Stop Christmas-Gift PCs From Feeding Worms 416

An Anonymous Reader writes "If you recently set up a new PC with Windows XP, or if you had the pleasure to do a 'reinstall from scratch,' you probably found that many XP systems as they are shipped today are not patched against common issues like Blaster. Given that these worms are still going strong, it doesn't take long for a new system to be infected, in particular if you have to connect it to the Internet to download all the patches. Well, help is in sight. The SANS Institute released a paper entitled Windows XP: Surviving the First Day." (Read on below.) Update: 12/24 17:59 GMT by T : Thanks to reader Bill Curnow for the updated link. Update: 12/24 19:15 GMT by T : Besides the workaround suggested below, Roblimo has a good suggestion on avoiding the first-day-of-Windows altogether.

"With many screen shots, it will walk you through the procedure to enable the XP firewall and download the patches without getting infected while doing so. This could be the (free) stocking stuffer that may save Christmas for your folks ;-), given that it's probably too late now to start downloading your favorite Linux distro."

But if you do have the time and bandwidth, and you're stuck on Windows, a nice live-CD distro like Knoppix or Mepis means you can download patches without racing the worms, and install your patches while offline. (And if you have time to download 50MB, you have time to grab Damn Small Linux.)

  • by jaredmauch ( 633928 ) <jared@puck.nether.net> on Wednesday December 24, 2003 @02:03PM (#7803491) Homepage
    Microsoft needs to ship everyone who does "Product Activation/Registration" with them a CD [google.com] that includes the patches necessary to secure one's systems. Yes, it will always be out of date, but at least you won't get infected with some 1-2 year old vulnerability.

    People should return non-patched systems that are shipped from the manufacturer, and return systems where the install CDs don't put them to the same patch level they are shipped with.

    While this isn't a cure-all solution to the patch mania that is necessary, it will go a long way to help bring up the baseline security of all these end-user hosts on the internet.

  • First day? (Score:3, Interesting)

    by Xzzy ( 111297 ) <sether@@@tru7h...org> on Wednesday December 24, 2003 @02:04PM (#7803497) Homepage
    Try first ten minutes.

    Due to some oddities in the purchasing orders for new hardware this year, it ended up that some of us unix guys were tasked with hauling new windows boxes around the workplace for people. We weren't expected to set them up, just unpack, plug em in, and turn em on. Ignorant of how vulnerable windows boxen are, we did just that, doing the silly clicky crap that any OEM release makes you do, and walked off.

    Within ten minutes, the traffic sniffers the security team has up were getting alarms caused by the machines we had set up and their ports got blackholed in about 15 minutes. One of the machines was already being used as a spam relay, the rest all had whatever viruses are still floating around.

    Was quite an eye opener, I'd thought those viruses were over and done with and weren't a cause for concern anymore. Made me wonder how much bandwidth is being wasted that we don't even acknowledge. Spam is easy because it generates email... but there's this underlying background noise sucking up bandwidth that you don't even see.

    'Course us "unix guys" had a good laugh over it, patting ourselves on the back in true bigot fashion over how secure unices are. But later that afternoon the nfs server that serves our home directories puked its guts up so it put us in our place pretty quick.
  • Sadly enough (Score:2, Interesting)

    by jsav40 ( 614902 ) on Wednesday December 24, 2003 @02:07PM (#7803519)
    We received a couple of new machines from Dell last week. They were missing just a few patches... actually a few *months* worth of patches. Inexcusable on the vendor's part - how hard is it for them to keep their base install/image up to date??? I had a CD ready to go with the relevant patches etc. & got all of the critical stuff installed before ever connecting to the internet. No wonder that so many home machines are unpatched; people incorrectly (but justifiably) assume that the new PC they just purchased will be reasonably current as far as security patches go. That and getting the plethora of XP patches, service packs etc. over a dial-up is very nearly impossible...
  • Re:Easy Alternative (Score:5, Interesting)

    by B3ryllium ( 571199 ) on Wednesday December 24, 2003 @02:08PM (#7803528) Homepage
    No, the proper technique is called a "reach around". You reach around behind the box, unplug the network cable or phone line (I caught a worm over dialup once, that was the most hilarious thing ever), and consider yourself lucky.
  • by Simonetta ( 207550 ) on Wednesday December 24, 2003 @02:13PM (#7803552)
    I believe that we should start trying to make Linux CDs available for checkout at the local public library.

