Worms versus Bots

The antivirus vendors are bemoaning the fact the Sasser worm has been
slow to spread. On the other hand, most of the vulnerable computers
seem to have already been taken over by one or more Bots days or weeks
before the worms arrived.

Other than the obvious, don't let a bot on get on your computer in
the first place, are there any opinions about the best anti-bot tools
for naive computer users? The major virus vendors seem to be having
a bit of trouble dealing with bots, frequently recommending manual
editing of files and use of regedit. There is also a much longer
delay between the apperance of a new bot and updates to antivirus
packages.

One of my concerns is that it's easy to download an anti-virus package which will most likely delete (it seems that unless it's a VBA macro virus the files can never be cleaned!) some of the 100% worm or virus files. The trojan programs, bots, and spyware stick around. It would be a wonderful program that scanned for and cleaned up BOTH virus and bot files...

Rob Nelson
ronelson@vt.edu

Sean Donelan wrote:

Other than the obvious, don't let a bot on get on your computer in
the first place, are there any opinions about the best anti-bot tools
for naive computer users? The major virus vendors seem to be having
a bit of trouble dealing with bots, frequently recommending manual
editing of files and use of regedit. There is also a much longer
delay between the apperance of a new bot and updates to antivirus
packages.

I personally stick with the BCP "backup, reformat and reinstall from your original media". That goes for worms and bots.

Just because a machine has a bot/worm/virus that didn't come with a rootkit, doesn't mean that someone else hasn't had their way with it.

Then again, I've seen businesses who had sensitive client financial data on compromised systems completely ignore this advice, so it's generally given without much hope, esp. where the stakes are lower.

Hi, NANOGers.

] Just because a machine has a bot/worm/virus that didn't come with a
] rootkit, doesn't mean that someone else hasn't had their way with it.

Agreed.

A growing trend in the "0wnage" category is the installation of
multiple bots on a single host. This isn't intentional, but a
result of the multiple infection vectors bots employ. Bot01
goes after open Win2K shares (TCP 445), and Bot02 comes along
and enters through Kuang2 (TCP 17300).

One of the more popular bots has at least 13 distinct scan and
sploit methods. WebDav, NetBios, MSSQL, Beagle, Kuang2, and
the list goes on.

The record I've seen thus far was a host with 14 distinct and
active bots on it. I'm guessing the LEDs on that cable modem
never blinked.

One bot, Coldlife, actually took advantage of this trend. It
would hunt for certain bot configuration files on the host it
infected, and report the contents to the Coldlife botherd.
Ka-ching, another botnet stolen. Things have evolved in a
distributed manner from this feature.

Thanks,
Rob.

ditto. i have some very specific memories of explaining to a CEO
who should have known better (an ex engineer) why we really
needed to "nuke the servers from orbit, it's the only way to be sure"
after an infestation at a startup some years back.

sigh,
  richard

] Just because a machine has a bot/worm/virus that didn't come with a
] rootkit, doesn't mean that someone else hasn't had their way with it.

Agreed.

Won't help. What's the first thing people do after re-installing
the operating system (still have all the original CDs and keys and
product activation codes and and and)?

Connect to the Internet to download the patches. Time to download patches
60+ minutes. Time to infection 5 minutes. Patches are Microsoft's
intellectual property and can not be distributed by anyone without
Microsoft's permission.

Ok, so you order Microsoft's patch CD. Unfortunately it only includes
patches through October 2003.

Microsoft is selling over 10 million Windows licenses every month.
Patches not included.

The record I've seen thus far was a host with 14 distinct and
active bots on it. I'm guessing the LEDs on that cable modem
never blinked.

The problem with Bots is they aren't always active. That makes them
difficult to find until they do something.

> ] Just because a machine has a bot/worm/virus that didn't come with a
> ] rootkit, doesn't mean that someone else hasn't had their way with it.
>
> Agreed.

Won't help. What's the first thing people do after re-installing
the operating system (still have all the original CDs and keys and
product activation codes and and and)? Connect to the Internet to
download the patches. Time to download patches 60+ minutes.
Time to infection 5 minutes.

