Darren has yet another reason why I will never put a Windows system directly connected to the internet without a firewall of some sort. Hell, even a fully patched one I’d be nervous about.
When I got back, Norton Antivirus had a HUGE message up about a virus found on the system, which it stalled to await my decision on what to do.
It turns out the laptop was the victim of the OPAServ worm. 5 minutes.
Now that said, I wouldn’t put a freshly installed and unpatched Linux system directly onto the internet either, especially an older one (I think the mean time to root for a Red Hat 6.2 system on a honeynet was something like 8 minutes). Something I’ve either compiled from scratch (i.e. Gentoo) or something that gives me a lot of control over the install process (i.e. Debian), though, I’d be more trusting of, as at least then you know what is running (or at least, should).
The problem really is that the genie is out of the bottle, and these worms and virii are out there running rampant. New security patches from Microsoft are great, but chances are that if the person wasn’t installing them before (or just hits “ignore”, as I know people do… bad, bad people, naughty, bad people) the new patches are useless.
While I congratulate Microsoft for putting the patches out there (two more today, on top of the two or three a couple of days ago), I think that some thought should be put towards fixing the problems out there right now. Sadly a mass nuke of all the unpatched systems isn’t possible. Or maybe it is. Write a worm or virii that exploits all the holes that existing worms and virii do and simply send a command to shut down the system with an “update your system now dumbass” message and not allow the user access to any website except the update site. Stuff like Dana’s project will help if it’s installed, but chances are it will only help for a) new installations and b) places where they care about security already. Granny or mom and pop who just use the computer to read their spam probably don’t notice the slowdown from worms, spyware and virii, don’t care, or ignore it altogether. These are the people that are contributing to the problem far more (IMHO, I could be wrong of course) than a Fortune 500 company with 10,000 computers in it. Those are the places where they have an IS department or a security consultant or at least a firewall. Most of the scans and worms I see are from cable and DSL networks for home users, at least.
But like I said, I might be wrong. I’m still not putting a Windows box on the Internet without a firewall though.