Slashdot Mirror


Clean System to Zombie Bot in Four Minutes

Amadaeus writes "According to the latest study by USA Today and Avantgarde, it takes less than 4 minutes for an unpatched Windows XP SP1 system to become part of a botnet. Avantgarde has the statistics in their abstract. Stats of note: Although Macs and PCs got hit with equal opportunity, the XP SP1 machine was hit with 5 LSASS and 4 DCOM exploits while the Mac remained clean. The Linux desktop was also impenetrable, but was only targeted by 0.26% of all attacks." See also our story on the survival time for unpatched systems.


  1. How do you patch a system? by ajiva · · Score: 4, Informative

    Does that mean I have to install XP, download SP2, burn the SP2 archive onto a CDROM, reinstall XP with the network cable disconnected, and then patch? Geez, that'll get old fast.

    1. Re:How do you patch a system? by omicronish · · Score: 5, Informative

      Does that mean I have to install XP, download SP2, burn the SP2 archive onto a CDROM, reinstall XP with the network cable disconnected, and then patch? Geez, that'll get old fast.

      You can slipstream the SP2 patch into SP1 or a plain Windows XP CD. This will allow straight installation of Windows XP + SP2 already integrated. This basically involves running the SP2 installer on a copy of CD files, and then burning the resulting files to another CD. This page has more information on slipstreaming SP2.

    2. Re:How do you patch a system? by ChatHuant · · Score: 5, Informative

      You shouldn't need to reinstall. Do first installation offline; manually turn off unwanted services and turn on the Windows firewall (it's simple, but good enough for the time being). Connect to the internet (it's even better if you use a cheap NAT box), download and install SP2.

    3. Re:How do you patch a system? by Nerd+Cooties · · Score: 2, Informative
      --
      I support the 2nd Amendment, the right to keep and arm bears!
    4. Re:How do you patch a system? by yasth · · Score: 3, Informative

      Try AutoStreamer (site is down atm, but just google for download locations); it allows you to update your Windows XP CD to have SP2 in the installation. The program is an extension of AutoPatcher, which will fully update a system (and should be what you download and burn to a CD instead of trying to find everything on Windows Update). DL/Torrents for autopatcher

      --
      I'd do something interesting, but my server can't handle a slashdotting.
    5. Re:How do you patch a system? by owlstead · · Score: 2, Informative

      Weird. No-one with the simple answer. Go to your local kiosk. Buy the most interesting magazine with XP SP2 (hurry now, or they're gone). Install using CD provided.

  2. Re:NAT by hal9000(jr) · · Score: 4, Informative

    As long as you don't download crap off the internet or don't do port forwarding to an internal server, your NAPT router is a good defense.

  3. Re:NAT by ChatHuant · · Score: 1, Informative

    I am curious how effective NAT (e.g. a cable modem router) is at slowing or stopping these attacks for the typical user

    Should be pretty effective. A NAT can be looked at as a simple (stateless) firewall with all ports closed by default.

  4. 2:30 by Nuskrad · · Score: 5, Informative
    I recently tested this on a clean install of Windows XP SP1, and it took just 2 minutes 30 seconds (give or take a few) after connecting to the internet for me to notice that the system was compromised, and that was with the Windows Firewall on.

    My advice to anyone with Windows XP SP1 planning a clean install - get the SP2 CD (free from Microsoft) and install it before connecting to the internet.

  5. Today.. by Searinox · · Score: 1, Informative

    I installed a fresh Windows XP (SP2 integrated) box with internet connection. The firewall was enabled by default so I didn't get any worms or viruses.
    At least at the moment (and if you have at least a certain amount of brain in your head :) Windows can be quite, I don't want to say safe, but at least it is now safer than without SP2.

  6. Re:Hey, cool. by ryanr · · Score: 5, Informative

    There was an SP2 machine included in the same test. It went unmolested, due largely to the new firewall enabled by default. This particular test environment included no user activity, i.e. no email reading, no web browsing.

    Generally speaking, I'm pleased with SP2. As long as you're running XP, and it won't affect your critical functionality adversely, install it. It won't be exploit proof moving forward, but it's the easiest way to patch the current set of problems.

  7. Re:Ok, before the bitching begins: by daveschroeder · · Score: 3, Informative

    Oh yes, I'll include other UNIXes, Linux, BSDs, etc.

    However, the article summary only mentioned Macs (which is why I did), and also, many of these other systems are used as servers, and do in fact have many more open ports than a typical Mac OS X system, which often has none. This isn't to say they're "insecure" because of it; just that there are channels of potential access.

    Now, a Mac OS X (or Mac OS X Server) machine used in a "server" role is likely to share a similar level of exposure.

    But my reference is to a typical consumer or desktop machine, which represents by far the largest proportion of machines out there, and which is primarily what this article is referring to. And in the cases of these machines, Windows has remote avenues of attack, and Mac OS X does not - at all.

  8. Re:Hey, cool. by ryanr · · Score: 2, Informative

    Nothing beyond that. However, I should point out that, for the most part, we didn't let the machine continue long after compromise. After an intrusion was detected, we restored it, patched that particular hole, and put it back. We also made no particular effort to analyze what happened on disk and in memory, the bulk of the analysis being done from the wire.

    At least a couple of times, a minimal rootkit was installed. It's highly likely that if we had left them, the 0wners in the IRC channel would have finished moving in at some point.

  9. Delta Compression! by cperciva · · Score: 3, Informative

    This is why operating systems should use delta compression for distributing security patches. You're never going to have a perfectly secure operating system; you can, however, make sure that you can fix the security flaws before they are exploited. Put another way: Size matters!

    For the record, using FreeBSD Update and my binary diff tool, downloading all existing security patches for FreeBSD 4.8 (released April 2003) only requires 568kB of files to be downloaded -- which takes under 3 minutes even with a 28.8kbps modem.
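The delta idea cperciva is arguing for, as an added illustration (this is not FreeBSD Update or the poster's binary diff tool, and it uses Python's difflib rather than a real bsdiff-style matcher): the server ships copy/add instructions plus a digest of the patched file, and the client refuses anything that does not reassemble to that digest. The 4 KiB "binary" and its two-spot fix are constructed with a seeded PRNG.

```python
import difflib
import hashlib
import random

def make_delta(old, new):
    """Turn `old` into `new` with copy/add instructions plus the SHA-256 of `new`,
    so the client can verify the reassembled file before installing it."""
    ops = []
    sm = difflib.SequenceMatcher(None, old, new, autojunk=False)
    for tag, i1, i2, j1, j2 in sm.get_opcodes():
        if tag == "equal":
            ops.append(("copy", i1, i2 - i1))  # bytes the client already has
        elif tag in ("replace", "insert"):
            ops.append(("add", new[j1:j2]))    # only the changed bytes travel
        # "delete": emit nothing; the old bytes are simply not copied
    return ops, hashlib.sha256(new).hexdigest()

def apply_delta(old, ops, expected_sha256):
    """Rebuild the new file on the client; refuse it if the digest does not match."""
    out = bytearray()
    for op in ops:
        if op[0] == "copy":
            _, offset, length = op
            out += old[offset:offset + length]
        elif op[0] == "add":
            out += op[1]
        else:
            raise ValueError("unknown delta op %r" % (op[0],))
    out = bytes(out)
    if hashlib.sha256(out).hexdigest() != expected_sha256:
        raise ValueError("patched file does not match the expected digest")
    return out

def delta_size(ops):
    """Rough wire size: 1 tag byte + two 32-bit ints per copy, 1 tag + payload per add."""
    return sum(9 if op[0] == "copy" else 1 + len(op[1]) for op in ops)

def build_sample():
    """Constructed stand-in for a 4 KiB binary: a 16-byte fix at offset 1000 and
    8 bytes inserted at offset 3000 (seeded PRNG, so the data is reproducible)."""
    rng = random.Random(20041130)
    old = bytes(rng.getrandbits(8) for _ in range(4096))
    fix = bytes(rng.getrandbits(8) for _ in range(16))
    new = old[:1000] + fix + old[1016:3000] + b"\xcc" * 8 + old[3000:]
    return old, new

if __name__ == "__main__":
    old, new = build_sample()
    ops, digest = make_delta(old, new)
    assert apply_delta(old, ops, digest) == new
    print("full file: %d bytes, delta: %d bytes" % (len(new), delta_size(ops)))
```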

  10. Re:Hey, cool. by ryanr · · Score: 3, Informative

    Which? It's in the USA Today story. You mean the Slashdot synopsis?

    Yes, the SP2 machine, SP1 w/Zonealarm, and Linspire machines all had software firewalls, which appear to do their jobs just fine. One of the reasons the Mac registered so many attacks is because one of the enabled services was Samba. Rather funny to watch all the Windows worms try their exploits on Samba, actually.

  11. Re:NAT by ryanr · · Score: 3, Informative

    Typical many-to-one NAT will act like a simple firewall. Highly recommended for purposes of downloading all your patches. There's basically zero chance you'd be able to patch a stock Win2K/XP SP1 machine before you got nailed on an open Internet connection.

    The NAT won't help much with the client-side holes.

  12. Re:This doesn't surprise me. by rewt66 · · Score: 3, Informative
    Think about it; in what other field do we "educate" "users"?

    Cars. Getting a driver's license requires months of education, plus passing two tests (one written, one actually driving). This doesn't teach you how to build or maintain a car, just how to drive it safely.

    Guns. In at least some states, you have to take safety classes to teach you how to use (and store!) a gun safely and responsibly.

    There may be others, but those are the two that came to mind immediately...

  13. Re:Wow... by Anonymous Coward · · Score: 1, Informative

    "I still run SP1, but I have all of my up-to-date security patches done"

    Isn't that pretty much the same as installing the glorified selection of patches that is...SP2?

  14. Re:Too late, maybe by dshaw858 · · Score: 4, Informative

    You think because AV finds nothing, your box is clean? Not necessarily. If you're rooted, you're rooted, and you'll never know unless you boot from trusted media. Once your box is not your own, the OS will never tell you the truth again.

    Using a router to check bandwidth usage or even a firewall or rrdtools-type system of graph would show if an external user is using your box.

    - dshaw

  15. Re:Questions by ryanr · · Score: 4, Informative

    Good questions. I kinda expected more people to ask that, and I wish the article had covered those aspects better. Of course, reporters will report what they like, and the USAToday guys kept pointing out that they were targeting a less technical audience.

    Anyway...

    Attacks were counted by Snort with a default ruleset, as of early September when I set it up. I.e., for the most part, I could only count attempts that could be delivered. That means that any of the hundreds of thousands of TCP connection attempts to the firewalled machine couldn't be completed, and so no TCP payload, and no attack signature matching. Hence, the attempts recorded on the firewalled machines represented mostly UDP and ICMP traffic. For UDP, think SQL Slammer. Yes, this included things that many people would consider fairly innocuous, like ICMP information leak-class packets.

    As for the firewalling... The "base" test case was Windows XP. Overall, they were going for SOHO-class machines, as you might get them out of the box. In the XP case, there's relatively little point in having the same config multiple times. Instead, we compare XP SP1 (no firewall) with XP SP1 (w/Zonealarm) and XP SP2. Because there would obviously be questions about the other OSes, the Mac, Linspire, and Win2K3 SBE were included. Linspire has a firewall by default; Win2K3 and OS X don't.

    The OS X machine registered so many attempts because it was running Samba, and all the Windows attacks could deliver a payload (and have the attack registered.)

    It would have been better described as "number of successfully delivered attack attempts", but I guess that isn't good copy. :)
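The counting method ryanr describes above (alerts from a default Snort ruleset, where a TCP payload signature can only match once the host has completed the handshake), as an added example that is not part of the test or anyone's post: it parses Snort fast-format alert lines, tallies them per target by protocol, and separates TCP payload alerts from UDP/ICMP datagram alerts. The alert lines, signature ids and addresses are constructed, and the "looks firewalled" flag is a heuristic reading of the counts.

```python
import re
from collections import Counter, defaultdict

# Constructed Snort "fast" alert lines (timestamps, hosts and signature ids are
# made up). 192.0.2.10 stands in for the unfirewalled XP SP1 box, 192.0.2.11
# for a host whose firewall drops inbound TCP SYNs.
SAMPLE_ALERTS = """\
09/05-10:02:17.412345  [**] [1:9000001:1] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.7:1434 -> 192.0.2.10:1434
09/05-10:02:19.000001  [**] [1:9000002:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 203.0.113.8 -> 192.0.2.10
09/05-10:03:01.500000  [**] [1:9000003:1] NETBIOS SMB-DS LSASS exploit attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.9:3240 -> 192.0.2.10:445
09/05-10:03:05.250000  [**] [1:9000004:1] NETBIOS DCERPC ISystemActivator bind attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.9:3241 -> 192.0.2.10:135
09/05-10:03:40.000000  [**] [1:9000001:1] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.7:1434 -> 192.0.2.11:1434
09/05-10:04:02.000000  [**] [1:9000002:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 203.0.113.8 -> 192.0.2.11
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?(?:\s+\[Priority:\s*(?P<pri>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?"
    r"\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

def parse_alert(line):
    """Fields of one fast-format alert, or None for a line that is not one."""
    m = ALERT_RE.match(line)
    return m.groupdict() if m else None

def tally_by_target(text):
    """Alerts per destination host, broken down by IP protocol."""
    counts = defaultdict(Counter)
    for line in text.splitlines():
        alert = parse_alert(line)
        if alert:
            counts[alert["dst"]][alert["proto"]] += 1
    return counts

def payload_delivered(text):
    """Per target: TCP alerts (a payload-matching rule can only fire after a
    completed handshake, so the host really accepted the connection) versus
    UDP/ICMP alerts (single datagrams that Snort sees whether or not the host
    answers). A host with no TCP alerts at all is flagged as probably firewalled;
    this is a heuristic reading of the counts, not a proof."""
    out = {}
    for host, c in tally_by_target(text).items():
        tcp = c.get("TCP", 0)
        datagrams = sum(n for proto, n in c.items() if proto != "TCP")
        out[host] = {"tcp_payload_alerts": tcp, "datagram_alerts": datagrams,
                     "looks_firewalled": tcp == 0}
    return out

if __name__ == "__main__":
    for host, summary in sorted(payload_delivered(SAMPLE_ALERTS).items()):
        print(host, summary)
```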

  16. Re:Only on broadband by dasunt · · Score: 3, Informative

    Let me preface this by saying that in my area you can only get 28.8 dialup. There is nothing better available. Not even 56K. (And yes, I know there are some here stuck on 19.2 and 21.6 ... I feel for you all.)

    Our gateway box is a Win2k machine. It hasn't been patched in months upon months because it would tie up the connection for a long time. (Downloading patches over 28.8 is slow and we have eight computers in the house sharing that connection.) That gateway machine is totally clean. No spyware, no worms, etc. This is confirmed by proper antivirus and anti spyware software.

    Why not either start a download going each night after you go to bed?

    If you want a local copy, use wget to retrieve files.

    If you don't care, use windows update.

    In an 8 hour night, you can pull down about 100mb.

    If you want to apply patches to several computers while using windows update, try downloading rather than installing the patches.

    I'm just posting this as an interesting observation. This makes sense because a zombie on a dialup line is pretty damn worthless anyway.

    Dangerous assumption. The worms don't care what sort of line you are on. In addition, due to asynchronous connections, the upload speed of a dozen or so zombie dialup PC's can match the upload speed of one broadband connection -- rather useful for spamming or DDOSing.

  17. Re:Hey, cool. by ryanr · · Score: 4, Informative

    It's not on by default. The Mac was, in fact, given an extra handicap of having some additional services turned on. The Mac zealot in the group felt that might be representative of typical usage. IIRC, during the install procedure, it prompts you with which services to enable, and users can check them on and off with a single checkbox each.

  18. Re:2:30 (**cough**) BS by 99BottlesOfBeerInMyF · · Score: 2, Informative

    Windows XP, SP1 does include a firewall that is off by default. Google will give you plenty of instructions for enabling it. SP2 merely enables it by default.

  19. Re:2:30 (**cough**) BS by archen · · Score: 4, Informative

    Windows firewall was one of the "New features" of windows xp, but you have to turn it on first - no need for service pack 1.

    You can get an unpatched Windows 2000 machine to connect to the internet [without being compromised] to download updates just fine (from my experience, your mileage may vary). Just enable TCP/IP filtering in advanced networking and set TCP to permit only (nothing). Can do this on XP as well.

  20. Re:Does NAT or Firewall Help... by Lehk228 · · Score: 2, Informative

    Yes, a NAT firewall is effective against remote exploits, but will do nothing against malicious web pages and other IE based vulnerabilities.

    --
    Snowden and Manning are heroes.
  21. A few notes by Gyorg_Lavode · · Score: 2, Informative
    I would be interested in a list of the passwords attempted by the worms since they managed to compromise the SBS2003 and winXP1 boxes that way.

    Second, the Linux box isn't necessarily representative. Mandrake, for example, has open ports and no firewall. I would like to see a fresh Mandrake box put on the net rather than the more secure Linspire. Additionally, was it ever figured out what port 7741 was used for? In a digital attack simulation we had, Linspire boxes were hard to characterize for the attackers because of the lack of any ports open on them. 7741 may be a good way to characterize the OS of the box. (Also, I worry more about open ports I don't recognize than ones I do, even if they aren't connected to extremely strong programs.)

    Also, the abstract seems to indicate the OSX box was NOT one of the better ones since it seemed to draw so many attempts. (I think this is explained in comments as having to do with Samba being turned on. Was Samba on by default? And are there any implications of having a cloned service on as it draws more attacks even though these attacks are fundamentally hopeless?)

    --
    I do security
  22. Re:Why was OSX running Samba? by ryanr · · Score: 2, Informative

    I mentioned it elsewhere here, someplace...

    The die-hard Mac user in the group felt that having a few services on might better represent a typical Mac user. If I'm remembering right (I didn't personally set up the Mac) it prompts you with a group of items to check on and off during the install. Several services, including Samba, were turned on. This was an extra handicap on the Mac. All the Windows machines were installed by Kevin, with some discussion from the rest of the group. The Linspire box was the only one that was literally used out of the box. We unpacked it, gave it a weak root password, and got it on the Internet.

    All boxes were given weak passwords, at least initially. It was part of the test that the reporter chose not to emphasize. That was how the Win2K3 box got popped the one time. After that mechanism was used (per box), the password was changed to something harder. Only the Win2K3 and XP SP1 boxes got nailed due to weak password.

  23. Re:Hey, cool. by ryanr · · Score: 3, Informative

    They were, actually. The firewall (on by default, we weren't asked during setup) blocked everything.

  24. Re:I'd love to see... by jawtheshark · · Score: 2, Informative
    Is that so? Well, I don't like XP and prefer Win2000. My desktop is in need of a reinstall, it will be Win2000. The CD I have will install it to SP0 (meaning no Service Pack). How long till exploited?

    There must be many people like that: using recovery CDs etc....

    Not that *I* have this kind of problem: I'm firewalled by an OpenBSD machine, but the concern is genuine.

    --
    Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
  25. Re:Why was OSX running Samba? by ravenspear · · Score: 2, Informative

    If I'm remembering right (I didn't personally set up the Mac) it prompts you with a group of items to check on and off during the install.

    Nowhere during the OS X install process does it present the user with an option to enable Samba. That has to be done separately from the Sharing preference pane.

  26. Re:Only on broadband by Anonymous Coward · · Score: 1, Informative

    dude, you should seriously consider changing the OS of your gateway box. If you have the skills or time, learn to use something like OpenBSD or FreeBSD. Both currently include the amazing PF packet filter, which supports NAT and amazing packet filtering capabilities. Everything is well documented on OpenBSD FAQ web page.

    Due to your slow link, consider getting regular CVS patches via CTM, one way of keeping your CVS tree updated via email. Patches are usually small and can be quickly downloaded via FTP.

    Good luck.

  27. Re:NAT by ssj_195 · · Score: 3, Informative
    Firefox still has to be able to remember what sites were previously open when restarting. Dragging and dropping of tabs would also be nice.
    My guess is that it never will, by default; however, Session Saver (http://extensionroom.mozdev.org/more-info/session saver/) and mini-T (http://extensionroom.mozdev.org/more-info/minit/) perform these two tasks quite adequately.
  28. Re:NAT by jawtheshark · · Score: 2, Informative
    I think that after this next computer upgrade I will install FreeBSD on the spare parts lying around and set up a real firewall -- a machine with two NICs.

    Well, try OpenBSD instead. I donate every year to the project. :-) I think it's well worth it.

    --
    Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
  29. Here's how you do it. by Anonymous Coward · · Score: 2, Informative

    Boot the machine without connecting it to a network. Enable IPsec. And enable the built-in firewall (it was there all along, SP2 tried to improve on it). Or buy a damn $50 NAT'ing router (some of them even support dialup). THEN, connect to Windows Update. Patch, etc...