On Tue, 4 May 2004 02:42:10 -0400 (EDT) Sean Donelan <sean@donelan.com> wrote:
On Mon, 3 May 2004, william(at)elan.net wrote:
Similarly when setting up computers for several of my relatives (all have dsl) I've yet to see any infection before all updates are installed.
The folks at CAIDA can do the math, but it turns out many of the recent worms have some interesting gaps in their address scanning routines. There are some Internet address ranges scanned every few seconds, while other address ranges may go weeks between scans. This is part of the reason why "network telescope" estimates of how many infected computers are so wrong. They assume a uniform distribution of worm scans and infected computers.
I think that their math is challenged in general - Sasser appears to do TCP scanning of the entire multicast address range, which betrays a lack of knowledge or concern about Internet routing.

Regards
Marshall Eubanks
I've seen "raw" Windows boxes connected to the Internet for 4 weeks without being compromised. A watched honeypot never attracts the bear :-) I've also seen Windows boxes compromised during the boot process between the time the network interface is enabled and XP's built-in firewall being activated, less than 1 second.
Of course we still have the human factor. Some system compromises require the user to save an attachment, rename the file, open the file, enter a password, extract another file and then run it in order to compromise the computer. It's amazing how many infected computers are behind NAT/firewalls. Firewalls and antivirus help, but please when you get a message from your ISP saying your computer is infected check it out. Don't assume it can't happen to you just because.
I have not found an official Microsoft source for MD5 hashes of Windows, so it's difficult to find unknown stuff on your computer. There are some third-party products which can do change monitoring of Windows. But I agree with Rob Thomas and others, the only way to restore trust in your Windows system is to re-install from a known, good distribution. Unfortunately, this is beyond the capabilities of many home (and even office) users.
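The network-telescope point made earlier in the thread (a worm whose scan routine has gaps will mislead any estimate that assumes uniform scanning) is easy to see with a small model. The following is an added Python example, not code from the thread or from CAIDA; the 256-block address model, the hot/cold/never-scanned split, the population of 10,000 infected hosts and the scan rate are all constructed assumptions chosen only to make the arithmetic visible.

```python
from fractions import Fraction

# Toy model of the network-telescope argument: the IPv4 space is cut into
# RANGES equal blocks and a telescope watches exactly one block. Every
# number here is constructed for illustration, not a measurement.
RANGES = 256


def uniform_scan_weights():
    """Scan distribution the telescope arithmetic assumes: every block equally likely."""
    return [Fraction(1, RANGES)] * RANGES


def skewed_scan_weights(hot_blocks, hot_share, dead_blocks=()):
    """Scan distribution with gaps: a share `hot_share` (Fraction or exact string
    such as "0.9") of all probes goes to `hot_blocks`, `dead_blocks` are never
    probed at all, and the rest of the probes are spread evenly over the remainder."""
    hot = set(hot_blocks)
    dead = set(dead_blocks)
    cold = [b for b in range(RANGES) if b not in hot and b not in dead]
    weights = [Fraction(0)] * RANGES
    for b in hot:
        weights[b] = Fraction(hot_share) / len(hot)
    for b in cold:
        weights[b] = (1 - Fraction(hot_share)) / len(cold)
    assert sum(weights) == 1  # a probability distribution over blocks
    return weights


def expected_hits(weights, telescope_block, infected, scans_per_host):
    """Expected number of probes the telescope sees during the observation window."""
    return infected * scans_per_host * weights[telescope_block]


def telescope_estimate(hits, scans_per_host):
    """Population estimate a telescope reports when it assumes uniform scanning:
    each infected host is expected to send scans_per_host / RANGES probes its way."""
    return hits * RANGES / scans_per_host


def compare(infected=10_000, scans_per_host=3_600):
    """Estimates the same telescope would report for the same worm population,
    depending only on where it sits relative to the worm's scanning gaps."""
    uniform = uniform_scan_weights()
    # Constructed worm: 90% of probes go to 16 "hot" blocks, 16 blocks are never
    # probed, and the remaining 224 blocks share the last 10% of probes.
    skewed = skewed_scan_weights(hot_blocks=range(16), hot_share=Fraction(9, 10),
                                 dead_blocks=range(240, 256))
    cases = [
        ("uniform scanning", uniform, 0),
        ("gapped scanning, telescope in a hot block", skewed, 0),
        ("gapped scanning, telescope in a cold block", skewed, 100),
        ("gapped scanning, telescope in a never-scanned block", skewed, 250),
    ]
    results = {}
    for label, weights, block in cases:
        hits = expected_hits(weights, block, infected, scans_per_host)
        results[label] = telescope_estimate(hits, scans_per_host)
    return results


if __name__ == "__main__":
    for label, estimate in compare().items():
        print(f"{label}: {float(estimate):.0f} hosts estimated (true population 10000)")
```

Only the uniform case recovers the true population; the same 10,000 hosts are reported as 144,000 from a hot block, roughly 1,143 from a cold block and zero from a never-scanned block, which is the over- and under-counting the thread describes.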