Slashdot Mirror


Clean System to Zombie Bot in Four Minutes

Amadaeus writes "According to the latest study by USA Today and Avantgarde, it takes less than 4 minutes for an unpatched Windows XP SP1 system to become part of a botnet. Avantgarde has the statistics in their abstract. Stats of note: Although Macs and PCs got hit with equal opportunity, the XP SP1 machine was hit with 5 LSASS and 4 DCOM exploits while the Mac remained clean. The Linux desktop also was impenetrable, but was only targeted by 0.26% of all attacks." See also our story on the survival time for unpatched systems.

30 of 608 comments

  1. Hey, cool. by ryanr · · Score: 4, Interesting

    I wasn't expecting this to get Slashdotted. Kevin and I set up the honeypot machines and monitored the network during the test. If anyone has any questions, I'm happy to answer.

    1. Re:Hey, cool. by diamondsw · · Score: 4, Interesting

      Any chance of a repeat with XP SP2, to get a feel for whether or not the security fixes make a difference in the "real world"?

      --
      I don't know what kind of crack I was on, but I suspect it was decaf.
    2. Re:Hey, cool. by Saint Aardvark · · Score: 2, Interesting

      Hey Ryan -- congrats on the story. I'm curious if you saw (or allowed) any behaviour on the compromised machines besides joining IRC or scanning for other machines; TFA didn't seem to mention this, and as you said the article itself is slashdotted.

    3. Re:Hey, cool. by Barlo_Mung_42 · · Score: 2, Interesting

      "There was an SP2 machine included in the same test. It went unmolested"

      Funny how that tidbit didn't make it into the synopsis.

    4. Re:Hey, cool. by ryanr · · Score: 2, Interesting

      SP2 isn't perfect obviously, but it seems to help quite a bit with that, too. Several of the recent patches were already incorporated into SP2, and some of the redesigns seem to have mitigated some of the usual IE problems. I'm aware of one browser issue in SP2 so far, and it has already been used by the spyware distributors.

      Of course, if your base point was to not use IE/Windows at all, I can't argue with that.

  2. I'd love to see... by MrNemesis · · Score: 3, Interesting

    ...statistics for all the other versions of windows in common use, particularly Windows 2000, as well as XP SP2. Last time I looked XP machines could only account for a maximum of ~50% of all the potential zombie bots in the world.

    --
    Moderation Total: -1 Troll, +3 Goat
  3. Ok, before the bitching begins: by daveschroeder · · Score: 5, Interesting

    Although Macs and PC's got hit with equal opportunity, the XP SP1 machine was hit with 5 LSASS and 4 DCOM exploits while the Mac remained clean

    Yes, yes, we know this is not surprising, since the exploits in question target Windows specifically, and therefore obviously will not affect Macs.

    But the larger point you should take away from this is twofold:

    1. The simple fact of the matter is that, for whatever reason, Macs are clearly affected far less than PCs by all types of exploits. This is not because of just marketshare. But whatever the reason, it is true nonetheless. But this brings me to:

    2. Even a completely unpatched Mac OS X 10.0.0 machine would not be vulnerable to any kind of remote attack, because no ports whatsoever are open to the outside world, and on most consumer Mac OS X systems, never will be. The fundamental and intrinsic security design and considerations of Mac OS X are just better, period. Even local exploits, such as might travel freely and easily on Windows via email, aren't as possible or practical on Mac OS X (e.g., a potential Mac exploit of this nature that spread via email would have to have its own MTA or a lot more complexity than a simple script on Windows where Outlook and the OS does all the work for you). Yes, marketshare, i.e., the chances of the next host encountered being a Mac, certainly doesn't hurt, but that is not the sole or primary reason Macs aren't vulnerable. No effective automatic vectors of infection or spread, either local or remote, exist, period. When external ports are opened, they usually represent open source services such as apache and OpenSSH, which as a matter of course are usually updated long before theoretical exploits become reality because of the intense scrutiny and peer review such products receive by the community.

    When will people learn that after three and a half years of Mac OS X, with the market growing, it's not just because of "marketshare" that Macs are rarely affected by these types of issues? Can people admit that it's possible that security decisions that were simply and fundamentally better than those of Microsoft were made? I get a kick out of articles that trumpet "MACS JUST AS INSECURE AS WINDOWS" when a text shell script is "discovered", one that must be run by someone with root or physical access no less, with no worthwhile vector or method of automated propagation of any kind![1] This is in the face of completely remote and automated exploits that can hit a Windows machine within minutes of being on the network, or exploits that own your machine by simply visiting a web page, or viewing an email message in Outlook (yes, these have continued to exist, some even very recently).

    [1] For the nit-pickers out there, copying itself to other remote Mac OS X system volumes to which the local user has root-equivalent access and has manually connected doesn't exactly rise to the level of the unprivileged, automatic propagation we see in the Windows world.

    1. Re:Ok, before the bitching begins: by MysteriousMystery · · Score: 4, Interesting

      Well, the same situation goes for Linux, BSDs (not including OSX in this statement) and a lot of other operating systems. And it's not just because of their substantially smaller market shares either (though it certainly doesn't hurt either). Windows obviously has a number of design flaws, and deployment of patches to consumers (and for that matter large organizations) is a problem, and until Microsoft can come up with a more complete way to solve this problem, it will always be an issue. From the ground level up there are fundamental problems with the way Windows was designed, and as we've all learned, the security through obscurity approach is not an effective one.

    2. Re:Ok, before the bitching begins: by 99BottlesOfBeerInMyF · · Score: 1, Interesting

      This is just BS. Windows is a secure OS...you just need to enable its security by:

      ...doing things that make lots of software not work anymore. Enabling the built-in firewall breaks many applications. Running as a non-admin breaks many applications. Putting a device between you and the big bad internet is sensible, but is also a demonstration of Windows' insecurity. Do you have to buy a separate device to make anything else you own function normally? This boat works just fine so long as you buy these flotation devices and attach them to the sides. I'm happy that you have managed to keep your system up and running without any malware. But that is not proof that Windows is secure, and the discussion above was about the fact that you have to take extra steps, that are a major inconvenience, just to have a reasonably secure product. Windows is broken; stop apologizing for MS and acting like this is how a normal computer should run, or they will never fix it.

  4. Our experience by BWJones · · Score: 4, Interesting

    Our experience with operating system maintenance costs has been that Windows systems typically are the most expensive in terms of total required hours. Linux boxes initially are difficult to set up, and are more difficult for novice users, necessitating frequent support. Windows boxes are easy for novices to use and recently have become much more stable, but have malware issues. Solaris and IRIX boxes are somewhere in between in terms of ease of use but require "privileged" knowledge in how to deal with certain issues, leaving us with OS X.......

    OS X/Macintosh has proven to be the absolute most productive environment for us to date, least susceptible to malware/hacking, has the lowest support costs, and is why we have been in the process of replacing most machines with OS X boxes.

    --
    Visit Jonesblog and say hello.
  5. Only on broadband by Jucius Maximus · · Score: 5, Interesting
    Let me preface this by saying that in my area you can only get 28.8 dialup. There is nothing better available. Not even 56K. (And yes, I know there are some here stuck on 19.2 and 21.6 ... I feel for you all.)

    Our gateway box is a Win2k machine. It hasn't been patched in months upon months because it would tie up the connection for a long time. (Downloading patches over 28.8 is slow and we have eight computers in the house sharing that connection.) That gateway machine is totally clean. No spyware, no worms, etc. This is confirmed by proper antivirus and anti-spyware software.

    I'm just posting this as an interesting observation. This makes sense because a zombie on a dialup line is pretty damn worthless anyway.

    1. Re:Only on broadband by LiquidCoooled · · Score: 2, Interesting

      I don't think you can pause Windows Update, so waking up to find out your connection is tied up for an unknown length of time will be a bit annoying.

      --
      liqbase :: faster than paper
    2. Re:Only on broadband by Anonymous Coward · · Score: 1, Interesting

      Dial-up is NOT protection. I used to do tech support for a national ISP. Back when I was doing support and the latest worm was going around we were hammered with people getting hit by it. Most dramatic case I saw was walking a customer through manually setting up a dial-up connection, and within 30 seconds of getting connected to the net for the first time and before I could get off the phone the machine got infected and was shutting down with the RPC error. Got to walk the customer through killing the process, turning on the firewall and pointed them at an online virus scanner and Windows Update.

      You definitely can get infected over a dial-up connection and it can be just as quick. The actual worms themselves are very small.

    3. Re:Only on broadband by jawtheshark · · Score: 2, Interesting
      I see an AC has already said what I wanted to say. Look, your gateway machine runs W2k, this means at least a PPro or a P-II with a shitload of memory. OpenBSD runs just fine on *much* less... Think 486... Okay, I run OpenBSD on a P166 (actually, I have two networks and both run on different P166s). Both machines do a lot more than just packet filtering. (DHCP, Apache, sendmail, ntp,... )

      Loads (machine 1, P166 128Meg RAM, supporting 5 client machines):
      load averages: 0.22, 0.19, 0.17
      Loads (machine 2, P166 2568Meg RAM, supporting 3 client machines):
      load averages: 0.18, 0.16, 0.15

      Look, if you'd have asked me three years ago about "OpenBSD", I would have said "Huh?". One day I needed a server and I took OpenBSD and just learned. While it might sound like flamebait (and it isn't meant that way), I found learning OpenBSD easier than learning Linux.

      --
      Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
  6. White Knight Viruses by PktLoss · · Score: 2, Interesting

    This kind of news kind of makes me wish for white knight viruses that run out there and plug the holes (carefully) before the botnet viruses attack. Possibly even faking a Microsoft message requesting the user download all the newest patches from windowsupdate.com

    With the recent news that Lycos has publicly released a DDOS (mince words if you want to, that's what it is) tool to use on spammers, I wonder if a corporate sponsored virus of this type is far off.

  7. This doesn't surprise me. by Sheetrock · · Score: 3, Interesting
    I've been around the Internet for a long time -- since the early 90s in fact -- and am thus quite aware of the ruinous activities it has been subjected to by the typical user since then. You know, things like people popping into a random USENET group and treating it like a tech support line, or in the larger picture basically assuming the entire network is there to serve as some form of entertainment. The issue of machines getting infected within minutes is only another sign of the degree to which abuse of the Internet has risen.

    When I started, the USENET application would inform me that my message would be spread across tens of thousands of computers at immeasurable cost as a subtle hint to keep things interesting, and Internet Chat required some basic knowledge of Makefiles and attention to documentation before you could run a client. Frankly, things became unmanageable at the point the Internet was made accessible to anybody with a web browser; anybody who's been around this long knows what I'm talking about.

    It's a short hop to realizing that the problems we're experiencing with virii and worms are the same problem. Intimate knowledge of x86 assembly used to be a requirement -- along with a malcontent-type disposition -- in order to wreak the sort of havoc that today requires fifteen minutes and an Effective VBScript In Fifteen Minutes manual. Every document is now a program, and e-mail doubles as FTP.

    Many experts believe we should raise the barrier of entry by requiring programmers to undergo education, certification, and maybe even an oath to do no harm as part of the certification process if going into a security field. It used to take years to do what kids today can do in months; additionally, a would-be programmer who spends a few months picking up Visual Basic or whatever has hardly learned the fundamentals of programming any more than someone who reads a manual about his DVD player has become a laser engineer. I suggest that the field and the general user experience would be greatly enhanced by limiting access to compilers/assemblers (by means of pricing and with the cooperation of the open source community) and by separating macros or other executable content from documents.

    It makes more sense than trying to go out and educate every user. Think about it; in what other field do we "educate" "users"? We don't try to educate people with electrical outlets and let any curious individual perform as a licensed electrician. We don't "educate" passengers and let anyone who cares to be a bus driver give it a try. Why are things always so difficult when it comes to computers?

    --
    Try not. Do or do not, there is no try.
    -- Dr. Spock, stardate 2822-3.

    1. Re:This doesn't surprise me. by scribblej · · Score: 2, Interesting

      http://it.slashdot.org/comments.pl?sid=127203&cid=10632935

      What the hell, no original material? Liked your old post so much you had to repeat it? Couldn't even bother to change a word or two to keep those of us who read it before interested?

  8. I can confirm - happened to me last night. by CdBee · · Score: 2, Interesting

    Last night I installed Windows 2000 SP4 onto a machine (not mine) connected to an NTL (British ISP) Cable set-top-box by ethernet.

    Windows came up, I chose a username, and it froze due to gaobot infection.
    I hasten to add that normally I unplug modems, but I was under the impression that set-top-box cable access uses NAT and is thus secured against this sort of thing... I'll be recommending a Motorola Surfboard and router to my friend!

    --
    I have been a user for about 10 years. This ends Feb 2014. The site's been ruined. I'm off. Dice, FU
  9. Of course... by rpdillon · · Score: 4, Interesting

    "The Linux desktop also was impenetrable, but was only targeted by 0.26% of all attacks."

    They act like how often it's attacked is a detractor from how secure it is ("it's not exploited because no one ever attacks it!"). In fact, I'd say the systems that are attacked the least are so *because* they are so difficult to exploit. Well, that and they only are about 2 or 3 out of every 100 systems you'll ping.

  10. not just worms by TheSHAD0W · · Score: 5, Interesting

    If you've installed any programs from Download.com, Cnet.com or ZDnet.com, beware.

    I started getting reports of malware being attached to a program I work on and discovered the affected parties had obtained their copies of the program from Download.com. I had never submitted the program to them, but someone else had -- and they'd contaminated it with malware while they were at it. I complained, and the program was removed. (Actually, they first switched the links to the official server, but removed it when I complained further that they needed to tighten up their submission procedures.)

    While Download.com is no longer distributing my program, they are still distributing malware attached to other programs (just went to their site to confirm it) via xeol.net and probably others. They don't seem too interested in fixing the problem. I also sent a complaint to the FBI's cybercrime division, and they apparently weren't interested, either.

  11. How can you tell? by Anonymous Coward · · Score: 1, Interesting

    For the average user, what tools are available to let them know what their computer is doing (spamming, etc.)? By the same token, what can they use to find out what their firewall is stopping?

    Task Manager seems pretty useless for that, since any system is going to be running a bunch of cryptically-named tasks about whose purpose the user is largely unaware.

    What does netstat tell me? What does it mean?

    The tools available for the average user to figure out what might be going on aren't well-known.
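
A worked illustration for the question above, added here by the editor and not part of the original thread or of the study it discusses: a small Python script that parses `netstat -an` output in the Windows format and turns it into findings a non-expert could act on. The netstat sample is constructed for the example; the port lists (135 and 445 as the DCOM and LSASS worm entry points named in the summary, 6667 as the IRC port that bots joined, 25 for spam relaying) are the editor's choices, and the threshold of three SMTP targets is an arbitrary assumption.

```python
import re

# Constructed sample of `netstat -an` output in the Windows XP-era format.
# This is made-up data for the example, not a real capture.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1044      192.0.2.50:6667        ESTABLISHED
  TCP    192.168.1.10:1052      192.0.2.51:80          ESTABLISHED
  TCP    192.168.1.10:1060      198.51.100.7:25        SYN_SENT
  TCP    192.168.1.10:1061      198.51.100.8:25        SYN_SENT
  TCP    192.168.1.10:1062      198.51.100.9:25        SYN_SENT
  UDP    0.0.0.0:137            *:*
"""

# Ports the thread talks about (editor's selection): 135 (DCOM/RPC) and 445
# (LSASS over SMB) were the worm entry points, 6667 is the classic IRC port
# that compromised hosts used to reach their controller, 25 is SMTP.
WORM_ENTRY_PORTS = {135: "DCOM/RPC", 445: "SMB/LSASS", 139: "NetBIOS session"}
IRC_PORTS = {6667, 6668, 6669, 7000}
SMTP_PORT = 25

LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s*(\S+)?\s*$"
)


def parse_netstat(text):
    """Turn netstat -an lines into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, faddr, fport, state = m.groups()
        rows.append({
            "proto": proto,
            "local_addr": laddr,
            "local_port": int(lport) if lport != "*" else None,
            "foreign_addr": faddr,
            "foreign_port": int(fport) if fport != "*" else None,
            "state": state or "",
        })
    return rows


def triage(rows, smtp_threshold=3):
    """Return human-readable findings a user could act on.

    smtp_threshold (assumed value) is how many distinct mail servers the box
    must be talking to at once before we call it a likely spam relay.
    """
    findings = []
    for r in rows:
        if r["state"] == "LISTENING" and r["local_port"] in WORM_ENTRY_PORTS:
            findings.append(
                f"listening on {r['local_port']} ({WORM_ENTRY_PORTS[r['local_port']]}): "
                "reachable from the network unless a firewall blocks it"
            )
        if r["state"] == "ESTABLISHED" and r["foreign_port"] in IRC_PORTS:
            findings.append(
                f"outbound IRC connection to {r['foreign_addr']}:{r['foreign_port']}: "
                "typical of an IRC-controlled bot if you are not running an IRC client"
            )
    # Many simultaneous connections to port 25 on different hosts is what a
    # spam-relaying zombie looks like from the inside.
    smtp_targets = {
        r["foreign_addr"] for r in rows
        if r["proto"] == "TCP" and r["foreign_port"] == SMTP_PORT
        and r["state"] in ("SYN_SENT", "ESTABLISHED")
    }
    if len(smtp_targets) >= smtp_threshold:
        findings.append(
            f"{len(smtp_targets)} outbound SMTP connections to distinct hosts: "
            "this box may be sending spam"
        )
    return findings


if __name__ == "__main__":
    for finding in triage(parse_netstat(SAMPLE_NETSTAT)):
        print("-", finding)
```

On a real machine you would feed it the output of `netstat -an` instead of the constructed sample; the point is that the raw listing answers "what is my computer doing" only once the listening ports and outbound destinations are read against a short list of what a worm or spam bot looks like.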

  12. Questions by RAMMS+EIN · · Score: 2, Interesting

    I have a few questions.

    1. How do you count attacks? The number of attempted attacks differs between the various systems. Does that mean some machines actually were attacked more often than others, or do you simply not count certain attempts? (E.g. malicious packets sent to closed ports)

    2. Wouldn't it be fairer to run every machine with the firewall off (including those that have it on by default)? Obviously, if no traffic gets through to a machine, it can't be compromised no matter how insecure the software.

    --
    Please correct me if I got my facts wrong.
  13. Re:NAT by The Snowman · · Score: 2, Interesting

    "Yeah, I don't know how many times I've said it, "Honey, if you MUST cruise sublimedirectory.com do it with Firefox!"
    Okay, ZERO!
    But how I wish she would....(sigh)"

    I know what my wife does when I am at work. I've caught her a few times when I stopped at home during the day (not that I mind). Anyway, I finally broke her of using IE. She got tired of error boxes saying "hey, I can't dial this number in Europe because there is no modem installed," spyware, and the inevitable slowdown caused by those programs.

    Some of the problems are caused by user error, but certainly the OS is to blame as well. For example, IE has the crappiest default security settings. Changing them breaks a lot of sites. Finally, IE is integrated into Windows, so security issues suddenly are ten times worse.

    Now if only I could get her to use Linux...

    --
    24 beers in a case, 24 hours in a day. Coincidence? I think not!
  14. Firewall on the ISP side for a charge. by Twillerror · · Score: 4, Interesting

    I'm surprised that ISPs don't provide some kind of firewall on their side, and charge people for it.

    Like imagine when you sign up for company X's DSL they offer a firewalled connection, or a non-firewalled one.

    For the simple users (my mom) you could have a default firewall that just blocks Windows ports that have known exploits. Does 445 really need to come in from the outside world?

    For the more advanced user you could have an interface that allows them to choose which ports.

    How hard would it be to set up a dynamic firewall solution like this? People would pay 5 to 10 bucks a month extra for it. Even someone like me, so I don't have to use a router. I just don't trust a desktop firewall.

  15. Re:You can't play the 'luser' card! by Anonymous Coward · · Score: 2, Interesting

    I do desktop support for a site with 800+ desktops. I was hired as a Mac admin, but since I know more than most of the PC desktop support staff, my workload has become about 60/40 PC/Mac. Our company has been reluctant to set a policy to control this C*R*A*P, and I spend at least 8 hours a week cleaning crap from Windows systems, including spyware, adware and viruses. Quite often the installation is so borked I just reimage as it is faster than trying to cleanse one of these boxes. Only recently have we begun things like rogue process management (Novell ZEN thingy that kills apps like kazaa.exe and bargain.exe). All XP desktops still have full administrator access, and you know people still think a free screen saver is just a free screen saver..... I am even thinking of quitting because I didn't envision half my time as a senior staff person spent cleaning dirty Windows machines, and failure of higher-ups to set policy on this thing has caused it to snowball. The costs and loss of productivity are incredible, with a virus even shutting down the whole network for a day (one of those scanning viruses, killed our core router with all the traffic it generated). These things could be aggressively controlled with policy (only browse with Firefox, no browsing bullshit sites, better email and web filtering, no admin access for anyone but administrators, and the thing that everyone is afraid of: disciplinary action). Why shouldn't someone be written up for costing the company $500+ in support costs and opening them to a potential lawsuit by installing kazaa, bearshare, winmx AND limewire, and NOT for 'business purposes'? Yes, this was an actual support call. We watched on the sniffer as he shut down the apps and connections closed - as he was telling us he had no P2P software installed at all. The day I no longer support Windows desktops will be a good day.
    Contrast this to my Mac issues: AFP going wonky once in a while and having to reset AppleTalk IDs, CUPS going south every once in a while, minor font cache issues that surface every 6 or 7 months or so.

  16. Re:NAT by Suburbanpride · · Score: 4, Interesting
    There's basically zero chance you'd be able to patch a stock Win2K/XP SP1 machine before you got nailed on an open Internet connection

    On my college network, you aren't allowed to use the outside internet until you have the most recent patches installed, which are mirrored on internal servers. If your computer is caught sending spam or DOS attacks, you are kicked off the network completely until you get it fixed.

    I'm not sure how effective this is, knowing the kind of shit people download, but it's a start.

    --
    sorry 'bout the mess...
  17. Conclusions make no sense. by Raffaello · · Score: 4, Interesting

    If you look at the statistics compiled by the investigators, you'll see that the Windows XP SP1 box and the Mac OS X 10.3.5 box both logged the overwhelming majority of attacks (45% each), and equal to within less than 1%.

    The Windows box was compromised multiple times. The Mac OS X box was never compromised. The Linux box was never compromised, but it only was hit a tiny fraction of the times the Mac OS X and Win XP SP1 boxes were.

    Oddly, the authors conclude that the best systems are Linux, and Win XP SP2. WTF?

    The obvious winner is the platform that sustained the highest number of attacks with the fewest number of compromises. That would be Mac OS X, with essentially half of all the attacks (just like Win XP SP1) but ZERO successful compromises.

    The authors seem to be bending over backwards to come up with a "winner" that runs on Intel-compatible hardware (Linux and Win XP SP2) but the obvious choice is Mac OS X.

    Why the biased interpretations?

  18. Re:NAT by Daedala · · Score: 5, Interesting

    Talk her into a Mac, if you can.

    I'm serious. As a child, I was an "Apple II for all" kid. Then I became one of those "Macs are too easy and wimpy" teens. In college, however, I became a "Hey, I can do work, I'm an addict!" person. Then I became a security wonk, and I'm a "Gee, why can't I find hardly any information on hardening OS X? It's not perfect" kind of person.

    I don't believe it's possible for the average user to run Windows cleanly. You have to know too much. I've heard my security-wonk coworkers joke about how much spyware they had after a scan (and yeah, they're not great security wonks, but they were well above me on the food chain). If yer average security wonk can't keep his stupid box clean, then there's a problem with both the box and the user, not just the user.

    I don't believe that OS X is perfect. There are exploits that work. Safari has some of the same problems IE does (minus the whole hooked-into-the-OS issue). You have to look really hard to find the issues, though. And for getting actual work done, they're a wonder. The built-in software does much of what regular users need. The interface is pretty and clean. And with BSD underneath, I've found that they're a lot easier for linux-geek techie friends to suss out.

    I've come to the conclusion that Macs really are the best computers for most of the population. You don't get owned out of the box. You can download your security patches on modem--they come separate from the OS updates. You can safely read The Register. Even my Classic-emulated Office doesn't crash on OS X.

    Hardware costs are pretty much at parity for brand-name devices. The cost problem tends to be with replacing software. But there is a useful shareware community for Macs, Fink is pretty well-regarded, and commercial software can be found. Consider how much a password-sniffing Trojan might cost and cough it up.

    Thus endeth annoying advice.

    --
    What I say does not represent the views of my employers, my friends, my cats, or myself.
  19. Marketshare != Security by khasim · · Score: 4, Interesting

    "it's all about market share and whether it's worth the hackers' time to notice and crack them."

    That is completely incorrect. Security has NOTHING to do with marketshare. The two are independent of each other.

    "If Linux ever becomes as popular as windows, I guarantee malcontents will find any and every way to compromise your system in under 4 minutes."

    Again, Marketshare != Security. Just look at how XP +sp2 did. The machines that were cracked that quickly were cracked via automated worm attacks. If you block the ports, you block the worms.

    "Every system has holes that can be exploited by a creative person with too much time on his hands."

    Incorrect. The holes can only be exploited by someone with access to the system. If you don't have available ports, then the cracker can't get access to you from the Internet. Which only leaves social engineering.

    "Right now, Windows is where the money potential is at, with Linux and Apple trailing the rear by a super-large margin."

    You seem convinced that Marketshare == Security. Why is that?

    "No, this isn't a flame for OS or Linux. This is a flame for everybody who keeps making these asinine comparisons and believes that their OS integrity is somehow extra special or that Windows M$ is extra bad."

    Ummm, there's only one problem comparison happening here and it's from you. Marketshare != Security.

    Simply put, Linux does have a better security model than Windows does.

    Even Firefox has a better security model than IE. Firefox starts with the deny everything that is not specifically allowed by the user.

    IE starts with the allow everything that isn't specifically denied by the user.

    Now, a very knowledgable person can achieve the same level of protection with both of these systems. But that does not mean that both models are equally secure.

    Linux vs Windows is the same. Particularly since IE is "integrated" with the OS.

    Read the other responses. The Mac was targeted so often because it was running Samba and the attacking machines' scans saw that port and tried to exploit the vulnerabilities associated with Windows.

    On the Internet, it doesn't matter if you only have 1 million boxes to Microsoft's 100 million. A scanner can find them. If they are vulnerable, they will be cracked. Maybe not in 4 minutes ...

    But the Linux box in the article was being attacked a couple of times an hour.

    If you're vulnerable, one attack will crack you.

    If you are not vulnerable, a million attempts won't crack you.

    It's Security. Not Marketshare.
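
An added example, written by the editor and not taken from the thread, that makes the point of comments 14 and 19 concrete: a toy rule evaluator runs the same constructed traffic through an allow-by-default policy (the ISP-side blocklist of "Windows ports that have known exploits") and through a deny-by-default policy (the "deny everything not specifically allowed" model comment 19 attributes to Firefox). The packets, the two rule lists and the unlisted port 5000 are constructed for the example; the evaluator's first-match semantics are an assumption and not any particular firewall product's behaviour.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out", relative to the protected host
    proto: str       # "tcp" or "udp"
    dst_port: int


def evaluate(rules, default_action, pkt):
    """First matching rule wins; if no rule matches, the policy default applies.

    A rule is (direction, proto, port_or_None, action); None means any port.
    """
    for direction, proto, port, action in rules:
        if direction != pkt.direction or proto != pkt.proto:
            continue
        if port is not None and port != pkt.dst_port:
            continue
        return action
    return default_action


# Model A (comment 14's ISP idea): allow by default, enumerate the ports you
# have already heard about. Constructed list; 135 and 445 are the worm entry
# points named in the summary, 1434 is the SQL Slammer port the poster in
# comment 20 still sees knocking.
BLOCKLIST_RULES = [
    ("in", "tcp", 135, "deny"),   # DCOM/RPC
    ("in", "tcp", 445, "deny"),   # SMB/LSASS
    ("in", "udp", 1434, "deny"),  # SQL Slammer
]

# Model B (comment 19's stance): deny by default, nothing comes in unless the
# user explicitly allowed it. Constructed list: the user wants sshd reachable
# and wants to initiate outbound connections.
ALLOWLIST_RULES = [
    ("in", "tcp", 22, "allow"),
    ("out", "tcp", None, "allow"),
    ("out", "udp", None, "allow"),
]


def policy_blocklist(pkt):
    return evaluate(BLOCKLIST_RULES, "allow", pkt)


def policy_allowlist(pkt):
    return evaluate(ALLOWLIST_RULES, "deny", pkt)


def compare(packets):
    """Return (port, allow-by-default verdict, deny-by-default verdict) per packet."""
    return [(p.dst_port, policy_blocklist(p), policy_allowlist(p)) for p in packets]


# Constructed traffic sample: the known worm ports, a service the user wants
# exposed, a NetBIOS probe, and a port nobody has put on a blocklist yet
# (standing in for whatever the next worm uses).
SAMPLE_PACKETS = [
    Packet("in", "tcp", 445),
    Packet("in", "tcp", 135),
    Packet("in", "tcp", 22),
    Packet("in", "tcp", 5000),   # hypothetical, not on anyone's list
    Packet("in", "udp", 137),
]


if __name__ == "__main__":
    for port, a, b in compare(SAMPLE_PACKETS):
        print(f"port {port:5d}: allow-by-default -> {a:5s}  deny-by-default -> {b}")
```

Both models stop the two worm ports the blocklist author knew about; only the deny-by-default model also stops port 5000 and the NetBIOS probe, which is exactly the difference between "block the worms you have heard of" and "block everything you did not ask for".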
  20. No surprise here... I fully believe that headline. by The Master Control P · · Score: 2, Interesting

    We've got 1536/256 ADSL at my house (Whoever thought of making connections asynchronous should be made to suffer, along with the "let's change IPs for no reason" guy). It's connected straight to my gateway box, which is a psycho-paranoid IP-masquerade for our LAN as well as a limited internet server (http/ftp/ssh/bzflag).

    And oh, does a lot of crap ever go *plink* against that firewall. This is an IP that is not on Google, and does not advertise its presence to the 'Net. There are probably 10 to 20 attempts to exploit Apache every day (Including some damn attempt to overflow it with a huge garbage query that makes my logs very ugly), along with a litany of things requesting stuff from a Windows directory. Probably as many attacks against proftpd, usually erroneous login attempts. Loads of garbage attempts to log in to sshd as root, test, and admin along with a few null passwords. On the packet filter level, I get probably 500 incoming connections from p2p programs (both because I use them and from the previous guy) a day. And believe it or not, Sasser, Slammer, Bagel, and Satan's Backdoor still come knocking. So, yeah... If all that crap got relayed to my dad's win2K box, it'd be pwn3d 20 times a day.

    Now, let's not talk about my relatives who use Windows 98, even on dialup.
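
As an added example by the editor, not from the original post, here is the kind of triage a defender could run over the sshd failures the post describes: it counts failed logins per source, records which accounts were tried (root, test, admin are the ones the poster names), and separates a scanning source from a legitimate user who mistyped a password. The log excerpt is constructed in OpenSSH's classic syslog format with addresses from the documentation ranges; the hostname `gw`, the user `alice` and the threshold of three failures are assumptions.

```python
import re
from collections import defaultdict

# Constructed auth.log excerpt (made up for the example). The format is the
# classic OpenSSH syslog line; the hosts, users and addresses are invented.
SAMPLE_AUTH_LOG = """\
Nov 30 02:11:04 gw sshd[2231]: Failed password for root from 203.0.113.9 port 4123 ssh2
Nov 30 02:11:06 gw sshd[2233]: Failed password for root from 203.0.113.9 port 4127 ssh2
Nov 30 02:11:09 gw sshd[2235]: Failed password for invalid user test from 203.0.113.9 port 4130 ssh2
Nov 30 02:11:12 gw sshd[2237]: Failed password for invalid user admin from 203.0.113.9 port 4133 ssh2
Nov 30 02:11:15 gw sshd[2239]: Failed password for invalid user admin from 203.0.113.9 port 4136 ssh2
Nov 30 02:15:40 gw sshd[2250]: Failed password for invalid user test from 198.51.100.77 port 51022 ssh2
Nov 30 02:16:01 gw sshd[2252]: Accepted publickey for alice from 192.0.2.10 port 50300 ssh2
Nov 30 02:20:33 gw sshd[2260]: Failed password for alice from 192.0.2.10 port 50311 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
ACCEPT_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+)"
)

# Account names the poster sees hammered; automated scanners try the same
# short list against every host they find.
PROBED_ACCOUNTS = {"root", "test", "admin"}


def summarize(log_text):
    """Aggregate sshd auth events per source address."""
    per_ip = defaultdict(lambda: {
        "failures": 0, "users": set(), "invalid_users": 0, "accepted": 0,
    })
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            rec = per_ip[m["ip"]]
            rec["failures"] += 1
            rec["users"].add(m["user"])
            if m["invalid"]:          # "invalid user": the account does not exist
                rec["invalid_users"] += 1
            continue
        m = ACCEPT_RE.search(line)
        if m:
            per_ip[m["ip"]]["accepted"] += 1
    return per_ip


def classify(per_ip, failure_threshold=3):
    """Label each source address.

    'bruteforce': repeated failures (>= failure_threshold, an assumed value)
                  against the usual probed accounts or nonexistent users.
    'watch':      probing seen, but not yet enough failures to be sure.
    'benign':     anything else, including a real user who fat-fingered a
                  password from an address that also logs in successfully.
    """
    labels = {}
    for ip, rec in per_ip.items():
        probing = bool(rec["users"] & PROBED_ACCOUNTS) or rec["invalid_users"] > 0
        if rec["failures"] >= failure_threshold and probing:
            labels[ip] = "bruteforce"
        elif rec["accepted"] > 0:
            labels[ip] = "benign"
        elif probing:
            labels[ip] = "watch"
        else:
            labels[ip] = "benign"
    return labels


if __name__ == "__main__":
    summary = summarize(SAMPLE_AUTH_LOG)
    for ip, label in classify(summary).items():
        rec = summary[ip]
        print(f"{ip:15s} {label:10s} failures={rec['failures']} "
              f"users={sorted(rec['users'])} accepted={rec['accepted']}")
```

The scanning address is separated from the mistyped password not by the failure count alone but by which accounts were tried and whether the same source ever authenticates successfully, which is the distinction a blocklist or rate limiter needs before it acts on "garbage attempts to log in as root, test, and admin".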