How long before infected - Internet addresses are not uniform

Marshall Eubanks tme at multicasttech.com
Tue May 4 15:55:41 UTC 2004


On Tue, 4 May 2004 02:42:10 -0400 (EDT)
 Sean Donelan <sean at donelan.com> wrote:
> 
> On Mon, 3 May 2004, william(at)elan.net wrote:
> > Similarly when setting up computers for several of my relatives (all
> > have dsl) I've yet to see any infection before all updates are installed.
> 
> The folks at CAIDA can do the math, but it turns out many of the recent
> worms have some interesting gaps in their address scanning routines.
> There are some Internet address ranges scanned every few seconds, while
> other address ranges may go weeks between scans.  This is part of the
> reason why "network telescope" estimates of how many infected computers
> are so wrong.  They assume a uniform distribution of worm scans and
> infected computers.

I think that their math is challenged in general - Sasser appears to
do TCP scanning of the entire multicast address range, which betrays a
lack of knowledge or concern about Internet routing.

Regards
Marshall Eubanks

> 
> I've seen "raw" Windows boxes connected to the Internet for 4 weeks
> without being compromised.  A watched honeypot never attracts the bear :-)
> I've also seen Windows boxes compromised during the boot process between
> the time the network interface is enabled and XP's built-in firewall
> being activated, less than 1 second.
> 
> Of course we still have the human factor.  Some system compromises require
> the user to save an attachment, rename the file, open the file, enter a
> password, extract another file and then run it in order to compromise
> the computer.  It's amazing how many infected computers are behind
> NAT/firewalls.  Firewalls and antivirus help, but please when you
> get a message from your ISP saying your computer is infected check
> it out.  Don't assume it can't happen to you just because.
> 
> I have not found an official Microsoft source for MD5 hashes of
> Windows, so it's difficult to find unknown stuff on your computer.  There
> are some third-party products which can do change monitoring of Windows.
> But I agree with Rob Thomas and others, the only way to restore trust
> in your Windows system is to re-install from a known, good distribution.
> Unfortunately, this is beyond the capabilities of many home (and even
> office) users.
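The two points above (a telescope that assumes uniform scanning, and a worm that wastes probes on the multicast range) can be made concrete with a small simulation. The following is an added example, not code from the original post or from any worm: it compares a uniform scanner with a hypothetical scanner that spends 90% of its probes in a single /8, shows how a /8 "network telescope" that scales its observations by 2^32 under- or over-estimates the true probe count depending on where that hot /8 sits, and counts the share of uniform probes that land in multicast (224/4), reserved (240/4) or private space. The telescope prefix, the hot /8 prefixes and the skew ratio are all constructed for illustration.

```python
# Added example (not from the original NANOG post): a toy model of why a
# "network telescope" that assumes uniform scanning misestimates a worm
# whose scanner favours some prefixes, plus a count of probes a scanner
# wastes on multicast and other unroutable space. All prefixes below are
# constructed for illustration; the skewed scanner is hypothetical and
# does not reproduce any real worm's algorithm.
import ipaddress
import random

ADDRESS_SPACE = 2 ** 32

# Constructed /8 used as the telescope's darknet prefix.
TELESCOPE = ipaddress.ip_network("198.0.0.0/8")

# Ranges a routing-aware scanner would skip: "this" network, private,
# loopback, multicast (224/4) and reserved/broadcast (240/4).
UNROUTABLE = [
    ipaddress.ip_network(p)
    for p in ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
              "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")
]

def _as_int_masks(nets):
    """(network, netmask) integer pairs so classification is a few AND ops."""
    return [(int(n.network_address), int(n.netmask)) for n in nets]

UNROUTABLE_INT = _as_int_masks(UNROUTABLE)
TELESCOPE_INT = _as_int_masks([TELESCOPE])[0]

def is_unroutable(addr):
    """True if the 32-bit integer address falls in an unroutable range."""
    return any(addr & mask == net for net, mask in UNROUTABLE_INT)

def wasted_fraction(addrs):
    """Share of probe targets that can never reach a host."""
    return sum(1 for a in addrs if is_unroutable(a)) / len(addrs)

def uniform_scanner(rng, n):
    """Every address equally likely; this is what a telescope assumes."""
    return [rng.getrandbits(32) for _ in range(n)]

def skewed_scanner(rng, n, hot_prefix, hot_share=0.9):
    """Hypothetical scanner: hot_share of probes land in one /8, the rest
    are uniform. Constructed to show non-uniform coverage, nothing more."""
    hot = int(ipaddress.ip_network(hot_prefix).network_address)
    return [hot | rng.getrandbits(24) if rng.random() < hot_share
            else rng.getrandbits(32) for _ in range(n)]

def telescope_estimate(addrs):
    """Probes seen inside the telescope, scaled up as if scanning were
    uniform over all 2^32 addresses."""
    net, mask = TELESCOPE_INT
    seen = sum(1 for a in addrs if a & mask == net)
    return seen * (ADDRESS_SPACE // TELESCOPE.num_addresses)

def run(seed=1, n=256_000):
    """Return the true probe count, telescope estimates for three scanners,
    and the fraction of uniform probes wasted on unroutable space."""
    rng = random.Random(seed)
    uniform = uniform_scanner(rng, n)
    # Hot /8 disjoint from the telescope: the telescope sees too little.
    cold_for_telescope = skewed_scanner(rng, n, "45.0.0.0/8")
    # Hot /8 equal to the telescope: the telescope sees far too much.
    hot_for_telescope = skewed_scanner(rng, n, "198.0.0.0/8")
    return {
        "true_probes": n,
        "estimate_uniform": telescope_estimate(uniform),
        "estimate_cold": telescope_estimate(cold_for_telescope),
        "estimate_hot": telescope_estimate(hot_for_telescope),
        "wasted_uniform": wasted_fraction(uniform),
    }

if __name__ == "__main__":
    for key, value in run().items():
        print(f"{key:18} {value}")
```

With the constructed parameters the uniform scanner's estimate lands near the true count, the scanner whose hot /8 misses the telescope is under-counted by roughly a factor of ten, and the one whose hot /8 is the telescope itself is over-counted by more than two orders of magnitude; about 13-14% of the uniform scanner's probes go to space no host can answer from, most of it the multicast and reserved /4s.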

More information about the NANOG mailing list