nanog mailing list archives
Re: How long before infected - Internet addresses are not uniform
From: "Marshall Eubanks" <tme () multicasttech com>
Date: Tue, 04 May 2004 11:55:41 -0400
On Tue, 4 May 2004 02:42:10 -0400 (EDT) Sean Donelan <sean () donelan com> wrote:
> On Mon, 3 May 2004, william(at)elan.net wrote:
>
> > Similarly when setting up computers for several of my relatives (all have DSL) I've yet to see any infection before all updates are installed.
>
> The folks at CAIDA can do the math, but it turns out many of the recent worms have some interesting gaps in their address scanning routines. There are some Internet address ranges scanned every few seconds, while other address ranges may go weeks between scans. This is part of the reason why "network telescope" estimates of how many infected computers are so wrong. They assume a uniform distribution of worm scans and infected computers.

I think that their math is challenged in general - Sasser appears to do TCP scanning of the entire multicast address range, which betrays a lack of knowledge or concern about Internet routing.

Regards
Marshall Eubanks

> I've seen "raw" Windows boxes connected to the Internet for 4 weeks without being compromised. A watched honeypot never attracts the bear :-) I've also seen Windows boxes compromised during the boot process between the time the network interface is enabled and XP's built-in firewall being activated, less than 1 second.
>
> Of course we still have the human factor. Some system compromises require the user to save an attachment, rename the file, open the file, enter a password, extract another file and then run it in order to compromise the computer. It's amazing how many infected computers are behind NAT/firewalls. Firewalls and antivirus help, but please, when you get a message from your ISP saying your computer is infected, check it out. Don't assume it can't happen to you just because.
>
> I have not found an official Microsoft source for MD5 hashes of Windows, so it's difficult to find unknown stuff on your computer. There are some third-party products which can do change monitoring of Windows. But I agree with Rob Thomas and others, the only way to restore trust in your Windows system is to re-install from a known, good distribution. Unfortunately, this is beyond the capabilities of many home (and even office) users.
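As an added illustration of the two points above (Sean's, that telescope estimates assume uniform scanning, and Marshall's, that scans aimed at multicast space reach nobody), here is a constructed simulation that is not from either poster: the address space is modelled as 256 /8 blocks, a telescope watches one of them, and the usual population estimate is compared for a uniform scanner and for one with a skewed target generator. All numbers are made up for the demonstration.

```python
import random

# Constructed model: IPv4 as 256 /8 blocks; the telescope watches one of them.
TELESCOPE_SLASH8 = 42
TELESCOPE_FRACTION = 1 / 256
MULTICAST_SLASH8S = range(224, 240)   # 224.0.0.0/4: never routed to end hosts

def uniform_pick(rng):
    """Idealised worm: every /8 equally likely (the telescope's assumption)."""
    return rng.randrange(256)

def skewed_pick(rng, hot=(10, 11, 12), hot_prob=0.5):
    """Worm with a gap-ridden generator: half its scans go to three favourite /8s."""
    if rng.random() < hot_prob:
        return rng.choice(hot)
    return rng.randrange(256)

def telescope_estimate(pick, infected, rate, window, seed=1):
    """Population a telescope would report: packets seen / (fraction * rate * window).

    'infected' hosts each send 'rate' scans per time unit for 'window' time units;
    the estimate is only right when targets really are uniformly distributed.
    """
    rng = random.Random(seed)
    total = infected * rate * window
    seen = sum(1 for _ in range(total) if pick(rng) == TELESCOPE_SLASH8)
    return seen / (TELESCOPE_FRACTION * rate * window)

def unroutable_share(pick, scans, seed=1):
    """Fraction of a worm's scans that land in multicast space and can infect no one."""
    rng = random.Random(seed)
    return sum(1 for _ in range(scans) if pick(rng) in MULTICAST_SLASH8S) / scans

if __name__ == "__main__":
    true_n = 2000   # constructed true infected population
    print("uniform scanner, telescope estimate:",
          round(telescope_estimate(uniform_pick, true_n, 10, 10)))
    print("skewed scanner,  telescope estimate:",
          round(telescope_estimate(skewed_pick, true_n, 10, 10)))
    print("share of uniform scans wasted on multicast:",
          unroutable_share(uniform_pick, 100_000))
```

With the skewed generator the telescope sees only half the expected packets and under-counts the population by roughly half, while a uniform scanner still throws about one scan in sixteen at 224.0.0.0/4.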