Re: Worms versus Bots

2004-05-13 Thread Paul Jakma

On Tue, 11 May 2004, Chris Woodfield wrote:

 I stand corrected, they're out there. I'm advised that 3com has an
 on-NIC firewall product as well.
 
 However, at $299 and $329 respectively, I don't anticipate wide
 adoption in the consumer market...

This is all silly... there's no reason operating systems can't be
(collectively) immune to automated worms.

regards,
-- 
Paul Jakma  [EMAIL PROTECTED]   [EMAIL PROTECTED]   Key ID: 64A2FF6A
warning: do not ever send email to [EMAIL PROTECTED]
Fortune:
Indomitable in retreat; invincible in advance; insufferable in victory.
-- Winston Churchill, on General Montgomery


RE: Worms versus Bots

2004-05-12 Thread Michel Py

 Chris Woodfield wrote:
 I stand corrected, they're out there. I'm advised that
 3com has an on-NIC firewall product as well.
 However, at $299 and $329 respectively, I don't anticipate
 wide adoption in the consumer market...

No danger, as it is not worth jack as a standalone product; requires a
centralized server to tell it what to do. Not for the consumer market in
the first place.

Even for the corporate market, $300 + the server + managing the whole
enchilada == too much $$$ per port.

Michel.




RE: Worms versus Bots

2004-05-12 Thread Michel Py

 Jonathan M. Slivko
 Uh... they have. It's called a Snapgear card :)

Same as the 3com card, this is not for the consumer market. First, the
consumer is generally afraid of opening the PC. Second, it costs many
times more than a Linksys or other el-cheapo external box.

Michel.




Re: Worms versus Bots

2004-05-11 Thread Chris Woodfield
I think running two separate computers is a wee bit of overkill...

A better solution would be a NIC with a built-in SI firewall...manageable from a host 
app, but physically separate from the OS running on the PC.

-C

On Thu, May 06, 2004 at 09:49:37PM +0300, Petri Helenius wrote:
 
 [EMAIL PROTECTED] wrote:
 
 
 you can easily fit an entire router into a PC's slimline
 case and the router can include a complete SI Firewall
 capability. The PC BIOS will allow the initial SI Firewall
 config to be done before booting the PC.
  
 
 
 They got to it before you did; http://www.giwano.com/
 
 Pete
 




Re: Worms versus Bots

2004-05-11 Thread Valdis . Kletnieks
On Tue, 11 May 2004 11:38:33 EDT, Chris Woodfield said:

 A better solution would be a NIC with a built-in SI firewall...manageable from a host
 app, but physically separate from the OS running on the PC.

Gaak.  No. ;)

What's the point of a firewall, if the first piece of malware that does manage
to sneak in (via a file-sharing program, or a webpage that installs malware, or
an ooh! Shiny! email attachment) just does the network Plug-N-Play call to
tell the firewall Shield DOWN!?





Re: Worms versus Bots

2004-05-11 Thread Chris Woodfield
Simple solution...build the on-NIC firewall to not use uPnP, or at least require 
a password before changing rulesets. :)

Seriously, this is such a stupidly simple solution that I'm amazed no one's attempted 
to make a product out of it yet. 

-C

On Tue, May 11, 2004 at 12:21:29PM -0400, [EMAIL PROTECTED] wrote:
 On Tue, 11 May 2004 11:38:33 EDT, Chris Woodfield said:
 
  A better solution would be a NIC with a built-in SI firewall...manageable from a 
  host
  app, but physically separate from the OS running on the PC.
 
 Gaak.  No. ;)
 
 What's the point of a firewall, if the first piece of malware that does manage
 to sneak in (via a file-sharing program, or a webpage that installs malware, or
 an ooh! Shiny! email attachment) just does the network Plug-N-Play call to
 tell the firewall Shield DOWN!?
 






RE: Worms versus Bots

2004-05-11 Thread Jonathan M. Slivko

Uh... they have. It's called a Snapgear card :)
-- Jonathan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Chris Woodfield
Sent: Tuesday, May 11, 2004 12:42 PM
To: [EMAIL PROTECTED]
Cc: Petri Helenius; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: Worms versus Bots

Simple solution...build the on-NIC firewall to not use uPnP, or at least
require a password before changing rulesets. :)

Seriously, this is such a stupidly simple solution that I'm amazed no one's
attempted to make a product out of it yet.

-C

On Tue, May 11, 2004 at 12:21:29PM -0400, [EMAIL PROTECTED] wrote:
 On Tue, 11 May 2004 11:38:33 EDT, Chris Woodfield said:
 
   A better solution would be a NIC with a built-in SI firewall...manageable from a host
   app, but physically separate from the OS running on the PC.
  
  Gaak.  No. ;)
  
  What's the point of a firewall, if the first piece of malware that does manage
  to sneak in (via a file-sharing program, or a webpage that installs malware, or
  an ooh! Shiny! email attachment) just does the network Plug-N-Play call to
  tell the firewall Shield DOWN!?
 





Re: Worms versus Bots

2004-05-11 Thread Rick Ernst


While following the thread, I did a bit of Googling, then browsing 3Com's
site:

http://www.3com.com/products/en_US/detail.jsp?tab=features&pathtype=purchase&sku=3CRFW200B

On-NIC firewall w/remote management.


On Tue, 11 May 2004, Chris Woodfield wrote:

:Simple solution...build the on-NIC firewall to not use uPnP, or at least require
:a password before changing rulesets. :)
:
:Seriously, this is such a stupidly simple solution that I'm amazed no one's attempted
:to make a product out of it yet.
:
:-C
:
:On Tue, May 11, 2004 at 12:21:29PM -0400, [EMAIL PROTECTED] wrote:
: On Tue, 11 May 2004 11:38:33 EDT, Chris Woodfield said:
:
:  A better solution would be a NIC with a built-in SI firewall...manageable from a host
:  app, but physically separate from the OS running on the PC.
:
: Gaak.  No. ;)
:
: What's the point of a firewall, if the first piece of malware that does manage
: to sneak in (via a file-sharing program, or a webpage that installs malware, or
: an ooh! Shiny! email attachment) just does the network Plug-N-Play call to
: tell the firewall Shield DOWN!?
:
:
:
:



Re: Worms versus Bots

2004-05-11 Thread Chris Woodfield
I stand corrected, they're out there. I'm advised that 3com has an on-NIC firewall
product as well.

However, at $299 and $329 respectively, I don't anticipate wide adoption in the 
consumer market...

-C

On Tue, May 11, 2004 at 12:49:05PM -0400, Jonathan M. Slivko wrote:
 
 Uh... they have. It's called a Snapgear card :)
 -- Jonathan
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
 Chris Woodfield
 Sent: Tuesday, May 11, 2004 12:42 PM
 To: [EMAIL PROTECTED]
 Cc: Petri Helenius; [EMAIL PROTECTED]; [EMAIL PROTECTED]
 Subject: Re: Worms versus Bots
 
 Simple solution...build the on-NIC firewall to not use uPnP, or at least
 require a password before changing rulesets. :)
 
 Seriously, this is such a stupidly simple solution that I'm amazed no one's
 attempted to make a product out of it yet.
 
 -C
 
 On Tue, May 11, 2004 at 12:21:29PM -0400, [EMAIL PROTECTED] wrote:
  On Tue, 11 May 2004 11:38:33 EDT, Chris Woodfield said:
  
    A better solution would be a NIC with a built-in SI firewall...manageable from a host
    app, but physically separate from the OS running on the PC.
   
   Gaak.  No. ;)
   
   What's the point of a firewall, if the first piece of malware that does manage
   to sneak in (via a file-sharing program, or a webpage that installs malware, or
   an ooh! Shiny! email attachment) just does the network Plug-N-Play call to
   tell the firewall Shield DOWN!?
  
 
 
 




Re: Worms versus Bots

2004-05-06 Thread Michael . Dillon

 Microsoft is expected to recommend that the average Longhorn PC feature a
 dual-core CPU running at 4 to 6GHz; a minimum of 2 gigs of RAM; up to a
 terabyte of storage; a 1 Gbit, built-in, Ethernet-wired port and an 802.11g
 wireless link; and a graphics processor that runs three times faster than
 those on the market today.

How about a PC that has *NO* externally accessible network 
connectivity, not even wireless. But it does have an internal
100baseTx Ethernet port that uses a non-standard connector.
And it also includes a router unit running off the same
power supply as the PC but otherwise completely independent.
This router is connected to the non-standard Ethernet
interface of the PC and supplies 2 externally accessible 
Ethernet ports and an 802.11g wireless capability. The
components for this stuff are small enough these days that
you can easily fit an entire router into a PC's slimline
case and the router can include a complete SI Firewall
capability. The PC BIOS will allow the initial SI Firewall
config to be done before booting the PC.

And even if there is an SI Firewall on the broadband
router serving the home, it's still worthwhile to
protect Mom's PC from worm infestations brought into
the home by junior's unsafe Internet practices.

I know Microsoft would hate the idea of a Windows
PC running Linux on an in-box firewall router
but it seems like poetic justice in a way.

--Michael Dillon


Re: Worms versus Bots

2004-05-06 Thread Iljitsch van Beijnum
On 5-mei-04, at 0:26, Rob Nelson wrote:
If the person doesn't continue to do acls/nat/firewalls, they'll just 
get infected after the next hole is discovered. And yes, there are 
plenty of holes that a firewall/nat box won't fix. Still, better than 
the user only doing Windows Update on the day of install and never 
having a firewall...
I object to the idea that requiring a software firewall inside a host 
is a reasonable thing to do. Why on earth would I want to run an 
insecure service and then have a filter to keep it from being used? 
Either I really want to run the service, and then the firewall gets in 
the way, or I don't need the service to be reachable, so I shouldn't 
run it. System services should only be available over the loopback 
address. Now obviously this is way too simple for some OS builders, but 
we shouldn't accept their ugly hacks as best current practice.
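As an added example (not code from the thread or from any poster), here is the loopback-only rule argued above turned into a defender's audit: it parses `ss -ltn`-style output and reports every TCP listener bound to something other than a loopback address, treating `*`, `0.0.0.0` and `::` as all-interfaces binds. The sample output is constructed, and the `audit_live_host` helper assumes a Linux host with iproute2 installed.

```python
"""Flag listening TCP sockets that are reachable from outside the host.

Added example, not from the NANOG thread.  It applies the rule argued
above (system services should listen only on loopback) as an audit:
parse `ss -ltn`-style output and report every listener bound to a
non-loopback address.  SAMPLE_SS_OUTPUT is constructed, not captured
from a real machine.
"""
import ipaddress
import subprocess
from typing import List, Tuple

# Constructed sample in the column layout of `ss -ltn` (header included).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    127.0.0.1:631       0.0.0.0:*
LISTEN 0      128    [::1]:631           [::]:*
LISTEN 0      4096   *:3306              *:*
LISTEN 0      50     192.168.1.10:139    0.0.0.0:*
"""

# Forms ss uses for "bound to every interface": never safe.
WILDCARDS = {"*", "0.0.0.0", "::"}


def split_local(field: str) -> Tuple[str, int]:
    """Split an ss 'Local Address:Port' field into (address, port).

    Handles bracketed IPv6 ('[::1]:631') and the '*' wildcard form by
    splitting on the last colon only.
    """
    addr, _, port = field.rpartition(":")
    return addr.strip("[]"), int(port)


def is_loopback(addr: str) -> bool:
    """True only for addresses that cannot be reached from the network."""
    if addr in WILDCARDS:
        return False
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # unparsable address: report it rather than assume safe


def exposed_listeners(ss_output: str) -> List[Tuple[str, int]]:
    """Return (address, port) for every LISTEN socket not bound to loopback."""
    exposed = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue  # header line or a non-listening row
        addr, port = split_local(cols[3])
        if not is_loopback(addr):
            exposed.append((addr, port))
    return exposed


def audit_live_host() -> List[Tuple[str, int]]:
    """Run the audit against the current Linux host (assumes iproute2's ss)."""
    out = subprocess.run(["ss", "-ltn"], capture_output=True, text=True,
                         check=True).stdout
    return exposed_listeners(out)


if __name__ == "__main__":
    for addr, port in exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"exposed: {addr} port {port}")
```

Anything this prints is a service the host is offering to the network, which per the argument above should either be wanted and hardened or not be running at all.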



Re: Worms versus Bots

2004-05-06 Thread Valdis . Kletnieks
On Thu, 06 May 2004 11:45:23 +0200, Iljitsch van Beijnum said:
 I object to the idea that requiring a software firewall inside a host 
 is a reasonable thing to do. Why on earth would I want to run an 
 insecure service and then have a filter to keep it from being used?

You object to it, I object to it... but the fact remains that 95% of the
user-accessible CPUs (not counting the embedded market) are running software
that you have to do unreasonable things in order to make it anywhere near safe
to use.

 Either I really want to run the service, and then the firewall gets in 
 the way, or I don't need the service to be reachable, so I shouldn't 
 run it. System services should only be available over the loopback 
 address. Now obviously this is way too simple for some OS builders, but 
 we shouldn't accept their ugly hacks as best current practice.

Best Current Practice is *so* divergent from Currently Deployed Practice
that there's little or no common ground.






RE: Worms versus Bots

2004-05-06 Thread David Schwartz


 On Thu, 6 May 2004 [EMAIL PROTECTED] wrote:

  connectivity, not even wireless. But it does have an internal
  100baseTx Ethernet port that uses a non-standard connector.
  And it also includes a router unit running off the same
  power supply as the PC but otherwise completely independent.

 Urg, a horrible idea. Why not just make the software on the host
 secure?

Because then you would have to limit the ability to modify the software to
only those trusted not to affect network security. It's the same answer as
the answer to why not run everything as root?

DS



Re: Worms versus Bots

2004-05-06 Thread Petri Helenius
[EMAIL PROTECTED] wrote:
you can easily fit an entire router into a PC's slimline
case and the router can include a complete SI Firewall
capability. The PC BIOS will allow the initial SI Firewall
config to be done before booting the PC.
 

They got to it before you did; http://www.giwano.com/
Pete


Re: Worms versus Bots

2004-05-05 Thread Matthew Crocker

It's not manufacturers who did not catch up (in fact they did and offer
very inexpensive personal DSL routers going all the way to the $20 range), it's
DSL providers who still offer a free DSL modem (a device at least twice as
expensive as a router) and a free network card and complex instructions
on how to set this all up on each different type of PC. No clue at all
that it would be only very marginally more expensive for them to integrate
features of such a small NAT router into the DSL modem and instead of offering
PPPoverEthernet it could just offer NAT and DHCP and make it so much simpler
for many of those lusers with only light computer skills to set this all up.

Agreed,
 We require a NAT device or true firewall on all DSL customer 
connections.  We sell cheap Linksys boxes to customers or they can 
upgrade to a SonicWall.  We don't use an Integrated modem/router 
because most of them are junk.

You won't find a single Windows/Linux/Mac machine directly connected to 
our DSL network.   I still like PPPoE for customer authentication 
because I can place individual packet filters or re-assign users to 
different contexts based on username/password authentication.  
PPPoE/NAT is a good combination.  Couple that with 3 levels of virus 
scanning on our mail server has reduced the effects of virus and worm 
spread inside the networks we control.  We still get viruses & worms to
hit but it is at a more manageable rate.  We are not a large provider 
by any means but I try my hardest to provide a solid network and 
protect the Internet from my users as much as possible.  If only the 
users would not shop solely on price I would be all set :/

-Matt

--
William Leibzon
Elan Networks
[EMAIL PROTECTED]



RE: Worms versus Bots

2004-05-05 Thread Michel Py

 Matthew Crocker wrote:
 We require a NAT device or true firewall on all DSL
 customer connections. We sell cheap Linksys boxes
 to customers or they can upgrade to a SonicWall.

This makes a lot of sense to me. It's not a
silver bullet, but it does help.

 I still like PPPoE for customer authentication
 because I can place individual packet filters or
 re-assign users to different contexts based on
 username/password authentication. PPPoE/NAT is a
 good combination.

Tends to be a non-issue now, but it's a lot easier to deal with PPPoE on
the Linksys than have the customer install a more or less crummy PPPoE
client on their PC. The cost of dealing with one customer that trashed
their PC installing an early PPPoE client (with the help of helpdesk :-(
is worth ten Linksys.

Michel.



Re: Worms versus Bots

2004-05-05 Thread Jeff Workman

--On Wednesday, May 05, 2004 6:04 AM -0400 Matthew Crocker 
[EMAIL PROTECTED] wrote:

We have all been through this before.  Linux out of the box is generally
no more secure than Windows.  Linux can also be misconfigured and hacked.
The reason why you don't see as many linux virus/worms is because there
aren't as many linux desktops.  Once Linux becomes a real player in the
residential desktop OS market you'll see more and more worms/viruses
running around because of it.  Now, I love Linux, & I have 30 linux
servers in production but it isn't the be all, end all to mass user
security.
In the past this may have been true, but it's been my experience that most
modern Linux distributions have adopted (more or less) the approach that
OpenBSD has: Leave services turned off by default. In fact, a typical 
RedHat workstation installation goes a step further by not even installing 
a lot of services by default.  Sure, Joe Sixpack can still install 
everything and uncomment everything from /etc/inetd.conf[1] and get himself 
pwned, but I don't think we have to worry much about your average computer 
user doing this.

-J
[1] Actually since RedHat uses xinetd, it involves a little more work to 
turn _everything_ on.

--
Jeff Workman | [EMAIL PROTECTED] | http://www.pimpworks.org


RE: Worms versus Bots

2004-05-04 Thread Edward B. Dreger

MP Date: Mon, 3 May 2004 20:53:50 -0700
MP From: Michel Py


MP  but in our ISP office I setup new win2000 servers and first
MP  thing I do is download all the patches. I've yet to see the
MP  server get infected in the 20-30 minutes it takes to finish
MP
MP It can happen in 5 or 10 minutes (I've seen it) but only if
MP all of the following conditions are met simultaneously:

I've not confirmed, but a client told us that some MS patches are
carried by Akamai.


Eddy
--
EverQuick Internet - http://www.everquick.net/
A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita
_
  DO NOT send mail to the following addresses :
  [EMAIL PROTECTED] -or- [EMAIL PROTECTED] -or- [EMAIL PROTECTED]
Sending mail to spambait addresses is a great way to get blocked.



RE: Worms versus Bots

2004-05-04 Thread William S. Duncanson

Until recently, I believe that Microsoft's download servers were managed by
Akamai.

-- 
William S. Duncanson
[EMAIL PROTECTED]  

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of Edward B. Dreger
 Sent: Tuesday, May 04, 2004 2:23
 To: Michel Py
 Cc: william(at)elan.net; Rob Thomas; NANOG
 Subject: RE: Worms versus Bots
 
 
 MP Date: Mon, 3 May 2004 20:53:50 -0700
 MP From: Michel Py
 
 
 MP  but in our ISP office I setup new win2000 servers and first
 MP  thing I do is download all the patches. I've yet to see the
 MP  server get infected in the 20-30 minutes it takes to finish
 MP
 MP It can happen in 5 or 10 minutes (I've seen it) but only if
 MP all of the following conditions are met simultaneously:
 
 I've not confirmed, but a client told us that some MS patches are
 carried by Akamai.
 
 
 Eddy
 --
 EverQuick Internet - http://www.everquick.net/
 A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/
 Bandwidth, consulting, e-commerce, hosting, and network building
 Phone: +1 785 865 5885 Lawrence and [inter]national
 Phone: +1 316 794 8922 Wichita
 _
   DO NOT send mail to the following addresses :
   [EMAIL PROTECTED] -or- [EMAIL PROTECTED] -or- [EMAIL PROTECTED]
 Sending mail to spambait addresses is a great way to get blocked.
 



RE: Worms versus Bots

2004-05-04 Thread Eric Krichbaum

True, but this isn't just an XP issue.  Look at how many ppl are still
infected with Code Red/Nimda/Slammer/etc.  A Windows 2000 box doesn't
fare any better.  Heck, I still see Happy99.


Eric


-Original Message-
From: Buhrmaster, Gary [mailto:[EMAIL PROTECTED] 
Sent: Monday, May 03, 2004 11:28 PM
To: Eric Krichbaum; [EMAIL PROTECTED]
Subject: RE: Worms versus Bots

Microsoft has said Windows XP SP2 will have the firewall turned on by
default, and that they have considered
reissuing the installation CD's such that a new installation will have
the firewall enabled to deal with just this problem.  I do not know the
current state of the consideration, but to me it seems reasonable that
Microsoft should at least make the offer of a new CD (to anyone who has
a valid XP license key?)  No, many people will not request a new CD, but
then many people never apply patches either.  I think this is a horse
and water problem.  

Gary 

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf 
 Of Eric Krichbaum
 Sent: Monday, May 03, 2004 8:13 PM
 To: [EMAIL PROTECTED]
 Subject: FW: Worms versus Bots
 
 
 I see times more typically in the 5 - 10 second range to infection.  
 As a test, I unprotected a machine this morning on a single T1 to get 
 a sample.  8 seconds.  If you can get in 20 minutes of downloads 
 you're luckier than most.
 
 Eric
 
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf 
 Of william(at)elan.net
 Sent: Monday, May 03, 2004 11:49 PM
 To: Sean Donelan
 Cc: Rob Thomas; NANOG
 Subject: Re: Worms versus Bots
 
 
 On Mon, 3 May 2004, Sean Donelan wrote:
 
   On Mon, 3 May 2004, Rob Thomas wrote:
    ] Just because a machine has a bot/worm/virus that didn't come with a
    ] rootkit, doesn't mean that someone else hasn't had their way with it.
   
    Agreed.
   
   Won't help.  What's the first thing people do after re-installing the
   operating system (still have all the original CDs and keys and product
   activation codes and and and)? Connect to the Internet to download the
   patches. Time to download patches 60+ minutes.
   Time to infection 5 minutes.
 
 It's possible it's a problem on dialup, but in our ISP office I setup
 new win2000 servers and first thing I do is download all the patches.
 I've yet to see the server get infected in the 20-30 minutes it takes
 to finish it
 (Note: I also disable IIS just in case until everything is patched..).
 
 Similarly when setting up computers for several of my relatives (all
 have dsl) I've yet to see any infection before all updates are
 installed.
 
 Additional to that many users have a dsl router or similar device and
 many such beasts will provide a NATed ip block and act like a firewall
 not allowing outside servers to actually connect to your home
 computer.
 On this point it would be really interesting to see what percentage of
 users actually have these routers and if the decreasing speed of
 infections by new viruses (are there real numbers to show it decreased?)
 has anything to do with this rather than people being more careful
 and using antivirus.
 
 Another option if you're really afraid of infection is to setup proxy 
 that only allows access to microsoft ip block that contains windows 
 update servers
 
 And of course, there is an even BETTER OPTION than all the above -
 STOP USING WINDOWS and switch to Linux or Free(Mac)BSD ! :)
 
  Patches are Microsoft's
  intellectual property and can not be distributed by anyone without 
  Microsoft's permission.
 I don't think this is quite true. Microsoft makes available all
 patches as individual .exe files. There are quite many of these updates
 and it's really a pain to actually get all of them and install updates
 manually.
 But I've never seen written anywhere that I can not download these
 .exe files and distribute it inside your company or to your friends as
 needed to fix the problems these patches are designed for.
  
  The problem with Bots is they aren't always active.  That
 makes them
  difficult to find until they do something.
 As opposed to what, viruses?
 Not at all! Many viruses have a period when they are active and
 afterwards they go into sleep mode and will not activate until some
 other date!
 
 Additionally a bot that does not immediately become active is a good thing
 because if you do weekly or monthly audits (and many do it like that)
 you may well find it this way and deal with it at your own time,
 rather than all of a sudden being awakened at 3am and having to clean up
 an infected system.
 
 --
 William Leibzon
 Elan Networks
 [EMAIL PROTECTED]
 
 
 



Re: Worms versus Bots

2004-05-04 Thread Stephen J. Wilcox

On Mon, 3 May 2004, william(at)elan.net wrote:

 It's possible it's a problem on dialup, but in our ISP office I setup new
 win2000 servers and first thing I do is download all the patches. I've yet
 to see the server get infected in the 20-30 minutes it takes to finish it
 (Note: I also disable IIS just in case until everything is patched..).

The frequency of scans is such that I'd say you have been lucky.

Some worms also weight scans by IP (i.e. they scan the local /16 more than the
local /8 more than the /0).. in which case if you're a large ISP dialup
customer you stand a higher chance of infection.

Steve




Re: Worms versus Bots

2004-05-04 Thread chuck goolsbee

  In other words: if one is stupid, one gets worm'ed or bot'ed.
However, up to 90% of the users *are* stupid:
http://www.silicon.com/software/security/0,39024655,39118228,00.htm
Any network security scheme that fails to either (a) lower the stupidity rate
or (b) deliver a system that will protect that 90% from themselves is doomed.

There's only so much stupidity you can compensate for;
there comes a point where you compensate for so much
stupidity that it starts to cause problems for the
people who actually think in a normal way.
--Bill Dickson, digital.forest tech support
Which leads to the logical conclusion:
We may be looking at a move back towards the WebTV appliance model (which
would thrill the media conglomerates to no end).
=)
Seriously though, the Internet might be a better place for it. After
all, 90% of those stupid people just want email and HTTP.

--chuck



Re: Worms versus Bots

2004-05-04 Thread Laurence F. Sheldon, Jr.
chuck goolsbee wrote:
However, up to 90% of the users *are* stupid:

Seriously though, the Internet might be a better place for it. After
all, 90% of those stupid people just want email and HTTP.
Do we have a pointer to a rigorous study that indicates either
assertion?
Or is it possible there are other explanations?
What will we do when they figure out that paying us to let them hurt
themselves is a sub-optimal use of their money?
--
Requiescas in pace o email
Ex turpi causa non oritur actio
http://members.cox.net/larrysheldon/



Re: Worms versus Bots

2004-05-04 Thread Steven M. Bellovin

In message [EMAIL PROTECTED], Laurence F. Sheldon, Jr. writes:

chuck goolsbee wrote:

 However, up to 90% of the users *are* stupid:


 Seriously though, the Internet might be a better place for it. After
 all, 90% of those stupid people just want email and HTTP.

Do we have a pointer to a rigorous study that indicates either
assertion?

Or is it possible there are other explanations?


Don Norman has argued quite eloquently that it's a technology and human 
factors failure -- see, for example,
http://www.interesting-people.org/archives/interesting-people/200312/msg00105.html
(reprinted from RISKS Digest).

Now, I'm not saying that it's easy to get things like this right, and 
I've argued loudly against the notion that auto-patching is a sane 
approach.  But if we deny that there's a problem except for stupid 
people, we're not likely to find a solution.


--Steve Bellovin, http://www.research.att.com/~smb




Re: Worms versus Bots

2004-05-04 Thread Laurence F. Sheldon, Jr.
Steven M. Bellovin wrote:

However, up to 90% of the users *are* stupid:

Or is it possible there are other explanations?
Don Norman has argued quite eloquently that it's a technology and human 
factors failure -- see, for example,
http://www.interesting-people.org/archives/interesting-people/200312/msg00105.html
(reprinted from RISKS Digest).

Now, I'm not saying that it's easy to get things like this right, and 
I've argued loudly against the notion that auto-patching is a sane 
approach.  But if we deny that there's a problem except for stupid 
people, we're not likely to find a solution.
That last sentence is the point I was trying to get to.
After all, nearly half the people here are below the average for
intelligence.
--
Requiescas in pace o email
Ex turpi causa non oritur actio
http://members.cox.net/larrysheldon/



Re: Worms versus Bots

2004-05-04 Thread chuck goolsbee
At 4:19 PM -0500 5/4/04, Laurence F. Sheldon, Jr. wrote:
chuck goolsbee wrote:
However, up to 90% of the users *are* stupid:
I didn't say that, I only quoted (Valdis Kletnieks) it... to which I 
replied that compensating for stupidity is a zero-sum game.


Seriously though, the Internet might be a better place for it.
After all, 90% of those stupid people just want email and HTTP.
Do we have a pointer to a rigorous study that indicates either
assertion?
First of all, I was disagreeing with Valdis' assessment of 
stupidity... a more accurate term would be non-technical.

I have no rigorous study to point to sorry. But I will say virtually 
all the home users I have encountered are running Windows for the 
purpose of getting email and using the Web. That machine is usually 
in some unprotected, or already compromised state. I make 
similar/same suggestions to them that have already been stated here:
Nuke/pave, enable what security features are available in the OS, get 
a firewall, NAT, etc etc.

The prescription seems to be viewed to be as difficult as the disease 
it cures. Zero-sum.


So maybe they WOULD be better with a WebTV model.
Or a Macintosh.

Or is it possible there are other explanations?
Perhaps. I'm just reporting what I am seeing.

What will we do when they figure out that paying us to let them hurt
themselves is a sub-optimal use of their money?
How is WebTV doing these days? Since it is now Microsoft can their 
boxen get rooted/zombied/botted now too? I'll admit I never paid too 
much attention to WebTV.

Perhaps there is a market for safe Internet access... I don't know. 
But I suspect the barrier to entry is either making it work with the 
dominant platform, or asking the market take the leap to another 
platform. Both are unlikely. What I do know is that the dominant 
platform is inherently insecure, and many of its users, those 
non-technical folks I referred to... they seem to be mostly unaware 
of the danger they pose to themselves and everyone else on the 
Network.

--chuck



Re: Worms versus Bots

2004-05-03 Thread Rob Nelson
At 11:04 PM 5/2/2004, Sean Donelan wrote:
The antivirus vendors are bemoaning the fact the Sasser worm has been
slow to spread.  On the other hand, most of the vulnerable computers
seem to have already been taken over by one or more Bots days or weeks
before the worms arrived.
Other than the obvious, don't let a bot get on your computer in
the first place, are there any opinions about the best anti-bot tools
for naive computer users?  The major virus vendors seem to be having
a bit of trouble dealing with bots, frequently recommending manual
editing of files and use of regedit.  There is also a much longer
delay between the appearance of a new bot and updates to antivirus
packages.
One of my concerns is that it's easy to download an anti-virus package 
which will most likely delete (it seems that unless it's a VBA macro virus 
the files can never be cleaned!) some of the 100% worm or virus files. The 
trojan programs, bots, and spyware stick around. It would be a wonderful 
program that scanned for and cleaned up BOTH virus and bot files...

Rob Nelson
[EMAIL PROTECTED]


Re: Worms versus Bots

2004-05-03 Thread Mike Lewinski
Sean Donelan wrote:
Other than the obvious, don't let a bot get on your computer in
the first place, are there any opinions about the best anti-bot tools
for naive computer users?  The major virus vendors seem to be having
a bit of trouble dealing with bots, frequently recommending manual
editing of files and use of regedit.  There is also a much longer
delay between the appearance of a new bot and updates to antivirus
packages.
I personally stick with the BCP backup, reformat and reinstall from 
your original media. That goes for worms and bots.

Just because a machine has a bot/worm/virus that didn't come with a 
rootkit, doesn't mean that someone else hasn't had their way with it.

Then again, I've seen businesses who had sensitive client financial data 
on compromised systems completely ignore this advice, so it's generally 
given without much hope, esp. where the stakes are lower.


Re: Worms versus Bots

2004-05-03 Thread Rob Thomas

Hi, NANOGers.

] Just because a machine has a bot/worm/virus that didn't come with a
] rootkit, doesn't mean that someone else hasn't had their way with it.

Agreed.

A growing trend in the 0wnage category is the installation of
multiple bots on a single host.  This isn't intentional, but a
result of the multiple infection vectors bots employ.  Bot01
goes after open Win2K shares (TCP 445), and Bot02 comes along
and enters through Kuang2 (TCP 17300).

One of the more popular bots has at least 13 distinct scan and
sploit methods.  WebDav, NetBios, MSSQL, Beagle, Kuang2, and
the list goes on.

The record I've seen thus far was a host with 14 distinct and
active bots on it.  I'm guessing the LEDs on that cable modem
never blinked.

One bot, Coldlife, actually took advantage of this trend.  It
would hunt for certain bot configuration files on the host it
infected, and report the contents to the Coldlife botherd.
Ka-ching, another botnet stolen.  Things have evolved in a
distributed manner from this feature.

Thanks,
Rob.
-- 
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
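
The multi-vector fan-out described above (one host hitting Win2K shares on TCP 445, Kuang2 on TCP 17300, MSSQL, and so on) is something a defender can look for in outbound connection logs. The script below is an added example, not code from the post or from Team Cymru: it parses constructed log lines in a hypothetical "src -> dst:port" format and flags source hosts that fan out to several distinct targets on more than one bot-associated port, which is the footprint of several bots sharing one machine.

```python
import re
from collections import defaultdict

# Destination ports tied to the infection vectors named in the thread.
# 445 (Win2K shares) and 17300 (Kuang2) are from the post; 1433 (MSSQL)
# and 80 (WebDAV over HTTP) are the standard ports for the other vectors.
BOT_VECTOR_PORTS = {445: "win2k-shares", 17300: "kuang2", 1433: "mssql", 80: "webdav"}

# Constructed sample of outbound connection-attempt log lines in a
# hypothetical "src -> dst:port" format; not from any real capture.
SAMPLE_LOG = """\
10.0.0.7 -> 192.0.2.10:445
10.0.0.7 -> 192.0.2.11:445
10.0.0.7 -> 192.0.2.12:445
10.0.0.7 -> 198.51.100.5:17300
10.0.0.7 -> 198.51.100.6:17300
10.0.0.7 -> 203.0.113.9:1433
10.0.0.7 -> 203.0.113.10:1433
10.0.0.42 -> 192.0.2.10:80
10.0.0.42 -> 192.0.2.10:443
10.0.0.42 -> 192.0.2.20:80
"""

LINE_RE = re.compile(r"^(\S+) -> (\S+):(\d+)$")

def parse_log(text):
    """Yield (src, dst, dport) tuples, skipping lines that don't match."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), int(m.group(3))

def scan_profile(records):
    """Per source host: for each bot-vector port, the set of distinct targets."""
    profile = defaultdict(lambda: defaultdict(set))
    for src, dst, dport in records:
        if dport in BOT_VECTOR_PORTS:
            profile[src][dport].add(dst)
    return profile

def suspected_multi_bot_hosts(text, min_targets=2, min_vectors=2):
    """Hosts reaching >= min_targets distinct peers on >= min_vectors different
    bot-vector ports. Returns {src: sorted vector names}."""
    result = {}
    for src, by_port in scan_profile(parse_log(text)).items():
        vectors = sorted(BOT_VECTOR_PORTS[p] for p, dsts in by_port.items()
                         if len(dsts) >= min_targets)
        if len(vectors) >= min_vectors:
            result[src] = vectors
    return result

if __name__ == "__main__":
    for host, vectors in suspected_multi_bot_hosts(SAMPLE_LOG).items():
        print(f"{host}: fan-out on {', '.join(vectors)}")
```

Fan-out on port 80 alone is ordinary browsing, which is why the check requires more than one vector before flagging a host; in the sample only 10.0.0.7 is reported.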



Re: Worms versus Bots

2004-05-03 Thread Sean Donelan

On Mon, 3 May 2004, Rob Thomas wrote:
 ] Just because a machine has a bot/worm/virus that didn't come with a
 ] rootkit, doesn't mean that someone else hasn't had their way with it.

 Agreed.

Won't help.  What's the first thing people do after re-installing
the operating system (still have all the original CDs and keys and
product activation codes and and and)?

Connect to the Internet to download the patches. Time to download patches
60+ minutes.  Time to infection 5 minutes.  Patches are Microsoft's
intellectual property and can not be distributed by anyone without
Microsoft's permission.

Ok, so you order Microsoft's patch CD.  Unfortunately it only includes
patches through October 2003.

Microsoft is selling over 10 million Windows licenses every month.
Patches not included.


 The record I've seen thus far was a host with 14 distinct and
 active bots on it.  I'm guessing the LEDs on that cable modem
 never blinked.

The problem with Bots is they aren't always active.  That makes them
difficult to find until they do something.



Re: Worms versus Bots

2004-05-03 Thread william(at)elan.net

On Mon, 3 May 2004, Sean Donelan wrote:

 On Mon, 3 May 2004, Rob Thomas wrote:
  ] Just because a machine has a bot/worm/virus that didn't come with a
  ] rootkit, doesn't mean that someone else hasn't had their way with it.
 
  Agreed.
 
 Won't help.  What's the first thing people do after re-installing
 the operating system (still have all the original CDs and keys and
 product activation codes and and and)? Connect to the Internet to 
 download the patches. Time to download patches 60+ minutes.  
 Time to  infection 5 minutes. 

It's possible it's a problem on dialup, but in our ISP office I set up new 
Win2000 servers and the first thing I do is download all the patches. I've yet 
to see the server get infected in the 20-30 minutes it takes to finish it
(Note: I also disable IIS just in case until everything is patched..). 

Similarly, when setting up computers for several of my relatives (all 
have DSL) I've yet to see any infection before all updates are installed.

In addition to that, many users have a DSL router or similar device, and many 
such beasts will provide a NATed IP block and act like a firewall, not 
allowing outside servers to actually connect to your home computer.
On this point it would be really interesting to see what percentage of 
users actually have these routers and whether the decreasing speed of infections by 
new viruses (are there real numbers to show it decreased?) has anything to 
do with this rather than people being more careful and using antivirus.

Another option if you're really afraid of infection is to set up a proxy that
only allows access to the Microsoft IP block that contains the Windows Update servers.

And of course, there is an even BETTER OPTION than all the above -
STOP USING WINDOWS and switch to Linux or Free(Mac)BSD ! :)

 Patches are Microsoft's
 intellectual property and can not be distributed by anyone without
 Microsoft's permission.
I don't think this is quite true. Microsoft makes available all patches as 
individual .exe files. There are quite many of these updates and it's really 
a pain to actually get all of them and install updates manually. But I've 
never seen it written anywhere that I can not download these .exe files and 
distribute them inside your company or to your friends as needed to fix the 
problems these patches are designed for. 
 
 The problem with Bots is they aren't always active.  That makes them
 difficult to find until they do something.
As opposed to what, viruses?
Not at all! Many viruses have a period when they are active and afterwards
they go into sleep mode and will not activate until some other date!

Additionally, a bot that does not immediately become active is a good thing 
because if you do weekly or monthly audits (and many do it like that) you 
may well find it this way and deal with it at your own time, rather than 
all of a sudden being awakened at 3am and having to clean up an infected system.

-- 
William Leibzon
Elan Networks
[EMAIL PROTECTED]



RE: Worms versus Bots

2004-05-03 Thread Buhrmaster, Gary

Microsoft has said Windows XP SP2 will have the firewall
turned on by default, and that they have considered
reissuing the installation CD's such that a new installation
will have the firewall enabled to deal with just this
problem.  I do not know the current state of the 
consideration, but to me it seems reasonable that
Microsoft should at least make the offer of a new CD
(to anyone who has a valid XP license key?)  No, many
people will not request a new CD, but then many people
never apply patches either.  I think this is a horse 
and water problem.  

Gary 

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of Eric Krichbaum
 Sent: Monday, May 03, 2004 8:13 PM
 To: [EMAIL PROTECTED]
 Subject: FW: Worms versus Bots
 
 
 I see times more typically in the 5 - 10 second range to 
 infection.  As
 a test, I unprotected a machine this morning on a single T1 to get a
 sample.  8 seconds.  If you can get in 20 minutes of downloads you're
 luckier than most.
 
 Eric
 


RE: Worms versus Bots

2004-05-03 Thread Michel Py

 William wrote:
 but in our ISP office I setup new win2000 servers and first
 thing I do is download all the patches. I've yet to see the
 server get infected in the 20-30 minutes it takes to finish it

It can happen in 5 or 10 minutes (I've seen it) but only if all of the
following conditions are met simultaneously:
a) administrator's password blank (or something
   _really_ easy to guess)
b) public IP (no NAT)
c) no firewall
In other words: if one is stupid, one gets worm'ed or bot'ed.

 (Note: I also disable IIS just in case until
 everything is patched..).

Not a bad idea, but sometimes you don't have the choice of doing it
(with scripted installs or things like SBS). Besides, IIS is not the
main source of trouble on a machine that sits on the Internet
unprotected. I consider disabling IIS a second or third line of defense,
to be used after you implemented the steps not to get screwed in the
first place (which you described).

 Similarly when setting up computers for several of my
 relatives (all have dsl) I've yet to see any infection
 before all updates are installed.

Me too.


 Additional to that many users have dsl router or similar
 device and many such beasts will provide NATed ip block
 and act like a firewall not allowing outside servers to
 actually connect to your home computer.

Indeed. I have a $10 one that I use for installations (even when I
install from a trusted environment), because the danger does not come
only from the Internet, it can also come from your own LAN. By putting
the machine being installed alone on its own segment behind a NAT box,
you also shield yourself from crud that could be on the trusted network.

 On this point it would be really interesting to see what
 percentage of users actually have these routers and if
 decreasing speed of infections by new virus (are there
 real numbers to show it decreased?) have anything to
 do with this rather than people being more careful and
 using antivirus.

Difficult to measure, and here's why: recent worms are polymorphic and
propagate/replicate using many different mechanisms.  How do you tell
the difference between a) a worm that arrived through email and then
contaminated x machines on your LAN and b) a worm that arrived through a
vulnerability in IIS and then contaminated x machines on your LAN?

The trouble here is that if you had all the time in the world _and_ if
you did not have x users screaming, you could look at logs and such and
finally figure out which of the egg or the chicken was first. In a real
world, you clean the mess and when you are done you have to catch up
with all the stuff you did not do while cleaning, and you never know.

Michel.