[70176] in North American Network Operators' Group


Re: How long before infected - Internet addresses are not

daemon@ATHENA.MIT.EDU (Marshall Eubanks)
Tue May 4 11:56:32 2004

From: "Marshall Eubanks" <tme@multicasttech.com>
To: Sean Donelan <sean@donelan.com>, NANOG <nanog@merit.edu>
Date: Tue, 04 May 2004 11:55:41 -0400
In-Reply-To: <Pine.GSO.4.58.0405040206050.29767@clifden.donelan.com>
Errors-To: owner-nanog-outgoing@merit.edu


On Tue, 4 May 2004 02:42:10 -0400 (EDT)
 Sean Donelan <sean@donelan.com> wrote:
> 
> On Mon, 3 May 2004, william(at)elan.net wrote:
> > Similarly when setting up computers for several of my relatives (all
> > have dsl) I've yet to see any infection before all updates are installed.
> 
> The folks at CAIDA can do the math, but it turns out many of the recent
> worms have some interesting gaps in their address scanning routines.
> There are some Internet address ranges scanned every few seconds, while
> other address ranges may go weeks between scans.  This is part of the
> reason why "network telescope" estimates of how many infected computers
> are so wrong.  They assume a uniform distribution of worm scans and
> infected computers.

I think that their math is challenged in general - Sasser appears to
do TCP scanning of the entire multicast address range, which betrays a
lack of knowledge or concern about Internet routing.

Regards
Marshall Eubanks

> 
> I've seen "raw" Windows boxes connected to the Internet for 4 weeks
> without being compromised.  A watched honeypot never attracts the bear :-)
> I've also seen Windows boxes compromised during the boot process between
> the time the network interface is enabled and XP's built-in firewall
> being activated, less than 1 second.
> 
> Of course we still have the human factor.  Some system compromises require
> the user to save an attachment, rename the file, open the file, enter a
> password, extract another file and then run it in order to compromise
> the computer.  It's amazing how many infected computers are behind
> NAT/firewalls.  Firewalls and antivirus help, but please when you
> get a message from your ISP saying your computer is infected check
> it out.  Don't assume it can't happen to you just because.
> 
> I have not found an official Microsoft source for MD5 hashes of
> Windows, so it's difficult to find unknown stuff on your computer.  There
> are some third-party products which can do change monitoring of Windows.
> But I agree with Rob Thomas and others, the only way to restore trust
> in your Windows system is to re-install from a known, good distribution.
> Unfortunately, this is beyond the capabilities of many home (and even
> office) users.
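Marshall's point that a worm scanning the multicast range "betrays a lack of knowledge or concern about Internet routing" has a defensive corollary: a host that picks targets blindly from the whole 32-bit space will, a measurable fraction of the time, try to open TCP connections to addresses no legitimate client ever dials, so a border firewall's deny log gives it away. The script below is an added example, not code from the thread or from any of the posters; the deny-log format, the timestamps and the source/destination addresses are constructed for the example, and the list of special-use blocks is the standard IPv4 set (multicast, the former class E space, loopback, link-local, RFC 1918), not a claim about what any particular worm scans.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Special-use IPv4 blocks that no host on the public Internet should be the
# target of a unicast TCP connection attempt from a border sensor's point of
# view. A worm picking targets uniformly from the whole 32-bit space lands
# in these blocks anyway; ordinary client software never does.
NON_ROUTABLE = [
    ("multicast",    ipaddress.ip_network("224.0.0.0/4")),
    ("reserved",     ipaddress.ip_network("240.0.0.0/4")),
    ("this-network", ipaddress.ip_network("0.0.0.0/8")),
    ("loopback",     ipaddress.ip_network("127.0.0.0/8")),
    ("link-local",   ipaddress.ip_network("169.254.0.0/16")),
    ("private",      ipaddress.ip_network("10.0.0.0/8")),
    ("private",      ipaddress.ip_network("172.16.0.0/12")),
    ("private",      ipaddress.ip_network("192.168.0.0/16")),
]


def classify(dst: str) -> str:
    """Name the special-use block a destination falls in, or 'unicast' if none matches."""
    addr = ipaddress.ip_address(dst)
    for name, net in NON_ROUTABLE:
        if addr in net:
            return name
    return "unicast"


def fraction_non_routable() -> float:
    """Share of the IPv4 space that a uniformly chosen target falls into but can never reach."""
    return sum(net.num_addresses for _, net in NON_ROUTABLE) / 2**32


# Constructed border-firewall deny records (hypothetical format, not real data):
# "<timestamp> DENY <src> -> <dst>:<port>"
LINE_RE = re.compile(r"^\S+ DENY (\S+) -> (\S+):(\d+)$")

SAMPLE_LOG = """\
2004-05-04T11:00:01 DENY 192.168.1.20 -> 224.17.3.9:445
2004-05-04T11:00:01 DENY 192.168.1.20 -> 198.51.100.7:445
2004-05-04T11:00:02 DENY 192.168.1.20 -> 241.8.200.1:445
2004-05-04T11:00:02 DENY 192.168.1.20 -> 203.0.113.44:445
2004-05-04T11:00:03 DENY 192.168.1.20 -> 127.44.2.1:445
2004-05-04T11:00:03 DENY 192.168.1.20 -> 198.51.100.99:445
2004-05-04T11:00:05 DENY 192.168.1.77 -> 198.51.100.80:80
2004-05-04T11:00:06 DENY 192.168.1.77 -> 203.0.113.10:443
""".splitlines()


def summarize(lines):
    """Count, per inside source host, how many denied attempts hit each destination class."""
    per_src = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a deny record in the expected shape; skip it
        src, dst, _port = m.groups()
        per_src[src][classify(dst)] += 1
    return per_src


def suspected_blind_scanners(per_src, min_non_routable=2):
    """Sources with at least `min_non_routable` attempts aimed at blocks no client targets.

    Returns (source, non_routable_hits, total_denied) tuples, sorted by source.
    """
    hits = []
    for src, counts in per_src.items():
        bad = sum(n for cls, n in counts.items() if cls != "unicast")
        if bad >= min_non_routable:
            hits.append((src, bad, sum(counts.values())))
    return sorted(hits)


if __name__ == "__main__":
    print(f"a uniform /0 scanner wastes {fraction_non_routable():.1%} of its probes")
    for src, bad, total in suspected_blind_scanners(summarize(SAMPLE_LOG)):
        print(f"{src}: {bad} of {total} denied attempts aimed at non-routable space")
```

Two things fall out of running it. `fraction_non_routable()` shows that roughly one in seven uniformly chosen targets is unreachable by construction, which is the quantitative version of Marshall's remark and also one reason a telescope that assumes every probe was aimed at routable space over-counts. And because the constructed inside hosts are RFC 1918 addresses behind the border, the summary illustrates Sean's observation that infected machines sit behind NAT and firewalls: the firewall blocks the probes, but the deny log still records the attempt, and a host whose denies include multicast or class E destinations deserves a look even when it is otherwise quiet.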

