Slashdot Mirror


Survival Time for Unpatched Systems Cut by Half

UnderAttack writes "The Internet Storm Center published a graph showing historic trends for the "Survival Time" of unpatched, unprotected (windows) computers connected to the internet. Turns out, this number dropped from about 40 minutes last year, to 20 minutes this year. The survival time is calculated as the average time between reports for an average target IP address. If you are assuming that most of these reports are generated by worms that attempt to propagate, an unpatched system would be infected by such a probe. The data is collected from a large number of networks with different types of upstream protection. So if you are on an unprotected cable/DSL line, you may see probes much more frequently. Either way, 20 minutes is not long enough to download patches. The Honeynet Project did publish a paper with some stats back in 2001."
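The survival-time metric as the summary defines it (the average gap between inbound-probe reports for the same target IP), worked through as an added example in Python; the log format and the report lines are constructed for illustration and are not ISC data or code. A target reported only once yields no interval, so it is left out rather than counted as zero.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample of inbound-probe reports (illustrative, not ISC data).
# Fields: date time target_ip source_ip dst_port
SAMPLE_REPORTS = """\
2004-08-17 10:00:00 198.51.100.10 203.0.113.5  135
2004-08-17 10:15:00 198.51.100.10 203.0.113.77 445
2004-08-17 10:40:00 198.51.100.10 203.0.113.9  135
2004-08-17 10:05:00 198.51.100.20 203.0.113.5  445
2004-08-17 10:25:00 198.51.100.20 203.0.113.42 135
2004-08-17 11:00:00 198.51.100.30 203.0.113.5  135
"""


def parse_reports(text):
    """Group report timestamps by target IP, sorted in time order."""
    per_target = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, target, _source, _port = line.split()
        per_target[target].append(datetime.fromisoformat(f"{date} {clock}"))
    return {ip: sorted(stamps) for ip, stamps in per_target.items()}


def _gaps_minutes(stamps):
    """Minutes between consecutive reports for one target."""
    return [(b - a).total_seconds() / 60 for a, b in zip(stamps, stamps[1:])]


def per_target_survival_minutes(text):
    """Mean report-to-report gap per target IP; a target seen only once
    produces no interval and is omitted (not treated as a zero gap)."""
    result = {}
    for ip, stamps in parse_reports(text).items():
        gaps = _gaps_minutes(stamps)
        if gaps:
            result[ip] = mean(gaps)
    return result


def survival_time_minutes(text):
    """The summary's 'survival time': average gap between reports for an
    average target, i.e. the mean over all per-target intervals."""
    all_gaps = []
    for stamps in parse_reports(text).values():
        all_gaps.extend(_gaps_minutes(stamps))
    return mean(all_gaps) if all_gaps else None


if __name__ == "__main__":
    print(f"overall survival time: {survival_time_minutes(SAMPLE_REPORTS):.1f} min")
    for ip, minutes in per_target_survival_minutes(SAMPLE_REPORTS).items():
        print(f"{ip}: {minutes:.1f} min between probes")
```

Note that this measures time between probes reaching a target, not time to compromise; whether a given probe would actually infect the host depends on which service it hits, as the later comments point out.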

31 of 460 comments

  1. Patch CDs by Oculus Habent · · Score: 4, Insightful

    Microsoft should make Patch CD ISOs available. You could swing by a friend's house and get one, drop into your local computer store and have them burn you one for a few bucks, or pick up a Microsoft produced copy at your local gas station, like AOL CDs.

    --
    That what was all this school was for... to teach us how to solve our own problems. -- janeowit
    1. Re:Patch CDs by Jarnis · · Score: 4, Informative

      They do. At least in Europe retailers are giving out 'Microsoft Windows Security Update' CDs. Works on any Windows version, but sadly is not quite up to date on XP patches anymore. Next edition is coming soon (called 'Windows XP Service Pack 2 CD') - I fully expect MS to hand out those for free via retailers as well. You can already order one via the MS webpage.

    2. Re:Patch CDs by networkBoy · · Score: 4, Funny

      You know? That's actually a good idea . . .
      which means it'll never happen
      -nB

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    3. Re:Patch CDs by YrWrstNtmr · · Score: 4, Informative

      err...they do. Free. Not as continuously up to date as it might be, but they do have them.

      hmm...or rather, they did.

    4. Re:Patch CDs by moojuece · · Score: 5, Interesting

      I'm just trying to understand how you don't see the need to reinstall the OS 'every few months' as being a problem.

      Not trying to start a flame/OS/holy war, but I would definitely see this as a problem.

  2. WinXP SP2 slipstreamed CD for the win! by Jarnis · · Score: 4, Informative

    Install the Windows XP off a CD that includes SP2 slipstreamed in, and your survival time online 'unpatched' goes up dramatically. Something about a reasonably good firewall that is turned on by the default installation...

  3. 20 minutes?? by AnswerIs42 · · Score: 5, Interesting
    Try 50 seconds :(

    No, not joking. At work, somewhere, there is an infected computer, and while rebuilding a computer I plugged it in to run the updates for 2K and antivirus. Less than a minute after plugging it in, I was crashing and burning.

    Had to go to a patched computer, download the needed updates and burn them to CD and update the computer that way first before plugging it onto the network.

    REALLY annoying... and when I find the user with the infected computer... well, let's say I'll have a new storage location for this dead notebook hard drive...

    1. Re:20 minutes?? by It'sYerMam · · Score: 4, Informative

      Also, it's trivial to download a better firewall on another computer, smack it onto USB drive/CD and install that. Unlike downloading all the patches, which is not trivial at all.

      --
      im in ur .sig, writin ur memes.
  4. Is anyone else... by ScytheBlade1 · · Score: 5, Interesting

    ...not surprised at all? This isn't intended to be a troll, but back when Blaster was "new" and I was formatting, I was hit three times within two minutes of booting, which gave me a whopping 3 minutes to download (not an issue) and install (BIG issue) the corresponding patch.

    In the end I had to swap some CD burners around, download+burn the patch, and then unplug the box from the internet while booting.

  5. Dodgy assumptions by Westley · · Score: 4, Insightful

    The name "survival time" suggests that it's the average amount of time an unpatched system would last before being compromised. That assumes that every single worm targets every single unpatched system, and is always successful. That's not exactly realistic - many worms target specific programs which may well not be on the unpatched system, or target specific operating system versions.

    It would be much more interesting to see average compromise times for a vanilla install of various different OS versions (with no ISP protection, of course). In the mean time, the name should be changed, in my view.

  6. Update during Install by funkdid · · Score: 5, Insightful

    Microsoft should have an auto-update during install feature. (If you have broadband). During the install process it could run the windows update, blah blah blah once your nic was initialized for the first time and IP granted etc.

    --

    I boycott signatures

    1. Re:Update during Install by kuiken · · Score: 4, Informative

      Chances are you will get infected before the install is finished then.

      The trick is easy though:
      1) unplug network
      2) install XP
      3) install firewall or activate built-in FW
      4) plug in and configure network
      5) patch the system

      There, 5 easy steps for a "safe" install.

      --

      42
  7. Ditto by Moth7 · · Score: 4, Interesting

    I had a similar problem (albeit with a home box) under XP. The worst of it is that you can't just download the update installer and unplug the 'net connection because the installer itself does downloading. Since the other two boxes in my house run Gentoo and Redhat I couldn't download the patches from there (Does this look familiar?) and had to just race against time for 5 or 6 attempts before it worked.

    1. Re:Ditto by karnal · · Score: 4, Informative

      Read the bottom of that page...

      " If you prefer to use a different Web browser, updates to Windows may be downloaded from the Microsoft Download Center."

      With a link within the text "Microsoft Download Center." I'm guessing you can at least get some necessary patches from there (SP's, some critical patches) before letting your machine full-bore on the 'net without a firewall.

      I know there are some home users out there that still aren't natting or using some sort of stateful firewall, but come on - you have 2 linux boxes there and can't get a nat to work? Hell, I'll buy you a linksys, they're getting darn cheap after rebates nowadays.

      --
      Karnal
  8. Hardware firewall by pqdave · · Score: 5, Informative

    This is why the average broadband connection should be behind at least a consumer router, even if it's the only machine connected. Routers are too cheap and easy to skip.

  9. Re:C'mon now! The patch is out! by hattig · · Score: 4, Insightful

    Thing is, both MacOS and Linux have had numerous RELEASE updates in the time that Microsoft hasn't changed anything with the default XP install CD. Which means that if you need to reinstall XP now, you run the risk of being pwned, but if you install Linux or MacOS, you will be doing it from a much more recent CD that is far less susceptible.

    I don't know how often Mac users reinstall, but if they had to, and their hardware was good enough, I'm sure that they'd upgrade to the latest version at the same time. You simply can't do that with Windows, you have your 3 year old install CD. Of course, you didn't have to pay $120 each year since like with MacOS X, although you did get extra features with that as well as bug fixes.

    I doubt that many people would burn a specialised SP2 CD and do it right. Human nature - their current system has it installed via Windows Update, why download it again as a whole? They probably wouldn't even know about it.

  10. But there is a secure microsoft system! by swordofstars · · Score: 4, Funny

    Microsoft Replies: In light of this new data, we would like to announce a new, more secure operating system. It is based on our Windows ME technology. By simply accelerating the timer for the essential bluescreen feature we feel confident that NO hacker will be able to make use of a corrupted machine.

    Further, we are offended by all the FUD spread about our products by the open source community. Our security features include an expanded install size, which severely limits the space available on disk to anyone who co-opts your computer for use as an illicit server.

    Also, the times recorded by this survey are non-relevant and obviously flawed. They claim that their machines were only compromised after more than 15 minutes of CONTINUOUS uptime. This simply does not occur on our new ME+ variant. We cannot accept responsibility for those who remove our essential security features by removing 'buggy' components, or running a 'stable' GUI.

    End Sarcasm;

  11. Low survival time by yamla · · Score: 4, Interesting

    The record shortest survival time, last time I checked, at the University of Alberta is four seconds. That's from the time they plugged in an unprotected Windows XP machine until the time it was compromised.

    That's not enough time to engage your software firewall pre-SP2. I'm not sure of the condition post-SP2.

    --

    Oceania has always been at war with Eastasia.
    1. Re:Low survival time by Darth_brooks · · Score: 4, Insightful

      Walk down the street in downtown Detroit counting $20 bills and see how long it takes for you to get mugged. Then do the same on Main Street in West Bumblefuck, Iowa (population 15, if'n Pastor Smith isn't out of town). Betcha you last longer in Iowa. In other words, that time is probably dependent on how nasty the computing environment is.

      IIRC Sasser and Blaster chose their target IPs at random, starting with IP addresses in the same subnet then moving to random IPs. So if a machine gets infected four seconds after it's plugged in, that's not just a product of how poorly secured Windows is, it's also a product of U of Alberta having a network chock full of RPC 'sploiting goodness. Now, if they'd have plugged in the same in an environment that had been properly patched, firewalled, etc., the box would've been fine for hours, days, or maybe it would've never been compromised at all.

      Firewall and Snort logs can give you the true tale of the tape. Some days my home firewall (SBC residential DSL) is turning away worm attempts like a goalie on speed. Other days I go 10-12 hours without so much as a nibble or a port scan.

      But it is so much fun to talk about how "WIUNDOWS IS TEH GHEY! IT GOTS PWN3D IN TEH SECONZ!!LOL!!!11ONE@!!!@!

      --
      There are some people that if they don't know, you can't tell 'em.
    2. Re:Low survival time by yamla · · Score: 4, Interesting

      Actually, the University of Alberta has a pretty good network as far as security and patches are concerned, though your point is undoubtedly valid. The Computing Science department, particularly the undergraduate part thereof, is a huge supporter of OpenBSD and that is generally what the undergrad public machines run.

      Fundamentally, I'm not sure what they could do differently. There's no doubt that it is a hostile environment, but the only alternative seems to be to simply shut down network access, something that just isn't reasonable at a university.

      I should point out, of course, that the 4-seconds-to-0wn time is from the results of testing they did. None of the system administrators there would ever plug in an unpatched machine they weren't planning on immediately wiping.

      --

      Oceania has always been at war with Eastasia.
  12. No big deal - just install behind a firewall by EricLivingston · · Score: 5, Insightful

    I do all my machine builds and initial updates with the box sitting behind a netgear router, fully NATted and with no port forwarding - i.e. the box is invisible to the net. I've merrily built and updated many machines in this way and have never been compromised (and my last step is to virus, spyware, and trojan scan with several of each type of tool).

    If you just throw a cheap hardware router/NAT/firewall in front of your box when you build, this isn't really a big deal, I've found.

    --
    Please Rate my comment (and help support Fre
    1. Re:No big deal - just install behind a firewall by MsGeek · · Score: 4, Insightful

      Exactly. Those little router boxes are so cheap, even if you only have ONE machine there is no excuse not to use one.

      Maybe they are not proof against all hacks, and a determined and skilled cracker might be able to get around it with ease, but the boxes will protect you against worms. Problem solved.

      --
      Knowledge is power. Knowledge shared is power multiplied.
  13. This again? by Otter · · Score: 4, Insightful
    Either way, 20 minutes is not long enough to download patches.

    Perhaps a "TURN THE GODDAMN FIREWALL ON BEFORE YOU CONNECT TO THE NETWORK!" notice somewhere on the front page would get the point across? I've done exactly two Windows installs in my life and I know how to safely set up a new XP system.

  14. Re:What do they mean by survival time? by WWWWolf · · Score: 4, Insightful
    What do they mean by survival time?

    I'm guessing here, but time between when machine is first brought online and when it's first discovered/probed/found alive by a worm or hax0r scanners - in other words, time before worm infection or other kind of intrusion, because after it dawns to the world that there's an unpatched system right before their noses, there sure isn't much time left before that system is owned.

  15. Network Cable? by WhoseHouse · · Score: 5, Informative

    Did you ever learn anything about computer security? On a machine that you do not want to be compromised, absolutely do not connect it to the network/internet. Have all relevant patches available on removable media - that has been verified authentic - and install sans network.

    Then once you are certain that everything is hunky dory, plug it into the network or internet with a firewall (for both incoming and outgoing).

    And this isn't an issue with Windows or Linux or FreeBSD for all the fanboys out there. This applies to all OS's. Windows is targeted more because there are more people using it. There are plenty of exploitable vulnerabilities in any OS. It's a matter of work / payoff ratio.

  16. Windows Update Catalog by abb3w · · Score: 4, Informative
    For the truly daft and determined, it is possible to use the Windows Update Catalog (Windows Update, Personalize Windows Update, Show Windows Update Catalog) to download everything at once, to burn to DVD and make your own. If you limit yourself to a particular Windows flavor (98/ME/2K/XP), a CD will still hold it all, but IIR the whole shebang for all four goes over a CD these days. On the other hand, it's easier to download only one OS version the way the catalog is set up.

    Figure out what the latest service pack for the OS is, and apply that. That should let you get on long enough to use windows update to scan and get a list of the other KB-patches you need. Disconnect, patch, rescan. Repeat. If you want to learn how to use QChain, it can be faster, but that doesn't work on Win 98/ME.

    For the truly paranoid, keep a list of what order you need to apply the patches in. Then wipe and reinstall the OS from scratch, and apply the needed patches in order without connecting to the net first.

    However, it's a lot easier to use the Update CDs. It would be nice if there was a reliable torrent of the ISO somewhere....

    --
    //Information does not want to be free; it wants to breed.
  17. False Analogy by XanC · · Score: 4, Insightful
    RedHat 5 is how many generations behind the latest?

    We're talking about people who want to install from the absolute latest Windows CD, and they have to take severe steps to avoid getting 0wned.

  18. this stuff has been said in other posts, but... by astrashe · · Score: 4, Insightful

    First of all, if you buy a new machine with the OS pre-installed, it will probably be patched almost up to date out of the box.

    Second of all, if you're installing your own OS, you're taking on the responsibility to do things in a minimally competent way. That might mean a NAT router, a slipstream installed CD, or just a CD with the service pack burned on it, so you can install it before you plug into the net.

    Third of all, you should be using a hardware firewall anyway.

  19. Maybe the real problem is... by James Turpin · · Score: 5, Funny

    ... that the high-speed Cable internet installation CD instructs the user to turn off all anti-virus and fire-wall software during installation. Talk about a security flaw! It's like telling somebody to remove all contraceptives before ... you know ... for the first time.

    --
    Mathematics is not a crime.
  20. Get a router, or ZoneAlarm by Thangodin · · Score: 4, Informative

    My first recommendation is that you get a router with a hardware firewall--for the price, there's really no reason not to. And any ISP who discourages the use of routers is just plain irresponsible.

    If you don't have a router, have the free version of ZoneAlarm handy, and a list of the services you can shut down on Windows (everything you don't need that uses ports or acts as a server.) Shut down these services and install ZoneAlarm before you plug the machine back into the internet. When you do connect to the web, no one will even know you're there.

    Between my router, ZoneAlarm, Ad-Aware, and some good anti-virus software, I haven't been touched by anything out there for 10 years, even when installing and patching.

  21. Surviving first day checklist from PDF by jonasmit · · Score: 4, Informative
    Windows XP: Surviving the First Day (Checklist)
    • Disconnect Network Connection.
    • Setup a secure administrator password.
    • Disable Client for Microsoft Networks
      To verify: Start -> Control Panel -> Internet and Network Connections -> Network Connection -> select your network connection
    • Disable File and Printer sharing
      Verify using the same dialog as 'Client for Microsoft Networks'.
    • Enable Internet Connection Firewall
      Same dialog as 'Client for Microsoft Networks'. Select 'Advanced' tab.
    • Connect Network
    • Run Windows Update until there are no more critical updates.
      Start -> Control Panel -> Windows Update -> Scan for Updates


    PS: If I remember correctly turning on the firewall (Pre SP2) will prevent you from communicating with other computers on your LAN. But you definitely want to turn it on until you get patched or download/buy another firewall.