    Not enough people have the broadband or fast enough download capabilities to handle file sets above a few megabytes.

    Having the inexpensive CD-R sets available for checkout at the local public library would go a long way to solving the distribution problem of the general public.

    Plus the local Linux group could keep the circulating distributions current and the latest patches available.

    I think that there was a discussion about this on Slashdot recently, but I don't recall.
  • by VariableSanity ( 578725 ) on Wednesday December 24, 2003 @02:15PM (#7803564)
    I recently had to install XP from scratch (because my roommate downloaded some virus). After I got XP running again and got all my programs installed again, I went and bought Norton Anti-Virus. After the first scan a few hours after I re-installed everything, I already had the blaster worm and some other type of worm! I guess that is what I get for not installing the patches the moment I install XP...
  • by uncleroot ( 735321 ) on Wednesday December 24, 2003 @02:29PM (#7803623)
    I do DSL tech support for a large telco with a three letter name starting with "S" and ending with "C" and I have to bite my lip every time these poor, dumb people call in connecting their brand new Dells and Compaqs to the DSL with no firewall and not a clue as to what Windows Update is and why they need it. The reason I bite my lip is that Windows Update and firewalls are outside my scope of support and I was already told by my team lead not to waste time helping people with that stuff. Even worse, official training tells us to leave the Windows firewall off when configuring a PPPoE connection - I am not making that up!

    It's sad and irresponsible to let these people wander onto the Internet with their unprotected Windows computers like dogs wandering onto the freeway.
  • by AsmordeanX ( 615669 ) on Wednesday December 24, 2003 @02:34PM (#7803657)
    A friend of my Dad gave him XP Pro as a gift a month ago. He installed it then connected to the net. It took 4 minutes until he was hit by blaster.

    He finally had to resort to getting the guy that gave him XP to make a CD up of the patches so he could actually use XP on the net.

    Personally I just have to say thanks to my linux firewall.
  • Re:First day? (Score:3, Interesting)

    by Monkelectric ( 546685 ) <[moc.cirtceleknom] [ta] [todhsals]> on Wednesday December 24, 2003 @02:38PM (#7803670)
    I work for a company which sells PCs retail, we've had a couple computers which had worms *OUT OF THE BOX* (brand new machines, never opened). We're still trying to figure that out.
  • Firewall (Score:3, Interesting)

    by Stigmata669 ( 517894 ) on Wednesday December 24, 2003 @02:56PM (#7803754)
    As much as everyone insists that XP has more holes than Swiss cheese, behind a crappy Linksys firewall my two boxes have never had any problems. I'm lazy about patches and tend to ignore them for months but I've never had a virus. Why? Because I don't use their crap email client, I have a firewall, and I don't download warez off kazaa.

    Computers don't get viruses, users do.

  • Re:Easy (Score:3, Interesting)

    by jandrese ( 485 ) * <kensama@vt.edu> on Wednesday December 24, 2003 @03:26PM (#7803923) Homepage Journal
    The only problem with ZoneAlarm is that it likes to pop up dialog boxes all of the time. This is extremely irritating when you've switched to something fullscreen, and it decides to freeze the network connection while it waits for you to answer its dialog box (which you can't see).

    Granted, this is on a work machine where I'm not allowed to change the settings, so maybe it can be fixed with twiddling, but I find the behavior to be extremely annoying. I much prefer ipfw on my FreeBSD box. Just my $0.02US
  • by StormReaver ( 59959 ) on Wednesday December 24, 2003 @05:35PM (#7804704)
    "Most people are happy with a 4 year old system that lets them check their e-mail, save the pictures people send them, view web pages, and maybe word processing and a spreadsheet."

    There are a LOT of people in this situation, and they are the perfect candidates for using Linux. They have a fixed set of needs. Give them a preinstalled and preconfigured Linux box, and they treat it like a fixed-function appliance.

    I'll skip the long details, but my 57 year-old mother got so fed up with Windows' unreliability back in 2000 that she pestered me for weeks to wipe Windows and install Linux. I'd been running it for years and raving to her about its stability and reliability, so she was ready.

