How To Avoid Viruses At Windows Install Time?
reallocate writes "Can a home user install and update Windows without being attacked by a virus or worm? I'm a Linux user; have been since 1995. Recently, I needed to install Windows XP Pro on a home desktop machine with a Roadrunner cable connection. I tried twice. Both times, the machine was attacked and rendered unusable before I was able to pull down the first update from Windows Update." Read on for more details of what went wrong and when.
Here's a synopsis of my install method:
- Put the Windows XP CD in the drive;
- Disconnect the cable modem from the network card;
- Reboot and install Windows;
- The box remains off the net during the entire install: no registering, no setting up an ISP, no activation, no network configuration, no nothing. (BTW, the only networking component that I install is tcp/ip. All the other MS stuff never gets on the machine.)
- Reboot; Windows runs and all is well;
- Install the current version of Norton Internet Security Professional from a shrinkwrapped CD (firewall, anti-virus, etc.);
- Configure the Roadrunner net connection and reboot to pick up a DHCP lease;
- Launch the Norton update facility (per Norton's recommendation, the built-in XP firewall is turned off);
- Complete the Norton update and reboot;
- Launch Windows Update;
- Start to pull down Service Pack One; per Microsoft's instructions, all firewalls are turned off.
That's as far as I got. During the first attempt, I acquired a virus or worm before I could finish the Norton update (machine powered down). On the second attempt, I got as far as Windows Update and SP1 (continual rebooting).
So...how would you do it?"
Duh.
Perhaps actually turning on the firewall just might work. Windows is targeted at the average Joe. Microsoft doesn't want to incur the support costs of explaining to average Joe how firewalls work, so they suggest you keep it off.
If you've really been using Linux that long, you'd have a clue. Really, this submission just sounds like a troll...
It seems more likely you have a dodgy connection or an overheating problem than a virus there. Did you detect a virus with Norton, or are the shutdowns/reboots all you base this on?
Barring the fact that I don't believe you when you say that you get viruses over the 20 minutes that it takes to download and install the patches, the fix is simple: get some sort of router/firewall combo, or install a soft firewall before doing the update.
Alternatively, shut down all the services so that you have nothing listening, but if you're too lazy to do that, go out and spend $40 on a Netgear router and voila, you're safe from that crap.
You could also download it from your Linux machine, and then do the whole installation offline.
Or better yet, use a Morphix boot CD. You should be able to download the patches for Welchia et al. directly (not using Windows Update), then reboot without the network cable in, patch, reboot, and you should be able to get the other less critical updates without being infected by RPC viruses.
I'm putting XP on my laptop next to me right now actually. I think it is pretty safe because a) it is connected to the net using NAT, not directly to the modem and b) I slipstreamed SP1 into my XP CD, so that when I install it I'm already at SP1 level. See here for instructions (that's win2k, but same for winxp of course). And I dunno why you'd bother with Norton Anything quite frankly. Maybe you can just buy a cheap router doing NAT and put it between the modem and computer while you get updates.
I'll second this. Turning on the built-in firewall in XP will stop Blaster from infecting the machine. Pretty much: unplug from the network, install XP, turn on the built-in firewall and hit Windows Update until you get all the patches.
With Windows 2000 however, it gets fun since there is no built in firewall for that. You can use zonealarm to block the virus traffic, or you can use a Router/Firewall to block traffic. I know you can set IP security policies in windows 2000 without downloading anything but I never tried it on a machine that was unpatched and able to be infected.
Excellent article. And this is the number one article on the sans.org reading list. ... Couldn't help noticing number three with its provocative title: Penetration 101.
Buy a LinkSys cable/dsl router for $50, which includes a firewall (if you can't afford a Cisco Pix). I've never had anything get through to any Windows box I was installing up to the point I got it completely updated.
No one should have any Windows box directly on a cable/dsl line anyway.
" Start to pull down Service Pack One; per Microsoft's instructions, all firewalls are turned off."
Firewall is on before I connect to my cable modem if you're going to be DUMB enough to connect it without a hardware firewall protecting the machine. Get an intermediary device like a Linksys or Netgear router, and now you don't have to worry about it. And seriously. Don't install your AV until AFTER you've installed all your updates. You're only complicating the registry before it needs to be.
Seriously, is Slashdot a "News for Nerds", or "HOWTOs for N00bs"? Some of these questions would be better handled by Google and half a brain about networking.
How do you get them? All the RPC worms which currently afflict unpatched Windows NT-based OSes, that's how. These worms do network sweeps and will find a vulnerable machine anywhere from a few seconds to a few minutes, depending on the size of your network.
I recall one particular instance at work where an outside laptop that was infected got plugged into the network (our network has about 2000 various boxes connected to it). Our security team got alerted by our intrusion detection systems and was on the way to whack the offending user with a clue stick and unplug the laptop. Too late....
During that time I had just finished ghosting a machine with SP4 integrated into the build. In only a matter of a minute or two the new box I was working on became infected and started doing net sweeps of its own (the whole process of infection was done silently, of course). I don't doubt the tales of machines becoming infected in a very short period of time, given the rate of infection with RPC-based worms, because I have seen it. All it takes is one rogue machine to infect the other boxes it can talk to.
There's really no such thing as a hardware firewall. All hardware firewalls are in fact software firewalls running on a piece of hardware, just like all software firewalls do. Perhaps a better restatement of your point is to say that you should use a separate non-Windows-based firewall rather than one which is installed locally on the Windows machine. Personally I use a Sparc/Linux box for this, but you can have good results just using a Netgear NAT box or something. NAT is the ultimate home firewall anyway; just don't start routing inbound ports through it to your PC and you're gtg.
Here's a snippet of the log from my Linksys router. The timestamp is hours:minutes:seconds. XXX.XXX.XXX.XXX is my WAN address (redacted), an East Coast Verizon DSL line. Port 445 is probably being targeted by W32.Sasser.
Sixteen attempts in 3 minutes and 12 seconds.
A couple of things are interesting about this log excerpt. First, there are no attempts from the 141.154.* netblock (where my WAN address resides). Second, I usually see a number of different ports listed (139, 1025, 1026, 1080, 3129, 5000), from both viruses and people probing for open proxies. Then again, it's Sunday night. I've noticed that virus traffic is higher during business hours in the US.
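The log snippet itself did not survive on this page, but the kind of tally the poster did by hand (attempts over a time span, which ports, whether any came from the home netblock) is easy to script. The following is an added example, not the poster's log or code: the line format is an assumption loosely modelled on consumer-router "drop" entries, and the log lines are constructed sample data.

```python
"""Tally inbound connection attempts from a consumer-router log.

Added example, not from the original thread.  ASSUMPTION: each line is
'HH:MM:SS DROP src:sport -> dst:dport'; the lines in SAMPLE_LOG are
CONSTRUCTED, not a real capture.
"""
import re
from collections import Counter
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample data; XXX.XXX.XXX.XXX stands in for the WAN address.
SAMPLE_LOG = """\
21:02:11 DROP 24.61.8.19:3071 -> XXX.XXX.XXX.XXX:445
21:02:15 DROP 68.9.140.22:1933 -> XXX.XXX.XXX.XXX:445
21:02:40 DROP 141.154.77.3:4410 -> XXX.XXX.XXX.XXX:445
21:02:58 DROP 210.55.1.9:2212 -> XXX.XXX.XXX.XXX:135
21:03:05 DROP 24.61.8.19:3090 -> XXX.XXX.XXX.XXX:445
21:03:22 DROP 81.2.3.4:1040 -> XXX.XXX.XXX.XXX:1025
21:03:41 DROP 68.9.140.22:1944 -> XXX.XXX.XXX.XXX:445
21:04:09 DROP 24.61.8.19:3102 -> XXX.XXX.XXX.XXX:445
"""

LINE_RE = re.compile(
    r"^(\d\d:\d\d:\d\d)\s+DROP\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)$")

# Ports the 2003-2004 worm families swept: Blaster/Welchia hit TCP 135
# (DCOM RPC), Sasser hit TCP 445 (LSASS), 139 is NetBIOS session.
WORM_PORTS = {135: "DCOM RPC (Blaster/Welchia)", 139: "NetBIOS session",
              445: "SMB/LSASS (Sasser)"}


def parse_log(text):
    """Return a list of {'time', 'src', 'dport'} dicts, skipping junk lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "time": datetime.strptime(m.group(1), "%H:%M:%S"),
            "src": m.group(2),
            "dport": int(m.group(5)),
        })
    return events


def summarize(events, home_netblock):
    """Count attempts, the wall-clock span they cover, attempts per port,
    repeat sources, and how many came from the router's own netblock."""
    if not events:
        return {"count": 0, "span_seconds": 0, "per_minute": 0.0,
                "by_port": Counter(), "by_src": Counter(), "from_home": 0}
    span = events[-1]["time"] - events[0]["time"]
    if span < timedelta(0):          # log crossed midnight
        span += timedelta(days=1)
    span_s = int(span.total_seconds())
    home = ip_network(home_netblock)
    return {
        "count": len(events),
        "span_seconds": span_s,
        "per_minute": round(len(events) / (span_s / 60), 2) if span_s else 0.0,
        "by_port": Counter(e["dport"] for e in events),
        "by_src": Counter(e["src"] for e in events),
        "from_home": sum(ip_address(e["src"]) in home for e in events),
    }


def worm_port_hits(summary):
    """Subset of the per-port tally that lands on known worm-swept ports."""
    return {p: n for p, n in summary["by_port"].items() if p in WORM_PORTS}


if __name__ == "__main__":
    s = summarize(parse_log(SAMPLE_LOG), "141.154.0.0/16")
    print(f"{s['count']} attempts in {s['span_seconds']} s "
          f"({s['per_minute']}/min); {s['from_home']} from the home /16")
    for port, n in worm_port_hits(s).items():
        print(f"  tcp/{port} {WORM_PORTS[port]}: {n}")
```

Run against the constructed sample it reports 8 attempts in 118 seconds, six of them on 445; against a real log you would swap in the router's actual line format and your own WAN netblock.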
EXCEPT that the stupid XP firewall service is not started when the interface is started. You have your ass in the wind every time the machine boots.
There isn't if you don't have a cd burner and you live out in the middle of nowhere (as she does now).
I'm going to end up having to mail her a patch cd, which is really pretty stupid when you think about it.
It's not as incredible as it might seem. I use a Mac for my day-to-day operations, so I don't get virii or trojans or worms, but I do keep a Windows laptop around; I usually only use it when I'm travelling on the road or the Mac breaks down. Well, my cable modem was out for about 24 hours, so I decided to take the laptop for a spin earlier this month, connecting to my ISP through the phone line. This, of course, bypasses the router I usually keep the Windows computer on. Without exaggeration, the computer got attacked by the Sasser worm within two minutes. PC-cillin caught it, but not before it did some damage. I didn't think much of it, and I was back on the Mac within days and let the computer go through a reformat.
A few days later, my girlfriend's computer starts having problems. Basically, the guy who put it together was a whiz with the hardware but messed up on several software-related issues: he didn't install service packs, and he even got the partition table wrong (over 2/3rds of the hard drive was unpartitioned; my girlfriend was using 40 gigs of a 120 gig drive). So, we decide to reformat and install Windows XP. Now, I'm part of a university which has a licence to software, so I can just download stuff like antivirus programs and firewalls. I decide to download the antivirus first, then Spybot, then the service packs, then the hotfixes... big mistake. After waiting hours to do a complete reformat and another couple of hours tinkering with it to get it to work right, Windows XP reboots unexpectedly, then keeps rebooting. I know *exactly* what this is, but the only way to fix it is a reformat, which means that we're going to get hit with the same problems again as soon as it comes online; we have to go online to download the patches... gah! Eventually, we drove back to my place, used my Macintosh to download all the patches and hotfixes and what have you, and we made sure to install the firewall -first-.
The firewall did the trick, of course, and we were able to get it going. I had to explain to my girlfriend how to *use* the firewall, but considering the alternative, she was very pleased. But the fact that this can happen is completely insane! When the hell will Microsoft fix their operating system? Viruses have gotten progressively worse and more destructive over the past couple of years - and Longhorn is WAY too far away from release (not that I'd want all the DRM crap on it anyway) If it wasn't for the fact that games usually don't work on Linux, I'd have told my girlfriend just to switch over that day...
You're being awfully pedantic there. Yes, technically the updates to Linux (i.e. the kernel) are small. However, I'm sure if you just patch kernel32.exe or whatever the binaries for the kernel under windows are, the updates would be small too.
A system consisting of just the kernel and a few command line tools would be awfully boring and not a particularly fair comparison.
By "Linux" I'm referring to the kernel itself, along with X and the base applications that come along with gnome or KDE. Installing a distro with the base set of libraries, GUI, window manager, apps, etc that give a reasonable approximation of what you get with windows (no gimp, no koffice, etc) will require a considerable amount of downloading of patches if it's as old as XP.
For the most part, people don't realize there are other options. (Check any number of previous /. discussions.) In certain instances they don't know they have other options. Dell/HP/Compaq/Gateway don't offer Linux. They tell you they include Windows.
In other cases they literally do NOT have a choice. My brother-in-law is headed to medical school. He was presented with a list of requirements for his computer. One of those is that the computer have Windows XP Professional installed. Half of the requirements are to prevent the students' computers from bringing down the school's network. All of those could be met by using a Mac or installing Linux. Neither is presented as an option. It will take considerably more effort on my brother-in-law's part to find out if he can use a Linux computer than it would to just click on the "purchase here" link.
I've strongly suggested that he make the effort to see if he can use Linux and avoid having to purchase the software they recommend (which costs more than the hardware). However, he isn't so interested in that effort or the effort that might be required in running a Linux box.
I have no question why he thinks his only option is a Windows computer. He wants to be a physical therapist, not a computer expert.
Paul
The easiest way is to turn on the Windows XP firewall before you plug in the network/cable/dsl wire.
* Install Windows
* Install network drivers
* TURN ON FIREWALL on the external connection
* Plug in and dial the 'net
* Run through Windows Update
* (At your discretion) turn the firewall off again.
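Both the "shut down all the services so that you have nothing listening" advice above and the "turn on the firewall before you plug the cable in" procedure just listed rest on the same pre-flight check: confirm that the box does not accept connections on the ports the RPC/SMB worms sweep before it can see the modem. The following is an added example, not the poster's code or a Microsoft tool. Run against 127.0.0.1 it tells you whether the services are listening at all (the XP firewall does not filter loopback, so a clean result here means the service is off, not that the firewall is on); run from the poster's Linux box against the XP machine's LAN address, it tells you whether the firewall or NAT box is actually blocking them. The port list and the 0.5 s timeout are assumptions.

```python
"""Pre-flight exposure check for the worm-swept ports (added example,
not from the original thread).  ASSUMPTIONS: the ports below are the
ones that matter (Blaster/Welchia -> TCP 135, Sasser -> TCP 445, NetBIOS
-> TCP 139) and 0.5 s is long enough for a LAN connect."""
import socket

WORM_PORTS = {
    135: "DCOM RPC (Blaster, Welchia)",
    139: "NetBIOS session",
    445: "SMB/LSASS (Sasser)",
}


def port_accepts(host, port, timeout=0.5):
    """True if a TCP connect to host:port completes (something answered)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:          # refused, timed out, unreachable
            return False


def check_exposure(host="127.0.0.1", ports=WORM_PORTS):
    """Map each port to whether it accepted a connection from `host`'s
    point of view.  Point `host` at the XP box's LAN address from another
    machine to test the firewall rather than just the service state."""
    return {port: port_accepts(host, port) for port in ports}


def is_safe_to_connect(exposure):
    """Only plug the cable in when nothing answered on any swept port."""
    return not any(exposure.values())


def report(host="127.0.0.1", ports=WORM_PORTS):
    exposure = check_exposure(host, ports)
    for port, open_ in exposure.items():
        label = ports.get(port, "")
        print(f"{host}:{port:<5} {'OPEN' if open_ else 'closed':<6} {label}")
    verdict = "ok to connect" if is_safe_to_connect(exposure) else \
        "DO NOT plug in the cable yet"
    print(verdict)
    return exposure


if __name__ == "__main__":
    import sys
    report(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1")
```

Usage: `python exposure_check.py` on the box itself, or `python exposure_check.py 192.168.1.10` from the Linux machine once the XP box has its LAN address; only when every line reads `closed` is the box ready to fetch updates.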
Mod parent up. I don't understand why this guy simply didn't use the XP firewall and be done with it. It would've worked better, and he wouldn't have had to install Norton BS. Plus, in step 11 HE TURNS ALL FIREWALLS OFF. Of course he's getting infected. I don't think many people have pointed that out, but he got infected because he turned off the damn firewall like an idiot. Reading MS's line on the subject: here, they say to turn off ANTIVIRUS, not firewall. So he probably turned off all of NISP, not just the AV portion.