Slashdot Mirror
Clean System to Zombie Bot in Four Minutes
Amadaeus writes "According to the latest study by USA Today and Avantgarde, it takes less than 4 minutes for an unpatched Windows XP SP1 system to become part of a botnet. Avantgarde has the statistics in their abstract. Stats of note: Although Macs and PC's got hit with equal opportunity, the XP SP1 machine was hit with 5 LSASS and 4 DCOM exploits while the Mac remained clean. The Linux desktop also was impenetrable, but only was only targeted by 0.26% of all attacks." See also our story on the survival time for unpatched systems.
Does that mean I have to install XP, download SP2. Burn the SP2 archive onto a CDROM, reinstall XP with the network cable disconnected, and then patch? Geez that'll get old fast
As long as you don't download crap off the internet or don't do port forwarding to an internal server, your NAPT router is a good defense.
My advice to anyone with Windows XP SP1 planning a clean install - get the SP2 CD (free from Microsoft) and install it before connecting to the internet.
There was an SP2 machine included in the same test. It went unmolested, due largerly to the new firewall enabled by default. This particular test environment included no user activity, i.e. no email reading, no web browsing.
Generally speaking, I'm pleased with SP2. As long as you're running XP, and it won't affect your critical functionality adversely, install it. It won't be exploit proof moving forward, but it's the easiest way to patch the current set of problems.
Oh yes, I'll include other UNIXes, Linux, BSDs, etc.
However, the article summary only mentioned Macs (which is why I did), and also, many of these other systems are used as servers, and do in fact have many more open ports than a typical Mac OS X system, which often has none. This isn't to say they're "insecure" because of it; just that there are channels of potential access.
Now, a Mac OS X (or Mac OS X Server) machine used in a "server" role is likely to share a similar level of exposure.
But my reference is to a typical consumer or desktop machine, which represents by far the largest proportion of machines out there, and which is primarily what this article is referring to. And in the cases of these machines, Windows has remote avenues of attack, and Mac OS X does not - at all.
This is why operating systems should use delta compression for distributing security patches. You're never going to have a perfectly secure operating system; you can, however, make sure that you can fix the security flaws before they are exploited. Put another way: Size matters!
For the record, using FreeBSD Update and my binary diff tool, downloading all existing security patches for FreeBSD 4.8 (released April 2003) only requires 568kB of files to be downloaded -- which takes under 3 minutes even with a 28.8kbps modem.
Tarsnap: Online backups for the truly paranoid
Which? It's in the USA Today story. You mean the Slashdot synopsis?
Yes, the SP2 machine, SP1 w/Zonealarm, and Linspire machines all had software firewalls, which appear to do their jobs just fine. One of the reasons the Max registered so many attacks is because one of the enabled services was Samba. Rather funny to watch all the Windows worms try their exploits on Samba, actually.
Typical many-to-one NAT will act like a simple firewall. Highly recommended for purposes of downloading all your patches. There's basically zero chance you'd be able to patch a stock Win2K/XP SP1 machine before you got nailed on an open Internet connection.
The NAT won't help much with the client-side holes.
Cars. Getting a driver's license requires months of education, plus passing two tests (one written, one actually driving). This doesn't teach you how to build or maintain a car, just how to drive it safely.
Guns. In at least some states, you have to take safety classes to teach you how to use (and store!) a gun safely and responsibly.
There may be others, but those are the two that came to mind immediately...
You think because AV finds nothing, your box is clean? Not necessarily. If you're rooted, you're rooted, and you'll never know unless you boot from trusted media. Once your box is not your own, the OS will never tell you the truth again.
Using a router to check bandwidth usage or even a firewall or rrdtools-type system of graph would show if an external user is using your box.
- dshaw
Good questions. I kinda expected more people to ask that, and I wish the article had covered those aspects better. Of course, reporters will report what they like, and the USAToday guys kept pointing out that they were targeting a less techical audience.
:)
Anyway...
Attacks were counted by Snort with a default ruleset, as of early September when I set it up. I.e. For the most part, I could only count attempts that could be delivered. That means that any of the hundreds of thousands of TCP connection attempts to the firewalled machine couldn't be completed, and so no TCP payload, and no attack signature matching. Hence, the attempts recorded on the firewalled machines represented mostly UDP and ICMP traffic. For UDP, think SQL Slammer. Yes, this included things that many people would consider fairly innocuous, like ICMP information leak-class packets.
As for the firewalling... The "base" test case was Windows XP. Overall, they were going for SOHO-class machines, as you might get them out of the box. In the XP case, there's relatively little point in having the same config multiple times. Instead, we compare XP SP1 (no firewall) with XP SP1 (w/Zonealarm) and XP SP2. Because there would obviously be questions about the other OSes, the Mac, Linspire, and Win2K3 SBE were included. Linspir has a firewall by default, Win2K3 and OS X don't.
The OS X machine registered so many attempts because it was running Samba, and all the Windows attacks could deliver a payload (and have the attack registered.)
It would have been better described as "number of succesfully delivered attack attempts", but I guess that isn't good copy.
Let me preface this by saying that in my area you can only get 28.8 dialup. There is nothing better available. Not even 56K. (And yes, I know there are some here stuck on 19.2 and 21.6 ... I feel for you all.)
Our gateway box is a Win2k machine. It hasn't been patched in months upon months because it would tie up the connection for a long time. (Downloading patches over 28.8 is slow and we have eight computers in the house sharing that connection.) That gateway machine is totally clean. No spyware, no worms, etc. This is confirmed by proper antivirus and anti spyware software.
Why not either start a download going each night after you go to bed?
If you want a local copy, use wget to retrieve files.
If you don't care, use windows update.
In an 8 hour night, you can pull down about 100mb.
If you want to apply patches to several computers while using windows update, try downloading rather than installing the patches.
I'm just posting this an in interesting observation. This makes sense because a zombie on a dialup line is pretty damn worthles anyway.
Dangerous assumption. The worms don't care what sort of line you are on. In addition, due to asynchronous connections, the upload speed of a dozen or so zombie dialup PC's can match the upload speed of one broadband connection -- rather useful for spamming or DDOSing.
It's not on by default. The Mac was, in fact, given an extra handicap of having some additional services turned on. The Mac zealot in the group felt that might be representative of typical usage. IIRC, during the install procedure, it prompts you with which services to enable, and users can check them on and off with a single checkbox each.
Windows firewall was one of the "New features" of windows xp, but you have to turn it on first - no need for service pack 1.
You can get an unpatched windows 2000 machine to connect to the internet [without being comprimised] to download updates just fine, (from my experience, your milage may vary) Just enable TCP/IP filtering in advanced networking and set TCP to permit only (nothing). Can do this on XP as well.
They were, actually. The firewall (on by default, we weren't asked during setup) blocked everything.