The antivirus vendors are bemoaning the fact the Sasser worm has been slow to spread. On the other hand, most of the vulnerable computers seem to have already been taken over by one or more Bots days or weeks before the worms arrived. Other than the obvious, don't let a bot get on your computer in the first place, are there any opinions about the best anti-bot tools for naive computer users? The major virus vendors seem to be having a bit of trouble dealing with bots, frequently recommending manual editing of files and use of regedit. There is also a much longer delay between the appearance of a new bot and updates to antivirus packages.
At 11:04 PM 5/2/2004, Sean Donelan wrote:
The antivirus vendors are bemoaning the fact the Sasser worm has been slow to spread. On the other hand, most of the vulnerable computers seem to have already been taken over by one or more Bots days or weeks before the worms arrived.
Other than the obvious, don't let a bot get on your computer in the first place, are there any opinions about the best anti-bot tools for naive computer users? The major virus vendors seem to be having a bit of trouble dealing with bots, frequently recommending manual editing of files and use of regedit. There is also a much longer delay between the appearance of a new bot and updates to antivirus packages.
One of my concerns is that it's easy to download an anti-virus package which will most likely delete (it seems that unless it's a VBA macro virus the files can never be cleaned!) some of the 100% worm or virus files. The trojan programs, bots, and spyware stick around. It would be a wonderful program that scanned for and cleaned up BOTH virus and bot files...
Rob Nelson
ronelson@vt.edu
Sean Donelan wrote:
Other than the obvious, don't let a bot get on your computer in the first place, are there any opinions about the best anti-bot tools for naive computer users? The major virus vendors seem to be having a bit of trouble dealing with bots, frequently recommending manual editing of files and use of regedit. There is also a much longer delay between the appearance of a new bot and updates to antivirus packages.
I personally stick with the BCP "backup, reformat and reinstall from your original media". That goes for worms and bots. Just because a machine has a bot/worm/virus that didn't come with a rootkit, doesn't mean that someone else hasn't had their way with it. Then again, I've seen businesses who had sensitive client financial data on compromised systems completely ignore this advice, so it's generally given without much hope, esp. where the stakes are lower.
Hi, NANOGers.
] Just because a machine has a bot/worm/virus that didn't come with a ] rootkit, doesn't mean that someone else hasn't had their way with it.
Agreed. A growing trend in the "0wnage" category is the installation of multiple bots on a single host. This isn't intentional, but a result of the multiple infection vectors bots employ. Bot01 goes after open Win2K shares (TCP 445), and Bot02 comes along and enters through Kuang2 (TCP 17300). One of the more popular bots has at least 13 distinct scan and sploit methods. WebDav, NetBios, MSSQL, Beagle, Kuang2, and the list goes on. The record I've seen thus far was a host with 14 distinct and active bots on it. I'm guessing the LEDs on that cable modem never blinked.
One bot, Coldlife, actually took advantage of this trend. It would hunt for certain bot configuration files on the host it infected, and report the contents to the Coldlife botherd. Ka-ching, another botnet stolen. Things have evolved in a distributed manner from this feature.
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
On Mon, 3 May 2004, Rob Thomas wrote:
] Just because a machine has a bot/worm/virus that didn't come with a ] rootkit, doesn't mean that someone else hasn't had their way with it.
Agreed.
Won't help. What's the first thing people do after re-installing the operating system (still have all the original CDs and keys and product activation codes and and and)? Connect to the Internet to download the patches. Time to download patches 60+ minutes. Time to infection 5 minutes. Patches are Microsoft's intellectual property and can not be distributed by anyone without Microsoft's permission. Ok, so you order Microsoft's patch CD. Unfortunately it only includes patches through October 2003. Microsoft is selling over 10 million Windows licenses every month. Patches not included.
The record I've seen thus far was a host with 14 distinct and active bots on it. I'm guessing the LEDs on that cable modem never blinked.
The problem with Bots is they aren't always active. That makes them difficult to find until they do something.
On Mon, 3 May 2004, Sean Donelan wrote:
On Mon, 3 May 2004, Rob Thomas wrote:
] Just because a machine has a bot/worm/virus that didn't come with a ] rootkit, doesn't mean that someone else hasn't had their way with it.
Agreed.
Won't help. What's the first thing people do after re-installing the operating system (still have all the original CDs and keys and product activation codes and and and)? Connect to the Internet to download the patches. Time to download patches 60+ minutes. Time to infection 5 minutes.
It's possible it's a problem on dialup, but in our ISP office I set up new win2000 servers and the first thing I do is download all the patches. I've yet to see the server get infected in the 20-30 minutes it takes to finish it (Note: I also disable IIS just in case until everything is patched..). Similarly when setting up computers for several of my relatives (all have dsl) I've yet to see any infection before all updates are installed. Additional to that, many users have a dsl router or similar device and many such beasts will provide a NATed ip block and act like a firewall, not allowing outside servers to actually connect to your home computer. On this point it would be really interesting to see what percentage of users actually have these routers and if the decreasing speed of infections by new viruses (are there real numbers to show it decreased?) has anything to do with this rather than people being more careful and using antivirus. Another option if you're really afraid of infection is to set up a proxy that only allows access to the microsoft ip block that contains windows update servers. And of course, there is an even BETTER OPTION than all the above - STOP USING WINDOWS and switch to Linux or Free(Mac)BSD ! :)
Patches are Microsoft's intellectual property and can not be distributed by anyone without Microsoft's permission.
I don't think this is quite true. Microsoft makes available all patches as individual .exe files. There are quite many of these updates and it's really a pain to actually get all of them and install updates manually. But I've never seen written anywhere that I can not download these .exe files and distribute them inside your company or to your friends as needed to fix the problems these patches are designed for.
The problem with Bots is they aren't always active. That makes them difficult to find until they do something.
As opposed to what, viruses? Not at all! Many viruses have periods when they are active and afterwards they go into "sleep" mode and will not activate until some other date! Additionally, a bot that does not immediately become active is a good thing because if you do weekly or monthly audits (and many do it like that) you may well find it this way and deal with it at your own time, rather than all of a sudden being awakened at 3am and having to clean up an infected system.
--
William Leibzon
Elan Networks
william@elan.net
On Mon, 3 May 2004, william(at)elan.net wrote:
Similarly when setting up computers for several of my relatives (all have dsl) I've yet to see any infection before all updates are installed.
The folks at CAIDA can do the math, but it turns out many of the recent worms have some interesting gaps in their address scanning routines. There are some Internet address ranges scanned every few seconds, while other address ranges may go weeks between scans. This is part of the reason why "network telescope" estimates of how many infected computers are so wrong. They assume a uniform distribution of worm scans and infected computers.
I've seen "raw" Windows boxes connected to the Internet for 4 weeks without being compromised. A watched honeypot never attracts the bear :-) I've also seen Windows boxes compromised during the boot process between the time the network interface is enabled and XP's built-in firewall being activated, less than 1 second.
Of course we still have the human factor. Some system compromises require the user to save an attachment, rename the file, open the file, enter a password, extract another file and then run it in order to compromise the computer. It's amazing how many infected computers are behind NAT/firewalls. Firewalls and antivirus help, but please when you get a message from your ISP saying your computer is infected check it out. Don't assume it can't happen to you just because.
I have not found an official Microsoft source for MD5 hashes of Windows, so it's difficult to find unknown stuff on your computer. There are some third-party products which can do change monitoring of Windows. But I agree with Rob Thomas and others, the only way to restore trust in your Windows system is to re-install from a known, good distribution. Unfortunately, this is beyond the capabilities of many home (and even office) users.
On Tue, 4 May 2004 02:42:10 -0400 (EDT) Sean Donelan <sean@donelan.com> wrote:
On Mon, 3 May 2004, william(at)elan.net wrote:
Similarly when setting up computers for several of my relatives (all have dsl) I've yet to see any infection before all updates are installed.
The folks at CAIDA can do the math, but it turns out many of the recent worms have some interesting gaps in their address scanning routines. There are some Internet address ranges scanned every few seconds, while other address ranges may go weeks between scans. This is part of the reason why "network telescope" estimates of how many infected computers are so wrong. They assume a uniform distribution of worm scans and infected computers.
I think that their math is challenged in general - Sasser appears to do TCP scanning of the entire multicast address range, which betrays a lack of knowledge or concern about Internet routing.
Regards
Marshall Eubanks
I've seen "raw" Windows boxes connected to the Internet for 4 weeks without being compromised. A watched honeypot never attracts the bear :-) I've also seen Windows boxes compromised during the boot process between the time the network interface is enabled and XP's built-in firewall being activated, less than 1 second.
Of course we still have the human factor. Some system compromises require the user to save an attachment, rename the file, open the file, enter a password, extract another file and then run it in order to compromise the computer. It's amazing how many infected computers are behind NAT/firewalls. Firewalls and antivirus help, but please when you get a message from your ISP saying your computer is infected check it out. Don't assume it can't happen to you just because.
I have not found an official Microsoft source for MD5 hashes of Windows, so it's difficult to find unknown stuff on your computer. There are some third-party products which can do change monitoring of Windows. But I agree with Rob Thomas and others, the only way to restore trust in your Windows system is to re-install from a known, good distribution. Unfortunately, this is beyond the capabilities of many home (and even office) users.
On Mon, 3 May 2004, william(at)elan.net wrote:
It's possible it's a problem on dialup, but in our ISP office I set up new win2000 servers and the first thing I do is download all the patches. I've yet to see the server get infected in the 20-30 minutes it takes to finish it (Note: I also disable IIS just in case until everything is patched..).
The frequency of scans is such that I'd say you have been lucky. Some worms also weight scans by IP (i.e. they scan the local /16 more than the local /8 more than the /0).. in which case if you're a <large ISP> dialup customer you stand a higher chance of infection
Steve
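Two points in this thread fit one small simulation: Sean Donelan's remark that "network telescope" counts assume uniformly distributed scans, and Steve's description of worms that weight scans toward the local /16, then the local /8, then everything else. The script below is an added example, not code from the thread; the telescope prefix, the locality weights p16 and p8, the population size and the probe counts are all assumptions chosen for illustration. It counts how many of a fixed set of infected hosts a single /8 telescope ever observes under each scanning strategy, which is the naive "how many infected computers" estimate.

```python
import random

# Constructed model: the telescope owns one /8 (10.0.0.0/8 here). No infected
# host lives inside it, so a host is "seen" only when one of its probes lands
# on an address in that /8.
TELESCOPE_FIRST_OCTET = 10


def in_telescope(addr):
    """True if a 32-bit address falls inside the telescope's /8."""
    return (addr >> 24) == TELESCOPE_FIRST_OCTET


def uniform_target(src, rng):
    """Uniform scanner: every address is equally likely (telescope assumption)."""
    return rng.getrandbits(32)


def local_pref_target(src, rng, p16=0.5, p8=0.25):
    """Locality-weighted scanner as described in the thread: prefer the
    scanner's own /16, then its own /8, otherwise anywhere in /0.
    The weights p16 and p8 are assumptions for this simulation."""
    r = rng.random()
    if r < p16:
        return (src & 0xFFFF0000) | rng.getrandbits(16)
    if r < p16 + p8:
        return (src & 0xFF000000) | rng.getrandbits(24)
    return rng.getrandbits(32)


def make_population(n, seed=2):
    """n infected hosts scattered over the address space, none inside the
    telescope (constructed sample)."""
    rng = random.Random(seed)
    hosts = []
    while len(hosts) < n:
        a = rng.getrandbits(32)
        if not in_telescope(a):
            hosts.append(a)
    return hosts


def telescope_count(infected, probes_per_host, chooser, seed=1):
    """Number of distinct infected hosts whose probes ever reach the
    telescope: the naive 'infected population' estimate."""
    rng = random.Random(seed)
    seen = 0
    for src in infected:
        for _ in range(probes_per_host):
            if in_telescope(chooser(src, rng)):
                seen += 1
                break
    return seen


def compare_estimates(n_infected=1000, probes_per_host=1000):
    """Return (uniform_seen, local_pref_seen) for the same population and
    the same number of probes per host."""
    infected = make_population(n_infected)
    return (telescope_count(infected, probes_per_host, uniform_target),
            telescope_count(infected, probes_per_host, local_pref_target))


if __name__ == "__main__":
    u, l = compare_estimates()
    print(f"uniform scanning:  telescope sees {u} of 1000 infected hosts")
    print(f"locality-weighted: telescope sees {l} of 1000 infected hosts")
```

With these weights only a quarter of each host's probes are spread over the whole address space, so a /8 telescope sees far fewer of the infected hosts than it would under uniform scanning and undercounts the population accordingly; a telescope that happens to sit near a cluster of infected /8s would be biased the other way. Either way the estimate is a property of where the telescope sits and how the worm picks targets, not of the infected population alone.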
On Mon, 03 May 2004 13:51:35 -0600 Mike Lewinski <mike@rockynet.com> wrote:
Then again, I've seen businesses who had sensitive client financial data on compromised systems completely ignore this advice, so it's generally given without much hope, esp. where the stakes are lower.
ditto. i have some very specific memories of explaining to a CEO who should have known better (an ex engineer) why we really needed to "nuke the servers from orbit, it's the only way to be sure" after an infestation at a startup some years back.
sigh,
richard
--
Richard Welty rwelty@averillpark.net
Averill Park Networking 518-573-7592
Java, PHP, PostgreSQL, Unix, Linux, IP Network Engineering, Security