funsec mailing list archives

RE: Gadi Busted In Massive Conspiracy


From: "Randy Abrams" <abrams () eset com>
Date: Fri, 3 Feb 2006 11:56:33 -0800

 

-----Original Message-----
From: Valdis.Kletnieks () vt edu [mailto:Valdis.Kletnieks () vt edu] 
Sent: Friday, February 03, 2006 7:34 AM
To: Randy Abrams
Cc: nick () virus-l demon co uk; funsec () linuxbox org
Subject: Re: [funsec] Gadi Busted In Massive Conspiracy 

On Thu, 02 Feb 2006 22:10:02 PST, Randy Abrams said:

They don't even know they are running the tool. This is a silent 
download (after the first time) that runs in the background. It is 
delivered with Windows Update automatically and there is no UI until it
finds something.
All it takes is a default XPSP2.

Does this happen even if autoupdate isn't enabled? Or on 
pre-XPSP2 systems, of which there are a lot?  Or if it 
decides to update at 3:17AM, and the box is turned off then? 
Or if the person is on dialup? Or if a proxy/NAT needs to be 
configured? (I don't know, as I don't do Windows that extensively...)

It certainly won't happen every month if they don't have autoupdate. If they
do have autoupdate it will happen on dialup too. Most commercial home-use
routers (Linksys, D-Link) do not need any special configuration. I expect
that products like Zone Alarm would try to stay out of the way of Windows
Update too. There are millions of PCs using Windows Update. I don't recall
the exact numbers though. I could try to get some stats. Jason said at AVAR
that much of this info will be made public.
I don't recall which older OSes can run it. Clearly it isn't going to hit
everyone.


As an aside, consider that there's a clear existence proof 
that anything delivered along with the auto-update doesn't 
get to as many places as we'd wish - after Patch Tuesday, 
there's still a significant number of unpatched machines out there...

The MSRT with MSBlaster demonstrated far better penetration than has been
achieved with "Install AV software" advice. AV estimates of infection rates
were found to be extremely understated.

I'll skip the paranoid concept that the XPSP2 EULA gives the 
tool the right to declare critical files from a Firefox or 
OpenOffice install 'malicious' and nuke them without 
notifying the user...  Even MS wouldn't stoop *that* low.
(Although the legalistics that would happen with a 
sufficiently big false positive *would* be amusing to watch 
from the sidelines. ;)

(Of course, if it's rammed down users' throats with XPSP2, 
then there's probably a few percent at least, and making the 
extrapolation becomes statistically viable.  At least *if* 
you can get your hands on Microsoft's stats from the
service....)

I'll see what I can find. The stats can be measured against
other malware the MSRT deals with and should provide a fairly good
comparative prevalence picture.

Cheers,

Randy
 

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
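
The thread above turns on two preconditions: Automatic Updates has to be on for the MSRT to arrive and run silently, and the only trace of a clean run is the tool's own log. The following PowerShell is an added example (not code from the list or from Microsoft) for checking both on a local Windows host. The registry locations are the documented Automatic Updates, AU policy and RemovalTools\MRT keys; the mrt.log line patterns ("Started On", "No infection found.", "Return code") are an assumption about the log's usual layout and are marked as such in the code. Run it in an elevated PowerShell on the host you want to assess.

```powershell
# Added example, not part of the original thread.
# Checks whether a host is set up so the MSRT will arrive and run silently
# via Automatic Updates, and reports what the last MSRT run logged.
# Registry paths: documented Automatic Updates / AU policy / MRT keys.
# Log parsing: ASSUMPTION about mrt.log's usual layout (see comments).

function Get-MsrtStatus {
    $au  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update' -ErrorAction SilentlyContinue
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    $mrt = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\RemovalTools\MRT' -ErrorAction SilentlyContinue

    # AUOptions: 1 = disabled, 2 = notify before download, 3 = download then
    # notify, 4 = download and install on schedule. The policy value
    # NoAutoUpdate=1 overrides whatever the user picked.
    $auOption = if ($pol -and $pol.NoAutoUpdate -eq 1) { 1 }
                elseif ($au) { $au.AUOptions }
                else { $null }

    # MSRT appends one block per run to %windir%\debug\mrt.log.
    # ASSUMPTION: each block starts with a "Started On" line, reports
    # "No infection found." when clean, and ends with a "Return code" line.
    $log = Join-Path $env:windir 'debug\mrt.log'
    $lastStart = $null; $lastReturn = $null; $foundSomething = $null
    if (Test-Path $log) {
        $lines = Get-Content $log
        $startIdx = ($lines | Select-String -SimpleMatch 'Started On' | Select-Object -Last 1).LineNumber
        if ($startIdx) {
            $run = $lines[($startIdx - 1)..($lines.Count - 1)]   # last run only
            $lastStart  = ($run | Select-String -SimpleMatch 'Started On'  | Select-Object -First 1).Line
            $lastReturn = ($run | Select-String -SimpleMatch 'Return code' | Select-Object -Last 1).Line
            # A silent, clean run leaves only the "No infection found." line;
            # its absence in the last block is the cue to read the block by hand.
            $foundSomething = -not ($run | Select-String -SimpleMatch 'No infection found.')
        }
    }

    [pscustomobject]@{
        OSVersion          = [Environment]::OSVersion.Version.ToString()
        AutoUpdateOption   = $auOption
        WillRunSilently    = ($auOption -eq 4)          # only option 4 installs unattended
        MsrtLastVersion    = if ($mrt) { $mrt.Version } else { $null }   # GUID of last MSRT release seen
        MsrtLogPresent     = (Test-Path $log)
        MsrtLastStarted    = $lastStart
        MsrtLastReturn     = $lastReturn
        MsrtFoundSomething = $foundSomething
    }
}

Get-MsrtStatus | Format-List
```

`WillRunSilently` is only true for AUOptions 4; options 2 and 3 still need a user to click through, which answers Valdis's "autoupdate isn't enabled" case. `MsrtLogPresent` being false on a box that has had Automatic Updates on for months is itself a useful signal: either the tool has never run there or something is preventing it.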

