Interesting Virus/Trojan From Clean Install

But surfing with a totally unpatched Windows
(whichever version) *is* hazardous and irresponsible. IMNSHO.

BeAr

Surfing? I was making the first connection to my ISP's website (I know you
aren't necessarily directing your comments at me but by golly I started
this thread! :)

Since when does a "totally unpatched Windows" version become one? Hint to
answer: XP SP1. Is XP SP2 fully matured?
 
Well, I would not call receiving a Messenger spam message being
"compromised". Annoying, yes, but Messenger spam is relatively harmless.

You _could_ still be compromised, though. There are far worse holes in a
default XP installation than an active Messenger service.

W2K but still the same issue
Yes. Worms bombard random IP addresses all the time. If you are not
protected, it is only a matter of time before you catch a stray bullet.
And that's rarely enough time to do a full patchup at WindowsUpdate.


No. A default Windows XP installation sans SPs and patches has several
running services expecting and accepting network connections. Some of
these services have displayed serious security vulnerabilities.

Not on a network, a simple dialup after a clean install of W2K from a
cruddy laptop.

I do have a question. How is it that a worm, if not on my laptop, gets into
my laptop if all I do is dialup to a known, often used BellSouth number, I
get popup spams which, I think, ultimately redirected me to a webpage that
was never displayed?

Where did this come from? Assuming the laptop was fully cleaned
(WipeOut/formatted), there are no viri etc on the install CD of W2K.
 
W2K but still the same issue


Not on a network, a simple dialup after a clean install of W2K from a
cruddy laptop.
Yes, dial-up is treated as a network.
I do have a question. How is it that a worm, if not on my laptop, gets into
my laptop if all I do is dialup to a known, often used BellSouth number, I
get popup spams which, I think, ultimately redirected me to a webpage that
was never displayed?
Easy. The pop-up may have been a Messenger SPAM or it may have been
the precursor to a serious attack to see if you were there. Enable
alerts in a firewall and I'll almost guarantee that, within a few
minutes of you connecting, you will see an alert telling you that
something has been blocked. While it doesn't always happen it does
happen more often than not.
Where did this come from? Assuming the laptop was fully cleaned
(WipeOut/formatted), there are no viri etc on the install CD of W2K.

From your network connection via your ISP.
 
Ari Silverstein skrev:
W2K but still the same issue


Not on a network, a simple dialup after a clean install of W2K from a
cruddy laptop.

Same thing. When you dial up to an ISP that connects you to the
internet, you have a public IP address on the world's largest network.
That puts you smack in the middle of harm's way.
I do have a question. How is it that a worm, if not on my laptop, gets into
my laptop if all I do is dialup to a known, often used BellSouth number, I
get popup spams which, I think, ultimately redirected me to a webpage that
was never displayed?

Where did this come from? Assuming the laptop was fully cleaned
(WipeOut/formatted), there are no viri etc on the install CD of W2K.

As mentioned, a clean installation of Windows (XP, 2K, whatever) has
running services that can be exploited. And if you have a public IP
address (most dialup users do) then everybody and their grandmothers
can reach these exploitable services.

I recommend that you get yourself a friend with a broadband connection
and a CD burner. Buy yourself a writable CD. Bring it to your friend
and download SP4 (make sure you get the redistributable version), the
security rollup package and some freeware personal firewall. Burn it
all on your CD, bring it home, reinstall your OS again and then install
everything from your CD. _Then_ you might connect your computer to the
internet without risking worms peeping in and out of every hole.
 
Surfing? I was making the first connection to my ISP's website

Surfing is not a prerequisite. Simply connecting your computer to the
internet is. The mentioned worms do not get to your computer through
a hole in IE or something like that, they get into services that are
installed and running by default.
Since when does a "totally unpatched Windows" version become one?

New security holes will of course always show up. But still, I believe
Microsoft (finally) did the right thing when they made the built-in
firewall active by default. AFAICR, this happened in XP SP2. Windows
2000 still relies on a third party firewall.

Worms are not able to penetrate a simple firewall, and will no longer
pose a threat once you have one installed and running. So even if your
computer is not 100% updated at this point, it should still be safe to
connect it to the net to download the missing patches.

For an explanation of worms, read
http://www.vernalex.com/guides/malware/define.shtml#worms

For information about the Messenger service (which you opened this
thread with) read http://www.itc.virginia.edu/desktop/docs/messagepopup/
 
Easy. The pop-up may have been a Messenger SPAM or it may have been
the precursor to a serious attack to see if you were there. Enable
alerts in a firewall and I'll almost guarantee that, within a few
minutes of you connecting, you will see an alert telling you that
something has been blocked. While it doesn't always happen it does
happen more often than not.


From your network connection via your ISP.

Let me see if I understand this. I dialup from a clean laptop, over a
telephone line installed by BellSouth (AT/T) that goes to some BellSouth
Central Office (switch). From there the connection continues on BellSouth
owned lines to BellSouth Networks, the ISP.

Somewhere in there, somebody has jumped into the BSouth owned commo lines
or have I missed something?
 
As mentioned, a clean installation of Windows (XP, 2K, whatever) has
running services that can be exploited. And if you have a public IP
address (most dialup users do) then everybody and their grandmothers
can reach these exploitable services.

I recommend that you get yourself a friend with a broadband connection
and a CD burner. Buy yourself a writable CD. Bring it to your friend
and download SP4 (make sure you get the redistributable version), the
security rollup package and some freeware personal firewall. Burn it
all on your CD, bring it home, reinstall your OS again and then install
everything from your CD. _Then_ you might connect your computer to the
internet without risking worms peeping in and out of every hole.

Yes, I see, so the attack was aimed at my IP.

The CD idea is good (I was after the rollup dload) except that the CD, for
some odd reason, will read the W2K disc but won't read other data discs. I
get a d:Not Available or incorrect drive parameter. Of course, the floppy
doesn't work either and I can't get the f...ing mouse to work on anything
except the USB, the dip...t touch pad is dead. so I can't use my USB drive
to transfer data.
 
New security holes will of course always show up. But still, I believe
Microsoft (finally) did the right thing when they made the built-in
firewall active by default. AFAICR, this happened in XP SP2. Windows
2000 still relies on a third party firewall.

Worms are not able to penetrate a simple firewall, and will no longer
pose a threat once you have one installed and running. So even if your
computer is not 100% updated at this point, it should still be safe to
connect it to the net to download the missing patches.

For an explanation of worms, read
http://www.vernalex.com/guides/malware/define.shtml#worms

For information about the Messenger service (which you opened this
thread with) read http://www.itc.virginia.edu/desktop/docs/messagepopup/

Thanks, I run Kerio 2.15 on my local machines, had none running on this
laptop. Learned a lesson.

As to XP2 firewall, better than nothing but I don't think it checks outgoing
(logging).
 
Ari Silverstein skrev:
As to XP2 firewall, better than nothing but I don't think it checks outgoing
(logging).

No, it does not. But you don't need that to protect against worms.
 
Morten said:
Ari Silverstein skrev:



No, it does not. But you don't need that to protect against worms.

True.

But it's mighty helpful in determining zombie status.
 
Stephen said:
The honeynet project has determined that the average time to compromise
for an unpatched Windows machine directly on the net is under a minute.

Surely you realize that the honeypot project counts sharks by chumming the
waters, then slitting the wrists of the victim before throwing them
overboard, right? ;)

I have archived logs going back about a year and a half that include a
synopsis (port, packet count, and IP/host) of ALL unsolicited connection
attempts for two locations at opposite ends of the US, with two completely
different providers on opposite sides of our now infamous "backbone fence".

There's no way in hell this "minute average" holds any water in the real
world. There just aren't that many random scans taking place to cover the
IP space that thoroughly.

If you think about it, the quantity of traffic that would be necessary to
"inspect" every possible IP address an average of once a minute would
bring most networks to their knees. Even taking into consideration a
limiting of scans to blocks of IP addresses we're talking about a
monstrous amount of traffic unless those blocks are relatively small, and
we know that's not the case. For the most part these worms generate IP
addresses randomly, with only a few exemptions.

There may be some fluctuation between different areas or IP allocations,
but if you're in an ISP neighborhood that's being scanned end to end every
minute your whole IP block is probably unusable anyway. Or pretty small, and
specifically targeted.
 
I have archived logs going back about a year and a half that include a
synopsis (port, packet count, and IP/host) of ALL unsolicited connection
attempts for two locations at opposite ends of the US, with two completely
different providers on opposite sides of our now infamous "backbone fence".

There's no way in hell this "minute average" holds any water in the real
world. There just aren't that many random scans taking place to cover the
IP space that thoroughly.

That's varying on a very broad scale. There are days where I get only
one break-in try every 40 minutes or so. And there are other days where
I can connect using different IP's and always see attacks faster than
one a second. Either way: An *open* security hole will result in break-in
sooner or later.

I've seen WinXP systems which only tried to download SP1 after a clean
installation using MS update service and got infected. (No surfing or
else. Just plain connection to MS via ISP...) Of course, others had more
luck. But luck's not the way to go.
If you think about it, the quantity of traffic that would be necessary to
"inspect" every possible IP address an average of once a minute would
bring most networks to their knees. Even taking into consideration a
limiting of scans to blocks of IP addresses we're talking about a
monstrous amount of traffic unless those blocks are relatively small, and
we know that's not the case.

Do we?! Some setups are those, that only IP addresses from the same
network segment will be scanned. There are enough compromised systems
out there to do the job. Only a small part of the tries to break-in
or to infect originates from direct aimed attacks.
For the most part these worms generate IP addresses randomly, with only a
few exemptions.

Some do it this way, some another. The more systems are infected, the
higher are chances to "hear" from them. Either way.
There may be some fluctuation between different areas or IP allocations,
but if you're in an ISP neighborhood that's being scanned end to end every
minute your whole IP block is probably unusable anyway. Or pretty small, and
specifically targeted.

Neither this nor that. ISPs have to shoulder much more traffic than
this. You have to take into account that we don't talk about a single
hacker which uses a single computer to scan these IP ranges. It is
mostly some kind of white noise (or better black noise, coming to this)
from compromised/infected systems. Large IP ranges have a higher
probability to see attacks from different computers at a given time.
That's why the network traffic per IP address doesn't have to increase
if a bigger net gets completely scanned in the same time frame as a
smaller one.

BeAr
 
Let me see if I understand this. I dialup from a clean laptop, over a
telephone line installed by BellSouth (AT/T) that goes to some BellSouth
Central Office (switch). From there the connection continues on BellSouth
owned lines to BellSouth Networks, the ISP.

What I now tell you is over-simplified and maybe also misleading in
some ways. But you may get to the gist of the problem this way:

Think of the Internet as conventional mail. (I'm *not* only talking
about email, at the moment!) People all over the world can send each
other mails, parcels, and packets. If someone wants to spread harm,
he sends letter-bombs to randomized or specially selected addresses.
The letter containing the bomb will be transported from post-office
to post-office until it reaches *your* post-office (BellSouth).

They look onto the envelope and bring the letter to your letterbox.
They only wouldn't do this, if you told them to *only deliver*
mail from certain originators or to check for some known letter-
bomb characteristics first (some proxy and filtering setups,
special closed ports). In all other cases, the letter will be
delivered.

If you took security precautions, the postman has to pass your dog
(a hardware firewall). That one may sniff the bomb and you're safe.
If not, the postman will try to put the letter in your box.

Fortunately, you have different letter-boxes for letters, parcels,
and packets (computer ports for Html-transport, Mail-transport,
Ftp-transport, and so on). If you don't await letters at the
moment, you may have closed the slit for letters, while the hole
for parcels and the other hole for packets still are opened.

Because the postman is only permitted to deliver each kind of
post to the correct box, you'd be safe again. But if you left the
letter box open, the letter-bomb gets into the box.

If the letter is very thick, the letter-box may not take another
letter (denial of service). Until this point, nothing *really*
terrible has happened.

But the architect of your house (Microsoft) tried to make you feel
*very* comfortable. So they added some kind of transportation to
some of your letter-boxes, which brings the content directly to
your breakfast-table.

Moreover, you bought a new/faster/better-looking means for transport
from do-it-yourself store (a program from another vendor), just the
other day. If such a connection (Microsoft or other vendor) is
directly connected to the letter-box (a service or process running
in your computer system) when the letter-bomb was delivered, then
you can only hope that it has a *working* letter-bomb detection.
(Else you are hacked/infected/...)

Of course, you may also have a dog indoor (software-firewall or
other anti-malware software). But indoor dogs are a bit tricky.
Some are mollycoddles and rather speed-up the delivering of the
letter-bomb than hindering it. Some are overstressed by the many
floors and steps of your house and therefore often come too late.

As difficult as it seems to prevent letter-bombs from appearing
on your table, as difficult you'll find a secure computer setup.
The most secure situation would be no communication with the
outside. But that's often not an option...

BeAr
 
Surfing? I was making the first connection to my ISP's website (I know you
aren't necessarily directing your comments at me but by golly I started
this thread! :)

I used "surfing" in a broad sense. The moment you connect your computer
to a network you're (to some extent) exposed to all other computers.
If your ISP does no extraordinary filtering, any attempt to contact
your computer will be transmitted. The moment you connect with your
ISP, you get an address and can be reached.
Since when does a "totally unpatched Windows" version become one? Hint to
answer: XP SP1. Is XP SP2 fully matured?

Hm. My above cited comment is a bit general. You can disable most (if
not all) *direct* ways to break-in. A good place to look is here:

www.ntsvcfg.de/ntsvcfg_eng.html

But I think, WinXP should at least have SP1 and (depending on the
installed software, used functionality,...) some additional fixes
before connecting it to the Internet. Look here (from a secure system,
of course) for requirements:

www.microsoft.com/technet/security/current.aspx

BeAr
 
[...]
Let me see if I understand this. I dialup from a clean laptop, over a
telephone line installed by BellSouth (AT/T) that goes to some BellSouth
Central Office (switch). From there the connection continues on BellSouth
owned lines to BellSouth Networks, the ISP.

Somewhere in there, somebody has jumped into the BSouth owned commo lines
or have I missed something?

That is correct. The moment you open a connection you are given an IP
number from the block owned by BSouth. Any computer can contact your
computer using this number. If you are lucky it will not happen but
some ISPs seem to attract more attacks than others. A firewall blocks
these attacks for the most part.
 
I used "surfing" in a broad sense. The moment you connect your computer
to a network you're (to some extent) exposed to all other computers.
If your ISP does no extraordinary filtering, any attempt to contact
your computer will be transmitted. The moment you connect with your
ISP, you get an address and can be reached.


Hm. My above cited comment is a bit general. You can disable most (if
not all) *direct* ways to break-in. A good place to look is here:

www.ntsvcfg.de/ntsvcfg_eng.html

But I think, WinXP should at least have SP1 and (depending on the
installed software, used functionality,...) some additional fixes
before connecting it to the Internet. Look here (from a secure system,
of course) for requirements:

www.microsoft.com/technet/security/current.aspx

BeAr

Thanks Bear, er, BeAr
 
B. R. 'BeAr' Ederson said:
That's varying on a very broad scale. There are days where I get only one
break-in try every 40 minutes or so. And there are other days where I can
connect using different IP's and always see attacks faster than one a
second. Either way: An *open* security hole will result in break-in sooner
or later.

I never claimed anything to the contrary. But the notion that you'll be
compromised in a minute average is ridiculous. A wildly overstated
representation of the problem.
I've seen WinXP systems which only tried to download SP1 after a clean
installation using MS update service and got infected. (No surfing or

I've seen literally hundreds accomplish the task just fine. And yes, a
fair number that have failed. I'd make a knee jerk guess from a couple
years of on hands experience that the "one minute average" assertion is
closer to a 24 hour window, and that maybe 2% to 5% of fresh windows
installs with updates being done over the net will be nailed before the
updates complete.

That's just an estimate, I've never actually sat down and tried to
incident count for any length of time.
else. Just plain connection to MS via ISP...) Of course, others had more
luck. But luck's not the way to go.

Never said it was. The smart money is on having your updates handy and
hardening the box before you even install a NIC. But then wasn't it NT4
SP3 that wouldn't allow installation of a NIC after it was installed? If
memory serves, at one time it had to be uninstalled, the NIC and drivers
installed, and the SP reapplied.

There's a lot of scenarios where the "ideal" is impossible, and a whole
bunch of home users who have no choice but to play the odds. Scaring them
with "one minute" alarmist nonsense doesn't accomplish a thing.
Do we?! Some setups are those, that only IP addresses from the same
network segment will be scanned. There are enough compromised systems out
there to do the job. Only a small part of the tries to break-in or to
infect originates from direct aimed attacks.

Yes, that is EXACTLY why it's silly to believe any given IP address is
going to be examined every minute on the average. This is a random thing
from a large number of sources. If the attacks were more focused, then I'd
agree that it could be accomplished. But what's being asserted is that
roughly 42 billion addresses are being scanned once a minute. At the very
LEAST this sort of traffic load would cause huge problems at the
boundaries of major providers.
Some do it this way, some another. The more systems are infected, the
higher are chances to "hear" from them. Either way.

I'm not aware of any virus or worm that restricts propagation to some CIDR
or IP block. It would seem highly counter productive to design such a
thing to begin with.
Neither this nor that. ISP's have to shoulder much more traffic than this.

Certainly NOT at the levels that would need to be maintained to produce an
average one minute "shelf life" of a naked Windows box.
You have to take into account, that we don't talk about a single hacker
which uses a single computer to scan these IP ranges. It is mostly some

Obviously, but it's pretty much irrelevant except for the fact that
overlap would likely cause more noticeable problems in seemingly random
areas and random times as multiple attackers happen to hit the same
topography at the same time.

Something else we don't see very often, outside the realm of targeted
attacks. Mostly DoS attacks. ;-)
kind of white noise (or better black noise, coming to this) from
compromised/infected systems. Large IP ranges have a higher probability
to see attacks from different computers at a given time. That's why, the
network traffic per IP address doesn't have to increase if a bigger net
gets completely scanned in the same time frame as a smaller one.

???

The "network traffic per IP" is a fixed number here. It's the figure
that's in question. Network load to cover 255 IP addresses every second
would certainly be less than network load to cover 65000 a second,
wouldn't you say? :)
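A small model of the probe-rate argument running through this post and BeAr's earlier one (per-IP traffic not growing with block size versus the "255 vs 65000" load comparison), as an added example that is not part of the original thread. It assumes N infected hosts each sending r probes per second to uniformly random IPv4 addresses, so arrivals at one address are a Poisson process; the host count, probe rate and packet size in it are constructed, not measured.

```python
"""Back-of-envelope model of worm scanning exposure (added example).

Assumed model: `scanners` infected hosts each emit `probes_per_sec` probes
at uniformly random addresses in a space of `space` addresses. All the
numbers fed to these functions below are constructed assumptions."""
import math

IPV4_SPACE = 2 ** 32  # size of the address space random-scanning worms draw from


def per_ip_probe_rate(scanners, probes_per_sec, space=IPV4_SPACE):
    """Expected probes/second landing on any one address.

    This does not depend on how large the target's block is; the block only
    decides how many addresses share that same per-address rate."""
    return scanners * probes_per_sec / space


def block_probe_rate(block_size, scanners, probes_per_sec, space=IPV4_SPACE):
    """Expected probes/second landing anywhere inside a block of block_size
    addresses (a /24 is 256, a /16 is 65536). This is the quantity that does
    grow with block size."""
    return block_size * per_ip_probe_rate(scanners, probes_per_sec, space)


def expected_seconds_to_first_probe(scanners, probes_per_sec, space=IPV4_SPACE):
    """Mean wait until a freshly connected address receives its first probe."""
    return 1.0 / per_ip_probe_rate(scanners, probes_per_sec, space)


def prob_probed_within(seconds, scanners, probes_per_sec, space=IPV4_SPACE):
    """Probability that at least one probe arrives within `seconds`
    (Poisson arrivals: P = 1 - exp(-rate * t))."""
    rate = per_ip_probe_rate(scanners, probes_per_sec, space)
    return 1.0 - math.exp(-rate * seconds)


def scanners_needed(mean_interval_s, probes_per_sec, space=IPV4_SPACE):
    """Hosts scanning at probes_per_sec required so that every address is
    probed on average once per mean_interval_s seconds."""
    return math.ceil(space / (mean_interval_s * probes_per_sec))


def aggregate_bits_per_sec(scanners, probes_per_sec, probe_bytes=60):
    """Total probe traffic those scanners inject Internet-wide, assuming a
    60-byte SYN on the wire (constructed size). Note this is spread over
    every source network, not carried by a single provider."""
    return scanners * probes_per_sec * probe_bytes * 8


if __name__ == "__main__":
    # Constructed scenario: 100 000 infected hosts, 100 probes/s each.
    n, r = 100_000, 100
    print(f"per-address rate : {per_ip_probe_rate(n, r):.6f} probes/s")
    print(f"mean wait        : {expected_seconds_to_first_probe(n, r) / 60:.1f} min")
    print(f"P(probed in 60s) : {prob_probed_within(60, n, r):.3f}")
    print(f"/24 sees         : {block_probe_rate(256, n, r):.3f} probes/s")
    print(f"/16 sees         : {block_probe_rate(65536, n, r):.3f} probes/s")
    # What a 'once a minute at every address' claim would require under this model:
    need = scanners_needed(60, r)
    print(f"hosts for 1/min  : {need}")
    print(f"aggregate load   : {aggregate_bits_per_sec(need, r) / 1e9:.1f} Gbit/s")
```

With the constructed scenario the mean wait is about 7 minutes while a /16 sees roughly 150 probes a second, which is the sense in which both posters' quantities are right at once.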
 
I used "surfing" in a broad sense. The moment you connect your computer
to a network you're (to some extent) exposed to all other computers.
If your ISP does no extraordinary filtering, any attempt to contact
your computer will be transmitted. The moment you connect with your
ISP, you get an address and can be reached.


Hm. My above cited comment is a bit general. You can disable most (if
not all) *direct* ways to break-in. A good place to look is here:

www.ntsvcfg.de/ntsvcfg_eng.html

But I think, WinXP should at least have SP1 and (depending on the
installed software, used functionality,...) some additional fixes
before connecting it to the Internet. Look here (from a secure system,
of course) for requirements:

www.microsoft.com/technet/security/current.aspx

BeAr

That's very helpful, thanx for taking the time to write it.
 
That is correct. The moment you open a connection you are given an IP
number from the block owned by BSouth. Any computer can contact your
computer using this number. If you are lucky it will not happen but
some ISPs seem to attract more attacks than others. A firewall blocks
these attacks for the most part.

Well, shit, I knew that I have no idea where my brain went. I was so pissed
off...thanks, D.
 
What I now tell you is over-simplified and maybe also misleading in
some ways. But you may get to the gist of the problem this way:

Think of the Internet as conventional mail. (I'm *not* only talking
about email, at the moment!) People all over the world can send each
other mails, parcels, and packets. If someone wants to spread harm,
he sends letter-bombs to randomized or specially selected addresses.
The letter containing the bomb will be transported from post-office
to post-office until it reaches *your* post-office (BellSouth).

They look onto the envelope and bring the letter to your letterbox.
They only wouldn't do this, if you told them to *only deliver*
mail from certain originators or to check for some known letter-
bomb characteristics first (some proxy and filtering setups,
special closed ports). In all other cases, the letter will be
delivered.

If you took security precautions, the postman has to pass your dog
(a hardware firewall). That one may sniff the bomb and you're safe.
If not, the postman will try to put the letter in your box.

Fortunately, you have different letter-boxes for letters, parcels,
and packets (computer ports for Html-transport, Mail-transport,
Ftp-transport, and so on). If you don't await letters at the
moment, you may have closed the slit for letters, while the hole
for parcels and the other hole for packets still are opened.

Because the postman is only permitted to deliver each kind of
post to the correct box, you'd be safe again. But if you left the
letter box open, the letter-bomb gets into the box.

If the letter is very thick, the letter-box may not take another
letter (denial of service). Until this point, nothing *really*
terrible has happened.

But the architect of your house (Microsoft) tried to make you feel
*very* comfortable. So they added some kind of transportation to
some of your letter-boxes, which brings the content directly to
your breakfast-table.

Moreover, you bought a new/faster/better-looking means for transport
from do-it-yourself store (a program from another vendor), just the
other day. If such a connection (Microsoft or other vendor) is
directly connected to the letter-box (a service or process running
in your computer system) when the letter-bomb was delivered, then
you can only hope that it has a *working* letter-bomb detection.
(Else you are hacked/infected/...)

Of course, you may also have a dog indoor (software-firewall or
other anti-malware software). But indoor dogs are a bit tricky.
Some are mollycoddles and rather speed-up the delivering of the
letter-bomb than hindering it. Some are overstressed by the many
floors and steps of your house and therefore often come too late.

As difficult as it seems to prevent letter-bombs from appearing
on your table, as difficult you'll find a secure computer setup.
The most secure situation would be no communication with the
outside. But that's often not an option...

BeAr

This is the post of the year, BeAr, appreciate your time.
 