Windows Updates is showing WGA even though I hid WGA last fall (?!)


XP Guy

I perform manual Windows-Update sessions on a particular system with
XP sp2.

Last fall, when Micro$haft came out with a WGA update, I hid that update
so I wouldn't see it again.

The last time I performed an update check was on March 9 or 10. No
issues with that update session.

Today, I performed another update check, and lo and behold Microsoft is
offering Windows Genuine disAdvantage to me. What? I told Windoze
Updates to hide that piece of shit spycode. Again I select "hide this
update". There are 4 other updates, and I select and install them.

I check the list of updates I've chosen to hide. I'm expecting to see 2
entries for WGA. But instead I only see one. It's KB905474.

So I assume that Milkro$oft has corrupted its own "hide this update"
settings by foisting this WGA update upon me. Is this Macro$haft's way
of getting WGA onto systems that are set to auto-update and that have
otherwise hidden or ignored that update in the past?

Is this a known issue? Am I the first to observe it?

Are we ready for the avalanche of users that will be posting their
WGA problems?

Is there some registry key that I can set that will ensure that WGA
never gets installed regardless of what games Micro$lap plays with
windowsupdate?
 
On an otherwise well working system, you have little to fear from WGA.
I really can understand your initial suspicions regarding WGA when it
first came on scene. However, those initial problems have been addressed.

However, if you believe that your OS is not quite legal, that's another
situation.

BTW - you really should bring your system up to SP3. SP3 is also a good
thing.

Pete
 
1PW said:
On an otherwise well working system, you have little to fear
from WGA.

That's not the point.

Microsoft deployed a "hide this update" mechanism in windows update.

I have experienced an occurrence of that mechanism not working and I'm
describing it here.

Microsoft defines WGA as a "critical" update or a "security" update. It
is neither.

WGA can cause serious system stability problems and I have chosen to NOT
install it on this system and I have chosen to HIDE it from all future
windowsupdate sessions.

If I am being accused of being idiosyncratic or eccentric for NOT
wanting to install it, then by rights Microsoft can and should be
accused of being idiosyncratic (if not worse) for trying to PUSH it on
me in a way that breaks their own "hide update" mechanism.
BTW - you really should bring your system up to SP3. SP3 is also
a good thing.

I have asked and have done research into the differences between a
system with a fully patched and up-to-date SP2 installation and one with
a fully-patched and up-to-date SP3 installation and have found pretty
much nothing.

Please tell how a fully patched and up-to-date SP3 system differs from
that of a fully-patched and up-to-date SP2 system. What extra
capabilities will the SP3 system have? What system vulnerabilities will
the SP2 system have that the SP3 system will not have?
 
That's not the point.

Microsoft deployed a "hide this update" mechanism in windows update.

I have experienced an occurrence of that mechanism not working and I'm
describing it here.

Microsoft defines WGA as a "critical" update or a "security" update. It
is neither.

WGA can cause serious system stability problems and I have chosen to NOT
install it on this system and I have chosen to HIDE it from all future
windows update sessions.

If I am being accused of being idiosyncratic or eccentric for NOT
wanting to install it, then by rights Microsoft can and should be
accused of being idiosyncratic (if not worse) for trying to PUSH it on
me in a way that breaks their own "hide update" mechanism.

In a well cared for system, you will have nothing to fear. The time for
raging at WGA has passed. I shared your outrage then. Now I must move
on. When you have more than a few systems to care for, you cleanse
those systems the best you can and tend to the more important things.
I have asked and have done research into the differences between a
system with a fully patched and up-to-date SP2 installation and one with
a fully-patched and up-to-date SP3 installation and have found pretty
much nothing.

Please tell how a fully patched and up-to-date SP3 system differs from
that of a fully-patched and up-to-date SP2 system. What extra
capabilities will the SP3 system have? What system vulnerabilities will
the SP2 system have that the SP3 system will not have?

It's not /usually/ the primary intent of a service pack to render
additional capabilities. However, SP3 provides better networking (NAP)
and system administration & security. Of course these may not be
important to you.

The day after your support runs out for SP2, you will need to determine
how to best support your now expired system(s). I'd call that a
vulnerability. There are just too many other things that will need
support and attention.

Again, on a properly cared for system, SP2 > SP3 won't harm the OS.

I've been where you are now. I had to move on. My best wishes for you.

Pete
 
1PW said:
In a well cared for system, you will have nothing to fear.

From what I've read, many people with a "well cared for" system (and a
legit product key) got ****ed over by WGA, some to the point that their
only recourse was to buy another license.
The time for raging at WGA has passed. I shared your outrage then.

Every time that Micro$hit escalates WGA, they bring back the rage.
When you have more than a few systems to care for, you cleanse
those systems the best you can and tend to the more important
things.

Cleanse?

What are you talking about?

You give your machines an enema?
However, SP3 provides better networking (NAP) and system
administration & security. Of course these may not be
important to you.

They are not. I think I looked at NAP, but I forget what the hell that
was.
The day after your support runs out for SP2, you will need to
determine how to best support your now expired system(s).

For how much longer will XP be supported - period? I thought it was 10
years after it was introduced - making it the fall of 2011. When is the
technical end-support date for SP2 vs SP3?
I'd call that a vulnerability.

That's why my main systems are still running win-98.
Again, on a properly cared for system, SP2 > Sp3 won't harm
the OS.

I just never understood what SP3 was supposed to do. If you're doing a
new install, then sure go with SP3 (has microsoft put a rolled-up
version of SP3 on the system-builder version of the XP cd)?

But when it comes to an existing system, again I fail to see how SP3
isn't just a set of IE and other rollups that you've already applied to
an existing SP2 machine when performing routine windoze updates.
I've been where you are now. I had to move on.
My best wishes for you.

Ok, see ya later Obiwan.
 
From what I've read, many people with a "well cared for" system (and a
legit product key) got ****ed over by WGA, some to the point that their
only recourse was to buy another license.

Your reading has been frightfully limited to the wrong material.

[snip]

For how much longer will XP be supported - period? I thought it was 10
years after it was introduced - making it the fall of 2011. When is the
technical end-support date for SP2 vs SP3?

Official free support for XP ends next month.

http://blogs.zdnet.com/microsoft/?p=2365
 
From what I've read, many people with a "well cared for" system (and a
legit product key) got ****ed over by WGA, some to the point that their
only recourse was to buy another license.

Then, those systems had been in some way(s) corrupted or incomplete.
Every time that Micro$hit escalates WGA, they bring back the rage.

Have you considered a popular Linux based system? A different set of
problems. But, no Microsoft influences like you are at odds with.
Cleanse?

What are you talking about?

You give your machines an enema?

Using all good tools and utilities, you perform all due diligence to
insure an uncorrupted, complete, and up to date system.
They are not. I think I looked at NAP, but I forget what the hell that
was.

If you don't have a need to network with other nearby computers, then
you probably would benefit.

Then you might benefit from the security (encryption) and administration
improvements and better help files.
For how much longer will XP be supported - period?

Different types of "Support" come in different flavors:

SP2: Your compatibility and installation support has run out.
SP3: Your compatibility and installation support runs out 14-APR-2009.

Receiving automatic Windows updates is a whole other issue.

I thought it was 10
years after it was introduced - making it the fall of 2011. When is the
technical end-support date for SP2 vs SP3?


That's why my main systems are still running win-98.

I agree. If that works for you, that's marvelous! W98SE is seldom
picked on by malware authors. Still - watch out for Conficker. You are
/not/ immune.
I just never understood what SP3 was supposed to do. If you're doing a
new install, then sure go with SP3 (has microsoft put a rolled-up
version of SP3 on the system-builder version of the XP cd)?

Improper SP3 "slip streaming" can lead to a worthless system.
But when it comes to an existing system, again I fail to see how SP3
isn't just a set of IE and other rollups that you've already applied to
an existing SP2 machine when performing routine windoze updates.

Your IE would be unaffected. If you had IE6, you keep IE6. However,
many would have you abandon IE for other browsers.
Ok, see ya later Obiwan.

The Force will be with you, always. --Obi-Wan

Pete
 
Jonathan said:
Official free support for XP ends next month.

That type of support is irrelevant for most people. If you haven't
noticed, when people have issues or problems with XP, they find a forum
to post it in. Nobody I know or work with has contacted Microsoft
for help or support for any OS.

It's the hotfixes and critical or security patches that are the issue
(the stuff that's pushed out by WindowsUpdates).

That end-date is still years away, and using SP2 doesn't influence your
access to those updates.
 
1PW said:
If you don't have a need to network with other nearby computers,
then you probably would benefit.

If I *don't* have any networked machines, then I *would* benefit from
NAP?

I don't get it.
Then you might benefit from the security (encryption) and
administration improvements and better help files.

We have 2 NT4 servers that just keep running week after week, month
after month. I rarely touch them.

We have 3 developers with their own machines that they "administer"
themselves. There's 2 or 3 shared servers that they also use.

There is really no machine in our shop that you can say is being
"administered" by anyone. The concept of administration is somewhat a
foreign concept for us. We don't have the need, or the time, for that
sort of shit. We have 1/2 dozen office systems running win-98, and 2 or
3 other systems running XP.
Different types of "Support" come in different flavors:

Most of which is irrelevant for most people. As I've said in my
previous post, nobody in our shop has ever contacted Micro$oft for any
support.

The deal-breaker for most people has always been -> when will
internet-based security vulnerabilities stop being patched.
Receiving automatic Windows updates is a whole other issue.

And for most people it's the *only* issue.

People will always continue to look at on-line forums for support. I
bet there is more "support" for win-98, 2K, and XP being delivered by
web forums and usenet than has ever been provided telephonically or via
e-mail directly from Microsoft.
I agree. If that works for you, that's marvelous! W98SE is
seldom picked on by malware authors. Still - watch out for
Conficker. You are /not/ immune.

What exploit does Conficker use to trigger a system to download the
real payload?

Many exploits (buffer over-runs for example) don't work (or don't work
"properly") on win-98. The recent .PDF exploits triggered within
Acrobat don't work on win-98 (I've tested them).
Improper SP3 "slip streaming" can lead to a worthless system.

My question was regarding Microsoft's own product (XP-pro, OEM,
SystemBuilder edition) which I've bought in the past, and for which the
last version was the SP2 version (SP2 slip-streamed). I'm asking if
their latest (and probably last) version of SystemBuilder OEM (which I
believe they are still selling until July 2009) has been changed to SP3.
Your IE would be unaffected. If you had IE6, you keep IE6.
However, many would have you abandon IE for other browsers.

The system I have in mind does indeed still have IE6, but I'm under the
impression that IE7 can be installed regardless if you have SP2 or SP3.
 
That type of support is irrelevant for most people. If you haven't
noticed, when people have issues or problems with XP, they find a forum
to post it in. Nobody I know or work with has contacted Microsoft
for help or support for any OS.

It's the hotfixes and critical or security patches that are the issue
(the stuff that's pushed out by WindowsUpdates).

That end-date is still years away, and using SP2 doesn't influence your
access to those updates.

Then why did you ask the question, bozo?
 
If I *don't* have any networked machines, then I *would* benefit from
NAP?

I don't get it.

That's because I ran out of beer. Should have put a "n't" in there
somewhere...
We have 2 NT4 servers that just keep running week after week, month
after month. I rarely touch them.

We have 3 developers with their own machines that they "administer"
themselves. There's 2 or 3 shared servers that they also use.

There is really no machine in our shop that you can say is being
"administered" by anyone. The concept of administration is somewhat a
foreign concept for us. We don't have the need, or the time, for that
sort of shit. We have 1/2 dozen office systems running win-98, and 2 or
3 other systems running XP.

Comes the day you lose one of your NT4 servers, think about going to a
CentOS 5 based solution. It's free, and the basic update support (Red
Hat Enterprise Linux) wouldn't run out for many years to come. It too
is as stable as a proverbial rock.
Most of which is irrelevant for most people. As I've said in my
previous post, nobody in our shop has ever contacted Micro$oft for any
support.

The deal-breaker for most people has always been -> when will
internet-based security vulnerabilities stop being patched.

Perhaps all of you are behind a well maintained NAT router.
And for most people it's the *only* issue.

People will always continue to look at on-line forums for support. I
bet there is more "support" for win-98, 2K, and XP being delivered by
web forums and usenet than has ever been provided telephonically or via
e-mail directly from Microsoft.

You are probably correct.
What exploit does Conficker use to trigger a system to download the
real payload?

Sp. -10 Conficker

Right this moment, I don't know what the latest
attack vectors are for Conficker.C, but they seem to all be Internet
based, however you will want to guarantee yourself that MS08-067 has
been installed in everything from water fountains to weed eaters well
before the end of the month, just for starters. :-)

<RAGE> I understand that if you want the officially supported MS08-067
for your NT4 servers, you'll have to *BUY IT* from Microsoft with a
valid NT4 custom support agreement! </RAGE>
Many exploits (buffer over-runs for example) don't work (or don't work
"properly") on win-98. The recent .PDF exploits triggered within
Acrobat don't work on win-98 (I've tested them).

My belief is that Windows 98 is not immune from the
Conficker/Downadup/Kido worm nor has a MS08-067 been written for it.
My question was regarding Microsoft's own product (XP-pro, OEM,
SystemBuilder edition) which I've bought in the past, and for which the
last version was the SP2 version (SP2 slip-streamed). I'm asking if
their latest (and probably last) version of SystemBuilder OEM (which I
believe they are still selling until July 2009) has been changed to SP3.

I honestly don't know. I'll beg for the kindness of others for this
knowledge. However, it's nearly as easy to disconnect the system from
the Internet, while it's being built, and then update from a previously
burned CD with the SP3 update. Presto!
The system I have in mind does indeed still have IE6, but I'm under the
impression that IE7 can be installed regardless if you have SP2 or SP3.

You are *absolutely* correct. I revived an old XP Pro system last week
and upgraded its IE6 to IE7 without trouble. If it's pre-SP3 you
wouldn't be able to roll back after an SP3 update though. However, if
you were to do the SP3 update and then go IE6 to IE7, I understand you'd
still be able to roll back.

Be safe!

Pete
 
1PW said:
Perhaps all of you are behind a well maintained NAT router.

Who isn't these days?

As for being "well maintained", I've never known a modem or router to
need maintaining. Perhaps I wipe the dust off it from time to time. I
keep my car well-maintained - does that count?

Certainly any shop with more than one PC has no choice but to be behind
a NAT router (unless you've got a /x IP subnet, but anyone with one of
those will also likely have more sophisticated network appliances in
place anyways).
Sp. -10 Conficker

I don't understand what "Sp. -10 Conficker" means or stands for.

How is Conficker currently being boot-strapped into affected machines?
Is it through the various .PDF exploits currently being hosted by hacked
websites? Is it by socially-engineered e-mail attachments?

Does a machine already need to be infected or part of a botnet in order
to receive and install Conficker?
Right this moment, I don't know what the latest attack vectors
are for Conficker.C, but they seem to all be Internet based,

Um, what vectors (that are worth bothering about) *aren't* internet
based?
<RAGE> I understand that if you want the officially supported
MS08-067 for your NT4 servers, you'll have to *BUY IT* from
Microsoft with a valid NT4 custom support agreement! </RAGE>

I'm sure any machine that can be patched via WU has been patched in our
shop. And MS08-067 doesn't pertain to win-98.

And I don't see how or why I need to bother about MS08-067 on our NT4
boxes, given that the exploit can't get through a NAT router.
My belief is that Windows 98 is not immune from the
Conficker/Downadup/Kido worm

That depends on what actions and what conditions are necessary to
install those things on a given system.

Most web browsers are configured to automatically spawn Acrobat within
the browser and render any PDF material that is found in-line in any web
pages that the user happens to be looking at. If the underlying
combination of OS, browser, and PDF-renderer are collectively not
compatible with the exploit mechanism being deployed (such as win-98)
then Conficker will not be able to be introduced to that machine via
that route. So again I ask what route or exploit is being used to
introduce or expose systems to Conficker?
My belief is that Windows 98 is not immune from the
Conficker/Downadup/Kido worm nor has a MS08-067 been
written for it.

Win-98 does not need a patch for MS08-067 because it does not host the
RPC services that are being exploited.
 
Who isn't these days?

Noobies. People who obtain computers and haven't the slightest notion
what malware is and what system security & protection is about.
As for being "well maintained", I've never known a modem or router to
need maintaining. Perhaps I wipe the dust off it from time to time. I
keep my car well-maintained - does that count?

Your car likes it. :-)

It's not unheard of that modems/routers need their firmware updated.
Certainly any shop with more than one PC has no choice but to be behind
a NAT router (unless you've got a /x IP subnet, but anyone with one of
those will also likely have more sophisticated network appliances in
place anyways).

Cost cutting can make managers do stupid things.

The router manufacturers do come out with occasional updates to their
firmware. The Linksys router I got last year got a firmware update few
weeks ago.
I don't understand what "Sp. -10 Conficker" means or stands for.

I took off ten points for the spelling error. However, you already made
it back by keeping your car well maintained. :-)
How is Conficker currently being boot-strapped into affected machines?
Is it through the various .PDF exploits currently being hosted by hacked
websited? Is it by socially-engineered e-mail attachments?

Exploiting old versions of wnetapi32.dll/netapi32.dll through Internet
attacks or by folks carrying it in through USB thumb drives, laptops,
portable USB HDDs, email and probably other vectors.
Does a machine already need to be infected or part of a botnet in order
to receive and install Conficker?

Yes. That's my understanding. The SRI folks, and others, have been
taking conficker/downadup/kido apart and found some astounding facts:

Um, what vectors (that are worth bothering about) *aren't* internet
based?

Folks bringing files in from outside via laptops, CDs, USB drives, thumb
drives, email...
I'm sure any machine that can be patched via WU has been patched in our
shop. And MS08-067 doesn't pertain to win-98.

But careful! We've read that Windows 95/98 is *not* immune.
And I don't see how or why I need to bother about MS08-067 on our NT4
boxes, given that the exploit can't get through a NAT router.

I don't know that it can't! Poorly managed networks are one of the ways
it gets in.
That depends on what actions and what conditions are necessary to
install those things on a given system.

Most web browsers are configured to automatically spawn acrobat within
the browser and render any PDF material that is found in-line in any web
pages that the user happens to be looking at. If the underlying
combination of OS, browser, and PDF-renderer are collectively not
compatible with the exploit mechanism being deployed (such as win-98)
then Conficker will not be able to be introduced to that machine via
that route. So again I ask what route or exploit is being used to
introduce or expose systems to Conficker?

tcp/udp 445? Perhaps port 445 should be blocked in your router(s)?

Perhaps you can closely read the following:

<http://mtc.sri.com/Conficker/addendumC/index.html>

However, this work is still in progress.
Win-98 does not need a patch for MS08-067 because it does not host the
RPC services that are being exploited.

I'd love to believe it's that simple. However, I have the feeling it's not.

No less than Avira states that even Windows 95 is not immune. I'd
rather not bet against them.

<http://www.avira.com/en/threats/section/fulldetails/id_vir/4474/worm_conficker.html>

I'd hate to hear from you later that your shop got hit by this... but
somehow I think all my evangelism is misplaced. Yes?


Pete
 
1PW said:
Noobies. People who obtain computers and haven't the slightest
notion what malware is and what system security & protection is
about.

I don't think you can make a blanket statement like "noobies are likely
to not be behind a NAT router".

It's my impression that the majority of residential cable and DSL modems
have been shipping with NAT functionality turned on for the past 3 to 5
years, if not more. And certainly anyone with more than 1 machine
connected to the internet will de facto be using a NAT router. A noobie
may not know what a NAT router is, but he probably is behind one.
It's not unheard of that modems/routers need their firmware updated.

Yes - but modems / routers are still low on the totem-pole of
exploitability.
Exploiting old versions of (...) or by folks carrying it in
through USB thumb drives, laptops, portable USB HDDs, email
and probably other vectors.

I tend not to focus on the currently-circulating malware, but instead
focus on the exploit vectors that enable that malware to be bootstrapped
into a system. In that regard, I don't see how Conficker is doing
anything new or novel or that I need to do new or different things to
prevent it from entering my PCs.
Yes. That's my understanding.

So Conficker is not really a threat (to me anyways).

Anyone who is vulnerable to Conficker has already lost the war (ie
they're already infected by something).

Folks bringing files in from outside via laptops, CDs, USB drives,
thumb drives, email...

So what are you going to do?

Cut people's hands off?

Pour epoxy into their corporate USB, optical and floppy drives?

If the corporate e-mail system is already locked down, then what more
can you do? Go back to typewriters and adding machines?
But careful! We've read that Windows 95/98 is *not* immune.

Microsoft's security bulletins are legendary at *claiming* that a given
bulletin applies to Windows 98 in the introductory statements of the
bulletin. But when you drill down into the details, the only mention of
98 you'll find is a bland statement that simply repeats MS's support
policy and support life-cycle for windows 98. That is the case for
MS08-067.

If that's how you've read that win-98 is *affected* by the MS08-067
bulletin, I suggest you look deeper, or elsewhere, for something really
definitive regarding MS08-067 and Win-98. My position is that such
material doesn't exist, mainly because win-98 doesn't replicate the RPC
server service as NT-based OS's do.
I don't know that it can't! Poorly managed networks are one of
the ways it gets in.

Management shmanagement.

RPC-based exploits can't get past a NAT-router. If an internal PC has
been hacked and is hosting an RPC-based exploit then you've already
failed at some level.
tcp/udp 445? Perhaps port 445 should be blocked in your
router(s)?

Don't you know how a nat-router works?

It blocks ALL unsolicited external packets from entering your LAN,
regardless of the port number. That means all netbios ports too.
I'd love to believe it's that simple. However, I have the feeling
it's not.

Win-98, either by design or just sheer dumb luck, is not vulnerable to
any known network worm. Period.

You can take a win-98se CD, circa 1999, and install it on a PC, using
its default settings, turn that PC on, connect it directly to the
internet (no AV software, no firewall, no NAT router) and then just
watch. Nothing will happen. There is no known netbios or RPC or SQL
injection that can infect it. Now, if you attempted the same thing with
Win2K or XP-gold, XP-sp1, then your machine would be "owned" within 20
minutes (google "internet survival time").

Win-98 owes a great deal of that invulnerability to the fact that file
and print sharing is not enabled by default, but it is in win-2k and
XP. Even with file and print sharing turned on, I'm not sure if that
can be leveraged to take control of a win-98 machine anyways.
No less than Avira states that even Windows 95 is not immune.

The fact that I can take conficker.exe and put it on any machine and
run it and it will run is not very useful information.

I can take calc.exe and put it on any machine and it will run too.

What is more important to know is - what does it take to actually put
and then execute conficker.exe on a system without the user's knowledge
or conscious effort? Explain how that happens on a win-95 or win-98
system.
 
I don't think you can make a blanket statement like "noobies are likely
to not be behind a NAT router".

It's my impression that the majority of residential cable and DSL modems
have been shipping with NAT functionality turned on for the past 3 to 5
years, if not more. And certainly anyone with more than 1 machine
connected to the internet will de facto be using a NAT router. A noobie
may not know what a NAT router is, but he probably is behind one.

About 18 months ago, I had Comcast activate their lowest tier
"High-Speed Internet" at my residence. Their local offices don't reveal
that a Linksys router can be requested, so I was leased a rebadged
DOCSIS 2.0 Scientific-Atlanta DPC2100. My oldest son received the exact
same model cable modem when Comcast recently set him up in a near-by
community (differing Comcast office). My daughter too. Also in a
different near-by community w/yet a different Comcast office.

I guess YMMV.
Yes - but modems / routers are still low on the totem-pole of
exploitability.

Let me make sure I tell that to the poor folk that were infested with
the later versions of the Zlob trojan. I don't believe they will be
comforted. But - yes. Perhaps that fad had faded.
I tend not to focus on the currently-circulating malware, but instead
focus on the exploit vectors that enable that malware to be bootstrapped
into a system. In that regard, I don't see how Conficker is doing
anything new or novel or that I need to do new or different things to
prevent it from entering my PCs.


So Conficker is not really a threat (to me anyways).

Anyone who is vulnerable to Conficker has already lost the war (ie
they're already infected by something).

Not necessarily. We still hear that large commercial organizations have
their IT departments vet any and all changes in a laborious process.
Yes - I understand the need for such an action but this is a slow
process in some shops hit by reduced budgets and layoffs. It's rumored
a "very large" telecom in England suffered this fate and was caught
without the benefit of MS08-067. Conficker may have also taken a toll
with the French Air Force.
So what are you going to do?

Permit your computer techs to carry a loaded side arm.
Cut people's hands off?

Soundly scold them in public. Then shoot them, or worse. :-)
Pour epoxy into their corporate USB, optical and floppy drives?

Lashings don't seem too harsh. :-) That is exactly one of the
vectors that can take an organization down.

Seriously. Go through a rigorous IT hardening process as if you worked
within the bowels of the NSA itself.

Have all employees read and sign acceptable use policies.

Then, educate, educate, educate.
If the corporate e-mail system is already locked down, then what more
can you do? Go back to typewriters and adding machines?

Make sure that the email really is locked down.
Microsoft's security bulletins are legendary at *claiming* that a given
bulletin applies to Windows 98 in the introductory statements of the
bulletin. But when you drill down into the details, the only mention of
98 you'll find is a bland statement that simply repeats MS's support
policy and support life-cycle for windows 98. That is the case for
MS08-067.

If that's how you've read that win-98 is *affected* by the MS08-067
bulletin, I suggest you look deeper, or elsewhere, for something really
definitive regarding MS08-067 and Win-98. My position is that such
material doesn't exist, mainly because win-98 doesn't replicate the RPC
server service as NT-based OS's do.

At this point, I'd rather err on the side of caution when a reputable
firm like Avira says that Conficker can involve itself with the W95 &
W98 platforms.

<http://www.avira.com/en/threats/section/fulldetails/id_vir/4474/worm_conficker.html>

When the final SRI (or someone's) analysis of Conficker.C is published,
perhaps we will know more.
Management shmanagement.

RPC-based exploits can't get past a NAT-router. If an internal PC has
been hacked and is hosting an RPC-based exploit then you've already
failed at some level.

...and firewalls can be penetrated.
Don't you know how a nat-router works?

I don't know if you use a NAT router there. Is locking down port 445 in
all the systems behind your router plausible?
It blocks ALL unsolicited external packets from entering your LAN,
regardless of the port number. That means all netbios ports too.


Win-98, either by design or just sheer dumb luck, is not vulnerable to
any known network worm. Period.

You can take a win-98se CD, circa 1999, and install it on a PC, using
its default settings, turn that PC on, connect it directly to the
internet (no AV software, no firewall, no NAT router) and then just
watch. Nothing will happen. There is no known netbios or RPC or SQL
injection that can infect it. Now, if you attempted the same thing with
Win2K or XP-gold, XP-sp1, then your machine would be "owned" within 20
minutes (google "internet survival time").

Win-98 owes a great deal of that invulnerability to the fact that file
and print sharing is not enabled by default, but it is in win-2k and
XP. Even with file and print sharing turned on, I'm not sure if that
can be leveraged to take control of a win-98 machine anyways.


The fact that I can take conficker.exe and put it on any machine and
run it and it will run is not very useful information.

I can take calc.exe and put it on any machine and it will run too.

What is more important to know is - what does it take to actually put
and then execute conficker.exe on a system without the user's knowledge
or conscious effort? Explain how that happens on a win-95 or win-98
system.

My understanding is that it's a .dll file with a randomized filename.

I hope you don't have a tale of woe after 4/1 to tell.

Pete
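The exchange above turns on two claims: XP Guy's, that a NAT router drops every unsolicited inbound packet regardless of port, and Pete's, that this does nothing once a worm is carried in on a laptop or USB drive, so port 445 should also be closed on each host. The following simulation is an added example written for this page, not code posted by anyone in the thread. It models a port-translating router with a per-flow state table and a minimal per-host inbound filter, then runs three constructed packet flows through them. The addresses (a 192.168.1.0/24 LAN, 203.0.113.5 as the WAN side, 198.51.100.x as remote hosts) and the flow-table behaviour are simplified assumptions, not a description of any particular router product.

```python
"""Stateful NAT vs. lateral spread: constructed packet simulation (example, not from the thread)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, replace

SMB_PORT = 445       # the port MS08-067 / Conficker traffic arrives on
NETBIOS_SSN = 139


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True for a TCP connection request


class NatRouter:
    """Port-address translation with a flow table (assumed, simplified model).

    Only flows opened from the LAN side get a table entry; a packet arriving
    from the WAN that matches no entry is dropped, whatever its port.
    """

    def __init__(self, lan_cidr: str, wan_ip: str, first_port: int = 40000):
        self.lan = ipaddress.ip_network(lan_cidr)
        self.wan_ip = wan_ip
        self.next_port = first_port
        # (proto, wan_port) -> (lan_ip, lan_port, remote_ip, remote_port)
        self.table: dict[tuple[str, int], tuple[str, int, str, int]] = {}

    def in_lan(self, ip: str) -> bool:
        return ipaddress.ip_address(ip) in self.lan

    def forward(self, pkt: Packet) -> tuple[str, Packet | None]:
        """Return (verdict, packet as it leaves the router, or None if dropped)."""
        src_lan, dst_lan = self.in_lan(pkt.src), self.in_lan(pkt.dst)
        if src_lan and dst_lan:
            # LAN-to-LAN traffic is switched locally; the router never sees it,
            # so NAT offers no protection against an infected neighbour.
            return "lan-local", pkt
        if src_lan:
            # Outbound: reuse or allocate a WAN port and remember the flow.
            flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            key = next((k for k, v in self.table.items()
                        if k[0] == pkt.proto and v == flow), None)
            if key is None:
                key = (pkt.proto, self.next_port)
                self.next_port += 1
                self.table[key] = flow
            return "outbound", replace(pkt, src=self.wan_ip, sport=key[1])
        # Inbound from the WAN: only a reply matching a live flow is translated.
        entry = self.table.get((pkt.proto, pkt.dport))
        if entry and entry[2] == pkt.src and entry[3] == pkt.sport:
            lan_ip, lan_port, _, _ = entry
            return "inbound-reply", replace(pkt, dst=lan_ip, dport=lan_port)
        return "dropped-unsolicited", None


def host_accepts(pkt: Packet, blocked_inbound: frozenset[int]) -> bool:
    """Per-host inbound filter: refuse connection requests to blocked ports."""
    return not (pkt.syn and pkt.dport in blocked_inbound)


def run_scenarios() -> dict[str, str]:
    """Three constructed flows: an Internet probe, a web reply, and lateral SMB."""
    nat = NatRouter("192.168.1.0/24", "203.0.113.5")  # constructed addresses
    results: dict[str, str] = {}

    # 1. A worm somewhere on the Internet probes the WAN address on 445.
    probe = Packet("tcp", "198.51.100.77", 51000, "203.0.113.5", SMB_PORT, syn=True)
    results["internet_probe_445"] = nat.forward(probe)[0]

    # 2. A LAN host opens a web connection; the reply matches state.
    out = Packet("tcp", "192.168.1.10", 50123, "198.51.100.9", 80, syn=True)
    _, xlated = nat.forward(out)
    reply = Packet("tcp", "198.51.100.9", 80, xlated.src, xlated.sport)
    verdict, delivered = nat.forward(reply)
    results["web_reply"] = f"{verdict}->{delivered.dst}:{delivered.dport}"

    # 3. An infected laptop plugged into the LAN scans a neighbour on 445.
    lateral = Packet("tcp", "192.168.1.50", 49152, "192.168.1.10", SMB_PORT, syn=True)
    verdict, on_wire = nat.forward(lateral)
    results["lateral_verdict"] = verdict
    results["lateral_445_no_hostfw"] = (
        "accepted" if host_accepts(on_wire, frozenset()) else "blocked")
    results["lateral_445_hostfw"] = (
        "accepted" if host_accepts(on_wire, frozenset({SMB_PORT, NETBIOS_SSN})) else "blocked")
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The first two scenarios reproduce the NAT behaviour XP Guy describes: the probe to 445 has no matching flow and is dropped, while the web reply is translated back to the originating host. The third scenario is Pete's objection in miniature: the router's table is never consulted for LAN-to-LAN traffic, so the only thing standing between a carried-in infection and its neighbours is the per-host filter on 445 and 139.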
 
Jonathan said:
You posted at least two... and they are showing up here.

But I know WTF I'm doing.

If you knew what the **** you were doing, then you'd realize that I
wasn't talking about posts to this newsgroup, you shithead.

Go back and read the post.
 