[70164] in North American Network Operators' Group
RE: Worms versus Bots
daemon@ATHENA.MIT.EDU (Eric Krichbaum)
Tue May 4 08:16:50 2004
Date: Tue, 4 May 2004 08:15:41 -0400
From: "Eric Krichbaum" <eric.krichbaum@citynet.net>
To: <nanog@merit.edu>
Errors-To: owner-nanog-outgoing@merit.edu
True, but this isn't just an XP issue. Look at how many people are still
infected with Code Red/Nimda/Slammer/etc. A Windows 2000 box doesn't
fare any better. Heck, I still see Happy99.
Eric
-----Original Message-----
From: Buhrmaster, Gary [mailto:gtb@slac.stanford.edu]
Sent: Monday, May 03, 2004 11:28 PM
To: Eric Krichbaum; nanog@merit.edu
Subject: RE: Worms versus Bots
Microsoft has said Windows XP SP2 will have the firewall turned on by
default, and that they have "considered"
reissuing the installation CD's such that a new installation will have
the firewall enabled to deal with just this problem. I do not know the
current state of the consideration, but to me it seems reasonable that
Microsoft should at least make the offer of a new CD (to anyone who has
a valid XP license key?) No, many people will not request a new CD, but
then many people never apply patches either. I think this is a horse
and water problem.
Gary
> -----Original Message-----
> From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf
> Of Eric Krichbaum
> Sent: Monday, May 03, 2004 8:13 PM
> To: nanog@merit.edu
> Subject: FW: Worms versus Bots
>
> I see times more typically in the 5 - 10 second range to infection.
> As a test, I unprotected a machine this morning on a single T1 to get
> a sample. 8 seconds. If you can get in 20 minutes of downloads
> you're luckier than most.
>=20
> Eric
>
> -----Original Message-----
> From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf
> Of william(at)elan.net
> Sent: Monday, May 03, 2004 11:49 PM
> To: Sean Donelan
> Cc: Rob Thomas; NANOG
> Subject: Re: Worms versus Bots
>
> On Mon, 3 May 2004, Sean Donelan wrote:
>
> > On Mon, 3 May 2004, Rob Thomas wrote:
> > > ] Just because a machine has a bot/worm/virus that didn't come with
> > > ] a rootkit, doesn't mean that someone else hasn't had their way with it.
> > >
> > > Agreed.
> >
> > Won't help. What's the first thing people do after re-installing the
> > operating system (still have all the original CDs and keys and product
> > activation codes and and and)? Connect to the Internet to download the
> > patches. Time to download patches 60+ minutes.
> > Time to infection 5 minutes.
>
> It's possible it's a problem on dialup, but in our ISP office I set up
> new Win2000 servers and the first thing I do is download all the patches.
> I've yet to see the server get infected in the 20-30 minutes it takes
> to finish it (note: I also disable IIS just in case until everything is
> patched).
>
> Similarly, when setting up computers for several of my relatives (all
> have DSL) I've yet to see any infection before all updates are
> installed.
>
> In addition to that, many users have a DSL router or similar device, and
> many such beasts will provide a NATed IP block and act like a firewall,
> not allowing outside servers to actually connect to your home
> computer.
> On this point it would be really interesting to see what percentage of
> users actually have these routers and if the decreasing speed of
> infections by new viruses (are there real numbers to show it decreased?)
> has anything to do with this rather than people being more careful
> and using antivirus.
>
> Another option if you're really afraid of infection is to set up a proxy
> that only allows access to the Microsoft IP block that contains the
> Windows Update servers.
>
> And of course, there is an even BETTER OPTION than all the above -
> STOP USING WINDOWS and switch to Linux or Free(Mac)BSD ! :)
>
> > Patches are Microsoft's
> > intellectual property and can not be distributed by anyone without
> > Microsoft's permission.
> I don't think this is quite true. Microsoft makes all patches available
> as individual .exe files. There are quite a lot of these updates
> and it's really a pain to actually get all of them and install updates
> manually.
> But I've never seen it written anywhere that I can not download these
> .exe files and distribute them inside your company or to your friends as
> needed to fix the problems these patches are designed for.
>
> > The problem with Bots is they aren't always active. That makes them
> > difficult to find until they do something.
> As opposed to what, viruses?
> Not at all! Many viruses have periods when they are active and
> afterwards they go into "sleep" mode and will not activate until some
> other date!
>
> Additionally, a bot that does not immediately become active is a good thing
> because if you do weekly or monthly audits (and many do it like that)
> you may well find it this way and deal with it at your own time,
> rather than all of a sudden being awakened at 3am and having to clean up
> an infected system.
>
> --
> William Leibzon
> Elan Networks
> william@elan.net
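As an added example (not code from the thread or from any of its posters), here is the "proxy that only allows access to the update servers' IP block" idea from William's quoted message, written out as the deny-by-default policy a small forward proxy could apply while a fresh install downloads its patches. Every network, hostname, port list and resolver answer below is a constructed placeholder (RFC 5737 documentation ranges and made-up names), not Microsoft's real update-server address block; DNS is replaced by a dict passed in as `resolver` so the example runs offline. The one check beyond what the message states is that a hostname is refused if any of its addresses falls outside the block, since a name that partly points elsewhere is a way for traffic to escape the allow-list.

```python
"""Deny-by-default egress policy for a patch-time forward proxy.

Added example, not from the NANOG thread. All networks, names, ports and
resolver data are constructed placeholders, not Microsoft's real ranges.
"""
import ipaddress
import re
from typing import Dict, List, Sequence, Tuple
from urllib.parse import urlsplit

# A proxy sees either "CONNECT host:port HTTP/1.x" or an absolute-URL request.
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/1\.[01]$")


class PatchProxyPolicy:
    """Allow only the update servers' address block; everything else is denied."""

    def __init__(self, allowed_networks: Sequence[str], allowed_suffixes: Sequence[str],
                 allowed_ports: Sequence[int] = (80, 443)) -> None:
        self.networks = [ipaddress.ip_network(n, strict=False) for n in allowed_networks]
        self.suffixes = tuple(s.lower().strip(".") for s in allowed_suffixes)
        self.ports = frozenset(allowed_ports)

    def address_allowed(self, addr: str) -> bool:
        """True if addr is an IP literal inside one of the permitted CIDR blocks."""
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False
        return any(ip in net for net in self.networks)

    def name_allowed(self, host: str) -> bool:
        """True if host equals, or is a subdomain of, a permitted suffix."""
        host = host.lower().rstrip(".")
        return any(host == s or host.endswith("." + s) for s in self.suffixes)

    def decide(self, request_line: str, resolver: Dict[str, List[str]]) -> Tuple[str, str]:
        """Return ("allow" | "deny", reason) for one proxy request line.

        `resolver` stands in for DNS (name -> list of A records). A name passes
        only if it matches a permitted suffix AND every address it resolves to
        is inside the block; one address outside refuses the whole name.
        """
        m = REQUEST_LINE.match(request_line.strip())
        if not m:
            return "deny", "malformed request line"
        method, target = m.group("method"), m.group("target")
        try:
            if method == "CONNECT":
                # IPv4-era proxy: bracketed IPv6 literals are not handled here.
                host, sep, port_s = target.rpartition(":")
                if not sep or not port_s.isdigit():
                    return "deny", "CONNECT target must be host:port"
                port = int(port_s)
            else:
                parts = urlsplit(target)
                if parts.scheme != "http" or not parts.hostname:
                    return "deny", "only absolute http:// URLs are proxied"
                host, port = parts.hostname, parts.port or 80
        except ValueError:
            return "deny", "unparseable host or port"
        if port not in self.ports:
            return "deny", f"port {port} not permitted"
        host = host.lower().rstrip(".")
        if self.address_allowed(host):
            return "allow", f"{host} is inside the update block"
        try:
            ipaddress.ip_address(host)
            return "deny", f"{host} is outside the update block"
        except ValueError:
            pass  # not an IP literal, so treat it as a hostname
        if not self.name_allowed(host):
            return "deny", f"{host} is not an update server name"
        addrs = resolver.get(host, [])
        if not addrs:
            return "deny", f"{host} did not resolve"
        outside = [a for a in addrs if not self.address_allowed(a)]
        if outside:
            return "deny", f"{host} resolves to {outside[0]}, outside the block"
        return "allow", f"{host} resolves only inside the block"


# Constructed placeholders (assumption): documentation ranges and made-up names.
POLICY = PatchProxyPolicy(allowed_networks=["192.0.2.0/24", "198.51.100.0/25"],
                          allowed_suffixes=["windowsupdate.example"])
RESOLVER: Dict[str, List[str]] = {
    "download.windowsupdate.example": ["192.0.2.10", "192.0.2.11"],
    "mirror.windowsupdate.example": ["192.0.2.20", "203.0.113.9"],  # one record escapes
    "evil.example": ["203.0.113.7"],
}
SAMPLE_REQUESTS = [  # constructed request lines as a proxy would receive them
    "GET http://download.windowsupdate.example/v4/patch.exe HTTP/1.1",
    "CONNECT download.windowsupdate.example:443 HTTP/1.1",
    "GET http://192.0.2.5/ HTTP/1.0",
    "GET http://198.51.100.200/ HTTP/1.1",  # the /25 ends at .127
    "CONNECT mirror.windowsupdate.example:443 HTTP/1.1",
    "GET http://evil.example/bot.exe HTTP/1.1",
    "CONNECT download.windowsupdate.example:8080 HTTP/1.1",
    "GET /index.html HTTP/1.1",
]


def evaluate(policy: PatchProxyPolicy, resolver: Dict[str, List[str]],
             requests: Sequence[str]) -> List[Tuple[str, str, str]]:
    """Run the policy over request lines; returns (request, decision, reason)."""
    return [(r,) + policy.decide(r, resolver) for r in requests]


if __name__ == "__main__":
    for req, verdict, why in evaluate(POLICY, RESOLVER, SAMPLE_REQUESTS):
        print(f"{verdict:5} {req}  ({why})")
```

The same policy applies to the home-router point in the message: a NAT device blocks inbound connections, and this check limits outbound ones, so a box sitting behind both can reach the update servers and nothing else until it is patched. The proxy itself must run on an already-patched host, or it is just another machine racing the worm.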