Re: Windows 98 box is 'owned'

From: Ansgar -59cobalt- Wiechers (bugtraq_at_planetcobalt.net)
Date: 10/01/04

    Date: Fri, 1 Oct 2004 02:43:29 +0200
    To: security-basics@securityfocus.com
    
    

    On 2004-09-30 Darren Kirby wrote:
    > After following the link provided by Bob Bermingham:
    > > Sounds like the box is "owned", but not in the way you suspect. From
    > > your description, it looks like she is infected with Netsky.P:
    > >
    > > http://antivirus.about.com/cs/allabout/a/netskyp.htm
    >
    > I can confirm this is indeed the Netsky.P virus. The filenames listed
    > are EXACTLY the ones on this box. From reading the description it
    > would seem this is a very old virus...so she (my mom) is running a very
    > old unpatched windows 98?

    A box can't be patched against Netsky et al. since they exploit a
    layer-8 vulnerability. Tell her to use Mozilla or Opera instead of
    IE/OE and to not open suspicious attachments (read as: attachments she
    didn't ask for).

    > Please let me reiterate at this point that I
    > am really ignorant of windows...but I have heard that Microsoft has
    > ended support for this old OS.

    Yes.

    > Is there still a patch available?

    Again: there is no such thing as a patch against Netsky et al.

    [...]
    > RandyW posted:
    > > Without constant monitoring though, the PC WILL become infected
    > > again, it's just a matter of time.
    >
    > This is discouraging, as I don't have the time (nor knowledge) to
    > monitor this computer all the time. Perhaps it is time to say screw it
    > and install Slackware with a nice KDE desktop for her, because at
    > least I would know how to help with her problems, and it seems a lot
    > easier than:
    >
    > 1) reinstall OS

    Maybe switch to Windows 2000/XP or Linux.

    > 2) install firewall, AV, etc...

    For Windows 98: just AV. For Windows 2000/XP I suggest disabling the
    services that are not needed [1] and probably using a hardware router
    rather than using a PFW.

    Make sure file and printer sharing is not installed. Also have the AV
    software update its signature files automatically (I suggest updating
    on a daily basis).

    Have her use Mozilla or Opera.

    > 3) patch OS in 5 minute window available (as mentioned by Kelly Martin)

    What "5 minute window"? If Kelly was referring to Blaster, Sasser and
    their like: there is no such window. It may take hours until infection or
    just a couple of seconds.

    AFAIK Windows 98 is not vulnerable, especially if no file and printer
    sharing is installed. If you decide to install Windows 2000/XP use a PFW
    or (better) a hardware router to block incoming connection attempts
    until the patches are installed. On Windows 2000/XP you should also set
    up Automatic Updates to download *and* install hotfixes in the
    background.

    > 4) educate Mom on use of AV, anti-spyware, good web practices (don't
    > open attachments, click on pop-ups etc...)

    Yes. However, you will most likely experience a lot less trouble if you
    install Mozilla or Opera and have her use one of them instead of IE/OE.
    In that case limit IE to WindowsUpdate.

    > 5) monitor until eventually another virus finds its way in.
    > 6) Lather/rinse/repeat.

    Yep.

    > Sorry if I sound affected here, but being a unix guy I do not see how
    > this makes windows an 'easier' desktop to use.

    Unfortunately Windows is easy to use, but not easy to secure :(

    BTW: did I already mention that she should use Mozilla or Opera instead
    of IE/OE? ;)

    [1] http://www.ntsvcfg.de/ntsvcfg_eng.html

    Regards
    Ansgar Wiechers

    -- 
    "Those who would give up liberty for a little temporary safety
    deserve neither liberty nor safety, and will lose both."
    --Benjamin Franklin
    
