funsec mailing list archives
RE: Gadi Busted In Massive Conspiracy
From: "Randy Abrams" <abrams () eset com>
Date: Fri, 3 Feb 2006 11:56:33 -0800
-----Original Message-----
From: Valdis.Kletnieks () vt edu [mailto:Valdis.Kletnieks () vt edu]
Sent: Friday, February 03, 2006 7:34 AM
To: Randy Abrams
Cc: nick () virus-l demon co uk; funsec () linuxbox org
Subject: Re: [funsec] Gadi Busted In Massive Conspiracy

> On Thu, 02 Feb 2006 22:10:02 PST, Randy Abrams said:
> > They don't even know they are running the tool. This is a silent
> > download (after the first time) that runs in the background. It is
> > delivered with Windows Update automatically and there is no UI until it
> > finds something.
> > All it takes is a default XPSP2.
>
> Does this happen even if autoupdate isn't enabled? Or on pre-XPSP2
> systems, of which there are a lot? Or if it decides to update at 3:17AM,
> and the box is turned off then? Or if the person is on dialup? Or if a
> proxy/NAT needs to be configured? (I don't know, as I don't do Windows
> that extensively...)

It certainly won't happen every month if they don't have autoupdate. If they do have autoupdate it will happen on dialup too. Most commercial home-use routers (Linksys, D-Link) do not need any special configuration. I expect that products like Zone Alarm would try to stay out of the way of Windows Update too. There are millions of PCs using Windows Update. I don't recall the exact numbers though. I could try to get some stats. Jason said at AVAR that much of this info will be made public. I don't recall which older OSes can run it. Clearly it isn't going to hit everyone.

> As an aside, consider that there's a clear existence proof that anything
> delivered along with the auto-update doesn't get to as many places as
> we'd wish - after Patch Tuesday, there's still a significant number of
> unpatched machines out there...

The MSRT with MSBlaster demonstrated far better penetration than has been achieved with "Install AV Software" advice. AV estimates of infection rates were found to be extremely understated.

> I'll skip the paranoid concept that the XPSP2 EULA gives the tool the
> right to declare critical files from a Firefox or OpenOffice install
> 'malicious' and nuke them without notifying the user... Even MS wouldn't
> stoop *that* low. (Although the legalistics that would happen with a
> sufficiently big false positive *would* be amusing to watch from the
> sidelines. ;)
>
> (Of course, if it's rammed down users' throats with XPSP2, then there's
> probably a few percent at least, and making the extrapolation becomes
> statistically viable. At least *if* you can get your hands on
> Microsoft's stats from the service....)

I'll see what I can find. The stats will be able to be measured against other malware the MSRT deals with and should provide a fairly good comparative prevalence picture.

Cheers,
Randy

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
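The two questions the exchange above turns on, whether a given box is set to receive the MSRT through Automatic Updates at all and whether the tool has actually run there, can be answered locally. The PowerShell below is an added example written for this archive page, not code from either poster or from Microsoft; it reads only the locations Microsoft documents for the tool (the HKLM\SOFTWARE\Microsoft\RemovalTools\MRT key whose Version value records the last release that ran, the HKLM\SOFTWARE\Policies\Microsoft\MRT opt-out value DontOfferThroughWUAU, and the run log at %SystemRoot%\Debug\mrt.log) plus the standard Automatic Updates AUOptions value. The function names are mine. PowerShell postdates XP SP2, so this targets any later Windows; the registry locations are the same ones the 2006-era tool used.

```powershell
# Added example, not from the original thread. Reports whether this machine
# would get the Malicious Software Removal Tool via Automatic Updates and
# whether it has ever run. Helper names (Get-AutoUpdateState, Get-MsrtState,
# Test-MsrtReach) are this example's own; registry paths are the documented ones.

function Get-AutoUpdateState {
    # A Group Policy setting, when present, overrides the locally chosen option.
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $local  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'

    $noAU = (Get-ItemProperty -Path $policy -Name NoAutoUpdate -ErrorAction SilentlyContinue).NoAutoUpdate
    $opt  = (Get-ItemProperty -Path $policy -Name AUOptions    -ErrorAction SilentlyContinue).AUOptions
    if ($null -eq $opt) {
        $opt = (Get-ItemProperty -Path $local -Name AUOptions -ErrorAction SilentlyContinue).AUOptions
    }

    # AUOptions: 1 = disabled, 2 = notify before download,
    # 3 = download then notify before install, 4 = download and install on schedule.
    [pscustomobject]@{
        Disabled  = ($noAU -eq 1) -or ($opt -eq 1) -or ($null -eq $opt)
        AUOptions = $opt
    }
}

function Get-MsrtState {
    $stateKey  = 'HKLM:\SOFTWARE\Microsoft\RemovalTools\MRT'   # written by the tool when it runs
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\MRT'       # admin opt-out lives here
    $log       = Join-Path $env:SystemRoot 'Debug\mrt.log'

    $state  = Get-ItemProperty -Path $stateKey  -ErrorAction SilentlyContinue
    $policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

    [pscustomobject]@{
        LastVersionGuid = $state.Version                      # GUID of the last MSRT release that ran
        OfferBlocked    = ($policy.DontOfferThroughWUAU -eq 1)
        LogExists       = Test-Path $log
        LogLastWrite    = if (Test-Path $log) { (Get-Item $log).LastWriteTime } else { $null }
    }
}

function Test-MsrtReach {
    $au  = Get-AutoUpdateState
    $mrt = Get-MsrtState

    if ($au.Disabled) {
        return 'Automatic Updates off: the MSRT will not arrive on its monthly cycle.'
    }
    if ($mrt.OfferBlocked) {
        return 'DontOfferThroughWUAU is set: this machine has opted out of the MSRT.'
    }
    if ($au.AUOptions -eq 2) {
        return 'Notify-only mode: the MSRT downloads only after a user accepts it.'
    }
    if (-not $mrt.LogExists -and $null -eq $mrt.LastVersionGuid) {
        return 'Automatic Updates on, but no mrt.log or Version value: the tool has never run here.'
    }
    return "MSRT last ran $($mrt.LogLastWrite) (release $($mrt.LastVersionGuid))."
}

Test-MsrtReach
```

Run it in an elevated shell; the HKLM reads need no special rights, but mrt.log under %SystemRoot%\Debug is not always world-readable. Note that a "never run" result on a box with Automatic Updates on can still mean the scheduled install window has not yet been hit, which is exactly the 3:17 AM powered-off case raised above.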
Current thread:
- Re: Gadi Busted In Massive Conspiracy, (continued)
- Re: Gadi Busted In Massive Conspiracy Drsolly (Feb 03)
- Re: Gadi Busted In Massive Conspiracy Nick FitzGerald (Feb 02)
- RE: Gadi Busted In Massive Conspiracy Randy Abrams (Feb 02)
- RE: Gadi Busted In Massive Conspiracy Gary Funck (Feb 02)
- RE: Gadi Busted In Massive Conspiracy Randy Abrams (Feb 02)
- RE: Gadi Busted In Massive Conspiracy Nick FitzGerald (Feb 02)
- RE: Gadi Busted In Massive Conspiracy Gary Funck (Feb 03)
- Re: Gadi Busted In Massive Conspiracy Valdis . Kletnieks (Feb 02)
- RE: Gadi Busted In Massive Conspiracy Randy Abrams (Feb 02)
- Re: Gadi Busted In Massive Conspiracy Valdis . Kletnieks (Feb 03)
- RE: Gadi Busted In Massive Conspiracy Randy Abrams (Feb 03)
- RE: Gadi Busted In Massive Conspiracy Nick FitzGerald (Feb 03)
- RE: Gadi Busted In Massive Conspiracy Sean Donelan (Feb 04)
- RE: Gadi Busted In Massive Conspiracy Nick FitzGerald (Feb 04)
- RE: Gadi Busted In Massive Conspiracy Sean Donelan (Feb 04)
- RE: Gadi Busted In Massive Conspiracy Nick FitzGerald (Feb 04)
- Re: Gadi Busted In Massive Conspiracy Drsolly (Feb 04)
- Re: Gadi Busted In Massive Conspiracy Valdis . Kletnieks (Feb 04)
- Re: Gadi Busted In Massive Conspiracy Drsolly (Feb 04)