FW: Worms versus Bots

Daniel Senie dts at senie.com
Tue May 4 15:38:58 UTC 2004

At 10:54 AM 5/4/2004, Sean Donelan wrote:

>On Tue, 4 May 2004, Smith, Donald wrote:
> > If you follow these steps outlined by SANS you should be able to
> > successfully update and NOT get infected. This is short, easy, fully
> > documented (with pictures :)
> > http://www.sans.org/rr/papers/index.php?id=1298
>The risk is smaller, but still exists if you follow these directions
>for XP pre-SP2.  See the Microsoft release notes for XP SP2 for details
>about the fix.
>If you do not have XP SP2, you need to disconnect your computer from the
>network prior to every boot cycle until it is fully patched.

A much simpler mechanism than that described by SANS is to have a small, 
cheap NAT box in your bag (e.g. D-Link DI-604 or similar). Worth the $50 
cost to have one available. Put the little router between the new machine 
to be brought up and whatever network you have access to. Now you can bring 
up the new machine and update it without having it get instantly infected. 
(Use some common sense... don't set up email until the machine is patched, 
or use any other sort of mechanism to pull in potential viruses before 
patching is done).

(To deflect the inevitable "NAT is not a firewall" complaints, the box is a 
stateful inspection firewall -- as all NAT boxes actually are). 
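
The following is an added illustration, not part of the original message: a toy port-translating NAT state table showing why an unpatched machine behind such a box is not reachable by unsolicited inbound probes while its own update traffic still works. All addresses, ports and the timeout are constructed, and the filtering shown (replies accepted only from the exact peer contacted) is an assumption; real devices vary.

```python
from dataclasses import dataclass, field

WAN_IP = "198.51.100.7"  # constructed: router's outside address (TEST-NET-2)

@dataclass
class NatBox:
    idle_timeout: float = 120.0  # assumed idle timeout in seconds
    next_port: int = 40000
    # (proto, wan_port) -> [lan_ip, lan_port, remote_ip, remote_port, last_seen]
    table: dict = field(default_factory=dict)

    def outbound(self, proto, lan_ip, lan_port, dst_ip, dst_port, now):
        """LAN host opens a flow: create or refresh state, return rewritten source."""
        for (p, wan_port), e in self.table.items():
            if p == proto and e[:4] == [lan_ip, lan_port, dst_ip, dst_port]:
                e[4] = now
                return WAN_IP, wan_port
        wan_port = self.next_port
        self.next_port += 1
        self.table[(proto, wan_port)] = [lan_ip, lan_port, dst_ip, dst_port, now]
        return WAN_IP, wan_port

    def inbound(self, proto, src_ip, src_port, wan_port, now):
        """Packet arrives on the WAN side: forward only if it matches live state."""
        e = self.table.get((proto, wan_port))
        if e is None:
            return None                    # no state: unsolicited, dropped
        if now - e[4] > self.idle_timeout:
            del self.table[(proto, wan_port)]
            return None                    # state expired, dropped
        if (src_ip, src_port) != (e[2], e[3]):
            return None                    # not the peer the LAN host contacted
        e[4] = now
        return e[0], e[1]                  # translated back to the LAN host

def demo():
    nat = NatBox()
    pc = "192.168.0.100"                   # constructed: unpatched machine on the LAN side
    update = ("203.0.113.10", 80)          # constructed: update server (TEST-NET-3)
    scanner = "203.0.113.66"               # constructed: infected host probing the network
    _, wport = nat.outbound("tcp", pc, 1025, *update, now=0)
    return {
        "reply_from_update_server": nat.inbound("tcp", *update, wport, now=1),
        "probe_to_445": nat.inbound("tcp", scanner, 3333, 445, now=1),
        "probe_to_mapped_port": nat.inbound("tcp", scanner, 3333, wport, now=1),
        "reply_after_timeout": nat.inbound("tcp", *update, wport, now=500),
    }

if __name__ == "__main__":
    print(demo())
```

Only the reply from the contacted update server is delivered; both probes and the late reply return None because no matching live state exists.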
