On Sun, 18 Apr 2004, Matt Hess wrote:
<late-night-humor>
# Do not allow Windows 9x SMTP connections since they are typically
# a viral worm. Alternately we could limit these OSes to 1 connection each.
block in on $ext_if proto tcp from any os {"Windows 95", "Windows 98"} \
    to any port smtp
The OS fingerprint list they have is rather extensive.. </late-night-humor>
This has been suggested before. Remember Windows 9x is essentially a single-user operating system. Once a machine has been compromised, lots of things can be altered by the intruder. Some of the modifications are trivial, such as registry entries. Other changes can get more interesting. Fingerprints work best if the adversary isn't actively trying to munge them. It doesn't always look like another operating system, but it ceases to look like a Windows 9x box. The arms race continues.

Figuring out what the intruder changed, and cleaning it up, continues to get more complicated. Last year running a major anti-virus program was usually enough. Now it can take hours, and sometimes it's faster to re-install the operating system, assuming the user still has their original CDs and various Microsoft anti-piracy keys, and then downloads all the patches they were missing.

http://www.washingtonpost.com/wp-dyn/articles/A22514-2004Apr18.html

    The Federal Trade Commission today is hosting a daylong workshop in
    Washington to discuss the effects of hidden software that may be used
    to control or spy on a computer without its user's knowledge.

    So far most "spyware" and "adware" programs, often placed on Windows
    PCs by such downloaded programs as file-sharing programs, appear to
    have been used for the relatively benign purpose of tracking consumer
    preferences, said Howard Beales, director of the FTC's consumer
    protection division. The FTC is watching to see if criminals start
    making widespread use of this technology to steal credit-card and
    Social Security numbers of unwitting computer users, he said.
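As an added illustration (not from either poster), here is the "limit these OSes to 1 connection each" alternative written out as pf rules, with the caveat from the reply above recorded in the comments. It assumes a pf release that supports the `max-src-conn` state option and the stock `pf.os` fingerprint file; `$ext_if` and the `<smtp_abusers>` table are assumed names.

```pf
# Added example, not from the original thread.
# Assumes pf with max-src-conn support and the default pf.os fingerprints.
ext_if = "fxp0"
table <smtp_abusers> persist

# Fingerprints are only a hint: a compromised 9x host whose TCP stack has
# been tweaked by the intruder will not match "Windows 95"/"Windows 98"
# and falls through to the ordinary rule below. Treat this as a nuisance
# reducer, not a security boundary.

# Sources that already tripped the limit are dropped outright.
block in quick on $ext_if proto tcp from <smtp_abusers> to any port smtp

# Windows 9x sources: allow SMTP, but at most one concurrent connection
# per source address; a second attempt adds the source to the table.
pass in on $ext_if proto tcp from any os {"Windows 95", "Windows 98"} \
    to any port smtp flags S/SA keep state \
    (max-src-conn 1, overload <smtp_abusers> flush)

# Everyone else (including munged fingerprints) gets normal SMTP access.
pass in on $ext_if proto tcp from any to any port smtp flags S/SA keep state
```

Entries accumulate in `<smtp_abusers>` until cleared (for example with `pfctl -t smtp_abusers -T flush`), so a legitimate but chatty 9x mail client will need to be removed by hand; that is the trade-off the reply is pointing at when it calls the fingerprint approach an arms race.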