[unisog] zotob and returning students, what are you going to do?

Matt Ashfield mda at unb.ca
Fri Aug 19 12:23:19 GMT 2005


From what I can tell, this is not JUST win2k specific. While win2k machines
are the target as far as infection goes, XP machines and others can be
"carriers", meaning they can scan your network and try to infect win2k
boxes.

During our outbreak of Blaster 2 years ago, it was the scanning that buried
us, mostly in ARP storms. Mind you, we've taken many steps to minimize the
impact of such scans since then.

Matt Ashfield
Network Analyst
Integrated Technology Services
University of New Brunswick
(506) 447-3033
mda at unb.ca 


-----Original Message-----
From: unisog-bounces at lists.sans.org [mailto:unisog-bounces at lists.sans.org]
On Behalf Of STeve Andre'
Sent: August 18, 2005 11:56 PM
To: unisog at lists.sans.org
Subject: Re: [unisog] zotob and returning students, what are you going to
do?

On Thursday 18 August 2005 17:33, Dave Dittrich wrote:
> > I suspect that there are a lot of corporate sites that did the
> > following:
> >
> > 1) Stayed on W2K rather than move to XP (I seem to recall a survey that
> > said that close to half of corporate nets were still on W2K because the
> > IT management didn't see any must-have features in XP worth the cost of
> > upgrading multiple 10K's of users).
> >
> > 2) Are now suffering in silence unless the worm burpage is enough to
> > cause an externally visible issue (always a problem when gathering the
> > stats on hacks/etc).
> >
> > It's kind of like trying to get an accurate measurement of how many
> > adults in the US have herpes, and for many of the same reasons...
>
> Interesting.  So the conjecture is that a business decision was made
> to NOT upgrade before, to "save" costs.  Now a security problem has
> occurred, which only affects the hosts that were not upgraded so as to
> "save" money.  Those businesses now incur a cost for cleanup of each
> host, PLUS they will likely now do the upgrade they avoided before,
> incurring the upgrade cost ANYWAY (and at an inflation adjusted rate
> that is higher than before)!
>
> My gut says that decision to save X dollars in the past has now
> resulted in a real cost of (X*Y)+Z dollars (where Y is 1 + the
> inflation rate, and Z equals the cost of mitigation and damages
> from downtime, which could well be larger than X to begin with,
> more than doubling the cost of just upgrading before.)
>
> --
> Dave Dittrich                           Information Assurance Researcher,
> dittrich at u.washington.edu               The iSchool
> http://staff.washington.edu/dittrich    University of Washington

This current horror seems to be Win2k specific, but I don't see this as
a reason in and of itself to "upgrade" to XP.  Looking at the last 15 or
so security updates, they mostly applied to win2k and xp.  I know
that MS is working on xp (rumor has it that they took ideas from the
W^X code in OpenBSD), but I'm not yet convinced that xp is any
better, and I'm certainly seeing as much weird flakiness on xp as
I ever did with win2k.

--STeve Andre'
MSU Dept. of Political Science
andres at msu.edu