Monday, August 30, 2004, 1:37:40 AM, I wrote:
XP Service Pack 2 very effectively stomps on zombies. Everything that
wants to accept incoming Internet connections, or establish new
outgoing ones, requires the user to manually accept this behavior - by
default. There must be lots of unhappy hackers this week, as they
watch their hard-earned zombie armies being cut down like flies
:-))
g> Most people select "Ok" or "Yes" when given a choice.
g> They just have no idea what the question is about.
g> In most cases they got the zombie by clicking "Ok" or "Yes"!
g> I bet they will allow the zombie to access the internet.
Correction - only things that want to establish new outgoing
connections prompt the user. Everything accepting *incoming*
connections is completely (silently) blocked - the user (aka zombie PC
owner) would need to manually go into his control panel security
settings, and add the name of the executable (from a list of every
registered .EXE he's installed on his hard drive) of the zombie into
the manual "server allow list" before the rogue code (usually a Socks
proxy) will again accept any incoming connections.
Even all ICMPs are blocked by default.
Typical Microsoft overreaction? - yes.
Secure? - hmm - at least for as long as it takes someone to find a new
exploit in their firewall code...
I notice "ethereal" can still see everything coming in, despite the
firewall, so I guess future zombie code will be smarter still :-(
Chris.