[Dshield] 0wnlng Windows machines

Stasiniewicz, Adam stasinia at msoe.edu
Sun Feb 25 18:41:52 GMT 2007

Hi Tonni,
The major reason you see Windows computers is simply because they are the most abused.  While most Novell, Linux, Unix, etc. systems are maintained by IT staff who ensure they are properly functioning, most Windows computers are used by clueless consumers.  What often happens is these clueless consumers will buy their computer from Best Buy or wherever and it will have the latest patches on it.  They might even have a friend/relative/etc. look at the computer once or twice a year to "clean it up".  During those times, the folks will usually install the latest patches and AV.  But in the space between, the clueless consumer will not patch their computer or update their AV (since again, they are clueless).  They will open virus-infected emails and install the latest crap on their machine.  For this reason, about 80% of all spam comes from computers infected with spam viruses.  The remaining 20% comes from hijacked netblocks and foreign countries with weak cyber laws.
As for 2003, the main reason you are seeing it lower is because of the limitations of your tool.  Your tool can't tell the difference between the client versions of Windows and the server versions.  So, if you could, you would most likely see that 2000 Server also has a very low rejection rate.  But because 2003 has no direct client version, you only see stats for a server OS.  And going back to my first point about Novell, Unix, and Linux, 2003 servers tend to be professionally managed by IT folks, who are much better at keeping junk off those machines.
Does that answer your question?
Adam Stasiniewicz


From: list-bounces at lists.dshield.org on behalf of Tony Earnshaw
Sent: Sat 2/24/2007 4:10 AM
To: list at lists.dshield.org
Subject: [Dshield] 0wnlng Windows machines

Hi list,

I'm the mailadmin of a low-volume high school site in Amsterdam NL, we
run a Postfix 2.3 MTA with lots of knobs to twiddle.

One of the things I do is twiddle the knobs; as I've written before, we
block a lot of stuff before we accept it. We don't block it at the
perimeter, we let the MTA block it, mostly using cidr subnet blocks, but
also using rules detailed in rfc[2]821 and greylisting, as well as, as a
last resort, 4 DNSRBL sites. Postfix also makes it possible to see each
refused connection, together with the smtp conversation that takes place
and why we refuse clients. I make full use of that possibility.

We also run a utility called p0f with which I analyze the operating
system of each client connecting to port 25 on our MTA. For instance, it
tells me that iceman12-int.giac.net is running Linux 2.4-2.6 and was up
for 3413 hours on Feb 24 at 01:47:28 CET.

I produce pretty bar graphs with it, and these will be available for a
couple of days at https://mail.barlaeus.nl/p0f. Normally they're
excluded from unrestricted Internet access.

One of the things I've found out over the past few months, is that
around 98% of all the clients we block are Windows machines; which
variants you can see from the graphs. It's patently obvious that most
0wn3d machines are w2k with patch 4/XP with patch 1 and very few are
W2003. Now assuming the w2k and XP users have been savvy enough to patch
their W2k/XP machines, can anyone tell me the most obvious reasons that
they're getting 0wn3d? Presumably the users intelligent enough to patch
are also savvy enough not to click on things they're told not to, to
enable stupid p2p, to visit nasty web sites and so on. Or are they? And
why are there (proportionally) so few w2003 machines refused?

One of the reasons I ask, apart from curiosity, is noting how new
spammer software patterns develop, how much spammers keep to the same
old stupid configuration and similar.



PS: All of our site's 100 or so Windows XP workstations (which I don't
configure, thank goodness) get their Internet stuff over a Smoothwall
blocking proxy, all are forced to SASL authenticate to our MTA alone for
sending, their mail (when it comes in) has gone through 3 AV scanners
and a hyper-good spam filter, and they run Sophos SAV regularly on their
ghost-imaged HDs. Their profiles and other Windows stuff is kept on a
Linux Samba 2.0.22 NT PDC (which I do configure) on which Sophos Sweep
runs regularly, so they're kept from sinning; if they were to,
reformatting and imaging their local HDs is relatively easy to do, with
loss of no personal data.

Tony Earnshaw
Email: tonni at hetnet dot nl
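One way to reproduce the per-OS rejection statistics Tony describes (the p0f fingerprint for each connecting client joined to Postfix's smtpd reject lines by client IP) is sketched below. This is an added example, not code from the original thread or from p0f/Postfix; the p0f line layout is an approximation of p0f 2.x's timestamped output, and every log line, IP and OS label is constructed sample data.

```python
"""Correlate p0f OS fingerprints with Postfix smtpd rejections by client IP."""
import re
from collections import defaultdict

# Constructed sample lines approximating p0f 2.x '-t' output (format is an assumption).
P0F_LOG = """\
<Sat Feb 24 01:47:28 2007> 192.0.2.10:3355 - Windows 2000 SP4, XP SP1+ -> 198.51.100.5:25 (distance 14, link: ethernet/modem)
<Sat Feb 24 01:47:28 2007> 192.0.2.11:1025 - Linux 2.4-2.6 (up: 3413 hrs) -> 198.51.100.5:25 (distance 12, link: ethernet/modem)
<Sat Feb 24 01:49:02 2007> 192.0.2.12:2231 - Windows 2000 SP4, XP SP1+ -> 198.51.100.5:25 (distance 9, link: ethernet/modem)
<Sat Feb 24 01:50:40 2007> 192.0.2.13:4410 - Windows 2003 -> 198.51.100.5:25 (distance 11, link: ethernet/modem)
"""
# Constructed Postfix smtpd syslog lines (standard Postfix 2.x wording).
POSTFIX_LOG = """\
Feb 24 01:47:30 mail postfix/smtpd[1201]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using zen.spamhaus.org; from=<a@example.com> to=<b@example.net> proto=ESMTP helo=<pc>
Feb 24 01:47:32 mail postfix/smtpd[1202]: 7A1B2C3D4E: client=iceman12-int.giac.net[192.0.2.11]
Feb 24 01:49:03 mail postfix/smtpd[1203]: NOQUEUE: reject: RCPT from unknown[192.0.2.12]: 450 4.7.1 <x>: Helo command rejected: need fully-qualified hostname; from=<c@example.com> to=<b@example.net> proto=SMTP helo=<x>
Feb 24 01:50:41 mail postfix/smtpd[1204]: 5F6E7D8C9B: client=mx.example.org[192.0.2.13]
"""

# p0f line: [<timestamp>] src_ip:port - OS guess [(up: N hrs)] -> dst_ip:port ...
P0F_RE = re.compile(
    r"^(?:<[^>]*>\s+)?(?P<ip>\d+(?:\.\d+){3}):\d+ - (?P<os>.+?)(?: \(up: [^)]*\))? -> ")
# Postfix reject line: "... NOQUEUE: reject: RCPT from hostname[ip]: ..."
REJECT_RE = re.compile(r"NOQUEUE: reject: \w+ from \S*?\[(?P<ip>\d+(?:\.\d+){3})\]")

def os_by_ip(p0f_text):
    """Map each fingerprinted client IP to p0f's OS guess (uptime stripped)."""
    guesses = {}
    for line in p0f_text.splitlines():
        m = P0F_RE.match(line)
        if m:
            guesses[m["ip"]] = m["os"]  # last guess wins if a client reconnects
    return guesses

def rejected_ips(postfix_text):
    """Set of client IPs that Postfix refused at least once."""
    return {m["ip"] for m in map(REJECT_RE.search, postfix_text.splitlines()) if m}

def rejection_stats(p0f_text, postfix_text):
    """Per OS guess: how many distinct clients p0f saw and how many were refused."""
    rejected = rejected_ips(postfix_text)
    stats = defaultdict(lambda: {"seen": 0, "rejected": 0})
    for ip, os_name in os_by_ip(p0f_text).items():
        stats[os_name]["seen"] += 1
        stats[os_name]["rejected"] += ip in rejected
    return dict(stats)

def share_of_rejections(stats):
    """Fraction of all refused clients attributed to each OS guess."""
    total = sum(s["rejected"] for s in stats.values()) or 1
    return {os_name: s["rejected"] / total for os_name, s in stats.items()}

if __name__ == "__main__":
    for os_name, s in rejection_stats(P0F_LOG, POSTFIX_LOG).items():
        print(f"{os_name:30} seen={s['seen']} rejected={s['rejected']}")
```

As the reply above notes, a p0f label such as "Windows 2000 SP4, XP SP1+" lumps client and server editions of the same kernel together, so the per-OS shares say more about the TCP stack than about whether the box is a desktop or a server.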
