funsec mailing list archives
RE: Gadi Busted In Massive Conspiracy
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Sat, 04 Feb 2006 11:21:12 +1300
Randy Abrams to Valdis Kletnieks:
> > Does this happen even if autoupdate isn't enabled? Or on pre-XPSP2 systems, of which there are a lot? Or if it decides to update at 3:17AM, and the box is turned off then?

Auto-Update takes a "smart", incremental streaming approach to obtaining its files. Once it sees that new stuff necessary for the current state of its host is available, it starts downloading this using dynamically assessed "idle" bandwidth (unless it has the non-default "alert me when available but don't download" option set), so if the host is offline (for whatever reason) at 3:17am, AU will simply wait until it is back online to start making its checks, trickling content, etc. Credit where it's due, MS did a lot of work on this and it looks like they got it right.

> > Or if the person is on dialup? Or if a proxy/NAT needs to be configured? (I don't know, as I don't do Windows that extensively...)
>
> It certainly won't happen every month if they don't have autoupdate. If they do have autoupdate it will happen on dialup too. Most commercial home use routers (Linksys, D-Link) do not need any special configuration. I expect that products like Zone Alarm would try to stay out of the way of Windows Update too. There are millions of PCs using Windows Update. I don't recall the exact numbers though. I could try to get some stats. Jason said at AVAR that much of this info will be made public.

Yes -- I'm looking forward to hearing that this promise has been delivered on...

> I don't recall which older OSes can run it. Clearly it isn't going to hit everyone.

I think it's Win2K and up.

> > As an aside, consider that there's a clear existence proof that anything delivered along with the auto-update doesn't get to as many places as we'd wish - after Patch Tuesday, there's still a significant number of unpatched machines out there...
>
> The MSRT with MSBlaster demonstrated far better penetration ...

IIRC, Jason said that a couple of months "after" Blaster he/MS was approached by a group of backbone/peering operators asking what was going to be done about the "Blaster problem". This surprised Jason as they thought Blaster was mostly dealt with. I don't recall the stats at all well now, but Jason said the net-ops stats showed that something like 10-15% of all backbone traffic was due to Blaster and its offshoots and that's when MS decided to release what has become the MSRT (IIRC, initially it was solely an anti-Blaster (and relatives) tool and data collector).

> ... than has been achieved with "Install AV Software" advice. AV estimates of infection rates were found to be extremely understated.

BUT, you also have to be aware that MSRT can be (and is being) trivially targeted by the bad guys, increasingly being seen in the "standard" lists of processes to kill as the first step of running any new malware, along with popular PFWs, AV s/w, etc... Also, smart bad guys will ensure that they take sound steps to block access to the WU servers, so that once run they prevent being usurped by new MSRT updates, just as they already do with AV, etc... Remember, when playing in a blacklisting-controlled environment (i.e. modern "known virus scanning" AV) the bad guy has the upper hand because his code always gets to run first...

> > I'll skip the paranoid concept that the XPSP2 EULA gives the tool the right to declare critical files from a Firefox or OpenOffice install 'malicious' and nuke them without notifying the user... Even MS wouldn't stoop *that* low. (Although the legalistics that would happen with a sufficiently big false positive *would* be amusing to watch from the sidelines. ;) (Of course, if it's rammed down users' throats with XPSP2, then there's probably a few percent at least, and making the extrapolation becomes statistically viable. At least *if* you can get your hands on Microsoft's stats from the service....)
>
> I'll see what I can find. The stats will be able to be measured against other malware the MSRT deals with and should provide a fairly good comparative prevalence picture.
This is getting awfully serious for _fun_sec -- technical descriptions of security processes, statistics??? Maybe we should continue this elsewhere (but if Jason Garms is listening, we really would like a pointer to those stats!).

Regards,

Nick FitzGerald

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
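Nick's remark that malware blocks access to the WU servers so later MSRT releases never arrive points at a cheap host-side check a defender can run: audit the hosts file for update hostnames pinned to loopback, 0.0.0.0 or some other address. The script below is an added example, not from the post or from Microsoft; the watched hostname list and the sample hosts-file content are assumptions constructed for illustration.

```python
import ipaddress

# Update hostnames worth watching (assumed, illustrative list; inventory the
# update and AV domains that actually matter in your own environment).
WATCHED_SUFFIXES = (
    "windowsupdate.com",
    "windowsupdate.microsoft.com",
    "update.microsoft.com",
)

# Constructed sample hosts file: a normal localhost line plus the kind of
# entries an update-blocking sample would add.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 windowsupdate.microsoft.com
0.0.0.0   download.windowsupdate.com update.microsoft.com
192.0.2.10 windowsupdate.com
10.0.0.5  intranet.example.test
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        for name in parts[1:]:
            yield parts[0], name.lower()


def is_watched(name):
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_blocked_update_hosts(text):
    """Return sorted (hostname, ip, kind) for every watched hostname found.
    kind is 'blackholed' for loopback/unspecified addresses (or unparsable
    ones), otherwise 'redirected'; a clean hosts file yields no entries."""
    hits = []
    for ip, name in parse_hosts(text):
        if not is_watched(name):
            continue
        try:
            addr = ipaddress.ip_address(ip)
            kind = "blackholed" if addr.is_loopback or addr.is_unspecified else "redirected"
        except ValueError:
            kind = "blackholed"
        hits.append((name, ip, kind))
    return sorted(hits)


if __name__ == "__main__":
    for name, ip, kind in find_blocked_update_hosts(SAMPLE_HOSTS):
        print(f"{kind:10} {name} -> {ip}")
```

On a live box, read C:\Windows\System32\drivers\etc\hosts into `find_blocked_update_hosts` instead of the constructed sample; any hit at all is a finding, since a healthy hosts file has no reason to name update servers.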