: Worms versus Bots
> 
> 
> 
> It is amazingly simple to pull an ethernet cable out
> of the back of your box to update a box from a CD.... 
> especially in a suspect environment where you have had many problems.
> 
> I have had the displeasure of having had to go from
> box to box and clean each individually and while many
> problems were stopped by Netscreen at the door, we
> still had to run enterprise protection per machine as
> a second line of defense and separate domains in the
> company for greater protection between the groups.
> 
> -Henry
> 
> 
> --- Eric Krichbaum <eric.krichbaum at citynet.net> wrote:
> > 
> > I see times more typically in the 5 - 10 second range to infection.  As
> > a test, I unprotected a machine this morning on a single T1 to get a
> > sample.  8 seconds.  If you can get in 20 minutes of downloads you're
> > luckier than most.
> > 
> > Eric
> > 
> > 
> > -----Original Message-----
> > From: owner-nanog at merit.edu
> > [mailto:owner-nanog at merit.edu] On Behalf Of william(at)elan.net
> > Sent: Monday, May 03, 2004 11:49 PM
> > To: Sean Donelan
> > Cc: Rob Thomas; NANOG
> > Subject: Re: Worms versus Bots
> > 
> > 
> > On Mon, 3 May 2004, Sean Donelan wrote:
> > 
> > > On Mon, 3 May 2004, Rob Thomas wrote:
> > > > ] Just because a machine has a bot/worm/virus that didn't come with a
> > > > ] rootkit, doesn't mean that someone else hasn't had their way with it.
> > > >
> > > > Agreed.
> > > 
> > > Won't help.  What's the first thing people do after re-installing the
> > > operating system (still have all the original CDs and keys and product
> > > activation codes and and and)? Connect to the Internet to download the
> > > patches. Time to download patches 60+ minutes.
> > > Time to  infection 5 minutes.
> > 
> > It's possible it's a problem on dialup, but in our ISP office I set up new
> > win2000 servers and the first thing I do is download all the patches. I've
> > yet to see the server get infected in the 20-30 minutes it takes to
> > finish it (Note: I also disable IIS just in case until everything is
> > patched..).
> > 
> > Similarly when setting up computers for several of my relatives (all
> > have dsl) I've yet to see any infection before all updates are
> > installed.
> > 
> > In addition to that many users have a dsl router or similar device and many
> > such beasts will provide a NATed ip block and act like a firewall not
> > allowing outside servers to actually connect to your home computer.
> > On this point it would be really interesting to see what percentage of
> > users actually have these routers and if the decreasing speed of infections
> > by new viruses (are there real numbers to show it decreased?) has anything
> > to do with this rather than people being more careful and using
> > antivirus.
> > 
> > Another option if you're really afraid of infection is to set up a proxy
> > that only allows access to the microsoft ip block that contains windows
> > update servers.
> > 
> > And of course, there is an even BETTER OPTION than all the above - STOP
> > USING WINDOWS and switch to Linux or Free(Mac)BSD !
> > :)
> > 
> > > Patches are Microsoft's intellectual property and can not be distributed
> > > by anyone without Microsoft's permission.
> > 
> > I don't think this is quite true. Microsoft makes available all patches
> > as individual .exe files. There are quite many of these updates and it's
> > really a pain to actually get all of them and install updates manually.
> > But I've never seen written anywhere that I can not download these .exe
> > files and distribute them inside your company or to your friends as needed
> > to fix the problems these patches are designed for.
> >  
> > > The problem with Bots is they aren't always active.  That makes them
> > > difficult to find until they do something.
> > 
> > As opposed to what, viruses?
> > Not at all! Many viruses have periods when they are active and
> > afterwards they go into "sleep" mode and will not activate until some
> > other date!
> > 
> > Additionally a bot that does not immediately become active is a good thing
> > because if you do weekly or monthly audits (and many do it like that)
> > you may well find it this way and deal with it at your own time, rather
> > than all of a sudden being awakened at 3am and having to clean up an infected
> > system.
> > 
> > --
> > William Leibzon
> > Elan Networks
> > william at elan.net
> > 
> 
> 
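William's suggestion of a proxy that only admits traffic to the update servers' address block, together with the NAT-router point about refusing unsolicited inbound connections, amounts to an egress allow-list for a host that is still downloading patches. The Python below is an added example written for this archive page, not code from anyone in the thread. It expresses that policy as a decision function and runs it over a few constructed connection records. The two CIDRs standing in for Microsoft's update-server block are RFC 5737 TEST-NET placeholders, not real addresses, and the record format is invented for the example.

```python
import ipaddress
from dataclasses import dataclass

# Placeholder address blocks standing in for the update servers' IP block
# (RFC 5737 TEST-NET ranges; substitute the real blocks in practice).
UPDATE_SERVER_BLOCKS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]
# Only the web ports an update client needs.
ALLOWED_PORTS = {80, 443}


@dataclass(frozen=True)
class Connection:
    direction: str  # "out" (host initiated) or "in" (unsolicited inbound)
    src: str
    dst: str
    dport: int


def egress_allowed(conn: Connection) -> bool:
    """Policy for a host that is still downloading patches.

    Unsolicited inbound connections are always refused (the job the NAT box
    does in the thread); outbound is allowed only to an update-server block
    on an update port.
    """
    if conn.direction != "out":
        return False
    if conn.dport not in ALLOWED_PORTS:
        return False
    dst = ipaddress.ip_address(conn.dst)
    return any(dst in block for block in UPDATE_SERVER_BLOCKS)


def parse_record(line: str) -> Connection:
    """Parse a constructed record: '<in|out> <src> -> <dst>:<dport>' (IPv4 only)."""
    direction, src, arrow, target = line.split()
    if arrow != "->":
        raise ValueError(f"malformed record: {line!r}")
    dst, dport = target.rsplit(":", 1)
    return Connection(direction, src, dst, int(dport))


def evaluate(lines):
    """Split records into allowed and denied lists, preserving input order."""
    allowed, denied = [], []
    for line in lines:
        conn = parse_record(line)
        (allowed if egress_allowed(conn) else denied).append(conn)
    return allowed, denied


def denied_summary(lines):
    """Return '<direction> dst:port' strings for denied records. On a freshly
    installed box that should only be talking to the update servers, every
    entry here is worth a look."""
    _, denied = evaluate(lines)
    return [f"{c.direction} {c.dst}:{c.dport}" for c in denied]


# Constructed sample records, not captured traffic.
SAMPLE_RECORDS = [
    "out 10.0.0.5 -> 192.0.2.10:443",     # patch download: allowed
    "out 10.0.0.5 -> 198.51.100.7:80",    # catalog fetch: allowed
    "in 203.0.113.9 -> 10.0.0.5:445",     # unsolicited inbound probe: denied
    "out 10.0.0.5 -> 203.0.113.44:6667",  # outbound to an unlisted host: denied
    "out 10.0.0.5 -> 192.0.2.10:21",      # right block, non-update port: denied
]

if __name__ == "__main__":
    allowed, denied = evaluate(SAMPLE_RECORDS)
    print(f"allowed={len(allowed)} denied={len(denied)}")
    for item in denied_summary(SAMPLE_RECORDS):
        print("DENY", item)
```

The same allow/deny decision is what a filtering proxy or the router's rule set would make per connection; keeping the denied list around is the cheap detection side of the same setup, since anything a not-yet-patched host tries to reach outside the update block is either a mistake in the allow-list or the 8-second infection Eric measured.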


