North American Network Operators Group
How long before infected - Internet addresses are not uniform
On Mon, 3 May 2004, william(at)elan.net wrote:
> Similarly when setting up computers for several of my relatives (all
> have dsl) I've yet to see any infection before all updates are installed.

The folks at CAIDA can do the math, but it turns out many of the recent worms have some interesting gaps in their address scanning routines. There are some Internet address ranges scanned every few seconds, while other address ranges may go weeks between scans. This is part of the reason why "network telescope" estimates of how many infected computers are so wrong. They assume a uniform distribution of worm scans and infected computers.

I've seen "raw" Windows boxes connected to the Internet for 4 weeks without being compromised. A watched honeypot never attracts the bear :-) I've also seen Windows boxes compromised during the boot process between the time the network interface is enabled and XP's built-in firewall being activated, less than 1 second.

Of course we still have the human factor. Some system compromises require the user to save an attachment, rename the file, open the file, enter a password, extract another file and then run it in order to compromise the computer.

It's amazing how many infected computers are behind NAT/firewalls. Firewalls and antivirus help, but please, when you get a message from your ISP saying your computer is infected, check it out. Don't assume it can't happen to you just because.

I have not found an official Microsoft source for MD5 hashes of Windows, so it's difficult to find unknown stuff on your computer. There are some third-party products which can do change monitoring of Windows. But I agree with Rob Thomas and others, the only way to restore trust in your Windows system is to re-install from a known, good distribution. Unfortunately, this is beyond the capabilities of many home (and even office) users.
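
The point in the message above about network telescope estimates, worked through as an added example that is not part of the original post. It assumes a simple model in which an infected host aims a fraction of its scans at its own /8 and spreads the rest uniformly; the population, scan rate and block numbers are constructed, not measurements of any real worm.

```python
# Added illustration: constructed numbers, not data from the post or any worm.
BLOCKS = 256               # number of /8 blocks in IPv4
ADDRS_PER_BLOCK = 2 ** 24  # addresses in one /8


def block_scan_rate(block, infected, rate, p_local):
    """Expected scans/second landing in one /8.

    Assumed model: every infected host sends `rate` scans/s; a fraction
    `p_local` targets the host's own /8, the rest are spread uniformly.
    """
    total = sum(infected.values())
    local = p_local * infected.get(block, 0)
    background = (1 - p_local) * total / BLOCKS
    return rate * (local + background)


def telescope_estimate(block, infected, rate, p_local):
    """Infected-host count a /8 telescope infers if it assumes uniform scans."""
    observed = block_scan_rate(block, infected, rate, p_local)
    return observed / (rate / BLOCKS)  # uniform model: each host sends rate/256 here


def seconds_between_scans(block, infected, rate, p_local):
    """Mean wait between scans reaching a single address in this /8."""
    return ADDRS_PER_BLOCK / block_scan_rate(block, infected, rate, p_local)


# Constructed population: 10,000 infected hosts concentrated in two /8s.
INFECTED = {24: 6000, 61: 4000}
RATE, P_LOCAL = 10, 0.5  # scans/s per host and local-preference share (assumed)

if __name__ == "__main__":
    for blk in (24, 61, 200):
        est = telescope_estimate(blk, INFECTED, RATE, P_LOCAL)
        gap = seconds_between_scans(blk, INFECTED, RATE, P_LOCAL)
        print(f"/8 {blk:>3}: telescope estimate {est:>7.0f} hosts (true 10000), "
              f"one address scanned every {gap / 3600:.2f} h")
```

With these inputs the same 10,000 hosts look like 773,000 from a telescope inside a heavily infected /8 and like 5,000 from one in a /8 with no infected hosts, and a given address in the quiet block waits far longer between scans.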