funsec mailing list archives

RE: Gadi Busted In Massive Conspiracy


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Sat, 04 Feb 2006 11:21:12 +1300

Randy Abrams to Valdis Kletnieks:

Does this happen even if autoupdate isn't enabled? Or on 
pre-XPSP2 systems, of which there are a lot?  Or if it 
decides to update at 3:17AM, and the box is turned off then? 

Auto-Update takes a "smart", incremental streaming approach to 
obtaining its files.  Once it sees that new stuff necessary for the 
current state of its host is available, it starts downloading this 
using dynamically assessed "idle" bandwidth (unless it has the non-
default "alert me when available but don't download" option set), so if 
the host is offline (for whatever reason) at 3:17am, AU will simply 
wait until it is back online to start making its checks, trickling 
content, etc.

Credit where it's due, MS did a lot of work on this and it looks like 
they got it right.

Or if the person is on dialup? Or if a proxy/NAT needs to be 
configured? (I don't know, as I don't do Windows that extensively...)

It certainly won't happen every month if they don't have autoupdate. If they
do have autoupdate it will happen on dialup too. Most commercial home use
routers (linksys, Dlink) do not need any special configuration. I expect
that products like Zone Alarm would try to stay out of the way of Windows
update too. There are millions of PCs using Windows update. I don't recall
the exact numbers though. I could try to get some stats. Jason said at AVAR
that much of this info will be made public.

Yes -- I'm looking forward to hearing that this promise has been 
delivered on...

I don't recall which older OS's can run it. Clearly it isn't going to hit
everyone.

I think it's Win2K and up.

As an aside, consider that there's a clear existence proof 
that anything delivered along with the auto-update doesn't 
get to as many places as we'd wish - after Patch Tuesday, 
there's still a significant number of unpatched machines out there...

The MSRT with MSBlaster demonstrated far better penetration ...

IIRC, Jason said that a couple of months "after" Blaster he/MS was 
approached by a group of backbone/peering operators asking what was 
going to be done about the "Blaster problem".  This surprised Jason as 
they thought Blaster was mostly dealt with.  I don't recall the stats 
at all well now, but Jason said the net-ops stats showed that something 
like 10-15% of all backbone traffic was due to Blaster and its 
offshoots and that's when MS decided to release what has become the 
MSRT (IIRC, initially it was solely an anti-Blaster (and relatives) 
tool and data collector).

... than has been
achieved with "Install AV Software" advice. AV estimates of infection rates
were found to be extremely understated.

BUT, you also have to be aware that MSRT can be (and is being) 
trivially targeted by the bad guys, increasingly being seen in the 
"standard" lists of processes to kill as the first step of running any 
new malware, along with popular PFWs, AV s/w, etc...

Also, smart bad guys will ensure that they take sound steps to block 
access to the WU servers, so that once run they prevent being usurped 
by new MSRT updates, just as they already do with AV, etc...

Remember, when playing in a blacklisting-controlled environment (i.e. 
modern "known virus scanning" AV) the bad guy has the upper hand 
because his code always gets to run first...

I'll skip the paranoid concept that the XPSP2 EULA gives the 
tool the right to declare critical files from a Firefox or 
OpenOffice install 'malicious' and nuke them without 
notifying the user...  Even MS wouldn't stoop *that* low.
(Although the legalistics that would happen with a 
sufficiently big false positive *would* be amusing to watch 
from the sidelines. ;)

(Of course, if it's rammed down users' throats with XPSP2, 
then there's probably a few percent at least, and making the 
extrapolation becomes statistically viable.  At least *if* 
you can get your hands on Microsoft's stats from the
service....)

I'll see what I can find. The stats will be able to be measured against
other malware the MSRT deals with and should provide a fairly good
comparative prevalence picture.

This is getting awfully serious for _fun_sec -- technical descriptions 
of security processes, statistics???

Maybe we should continue this elsewhere (but if Jason Garms is 
listening, we really would like a pointer to those stats!).


Regards,

Nick FitzGerald

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

