Security Basics: Re: Windows 98 box is 'owned'

[Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>]

On 2004-09-30 Darren Kirby wrote:
> After following the link provided by Bob Bermingham:
> > Sounds like the box is "owned", but not in the way you suspect. From
> > your description, it looks like she is infected with Netsky.P:
> >
> > http://antivirus.about.com/cs/allabout/a/netskyp.htm
> I can confirm this is indeed the Netsky.P virus. The filenames listed
> are EXACTLY the ones on this box. From reading the description it
> would seem this is very old virus...so she (my mom) is running a very
> old unpatched windows 98?
A box can't be patched against Netsky et al. since they exploit a
layer-8 vulnerability. Tell her to use Mozilla or Opera instead of
IE/OE and to not open suspicious attachments (read as: attachments she
didn't ask for).

> Please let me reiterate at this point that I
> am really ignorant of windows...but I have heard that Microsoft has
> ended support for this old OS.
Yes.

> Is there still a patch available?
Again: there is no such thing like a patch against Netsky et al.

[...]
> RandyW posted:
> > Without constant monitoring though, the PC WILL become infected
> > again, it's just a matter of time.
> This is discouraging, as I don't have the time (nor knowledge) to
> monitor this computer all the time. Perhaps it is time to say screw it
> and install Slackware with a nice KDE desktop for her, because at
> least I would know how to help with her problems, and it seems a lot
> easier than:
>
> 1) reinstall OS
Maybe switch to Windows 2000/XP or Linux.

> 2) install firewall, AV, etc...
For Windows 98: just AV. For Windows 2000/XP I suggest to disable the
services that are not needed [1] and probably use a hardware router
rather than using a PFW.

Make sure file and printer sharing is not installed. Also have the AV
software update its signature files automatically (I suggest to update
on a daily basis).

Have her use Mozilla or Opera.

> 3) patch OS in 5 minute window available (as mentioned by Kelly Martin)
What "5 minute window"? If Kelly was referring to Blaster, Sasser and
their like: there is no such window. It may take hours til infection or
just a couple seconds.

AFAIK Windows 98 is not vulnerable, especially if no file and printer
sharing is installed. If you decide to install Windows 2000/XP use a PFW
or (better) a hardware router to block incoming connection attempts
until the patches are installed. On Windows 2000/XP you should also set
up Automatic Updates to download *and* install hotfixes in the
background.

> 4) educate Mom on use of AV, anti-spyware, good web practices (don't
> open attachments, click on pop-ups etc...)
Yes. However, you will most likely experience a lot less trouble if you
install Mozilla or Opera and have her use one of them instead of IE/OE.
In that case limit IE to WindowsUpdate.

> 5) monitor until eventually another virus finds its way in.
> 6) Lather/rinse/repeat.
Yep.

> Sorry if I sound affected here, but being a unix guy I do not see how
> this makes windows an 'easier' desktop to use.
Unfortunately Windows is easy to use, but not easy to secure :(

BTW: did I already mention that she should use Mozilla or Opera instead
of IE/OE? ;)

[1] http://www.ntsvcfg.de/ntsvcfg_eng.html

Regards
Ansgar Wiechers
-- 
"Those who would give up liberty for a little temporary safety
deserve neither liberty nor safety, and will lose both."
--Benjamin Franklin