Slashdot Mirror


How To Avoid Viruses At Windows Install Time?

reallocate writes "Can a home user install and update Windows without being attacked by a virus or worm? I'm a Linux user; have been since 1995. Recently, I needed to install Windows XP Pro on a home desktop machine with a Roadrunner cable connection. I tried twice. Both times, the machine was attacked and rendered unusable before I was able to pull down the first update from Windows Update." Read on for more details of what went wrong and when.

Here's a synopsis of my install method:

  1. Put the Windows XP CD in the drive;
  2. Disconnect the cable modem from the network card;
  3. Reboot and install Windows;
  4. The box remains off the net during the entire install: no registering, no setting up an ISP, no activation, no network configuration, no nothing. (BTW, the only networking component that I install is TCP/IP. All the other MS stuff never gets on the machine.)
  5. Reboot; Windows runs and all is well;
  6. Install the current version of Norton Internet Security Professional from a shrinkwrapped CD (firewall, anti-virus, etc.);
  7. Configure the Roadrunner net connection and reboot to pick up a DHCP lease;
  8. Launch the Norton update facility (per Norton's recommendation, the built-in XP firewall is turned off);
  9. Complete the Norton update and reboot;
  10. Launch Windows Update;
  11. Start to pull down Service Pack One; per Microsoft's instructions, all firewalls are turned off.

That's as far as I got. During the first attempt, I acquired a virus or worm before I could finish the Norton update (machine powered down). On the second attempt, I got as far as Windows Update and SP1 (continual rebooting).

So...how would you do it?"
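A check worth running between steps 6 and 7 of the procedure above, added here by the editor and not part of reallocate's post: before the XP box is handed a public address, probe it from another machine on the same LAN (the Linux box, say) for the ports that the router logs later in this thread show being hammered, and confirm they are closed or filtered. The port list and its annotations are the editor's; the host address used in the usage note (192.168.1.50) is made up, and the `loopback_demo()` function exists only so the script can run offline against 127.0.0.1.

```python
"""Probe a freshly installed box, from another host on the same LAN, for the
ports worms were hitting in the thread's router logs.  Added example; not
code from the thread."""
import errno
import socket
from typing import Dict, List, Tuple

# Ports seen in the router logs quoted in the thread (445, 1025, 1026/udp,
# 1434/udp, 139) plus 135/tcp, the RPC endpoint mapper the "RPC viruses"
# (Blaster, Welchia) spread through.  Annotations are the editor's.
WORM_PORTS: List[Tuple[str, int, str]] = [
    ("tcp", 135, "RPC endpoint mapper"),
    ("tcp", 139, "NetBIOS session"),
    ("tcp", 445, "SMB over TCP"),
    ("tcp", 1025, "RPC dynamic port"),
    ("udp", 1026, "Messenger service"),
    ("udp", 1434, "SQL Server resolution"),
]

def tcp_state(host: str, port: int, timeout: float = 1.0) -> str:
    """'open' if the handshake completes, 'closed' on an RST (ECONNREFUSED),
    otherwise 'filtered': the SYN was dropped by a firewall or NAT box."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        rc = s.connect_ex((host, port))
    if rc == 0:
        return "open"
    if rc == errno.ECONNREFUSED:
        return "closed"
    return "filtered"

def udp_state(host: str, port: int, timeout: float = 1.0) -> str:
    """UDP has no handshake: 'closed' only if ICMP port-unreachable comes back
    (surfaces as ECONNREFUSED on a connected socket), 'open' if the service
    answered, else 'open|filtered' because silence proves nothing."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        s.send(b"\x00")
        try:
            s.recv(1)
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "open|filtered"

def exposure(host: str, targets=WORM_PORTS, timeout: float = 1.0) -> Dict[str, str]:
    """Map 'proto/port' to the observed state for every target."""
    report = {}
    for proto, port, _ in targets:
        probe = tcp_state if proto == "tcp" else udp_state
        report[f"{proto}/{port}"] = probe(host, port, timeout)
    return report

def exposed(report: Dict[str, str]) -> List[str]:
    """Ports that must not be answering before the box meets the cable modem."""
    return [k for k, v in report.items() if v == "open"]

def loopback_demo() -> Dict[str, str]:
    """Offline demonstration: one listening and one unbound TCP port on
    127.0.0.1 should come back as 'open' and 'closed' respectively."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    open_port = srv.getsockname()[1]
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()  # port is now free, so a SYN to it draws an RST
    try:
        report = exposure("127.0.0.1", [("tcp", open_port, "listener"),
                                        ("tcp", closed_port, "nothing")])
    finally:
        srv.close()
    return {"listening": report[f"tcp/{open_port}"],
            "unbound": report[f"tcp/{closed_port}"]}

if __name__ == "__main__":
    print(loopback_demo())
```

Run it as `exposure("192.168.1.50")` (a made-up private address for the XP box) from the Linux machine while the two are cabled together behind a NAT box or a crossover cable. A bare XP install with file sharing or the Messenger service running will show tcp/445 and udp/1026 as open; the state you want to see on every line before step 7 is "closed" or "filtered", and "filtered" is exactly what a NAT router or an enabled host firewall produces.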

10 of 833 comments

  1. Use NAT by hkb · · Score: 4, Interesting

    Duh.

    Perhaps also turning on the firewall just actually might work. Windows is targeted for the average Joe. Microsoft doesn't want to have to incur the support costs of explaining to average Joe how firewalls work, so they suggest you keep it off.

    If you've really been using Linux that long, you'd have a clue. Really, this submission just sounds like a troll...

    --
    /* Moderating all non-anonymous trolls up since 2004 */
  2. Re:If you can stand waiting... by phorm · · Score: 4, Interesting

    You could also download it from your linux machine, and then do the whole installation offline

    Or better yet, use a morphix bootCD. You should be able to download the patches to Welchia et al directly (not using windows update), then reboot w/o the network cable in, patch, reboot, and you should be able to get the other less critical updates without being infected by RPC viruses.

  3. Re:Simple, Get an external Router. by tomakaan · · Score: 4, Interesting

    I definitely believe him. I've seen it happen all the time. My situation may be unique since I'm on a large college network, but I've seen blaster/welchia/gaobot/sasser infect a machine in a quarter of that time without the proper Windows Updates.

  4. i'm installing right now... by phrasebook · · Score: 5, Interesting

    I'm putting XP on my laptop next to me right now actually. I think it is pretty safe because a) it is connected to the net using NAT, not directly to the modem and b) I slipstreamed SP1 into my XP CD, so that when I install it I'm already at SP1 level. See here for instructions (that's win2k, but same for winxp of course). And I dunno why you'd bother with Norton Anything quite frankly. Maybe you can just buy a cheap router doing NAT and put it between the modem and computer while you get updates.

  5. Re:Simple, Get an external Router. by kevlar · · Score: 4, Interesting

    Actually.... judging by my router logs, I can believe it now...

    Sunday, June 20, 2004 20:12:54 Unrecognized access from 24.164.33.43:9118 to UDP port 1026
    Sunday, June 20, 2004 20:16:48 Unrecognized access from 218.88.103.123:3822 to TCP port 1025
    Sunday, June 20, 2004 20:16:51 Unrecognized access from 218.88.103.123:3822 to TCP port 1025
    Sunday, June 20, 2004 20:16:57 Unrecognized access from 218.88.103.123:3822 to TCP port 1025
    Sunday, June 20, 2004 20:21:46 Unrecognized access from 195.250.112.73:35973 to TCP port 443
    Sunday, June 20, 2004 20:22:18 Unrecognized access from 222.183.185.252:3881 to TCP port 1025
    Sunday, June 20, 2004 20:22:21 Unrecognized access from 222.183.185.252:3881 to TCP port 1025
    Sunday, June 20, 2004 20:22:27 Unrecognized access from 222.183.185.252:3881 to TCP port 1025
    Sunday, June 20, 2004 20:31:26 Unrecognized access from 193.227.0.37:3365 to UDP port 1434
    Sunday, June 20, 2004 20:45:50 Unrecognized access from 24.164.31.171:8860 to UDP port 1026

  6. Re:Windows XP: Surviving the First Day by eltoyoboyo · · Score: 4, Interesting

    Excellent article. And this is the number one article on the sans.org reading list. ... Couldn't help noticing number three with its provocative title: Penetration 101.

    --
    Have you Meta Moderated t
  7. Re:Simple, Get an external Router. by ScrewMaster · · Score: 4, Interesting

    My firewall logs show that I get worm propagation attempts at a significant rate, sometimes dozens per second (you can hear the drive in my firewall machine chattering when that happens.) Mind you, I'm on Comcast and there's a bunch of machines on my subnet that are infected as hell (I've reported this to Comcast, but the same IPs keep showing up, sometimes with attempts from multiple worms!) but I have no problem believing that this dude got infected in twenty minutes. I'm surprised it took even that long. Last year, my cousin hooked up her Win2K box to her brand, spanking new cable modem. After two or three minutes, a console window popped up and she watched some nut case typing in "SECEDIT" trying to guess her admin password. Things happen FAST nowadays.

    --
    The higher the technology, the sharper that two-edged sword.
  8. Re:RTFQ by photon317 · · Score: 4, Interesting


    There's really no such thing as a hardware firewall. All hardware firewalls are in fact software firewalls running on a piece of hardware, just like all software firewalls do. Perhaps a better re-statement of your point is to say that you should use a separate non-windows-based firewall rather than one which is installed locally on the windows machine. Personally I use a Sparc/Linux box for this, but you can have good results just using a netgear nat box or something. NAT is the ultimate home firewall anyways, just don't start routing inbound ports through it to your PC and you're gtg.

    --
    11*43+456^2
  9. Re:Odd by ktakki · · Score: 4, Interesting
    How do you get these worms? This sounds incredulous...

    Here's a snippet of the log from my Linksys router:
    00:00:26 TCP from 200.63.154.32:4927 to XXX.XXX.XXX.XXX:445
    00:00:29 TCP from 68.219.231.103:2712 to XXX.XXX.XXX.XXX:445
    00:00:29 TCP from 200.63.154.32:4927 to XXX.XXX.XXX.XXX:445
    00:00:32 TCP from 68.219.231.103:2712 to XXX.XXX.XXX.XXX:445
    00:00:42 TCP from 68.144.136.248:3225 to XXX.XXX.XXX.XXX:445
    00:00:59 TCP from 81.185.113.170:3646 to XXX.XXX.XXX.XXX:445
    00:01:36 TCP from 68.144.169.29:2873 to XXX.XXX.XXX.XXX:445
    00:01:52 TCP from 4.41.255.6:3139 to XXX.XXX.XXX.XXX:445
    00:02:07 TCP from 200.223.92.184:4958 to XXX.XXX.XXX.XXX:445
    00:02:08 TCP from 68.94.121.110:3927 to XXX.XXX.XXX.XXX:445
    00:02:10 TCP from 200.223.92.184:4958 to XXX.XXX.XXX.XXX:445
    00:02:11 TCP from 68.94.121.110:3927 to XXX.XXX.XXX.XXX:445
    00:02:19 TCP from 81.218.207.145:4814 to XXX.XXX.XXX.XXX:445
    00:02:28 TCP from 80.198.29.151:4015 to XXX.XXX.XXX.XXX:445
    00:02:48 TCP from 63.230.237.96:3181 to XXX.XXX.XXX.XXX:445
    00:03:00 TCP from 209.50.93.166:4294 to XXX.XXX.XXX.XXX:445
    00:03:12 TCP from 24.80.105.49:2350 to XXX.XXX.XXX.XXX:445
    The timestamp is hours:minutes:seconds. XXX.XXX.XXX.XXX is my WAN address (redacted), an East Coast Verizon DSL line. Port 445 is probably being targeted by W32.Sasser.

    Sixteen attempts in 3 minutes and 12 seconds.

    A couple of things are interesting about this log excerpt. First, there are no attempts from the 141.154.* netblock (where my WAN address resides). Second, I usually see a number of different ports listed (139, 1025, 1026, 1080, 3129, 5000), from both viruses and people probing for open proxies. Then again, it's Sunday night. I've noticed that virus traffic is higher during business hours in the US.

    k.
    --
    "In spite of everything, I still believe that people are really good at heart." - Anne Frank
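The two router excerpts in this thread (kevlar's in comment 5 and ktakki's Linksys log in comment 9) are the kind of thing worth parsing rather than eyeballing, and the counts depend on how you count: a Windows TCP stack retransmits an unanswered SYN from the same source port a few seconds apart, so the triples in kevlar's log at +3 s and +9 s are one scan hit each, not three. The script below, added by the editor and not code from either poster, parses both formats, folds retransmissions into distinct attempts, tallies by destination port and source, computes the rate, and applies ktakki's "anything from my own netblock?" check. The embedded sample lines are copied from the excerpts (kevlar's first seven and ktakki's first eight); ktakki's redacted WAN address is replaced by a made-up host in the 141.154/16 block he names, and the Linksys lines carry no date.

```python
"""Summarize inbound probe traffic from the two home-router log formats quoted
in the thread.  Added example; not code from either poster."""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# kevlar's router: full date, "Unrecognized access from A:p to PROTO port N".
KEVLAR_RE = re.compile(
    r"^\w+, (?P<date>\w+ \d{1,2}, \d{4}) (?P<time>\d\d:\d\d:\d\d) "
    r"Unrecognized access from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<proto>TCP|UDP) port (?P<dport>\d+)$")
# ktakki's Linksys: time of day only, explicit destination address.
LINKSYS_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) (?P<proto>TCP|UDP) from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+):(?P<dport>\d+)$")

# Constructed sample input: kevlar's first seven lines and ktakki's first
# eight, with ktakki's redacted WAN address replaced by a made-up 141.154.0.1.
KEVLAR_LOG = """\
Sunday, June 20, 2004 20:12:54 Unrecognized access from 24.164.33.43:9118 to UDP port 1026
Sunday, June 20, 2004 20:16:48 Unrecognized access from 218.88.103.123:3822 to TCP port 1025
Sunday, June 20, 2004 20:16:51 Unrecognized access from 218.88.103.123:3822 to TCP port 1025
Sunday, June 20, 2004 20:16:57 Unrecognized access from 218.88.103.123:3822 to TCP port 1025
Sunday, June 20, 2004 20:21:46 Unrecognized access from 195.250.112.73:35973 to TCP port 443
Sunday, June 20, 2004 20:31:26 Unrecognized access from 193.227.0.37:3365 to UDP port 1434
Sunday, June 20, 2004 20:45:50 Unrecognized access from 24.164.31.171:8860 to UDP port 1026
"""
LINKSYS_LOG = """\
00:00:26 TCP from 200.63.154.32:4927 to 141.154.0.1:445
00:00:29 TCP from 68.219.231.103:2712 to 141.154.0.1:445
00:00:29 TCP from 200.63.154.32:4927 to 141.154.0.1:445
00:00:32 TCP from 68.219.231.103:2712 to 141.154.0.1:445
00:00:42 TCP from 68.144.136.248:3225 to 141.154.0.1:445
00:00:59 TCP from 81.185.113.170:3646 to 141.154.0.1:445
00:01:36 TCP from 68.144.169.29:2873 to 141.154.0.1:445
00:01:52 TCP from 4.41.255.6:3139 to 141.154.0.1:445
"""

@dataclass(frozen=True)
class Probe:
    ts: datetime
    proto: str
    src: str
    sport: int
    dport: int

def parse_line(line: str) -> "Probe | None":
    """Return a Probe for a line in either format, None for anything else."""
    line = line.strip()
    m = KEVLAR_RE.match(line)
    if m:
        ts = datetime.strptime(f"{m['date']} {m['time']}", "%B %d, %Y %H:%M:%S")
    else:
        m = LINKSYS_RE.match(line)
        if not m:
            return None
        # Linksys lines have no date; strptime anchors them to 1900-01-01,
        # which is fine for differences within a single day.
        ts = datetime.strptime(m["time"], "%H:%M:%S")
    return Probe(ts, m["proto"], m["src"], int(m["sport"]), int(m["dport"]))

def parse_log(text: str) -> list:
    return [p for p in map(parse_line, text.splitlines()) if p is not None]

def collapse_retransmits(probes: list, window_s: int = 15) -> list:
    """Fold lines from the same src:sport to the same dport that arrive within
    window_s of the first into one attempt (SYN retransmissions, not new scans)."""
    first_seen, distinct = {}, []
    for p in sorted(probes, key=lambda q: q.ts):
        key = (p.proto, p.src, p.sport, p.dport)
        t0 = first_seen.get(key)
        if t0 is not None and (p.ts - t0).total_seconds() <= window_s:
            continue
        first_seen[key] = p.ts
        distinct.append(p)
    return distinct

def summarize(probes: list) -> dict:
    """Raw lines, distinct attempts, span, lines per minute, per-port/source tallies."""
    if not probes:
        raise ValueError("no parsable log lines")
    span = (max(p.ts for p in probes) - min(p.ts for p in probes)).total_seconds()
    return {"lines": len(probes), "attempts": len(collapse_retransmits(probes)),
            "span_seconds": span,
            "per_minute": round(len(probes) * 60 / span, 2) if span else 0.0,
            "by_port": Counter((p.proto, p.dport) for p in probes),
            "by_source": Counter(p.src for p in probes)}

def from_own_netblock(probes: list, wan_ip: str, prefix_len: int = 16) -> int:
    """How many probes came from the WAN address's own prefix (ktakki's check)."""
    net = ipaddress.ip_network(f"{wan_ip}/{prefix_len}", strict=False)
    return sum(1 for p in probes if ipaddress.ip_address(p.src) in net)

if __name__ == "__main__":
    for name, text in (("kevlar", KEVLAR_LOG), ("linksys", LINKSYS_LOG)):
        s = summarize(parse_log(text))
        print(f"{name}: {s['lines']} lines, {s['attempts']} attempts in "
              f"{s['span_seconds']:.0f} s ({s['per_minute']}/min); {s['by_port'].most_common(3)}")
```

Feed it the full logs and the per-port tally is what tells you which service the worm of the week wants: a wall of tcp/445 points at Sasser's LSASS exploit, udp/1434 is Slammer still circulating, and tcp/1025 and udp/1026 are the high RPC ports. The retransmit window of 15 s is an assumption tuned to the 3 s / 6 s SYN backoff visible in kevlar's triples; set it to 0 if you want raw line counts to match what the router reports.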
  10. Re:If you can stand waiting... by jonfelder · · Score: 4, Interesting

    You're being awfully pedantic there. Yes, technically the updates to Linux (i.e. the kernel) are small. However, I'm sure if you just patch kernel32.exe or whatever the binaries for the kernel under windows are, the updates would be small too.

    A system consisting of just the kernel and a few command line tools would be awfully boring and not a particularly fair comparison.

    By "Linux" I'm referring to the kernel itself, along with X and the base applications that come along with gnome or KDE. Installing a distro with the base set of libraries, GUI, window manager, apps, etc that give a reasonable approximation of what you get with windows (no gimp, no koffice, etc) will require a considerable amount of downloading of patches if it's as old as XP.