Its possible its a problem on dialup, but in our ISP office I setup new
win2000 servers and first thing I do is download all the patches. I've yet
to see the server get infected in the 20-30 minutes it takes to finish it
(Note: I also disable IIS just in case until everything is patched..).

Similarly when settting up computers for several of my relatives (all
have dsl) I've yet to see any infection before all updates are installed.

Additional to that many users have dsl router or similar device and many
such beasts will provide NATed ip block and act like a firewall not
allowing outside servers to actually connect to your home computer.
On this point it would be really interested to see what percentage of
users actually have these routers and if decreasing speed of infections by
new virus (is there real numbers to show it decreased?) have anything to
do with this rather then people being more carefull and using antivirus.

Another option if you're really afraid of infection is to setup proxy that
only allows access to microsoft ip block that contains windows update servers

And of course, there is an even BETTER OPTION then all the above -
STOP USING WINDOWS and switch to Linux or Free(Mac)BSD !

Patches are Microsoft's
intellectual property and can not be distributed by anyone without
Microsoft's permission.

I don't think this is quite true. Microsoft makes available all patches as
indidual .exe files. There are quite many of these updates and its really
a pain to actually get all of them and install updates manually. But I've
never seen written anywhere that I can not download these .exe files and
distribute it inside your company or to your friends as needed to fix the
problems these patches are designed for.

The problem with Bots is they aren't always active. That makes them
difficult to find until they do something.

As opposed to what, viruses?
Not at all! Many viruses have period wjhen they are active and afterwards
they go into "sleep" mode and will not active until some other date!

Additionally bot that does not immediatly become active is good thing
because of you do weekly or monthly audits (any many do it like that) you
may well find it this way and deal with it at your own time, rather then
all over a sudden being awaken 3am and having to clean up infected system.

The folks at CAIDA can do the math, but it turns out many of the recent
worms have some interesting gaps in their address scanning routines.
There are some Internet address ranges scanned every few seconds, while
other address ranges may go weeks between scans. This is part of the
reason why "network telescope" estimates of how many infected computers
are so wrong. They assume a uniform distribution of worm scans and
infected computers.

I've seen "raw" Windows boxes connected to the Internet for 4 weeks
without being compromised. A watched honeypot never attracts the bear
I've also seen Windows boxes compromised during the boot process between
the time the network interface is enabled and XP's built-in firewall
being activated, less than 1 second.

Of course we still have the human factor. Some system compromises require
the user to save an attachment, rename the file, open the file, enter a
password, extract another file and then run it in order to compromise
the computer. Its amazing how many infected computers are behind
NAT/firewalls. Firewalls and antivirus help, but please when you
get a message from your ISP saying your computer is infected check
it out. Don't assume it can't happen to you just because.

I have not found an official Microsoft source for MD5 hashes of
Windows, so its difficult to find unknown stuff on your computer. There
are some third-party products which can do change monitoring of Windows.
But I agree with Rob Thomas and others, the only way to restore trust
in your Windows' system is to re-install from a known, good distribution.
Unfortunately, this is beyond the capabilities of many home (and even
office) users.

The frequency of scans is such that I'd say you have been lucky.

Some worms also weight scans by IP (ie they can the local /16 more than the
local /8 more than the /0).. in which case if you're a <large ISP> dialup
customer you stand a higher chance of infection

Steve

> Similarly when settting up computers for several of my relatives (all
> have dsl) I've yet to see any infection before all updates are installed.

The folks at CAIDA can do the math, but it turns out many of the recent
worms have some interesting gaps in their address scanning routines.
There are some Internet address ranges scanned every few seconds, while
other address ranges may go weeks between scans. This is part of the
reason why "network telescope" estimates of how many infected computers
are so wrong. They assume a uniform distribution of worm scans and
infected computers.

I think that their math is challenged in general - Sasser appears to
do TCP scanning of the entire multicast address range, which betrays a
lack of knowledge or concern about Internet routing.

Regards
Marshall Eubanks