nanog mailing list archives
RE: FW: Worms versus Bots
From: "Smith, Donald" <Donald.Smith () qwest com>
Date: Tue, 4 May 2004 07:37:01 -0600
If you follow these steps outlined by SANS you should be able to successfully update and NOT get infected. This is short, easy, fully documented (with pictures :)

http://www.sans.org/rr/papers/index.php?id=1298

Donald.Smith () qwest com GCIA
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xAF00EDCC
pgpFingerPrint:9CE4 227B B9B3 601F B500 D076 43F1 0767 AF00 EDCC
kill -13 111.2
-----Original Message-----
From: owner-nanog () merit edu [mailto:owner-nanog () merit edu] On Behalf Of Henry Linneweh
Sent: Tuesday, May 04, 2004 2:19 AM
To: Eric Krichbaum; nanog () merit edu
Subject: Re: FW: Worms versus Bots

It is amazingly simple to pull an ethernet cable out of the back of your box to update a box from a CD.... especially in a suspect environment where you have had many problems. I have had the displeasure of having had to go from box to box and clean each individually, and while many problems were stopped by Netscreen at the door, we still had to run enterprise protection per machine as a second line of defense and separate domains in the company for greater protection between the groups.

-Henry

--- Eric Krichbaum <eric.krichbaum () citynet net> wrote:

I see times more typically in the 5 - 10 second range to infection. As a test, I unprotected a machine this morning on a single T1 to get a sample. 8 seconds. If you can get in 20 minutes of downloads you're luckier than most.

Eric

-----Original Message-----
From: owner-nanog () merit edu [mailto:owner-nanog () merit edu] On Behalf Of william(at)elan.net
Sent: Monday, May 03, 2004 11:49 PM
To: Sean Donelan
Cc: Rob Thomas; NANOG
Subject: Re: Worms versus Bots

On Mon, 3 May 2004, Sean Donelan wrote:

> On Mon, 3 May 2004, Rob Thomas wrote:
> ] Just because a machine has a bot/worm/virus that didn't come with a
> ] rootkit, doesn't mean that someone else hasn't had their way with it.
> Agreed.
>
> Won't help. What's the first thing people do after re-installing the operating system (still have all the original CDs and keys and product activation codes and and and)? Connect to the Internet to download the patches. Time to download patches 60+ minutes. Time to infection 5 minutes.

It's possible it's a problem on dialup, but in our ISP office I set up new win2000 servers and the first thing I do is download all the patches. I've yet to see the server get infected in the 20-30 minutes it takes to finish it (Note: I also disable IIS just in case until everything is patched..). Similarly, when setting up computers for several of my relatives (all have dsl) I've yet to see any infection before all updates are installed.

In addition to that, many users have a dsl router or similar device, and many such beasts will provide a NATed ip block and act like a firewall, not allowing outside servers to actually connect to your home computer. On this point it would be really interesting to see what percentage of users actually have these routers and if the decreasing speed of infections by new viruses (are there real numbers to show it decreased?) has anything to do with this rather than people being more careful and using antivirus.

Another option if you're really afraid of infection is to set up a proxy that only allows access to the microsoft ip block that contains the windows update servers.

And of course, there is an even BETTER OPTION than all the above - STOP USING WINDOWS and switch to Linux or Free(Mac)BSD ! :)

> Patches are Microsoft's intellectual property and can not be distributed by anyone without Microsoft's permission.

I don't think this is quite true. Microsoft makes available all patches as individual .exe files. There are quite many of these updates and it's really a pain to actually get all of them and install updates manually. But I've never seen written anywhere that I can not download these .exe files and distribute them inside your company or to your friends as needed to fix the problems these patches are designed for.

> The problem with Bots is they aren't always active. That makes them difficult to find until they do something.

As opposed to what, viruses? Not at all! Many viruses have periods when they are active and afterwards they go into "sleep" mode and will not be active until some other date!

Additionally, a bot that does not immediately become active is a good thing, because if you do weekly or monthly audits (and many do it like that) you may well find it this way and deal with it at your own time, rather than all of a sudden being awakened at 3am and having to clean up an infected system.

--
William Leibzon
Elan Networks
william () elan net
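The "proxy that only allows access to the update servers' ip block" idea above, as an added Squid ACL fragment that is not part of the thread; the LAN range and the update-server block are placeholders to fill in, and the rebuilt host must have no route out other than the proxy for this to mean anything.

```conf
# Added example, not from the thread: Squid ACL fragment that lets hosts on
# the rebuild LAN reach only the update servers' address block while patching.
# All addresses are assumptions/placeholders; replace them with your own.
http_port 3128

acl lan        src 192.168.1.0/24        # assumed: subnet of hosts being rebuilt
acl update_net dst 203.0.113.0/24        # PLACEHOLDER: the vendor's update-server block
acl safe_ports port 80 443               # plain HTTP and HTTPS only
acl CONNECT    method CONNECT

http_access deny  !safe_ports            # no odd ports through the proxy
http_access deny  CONNECT !update_net    # TLS tunnels only to the update block
http_access allow lan update_net         # patch traffic from the rebuild LAN
http_access deny  all                    # everything else is refused
```

Pair this with a border rule that drops direct outbound traffic from the rebuild LAN, so the only path out really is the proxy.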