catseyenu
Ack Pfft
Premium
join:2001-11-17
Fix East
| reply to Link Logger
Re: Nachi the new champion bad boy
Saw a test where it took less than 6 seconds for infection after connecting an unpatched XP box.
The days of the "ignorance is bliss" user is about over.
I fear the consequences of protecting "users" will cost the rest of us.
--
Cox Support Arrogance... faster than you can say overpriced. |
|
Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
 ·Shaw
| said by catseyenu  :
Saw a test where it took less than 6 seconds for infection after connecting an unpatched XP box.
I don't think Microsoft has any option concerning enabling the ICF by default in the upcoming XP SP2, it has to be done. If users disable it then they do so at their own risk and hopefully they realize that and take appropriate steps to maintain their security.
I wonder how many computer shops install all the service packs and patches before shipping/releasing a computer to a customer?
Does anyone have CPU utilizations stats surround the Nachi worm as I would think it eats a fair bit of CPU?
Blake
--
»www.SonicLogger.com - Logging Software for SonicWall and 3Comhttp://www.LinkLogger.com - Logging Software for Linksys, Netgear and Zyxel |
|
gheezer
Compooters R Us
Premium
join:2002-12-20
Henrietta, NY
| reply to catseyenu
This is an Excellent report. Although I suspect the estimates of numbers infected at 2% is way too conservative. here in the US, I suspect initially, at the onset of the outbreak, 10% would have been a conservative estimate.
By my own observations with another American ISP, I suspect they had 10's of THOUSANDS of infected users. (MILLIONS nationwide...!)
I understand they have given up on notifiying infected users, and have been actively shutting down infected workstations for some time now. But with 10's of thousands of infected users, and only so many hours a day, and only so many bodies available to actively search for infected users.....and lets not forget, newly infected users come on line every day....well......it's an uphill battle.
It's a shame it had to come to that though....truly.
But your explanation of the IP Scanning algorythm, and the SCAN effect on local bandwidth clearly demonstrates how devastating just a COUPLE infected machines can be on a whole community.
Nachi EATS bandwidth....massively.
I am linking to this article from a couple other forums.
--
Join the NAVY, see the world....It's mostly water! |
|
Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
·Shaw
| 2% is my very conservative estimate and I would agree with you in that its likely much more.
ISPs are not setup for doing user notifications of this magnitude and I doubt they ever could, as the cost would certainly be prohibitive, as their user base would certainly balk at the increased user fees. Most ISPs have been reducing staff and to track down and notify users of infected systems is a labour intensive process, especially if you try to help people fix their systems. I'm sure everyone here has tried to help someone over the phone with a computer problem and found it to be a frustrating experience at best. In short ISP are not going to be able to help much when it comes to mass infections and nor can they be expected to for the price they charge. Can they filter traffic, certainly, but can you really filter ICMP traffic, what about the next attack vector, and filtering for the most part is only a delaying tactic.
When MSBlast was released, it was likely the most anticipated worm ever, as everyone had lots of advanced notice as to what vulnerability it was going to attack and even scan tools were available to located systems vulnerable to the impending attack. I conducted an internet survey and posted my results in the Security Forum »Re: Defcon5? Impact if(when) Dcom worm released? two days before we captured our first instance of the MSBlast worm »New Capture on TCP port 135 and found that despite all the warnings little was being done to reduce the threat level.
Now we hear about new threats »Hackers crack latest Windows flaw for example would seem to be an impending mass attack and the question is did we learn anything from MSBlast in that preparations will be better this time? Certainly those who are aware of such things will make preparations (or more likely will check that their normal mode of operations has already installed the required patches etc), but once again the masses will not and we will all share in the results.
I see a foot race coming in that Black hats are going to try to release their worms before Microsoft gets XP SP2 out as enabling ICF by default is certainly going to dampen the success of worm authors (virus authors on the other hand are a different story as social engineering will always be their most effective weapon and can defeat even the best network security).
Blake
--
»www.SonicLogger.com - Logging Software for SonicWall and 3Comhttp://www.LinkLogger.com - Logging Software for Linksys, Netgear and Zyxel |
|
GotGhosts
Premium
join:2002-07-16
boo
·RoadRunner Cable
| reply to Link Logger
quote:
Blake:I wonder how many computer shops install all the service packs and patches before shipping/releasing a computer to a customer?
Microsoft is still selling the Windows XP OS software to computer companies that don't have the MS updates? I think this would be a good place for the buck to stop here!
Thats like buying a brand new car without any brakes.
Something needs to be done about that, even though everyone needs to be educated on computer security. |
|
vfpguy
Alias Dotnetguy
join:2001-07-21
Wayne, NJ
| reply to Link Logger
said by Link Logger :
I wonder how many computer shops install all the service packs and patches before shipping/releasing a computer to a customer?
I do. I run MS's SUS Server on my network server. When I build a new computer I connect it to my network and redirect Automatic Updates to my server. I come back in 20 minutes and the new system is up to date.
--
"...a great, serene and peaceful future can slip from us quite as irrevocably by neglect, division and inaction, as by spectacular disaster." -- H. Truman, 6/21/56 |
|
