nanog mailing list archives

RE: Worms versus Bots


From: "Buhrmaster, Gary" <gtb () slac stanford edu>
Date: Mon, 3 May 2004 20:28:00 -0700


Microsoft has said Windows XP SP2 will have the firewall
turned on by default, and that they have "considered"
reissuing the installation CDs such that a new installation
will have the firewall enabled to deal with just this
problem.  I do not know the current state of the
consideration, but to me it seems reasonable that
Microsoft should at least make the offer of a new CD
(to anyone who has a valid XP license key?)  No, many
people will not request a new CD, but then many people
never apply patches either.  I think this is a horse
and water problem.

Gary 

-----Original Message-----
From: owner-nanog () merit edu [mailto:owner-nanog () merit edu] On Behalf Of Eric Krichbaum
Sent: Monday, May 03, 2004 8:13 PM
To: nanog () merit edu
Subject: FW: Worms versus Bots


I see times more typically in the 5 - 10 second range to infection.  As
a test, I unprotected a machine this morning on a single T1 to get a
sample.  8 seconds.  If you can get in 20 minutes of downloads you're
luckier than most.

Eric


-----Original Message-----
From: owner-nanog () merit edu [mailto:owner-nanog () merit edu] On Behalf Of william(at)elan.net
Sent: Monday, May 03, 2004 11:49 PM
To: Sean Donelan
Cc: Rob Thomas; NANOG
Subject: Re: Worms versus Bots


On Mon, 3 May 2004, Sean Donelan wrote:

On Mon, 3 May 2004, Rob Thomas wrote:
] Just because a machine has a bot/worm/virus that didn't come with a
] rootkit, doesn't mean that someone else hasn't had their way with it.

Agreed.

Won't help.  What's the first thing people do after re-installing the
operating system (still have all the original CDs and keys and product
activation codes and and and)? Connect to the Internet to download the
patches. Time to download patches 60+ minutes.
Time to infection 5 minutes.

It's possible it's a problem on dialup, but in our ISP office I set up new
win2000 servers and the first thing I do is download all the patches. I've
yet to see the server get infected in the 20-30 minutes it takes to
finish it (Note: I also disable IIS just in case until everything is
patched.).

Similarly, when setting up computers for several of my relatives (all
have DSL) I've yet to see any infection before all updates are
installed.

Additional to that, many users have a DSL router or similar device, and many
such beasts will provide a NATed IP block and act like a firewall, not
allowing outside servers to actually connect to your home computer.
On this point it would be really interesting to see what percentage of
users actually have these routers and if the decreasing speed of infections
by new viruses (are there real numbers to show it decreased?) has anything
to do with this rather than people being more careful and using
antivirus.

Another option if you're really afraid of infection is to set up a proxy
that only allows access to the Microsoft IP block that contains the Windows
Update servers.

And of course, there is an even BETTER OPTION than all the above - STOP
USING WINDOWS and switch to Linux or Free(Mac)BSD ! :)

Patches are Microsoft's intellectual property and can not be distributed
by anyone without Microsoft's permission.

I don't think this is quite true. Microsoft makes available all patches
as individual .exe files. There are quite many of these updates and it's
really a pain to actually get all of them and install updates manually.
But I've never seen written anywhere that I can not download these .exe
files and distribute them inside your company or to your friends as needed
to fix the problems these patches are designed for.
 
The problem with Bots is they aren't always active.  That makes them
difficult to find until they do something.

As opposed to what, viruses?

Not at all! Many viruses have periods when they are active and
afterwards they go into "sleep" mode and will not activate until some
other date!

Additionally, a bot that does not immediately become active is a good thing
because if you do weekly or monthly audits (and many do it like that)
you may well find it this way and deal with it at your own time, rather
than all of a sudden being awakened at 3am and having to clean up an
infected system.

--
William Leibzon
Elan Networks
william () elan net