    Her needs were and are simple. She wants web access for online purchases, she wants email, and she wants word processing. She also wants my nephew to be able to use her computer to play the games that I have on my computer.

    I did the backup Windows data/install Linux/restore Windows data to Linux routine with Mandrake 9.0, configured her icons, set up her Internet connection and showed her how to activate it, transferred her email to Mozilla (at her request; she likes the all-in-one feature of Mozilla), showed her how to use AbiWord (which she loves) and put the necessary icons on her desktop.

    After a few brief explanations on where Linux was different from Windows (in terms that were useful to her) and how that benefitted her, she was able to use Mandrake for her everyday tasks.

    I keep intending to upgrade her to Mandrake 9.1 (and now 9.2) because the old sound driver from Mandrake 9.0 is flaky, but I keep forgetting to do it. Her system is 100% reliable for her, and Mandrake 9.0 is still chugging along now as it was back in 2000.

    I haven't had to deal with any computer problems on her system, while my dad's Windows system still needs frequent babysitting. If Yahoo Messenger weren't using a proprietary audio CODEC, but used something like Ogg Vorbis instead, he would dump Windows in a heartbeat. He used to be a die-hard Windows user, but even he has finally been broken by Microsoft. He just has that one application.
  • by robogun ( 466062 ) on Wednesday December 24, 2003 @05:43PM (#7804757)
    I had your attitude until late last month.

    I plugged a 98 box into a freshly installed cable modem (Time-Warner RoadRunner if it matters). Within 20 minutes the box was rooted. It was my mistake. I had brought the machine from a network that was behind a hardware router, and placed it directly on the cable modem. I had sharing enabled directly to the c: drive, password protected.

    The worm reset the password to null and enabled sharing of other drives.

    It then tried to write itself to all the fixed disks on the machine (that is how I detected it: I was transferring photos from a compact flash card, through USB, when it hung. A copy of the virus was found on the card.)

    It is possible that the infection would not have been detectable without running trojan scan [trojanscan.com] and online antivirus [antivirus.com] particularly when the speed of cable is considered.

    The worm installed a backdoor on a Windows box, and then tries to locate and infect any Windows shares on the block.

    Needless to say, surfing without a condom on a windows machine is dangerous indeed.

  • by Shanep ( 68243 ) on Thursday December 25, 2003 @03:29AM (#7807068) Homepage
    I recently upgraded a friend's PC from ME to XP Home. She purchased XP, which came with a sticker proclaiming that it included SP1a.

    Since this was a recent purchase and the afterthought SP1a sticker was there, I mistakenly assumed that it would be safe against Blaster.

    Regardless, I enabled the built-in firewall on the external interface NIC before I connected to the internet via her ADSL.

    I couldn't get it going. I was using the ISP PPPoE driver which was supposed to work, but the ISP suggested I use the built-in XP PPPoE driver, which worked fine. The phone tech also said that I must disable any firewall due to the use of a heartbeat initiated at their end.

    So, I reluctantly did...

    Her PC had Blaster literally within a minute or two of connecting.

    But here comes the funny part... to get around the 60 seconds to shutdown, I double clicked the time to set the year back to give me a chance to remove the virus and patch her system. Unfortunately, during this, I had to reboot. At this stage the 30 day registration period was still in effect because I had not registered. Upon reboot, the 30 day period was up, XP was demanding I register now without giving me the desktop! Luckily it seems that it automatically connected.

    Next time I'll just set it back an hour!

    This kind of crap just has not happened to me on my Apple. In the end, I enabled the firewall and she has not had a problem. It might not have happened if I knew XP better (first install), but then I gave up on Microsoft long ago.

  • Re:Roblimo fud (Score:2, Interesting)

    by darthpenguin ( 206566 ) on Thursday December 25, 2003 @04:25AM (#7807204) Homepage
    A linux box for Christmas is all great until little Johnny wants to play Grand Theft Auto: Vice City that he got from his ill-informed mom.

    Strange, I *just* played GTA: Vice City on my slackware box, with zero problems. The entire process involved an "installpkg winex.tgz", running "winex3 setup.exe", and navigating to the game in the kde menu. If Little Johnny wants to play Vice City, he should be able to figure out at least this much.
