Clean System to Zombie Bot in Four Minutes

Amadaeus writes "According to the latest study by USA Today and Avantgarde, it takes less than 4 minutes for an unpatched Windows XP SP1 system to become part of a botnet. Avantgarde has the statistics in their abstract. Stats of note: Although Macs and PC's got hit with equal opportunity, the XP SP1 machine was hit with 5 LSASS and 4 DCOM exploits while the Mac remained clean. The Linux desktop also was impenetrable, but only was only targeted by 0.26% of all attacks." See also our story on the survival time for unpatched systems.

How do you patch a system?

[ajiva]

Does that mean I have to install XP, download SP2. Burn the SP2 archive onto a CDROM, reinstall XP with the network cable disconnected, and then patch? Geez that'll get old fast

Re:How do you patch a system?

[omicronish]

Does that mean I have to install XP, download SP2. Burn the SP2 archive onto a CDROM, reinstall XP with the network cable disconnected, and then patch? Geez that'll get old fast

You can slipstream the SP2 patch into SP1 or a plain Windows XP CD. This will allow straight installation of Windows XP + SP2 already integrated. This basically involves running the SP2 installer on a copy of CD files, and then burning the resulting files to another CD. This page has more information on slipstreaming SP2. This comment has reached its end.

Re:How do you patch a system?

[ChatHuant]

You shouldn't need to reinstall. Do first installation offline; manually turn off unwanted services and turn on the Windows firewall (it's simple, but good enough for the time being). Connect to the internet (it's even better if you use a cheap NAT box), download and install SP2.

Re:NAT

[hal9000(jr)]

As long as you don't download crap off the internet or don't do port forwarding to an internal server, your NAPT router is a good defense.

2:30

[Nuskrad]

I recently tested this on a clean install of Windows XP SP1, and it took just 2 minutes 30 seconds(give or take a few) after connecting to the internet for me to notice the system to be compromised, and that was with the Windows Firewall on.

My advice to anyone with Windows XP SP1 planning a clean install - get the SP2 CD (free from Microsoft) and install it before connecting to the internet.

Re:Hey, cool.

[ryanr]

There was an SP2 machine included in the same test. It went unmolested, due largerly to the new firewall enabled by default. This particular test environment included no user activity, i.e. no email reading, no web browsing.

Generally speaking, I'm pleased with SP2. As long as you're running XP, and it won't affect your critical functionality adversely, install it. It won't be exploit proof moving forward, but it's the easiest way to patch the current set of problems.

Re:Too late, maybe

[dshaw858]

You think because AV finds nothing, your box is clean? Not necessarily. If you're rooted, you're rooted, and you'll never know unless you boot from trusted media. Once your box is not your own, the OS will never tell you the truth again.

Using a router to check bandwidth usage or even a firewall or rrdtools-type system of graph would show if an external user is using your box.

- dshaw

Re:Questions

[ryanr]

Good questions. I kinda expected more people to ask that, and I wish the article had covered those aspects better. Of course, reporters will report what they like, and the USAToday guys kept pointing out that they were targeting a less techical audience.

Anyway...

Attacks were counted by Snort with a default ruleset, as of early September when I set it up. I.e. For the most part, I could only count attempts that could be delivered. That means that any of the hundreds of thousands of TCP connection attempts to the firewalled machine couldn't be completed, and so no TCP payload, and no attack signature matching. Hence, the attempts recorded on the firewalled machines represented mostly UDP and ICMP traffic. For UDP, think SQL Slammer. Yes, this included things that many people would consider fairly innocuous, like ICMP information leak-class packets.

As for the firewalling... The "base" test case was Windows XP. Overall, they were going for SOHO-class machines, as you might get them out of the box. In the XP case, there's relatively little point in having the same config multiple times. Instead, we compare XP SP1 (no firewall) with XP SP1 (w/Zonealarm) and XP SP2. Because there would obviously be questions about the other OSes, the Mac, Linspire, and Win2K3 SBE were included. Linspir has a firewall by default, Win2K3 and OS X don't.

The OS X machine registered so many attempts because it was running Samba, and all the Windows attacks could deliver a payload (and have the attack registered.)

It would have been better described as "number of succesfully delivered attack attempts", but I guess that isn't good copy. :)

Re:Hey, cool.

[ryanr]

It's not on by default. The Mac was, in fact, given an extra handicap of having some additional services turned on. The Mac zealot in the group felt that might be representative of typical usage. IIRC, during the install procedure, it prompts you with which services to enable, and users can check them on and off with a single checkbox each.

Re:2:30 (**cough**) BS

[archen]

Windows firewall was one of the "New features" of windows xp, but you have to turn it on first - no need for service pack 1.

You can get an unpatched windows 2000 machine to connect to the internet [without being comprimised] to download updates just fine, (from my experience, your milage may vary) Just enable TCP/IP filtering in advanced networking and set TCP to permit only (nothing). Can do this on XP as well.