Slashdot Mirror


How To Avoid Viruses At Windows Install Time?

reallocate writes "Can a home user install and update Windows without being attacked by a virus or worm? I'm a Linux user; have been since 1995. Recently, I needed to install Windows XP Pro on a home desktop machine with a Roadrunner cable connection. I tried twice. Both times, the machine was attacked and rendered unusable before I was able to pull down the first update from Windows Update." Read on for more details of what went wrong and when.

Here's a synopsis of my install method:

  1. Put the Windows XP CD in the drive;
  2. Disconnect the cable modem from the network card;
  3. Reboot and install Windows;
  4. The box remains off the net during the entire install: no registering, no setting up an ISP, no activation, no network configuration, no nothing. (BTW, the only networking component that I install is tcp/ip. All the other MS stuff never gets on the machine.)
  5. Reboot; Windows runs and all is well;
  6. Install the current version of Norton Internet Security Professional from a shrinkwrapped CD (firewall, anti-virus, etc.);
  7. Configure the Roadrunner net connection and reboot to pick up a DHCP lease;
  8. Launch the Norton update facility (per Norton's recommendation, the built-in XP firewall is turned off);
  9. Complete the Norton update and reboot;
  10. Launch Windows Update;
  11. Start to pull down Service Pack One; per Microsoft's instructions, all firewalls are turned off.

That's as far as I got. During the first attempt, I acquired a virus or worm before I could finish the Norton update (machine powered down). On the second attempt, I got as far as Windows Update and SP1 (continual rebooting).

So...how would you do it?"

15 of 833 comments

  1. Use NAT by hkb · Score: 4, Interesting

    Duh.

    Perhaps also turning on the firewall just actually might work. Windows is targeted for the average Joe. Microsoft doesn't want to have to incur the support costs of explaining to average Joe how firewalls work, so they suggest you keep it off.

    If you've really been using Linux that long, you'd have a clue. Really, this submission just sounds like a troll...

    --
    /* Moderating all non-anonymous trolls up since 2004 */
  2. Re:If you can stand waiting... by phorm · Score: 4, Interesting

    You could also download it from your Linux machine, and then do the whole installation offline.

    Or better yet, use a morphix bootCD. You should be able to download the patches to Welchia et al directly (not using windows update), then reboot w/o the network cable in, patch, reboot, and you should be able to get the other less critical updates without being infected by RPC viruses.

  3. Re:Simple, Get an external Router. by tomakaan · Score: 4, Interesting

    I definitely believe him. I've seen it happen all the time. My situation may be unique since I'm on a large college network, but I've seen blaster/welchia/gaobot/sasser infect a machine in a quarter of that time without the proper Windows Updates.

  4. i'm installing right now... by phrasebook · Score: 5, Interesting

    I'm putting XP on my laptop next to me right now actually. I think it is pretty safe because a) it is connected to the net using NAT, not directly to the modem and b) I slipstreamed SP1 into my XP CD, so that when I install it I'm already at SP1 level. See here for instructions (that's win2k, but same for winxp of course). And I dunno why you'd bother with Norton Anything quite frankly. Maybe you can just buy a cheap router doing NAT and put it between the modem and computer while you get updates.

  5. Re:Simple, Get an external Router. by Qzukk · Score: 3, Interesting

    I don't believe you when you say that you get viruses over the 20 minutes that it takes

    Aside from the terminology, consider that at the peak of infection, many Nimda attacks were being logged EVERY SECOND by logging machines set up for capturing and monitoring attacks. Slammer was scanning 55 million hosts PER SECOND. These things just pick random addresses and spit data out. If you haven't been getting any of these hits then either you're behind a firewall, or you're less random than the rest of the internet.

    20 minutes is a long time to go without protection in computer time, especially on today's wild west of an internet.

    Agreed though, the questioner should have just gone and gotten a firewall (or used one of his linux machines). I've never seen anything on windows update suggest that I turn off my firewall.

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
  6. Re:Simple, Get an external Router. by kevlar · Score: 4, Interesting

    Actually.... judging by my router logs, I can believe it now...

    Sunday, June 20, 2004 20:12:54 Unrecognized access from 24.164.33.43:9118 to UDP port 1026
    Sunday, June 20, 2004 20:16:48 Unrecognized access from 218.88.103.123:3822 to TCP port 1025
    Sunday, June 20, 2004 20:16:51 Unrecognized access from 218.88.103.123:3822 to TCP port 1025
    Sunday, June 20, 2004 20:16:57 Unrecognized access from 218.88.103.123:3822 to TCP port 1025
    Sunday, June 20, 2004 20:21:46 Unrecognized access from 195.250.112.73:35973 to TCP port 443
    Sunday, June 20, 2004 20:22:18 Unrecognized access from 222.183.185.252:3881 to TCP port 1025
    Sunday, June 20, 2004 20:22:21 Unrecognized access from 222.183.185.252:3881 to TCP port 1025
    Sunday, June 20, 2004 20:22:27 Unrecognized access from 222.183.185.252:3881 to TCP port 1025
    Sunday, June 20, 2004 20:31:26 Unrecognized access from 193.227.0.37:3365 to UDP port 1434
    Sunday, June 20, 2004 20:45:50 Unrecognized access from 24.164.31.171:8860 to UDP port 1026

  7. Re:Windows XP: Surviving the First Day by eltoyoboyo · Score: 4, Interesting

    Excellent article. And this is the number one article on the sans.org reading list. ... Couldn't help noticing number three with its provocative title: Penetration 101.

    --
    Have you Meta Moderated t
  8. I don't give a DAMN what Microsoft says. by grioghar · Score: 3, Interesting

    " Start to pull down Service Pack One; per Microsoft's instructions, all firewalls are turned off."

    Firewall is on before I connect to my cable modem if you're going to be DUMB enough to connect it without a hardware firewall protecting the machine. Get an intermediary device like a Linksys or Netgear router, and now you don't have to worry about it. And seriously. Don't install your AV until AFTER you've installed all your updates. You're only complicating the registry before it needs to be.

    Seriously, is Slashdot a "News for Nerds", or "HOWTOs for N00bs"? Some of these questions would be better handled by Google and half a brain about networking.

    --
    Can you ping me now? Gooood! | Manhappenin.Net - Things to do
  9. Re:Simple, Get an external Router. by ScrewMaster · Score: 4, Interesting

    My firewall logs show that I get worm propagation attempts at a significant rate, sometimes dozens per second (you can hear the drive in my firewall machine chattering when that happens.) Mind you, I'm on Comcast and there's a bunch of machines on my subnet that are infected as hell (I've reported this to Comcast, but the same IPs keep showing up, sometimes with attempts from multiple worms!) but I have no problem believing that this dude got infected in twenty minutes. I'm surprised it took even that long. Last year, my cousin hooked up her Win2K box to her brand, spanking new cable modem. After two or three minutes, a console window popped up and she watched some nut case typing in "SECEDIT" trying to guess her admin password. Things happen FAST nowadays.

    --
    The higher the technology, the sharper that two-edged sword.
  10. Re:Odd by Patoski · Score: 3, Interesting

    How do you get them? All the RPC worms which currently afflict unpatched Windows NT based OSes is how. These worms do network sweeps and will find a vulnerable machine anywhere from a few seconds to a few minutes depending on the size of your network.

    I recall one particular instance at work where an outside laptop that was infected got plugged into the network (our network has about 2000 various boxes connected to it). Our security team got alerted by our intrusion detection systems and was on the way to whack the offending user with a clue stick and unplug the laptop. Too late....

    During that time I had just finished ghosting a machine with SP4 integrated into the build. In only a matter of a minute or two the new box I was working on became infected and started doing net sweeps of its own (the whole process of infection was done silently of course). I don't doubt the tales of machines becoming infected in a very short period of time given the rate of infection with RPC based worms because I have seen it. All it takes is one rogue machine to infect other boxes it can talk to.

    --
    G. Washington on Government "it is force. Like fire, it is a dangerous servant and a fearful master."
  11. Re:RTFQ by photon317 · Score: 4, Interesting
    There's really no such thing as a hardware firewall. All hardware firewalls are in fact software firewalls running on a piece of hardware, just like all software firewalls do. Perhaps a better re-statement of your point is to say that you should use a separate non-windows-based firewall rather than one which is installed locally on the windows machine. Personally I use a Sparc/Linux box for this, but you can have good results just using a netgear nat box or something. NAT is the ultimate home firewall anyways, just don't start routing inbound ports through it to your PC and you're gtg.

    --
    11*43+456^2
  12. Re:Odd by ktakki · Score: 4, Interesting

    How do you get these worms? This sounds incredulous...

    Here's a snippet of the log from my Linksys router:
    00:00:26 TCP from 200.63.154.32:4927 to XXX.XXX.XXX.XXX:445
    00:00:29 TCP from 68.219.231.103:2712 to XXX.XXX.XXX.XXX:445
    00:00:29 TCP from 200.63.154.32:4927 to XXX.XXX.XXX.XXX:445
    00:00:32 TCP from 68.219.231.103:2712 to XXX.XXX.XXX.XXX:445
    00:00:42 TCP from 68.144.136.248:3225 to XXX.XXX.XXX.XXX:445
    00:00:59 TCP from 81.185.113.170:3646 to XXX.XXX.XXX.XXX:445
    00:01:36 TCP from 68.144.169.29:2873 to XXX.XXX.XXX.XXX:445
    00:01:52 TCP from 4.41.255.6:3139 to XXX.XXX.XXX.XXX:445
    00:02:07 TCP from 200.223.92.184:4958 to XXX.XXX.XXX.XXX:445
    00:02:08 TCP from 68.94.121.110:3927 to XXX.XXX.XXX.XXX:445
    00:02:10 TCP from 200.223.92.184:4958 to XXX.XXX.XXX.XXX:445
    00:02:11 TCP from 68.94.121.110:3927 to XXX.XXX.XXX.XXX:445
    00:02:19 TCP from 81.218.207.145:4814 to XXX.XXX.XXX.XXX:445
    00:02:28 TCP from 80.198.29.151:4015 to XXX.XXX.XXX.XXX:445
    00:02:48 TCP from 63.230.237.96:3181 to XXX.XXX.XXX.XXX:445
    00:03:00 TCP from 209.50.93.166:4294 to XXX.XXX.XXX.XXX:445
    00:03:12 TCP from 24.80.105.49:2350 to XXX.XXX.XXX.XXX:445

    The timestamp is hours:minutes:seconds. XXX.XXX.XXX.XXX is my WAN address (redacted), an East Coast Verizon DSL line. Port 445 is probably being targeted by W32.Sasser.

    Sixteen attempts in 3 minutes and 12 seconds.

    A couple of things are interesting about this log excerpt. First, there are no attempts from the 141.154.* netblock (where my WAN address resides). Second, I usually see a number of different ports listed (139, 1025, 1026, 1080, 3129, 5000), from both viruses and people probing for open proxies. Then again, it's Sunday night. I've noticed that virus traffic is higher during business hours in the US.

    k.
    --
    "In spite of everything, I still believe that people are really good at heart." - Anne Frank
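The router logs quoted by kevlar (comment 6) and ktakki (comment 12) are exactly the kind of evidence a home user can use to check whether a NAT box is absorbing worm scans before a fresh install goes online. The script below is an added example, not code from either poster: it parses both log formats as they appear in the thread, counts hits per protocol/port (labelling TCP 445 as Sasser only because ktakki guesses so, and UDP 1434 as SQL Slammer's port), counts distinct sources and hits from the reader's own netblock, and reports the span between first and last hit. The sample lines are constructed subsets of the two posted logs; the regexes describe the posted lines, not any vendor's log specification.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed subsets of the two router logs quoted in this thread (kevlar's
# and ktakki's); the formats are taken from the posts, not from vendor docs.
KEVLAR_SAMPLE = """\
Sunday, June 20, 2004 20:12:54 Unrecognized access from 24.164.33.43:9118 to UDP port 1026
Sunday, June 20, 2004 20:16:48 Unrecognized access from 218.88.103.123:3822 to TCP port 1025
Sunday, June 20, 2004 20:31:26 Unrecognized access from 193.227.0.37:3365 to UDP port 1434
"""
KTAKKI_SAMPLE = """\
00:00:26 TCP from 200.63.154.32:4927 to XXX.XXX.XXX.XXX:445
00:00:29 TCP from 68.219.231.103:2712 to XXX.XXX.XXX.XXX:445
00:02:07 TCP from 200.223.92.184:4958 to XXX.XXX.XXX.XXX:445
00:03:12 TCP from 24.80.105.49:2350 to XXX.XXX.XXX.XXX:445
"""
LONG_FMT = re.compile(r"^\w+, (\w+ \d+, \d{4} \d\d:\d\d:\d\d) Unrecognized access from "
                      r"([\d.]+):\d+ to (TCP|UDP) port (\d+)")
SHORT_FMT = re.compile(r"^(\d\d:\d\d:\d\d) (TCP|UDP) from ([\d.]+):\d+ to \S+:(\d+)")

# Ports the thread ties to named worms: ktakki guesses TCP 445 is Sasser;
# UDP 1434 is the SQL Slammer port (Slammer is the worm Qzukk cites).
KNOWN = {("TCP", 445): "Sasser", ("UDP", 1434): "SQL Slammer"}

def parse_line(line):
    """Return (seconds since midnight, proto, source ip, dest port) or None."""
    m = LONG_FMT.match(line)
    if m:
        t = datetime.strptime(m.group(1), "%B %d, %Y %H:%M:%S")
        return t.hour * 3600 + t.minute * 60 + t.second, m.group(3), m.group(2), int(m.group(4))
    m = SHORT_FMT.match(line)
    if m:
        h, mi, s = (int(x) for x in m.group(1).split(":"))
        return h * 3600 + mi * 60 + s, m.group(2), m.group(3), int(m.group(4))
    return None  # unrecognised line, skipped by summarize()

def summarize(log_text, own_prefix):
    """Hits per proto/port, distinct sources, hits from the user's own netblock
    (the check ktakki makes) and the seconds between first and last hit."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    by_port = {f"{proto}/{port} {KNOWN.get((proto, port), 'unattributed')}": n
               for (proto, port), n in Counter((e[1], e[3]) for e in events).items()}
    times = [e[0] for e in events]
    return {"hits": len(events), "by_port": by_port,
            "sources": len({e[2] for e in events}),
            "from_own_netblock": sum(e[2].startswith(own_prefix) for e in events),
            "span_seconds": (max(times) - min(times)) if times else 0}

if __name__ == "__main__":
    print(summarize(KTAKKI_SAMPLE, "141.154."))
    print(summarize(KEVLAR_SAMPLE, "24.164."))
```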
  13. Re:Easy by caffeineboy · Score: 3, Interesting

    EXCEPT that the stupid XP firewall service is not started when the interface is started. You have your ass in the wind every time the machine boots.

    --
    +++ ATH0 +++
  14. Re:If you can stand waiting... by jonfelder · Score: 4, Interesting

    You're being awfully pedantic there. Yes, technically the updates to Linux (i.e. the kernel) are small. However, I'm sure if you just patch kernel32.exe or whatever the binaries for the kernel under windows are, the updates would be small too.

    A system consisting of just the kernel and a few command line tools would be awfully boring and not a particularly fair comparison.

    By "Linux" I'm referring to the kernel itself, along with X and the base applications that come along with gnome or KDE. Installing a distro with the base set of libraries, GUI, window manager, apps, etc that give a reasonable approximation of what you get with windows (no gimp, no koffice, etc) will require a considerable amount of downloading of patches if it's as old as XP.

  15. Re:This is exactly how to do it. by phasm42 · Score: 3, Interesting

    Mod parent up. I don't understand why this guy simply didn't use the XP firewall and be done with it. It would've worked better, and he wouldn't have had to install Norton BS. Plus, in step 11 HE TURNS ALL FIREWALLS OFF. Of course he's getting infected. I don't think many people have pointed that out, but he got infected because he turned off the damn firewall like an idiot. Reading MS's line on the subject: here, they say to turn off ANTIVIRUS, not firewall. So he probably turned off all of NISP, not just the AV portion.

    --
    "No one likes working in a hamster wheel, and your shop smells of cedar shavings from here." - TaleSpinner