echo: alt-comp-anti-virus
to: ALL
from: VIRUS G_U_Y
date: 2015-05-10 23:32:00
subject: Internet Survival time (w

MadAdmin wrote:
 
> I do recall building a new Win2K box in the DMZ and went to download
> SP1 and it got infected.... SO had to download the SP from another
> machine and rebuild the box again. I forget which bug that was but
> obviously I'd forgotten it was loose when I did that....

The phenomenon of Windoze 2k and XP systems that were hacked by worms
faster than their first round of updating could be performed was
measured in terms of how long those systems could be exposed to a
network (either local LAN or the internet at large).  That measurement
was known as the "internet survival time", and it was measured in
minutes.

===========================
Internet Survival Time by Sophos

Anti-virus company Sophos published their own statistic regarding
"internet survival time". Their number was 12 minutes. The survival time
currently reported by dshield.org is 31 minutes. Their story also has
some interesting statistics on the number of viruses in the first half
of 2005 compared to last year. But don't let it spoil your weekend. If
you are in the security field professionally, just think of it as job
security.

https://isc.sans.edu//diary.html?date 05-07-01

=============================

1 July 2005

Virus writing on the up as average time to infection spirals down

Sophos charts virus activity for first six months of 2005

Sophos, a world leader in protecting businesses against viruses and
spam, has revealed results of its comprehensive research into the last
six months of virus activity. In 2005 so far, Sophos has detected and
protected against 7,944 new viruses - up 59% from the first six months
of last year.

In line with this substantial increase in virus writing, is the rapidly
decreasing average time to infection. There is now a 50% chance of being
infected by an internet worm in just 12 minutes of being online using an
unprotected, unpatched Windows PC.  (they mean NT-based Windows PC - but
they always fail to explicitly state that).
=============================

Even back in 2005, they constantly tried to confuse the issue of NT's
vulnerability compared to 9x/me by simply referring to NT-based windows
as simply "windows".

The truth is that Win-9x/me was not vulnerable to any of the known 5 or
6 families of network-based worms.  You could take a default install of
win-98, connect it to the internet, give it a DMZ or directly-routable
IP address, perform NO updates on it, and no worm could touch it.

Contrast that with Win-2K or XP.  Do the same thing, and before your
first round of updates could be downloaded, your system would already be
compromised.

===============================
The longstanding Zafi-D worm accounts for more than a quarter of all
viruses reported to Sophos so far this year. Dominating the top of the
monthly virus charts for the first four months, this Hungarian worm uses
the guise of a Christmas greeting to trick users into opening its
infected attachment.

"Most surprising is that Zafi-D managed to hang around long after the
festive season and well into the Spring," said Graham Cluley, senior
technology consultant at Sophos. "It's only in the last two months that
Zafi-D has started to lose its stranglehold on the chart, but it's still
a significant threat."

The bilingual Sober-N, which takes third place on the six-month chart
having first emerged in May, stormed to the top of the virus chart last
month - finally knocking Zafi-D from the top spot. Posing as tickets to
the 2006 World Cup in Germany, Sober-N compromised thousands of PCs in
40 countries.

Sober-N waited silently in the background of infected PCs, before
upgrading itself to a newer version in order to churn out German
nationalistic spam from the compromised, 'zombie' computers.

"The Sober family of worms show just how much damage can now be done
through a zombie machine," said Cluley. "The combined effort of
spammers, virus writers and their zombie armies are certainly a force to
be reckoned with. Increasingly, legitimate organisations are being
thrown into the firing line - finding themselves being identified as
sources of spam."

"The threats are consolidating - it's becoming more blurred as to whether
something is a spam, a spyware, a phish, or a virus problem. Businesses
must ensure they are protected against all of these threats," continued
Cluley. "Furthermore, it makes sense to source your security solution
from a vendor who has expertise in all of these areas in-house -
allowing nothing to slip through the net."

Another old-timer, Netsky-P, which was the hardest-hitting virus of
2004, has enjoyed an extremely long reign near the top of the virus
chart so far in 2005. German teenager Sven Jaschan, who admitted writing
the Netsky and Sasser worms more than a year ago, will face trial next
week for computer sabotage, data manipulation and disruption of public
systems.

"Even though Jaschan's worms continue to spread and cause problems for
many computer users, he's likely to avoid a prison sentence because of
his age," said Cluley. "When comparing a dumb teenager with other
internet criminals who plot to steal millions of credit card details or
bank account information from infected PCs, it's clear who should get
the harsher sentences."

2005 has so far seen several highly publicised arrests relating to
computer crime. In May, Israeli police managed to track down a
London-based couple, who were arrested for writing malicious software
that was used by Israeli companies to spy on their competitors. The
previous month saw the arrest of a Cypriot man who spied on a 17-year-old girl
via her webcam after infecting her PC with a Trojan horse. A similar
scenario resulted in a Spanish student being fined.

Sophos has seen a threefold increase in the number of keylogging Trojans
so far this year. Trojans are delivered to target organisations via
email attachments or links to websites. They are often used by remote
hackers to steal privileged information and very often, to launch
further attacks. In June, an NISCC investigation, which Sophos assisted
with, found that nearly 300 UK government departments and businesses
have been the subject of Trojan horse attacks.

"What we are witnessing is a stampede of new Trojan horses every day,"
said Cluley. "Although some familiar worms have a tight grip on the
charts, the growth in Trojan horses is perhaps the most significant
development in malware-writing. Trojans don't normally make the charts
because they don't spread under their own steam, and are increasingly
being used for targeted attacks designed to make money or steal
information."

The prevalence of organised computer crime is higher than ever. The
attempted breach at the Sumitomo Mitsui bank in London and the
MasterCard hack are prime examples of the continued trend towards
financially motivated computer crime.

Variants of the Mytob worm are also prevalent in the chart at sixth and
eighth places. More recent versions of the worm have adopted a new
trick, most commonly used by phishers, which includes a faked web link
pointing to the malicious code. Each new Mytob variant has been tweaked
slightly differently, which indicates that the authors may be searching
for the elements of their malicious code that will help them create a
super worm. Sophos believes that it is unlikely that we have seen the
last of this family of worms.

The total number of viruses protected against by Sophos now stands at
106,218. 

http://web.archive.org/web/20051101010532/http://www.sophos.com/pressoffice/pressrel/uk/midyearroundup2005.html
===================================
--- NewsGate v1.0 gamma 2
* Origin: News Gate @ Net396 -Huntsville, AL - USA (1:396/4)

SOURCE: echomail via QWK@docsplace.org
