2005/04/08

The Dangers of Broadband

A couple of days ago I decided to revitalise an old laptop that had been sitting dormant for a while. It had an old copy of XP that (long story) had a dubious Product Key, so wouldn't upgrade to newer versions. Since I had a spare (real) copy lying around I booted from this and did a recovery - that installed the new Product Key while hopefully maintaining all the programs etc that had been installed. That actually went very well, slow, but well.

Next step run Windows Update and get the system into a reasonable state, again slow (just due to the system - there's a fast broadband connection) but all went well. Then install Microsoft's new Anti spyware system and Grisoft's AVG (free version while testing). They immediately showed problems, a virus and lots of spyware. Several attempts at scanning and deleting just didn't seem to work. Unplugging the LAN connection did improve things but as soon as the Ethernet was reconnected up pops the spyware. Something was badly wrong. Leave it until morning ...

Next decision was to completely reinstall XP (actually SP1), plug the system in and leave XP installing. After the initial load of CD, XP reported 39 minutes remaining - which took more like 2 hours, but at least it could just get on with it. Then do the updates etc. and install the Anti spyware software. Somehow the system had become infected again. I'd guess that either the original spyware reports itself to a site which then probes you, or the system was just randomly attacked (probably the former). It seems that when XP is installing it leaves NetBIOS turned on which since it's unpatched at that point leaves the system open to attack.

This had taken most of the morning and dragged into the early afternoon. But since I couldn't get rid of the spyware - another reinstall. This time I unplugged the system from the LAN and started again. I also made sure I had SP2 and the anti spyware/virus software on CD. Eventually XP installed and then installed the software (which noticed NetBIOS was turned on and turned it off) and did the local SP2 upgrade. It was now evening but it seemed to work. SP2 comes with a pretty lame firewall, but at least it's a firewall so I made sure that was running, then plugged the system into the LAN. No spyware/virii appeared and I managed to get the system updated. It's been like that ever since.

I also happen to run a Samba server (which is an open source file/print sharing system for UNIX that emulates a Microsoft Domain controller) so I can keep important files centrally. I decided I'd check the logs, and lo and behold there have been consistant attempts to connect to it. As a precaution I've always only allowed machines on the local network to connect, but I'm sure if it had been left open it would have been severely comprimised by now.

I'm now going to start filtering at the router connection to my broadband provider. It may make things slightly more restrictive, but stopping external probes and even attacks is more important. It shows that there are nasty things at work on the Internet.

The moral of the story is run a firewall if possible at border of you and your broadband provider, if not firewall every PC that connects to the Internet.

No comments: