Slashdot Mirror
Clean System to Zombie Bot in Four Minutes
Amadaeus writes "According to the latest study by USA Today and Avantgarde, it takes less than 4 minutes for an unpatched Windows XP SP1 system to become part of a botnet. Avantgarde has the statistics in their abstract. Stats of note: Although Macs and PC's got hit with equal opportunity, the XP SP1 machine was hit with 5 LSASS and 4 DCOM exploits while the Mac remained clean. The Linux desktop also was impenetrable, but only was only targeted by 0.26% of all attacks." See also our story on the survival time for unpatched systems.
So this is why my new Dell tried to eat my brain this morning!
I am curious how effective NAT (e.g. a cable modem router) is at slowing or stopping these attacks for the the typical user.
I know it works well enough for me, but I am not a typical user -- even my Windows box is locked down tight.
24 beers in a case, 24 hours in a day. Coincidence? I think not!
this is news?
...
Next up: People who see a dollar bill on the sidewalk will pick it up and put it in their pocket. See our analysis
I wasn't expecting this to get Slashdotted. Kevin and I set up the honeypot machines and monitored the network during the test. If anyone has any questions, I'm happy to answer.
Does that mean I have to install XP, download SP2. Burn the SP2 archive onto a CDROM, reinstall XP with the network cable disconnected, and then patch? Geez that'll get old fast
...statistics for all the other versions of windows in common use, particularly Windows 2000, as well as XP SP2. Last time I looked XP machines could only account for a maximum of ~50% of all the potential zombie bots in the world.
Moderation Total: -1 Troll, +3 Goat
Although Macs and PC's got hit with equal opportunity, the XP SP1 machine was hit with 5 LSASS and 4 DCOM exploits while the Mac remained clean
Yes, yes, we know this is not surprising, since the exploits in question target Windows specifically, and therefore obviously will not affect Macs.
But the larger points you should take away from this is twofold:
1. The simple fact of the matter is that, for whatever reason, Macs are clearly affected far less than PCs by all types of exploits. This is not because of just marketshare. But whatever the reason, it is true nonetheless. But this brings be to:
2. Even a completely unpatched Mac OS X 10.0.0 machine would not be vulnerable to any kind of remote attack, because no ports whatsoever are open to the outside world, and on most consumer Mac OS X systems, never will be. The fundamental and intrinsic security design and considerations of Mac OS X are just better, period. Even local exploits, such as might travel freely and easily on Windows via email, aren't as possible or practical on Mac OS X (e.g., a potential Mac exploit of this nature that spread via email would have to have its own MTA or a lot more complexity than a simple script on Windows where Outlook and the OS does all the work for you). Yes, marketshare, i.e., the chances of the next host encountered being a Mac, certainly doesn't hurt, but that is not the sole or primary reason Macs aren't vulnerable. No effective automatic vectors of infection or spread, either local or remote, exist, period. When external ports are opened, they usually represent open source services such as apache and OpenSSH, which as a matter of course are usually updated long before theoretical exploits become reality because of the intense scrutiny and peer review such products receive by the community.
When will people learn, that after three and a half years of Mac OS X, with the market growing, it's not just because of "marketshare" that Macs are rarely affected by these types of issues? Can people admit that it's possible that security decisions that were simply and fundamentally better than those of Microsoft were made? I get a kick out of articles that trumpet "MACS JUST AS INSECURE AS WINDOWS" when a text shell script is "discovered", one that must be run by someone with root or physical access no less, with no worthwhile vector or method of automated propagation of any kind![1] This is in the face of completely remote and automated exploits that can hit a Windows machine in minutes of being on the network, or exploits that own your machine by simply visiting a web page, or viewing an email message in Outlook (yes, these have continued to exist, some even very recently).
[1] For the nit-pickers out there, copying itself to other remote Mac OS X system volumes to which the local user has root-equivalent access and has manually connected to doesn't exactly rise to the level of the unprivileged, automatic propagation we see in the Windows world.
Our experience with operating system maintenance costs has been that Windows systems typically are the most expensive in terms of total required hours. Linux boxes initially are difficult to set up, but are more difficult for novice users necessitating frequent support, Windows boxes are easy for novices to use and recently have become much more stable, but have malware issues. Solaris and IRIX boxes are somewhere inbetween in terms of ease of use but require "privileged" knowledge in how to deal with certain issues, leaving us with OS X.......
OS X/Macintosh has proven to be the absolute most productive environment for us to date, least susceptible to malware/hacking has the lowest support costs and is why we have been in the process of replacing most machines with OS X boxes.
Visit Jonesblog and say hello.
I'm using my new unpatched XP system right now and it works gre45h3@#$!dd11f
NO CARRIER
Our gateway box is a Win2k machine. It hasn't been patched in months upon months because it would tie up the connection for a long time. (Downloading patches over 28.8 is slow and we have eight computers in the house sharing that connection.) That gateway machine is totally clean. No spyware, no worms, etc. This is confirmed by proper antivirus and anti spyware software.
I'm just posting this an in interesting observation. This makes sense because a zombie on a dialup line is pretty damn worthles anyway.
Many IT-people brand the persons that get these bots / infections as clueless lusers who get their comeuppance. I don't.
A machine isn't supposed to act this way. It is very simple, but we forget that proper behaviour for the machine is to NOT get infected in seconds. I have abandoned windows some time ago, but still help friends with their machines. But it is a battle they're losing. Nothing seems to help, mostly due to the extremely bad security paradigms. They now think its normal having to run 2 - 3 different anti-adware programs, virusscanner, be on eternal vigilance at every corner of the internet.
It is not supposed to be like this. Don't forget that.
My advice to anyone with Windows XP SP1 planning a clean install - get the SP2 CD (free from Microsoft) and install it before connecting to the internet.
When I started, the USENET application would inform me that my message would be spread across tens of thousands of computers at immeasurable cost as a subtle hint to keep things interesting, and Internet Chat required some basic knowledge of Makefiles and attention to documentation before you could run a client. Frankly, things became unmanageable at the point the Internet was made accessible to anybody with a web browser; anybody who's been around this long knows what I'm talking about.
It's a short hop to realizing that the problems we're experiencing with virii and worms are the same problem. Intimate knowledge of x86 assembly used to be a requirement -- along with a malcontent-type disposition -- in order to wreak the sort of havoc that today requires fifteen minutes and an Effective VBScript In Fifteen Minutes manual. Every document is now a program, and e-mail doubles as FTP.
Many experts believe we should raise the barrier of entry by requiring programmers to undergo education, certification, and maybe even an oath to do no harm as part of the certification process if going into a security field. It used to take years to do what kids today can do in months; additionally, a would-be programmer who spends a few months picking up Visual Basic or whatever has hardly learned the fundamentals of programming any more than someone who reads a manual about his DVD player has become a laser engineer. I suggest that the field and the general user experience would be greatly enhanced by limiting access to compilers/assemblers (by means of pricing and with the cooperation of the open source community) and by separating macros or other executable content from documents.
It makes more sense than trying to go out and educate every user. Think about it; in what other field do we "educate" "users"? We don't try to educate people with electrical outlets and let any curious individual perform as a licensed electrician. We don't "educate" passengers and let anyone who cares be a bus driver give it a try. Why are things always so difficult when it comes to computers?
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
ARG! The patches! They do nothing!
Erm, if you look at the article summary and the article itself, it says that Attackers successfully compromised the Dell Windows XP computer using Service Pack 1 nine times, and the Dell Windows 2003 Small Business server once. Windows XP SP2 is what many would consider a collection of patches, so yes, it seems to have done something.
Zone Alarm and Firefox get on the system from a flash drive before ethernet cable is ever pluged in.
Only in a Slashdot fantasy can a Slackware install turn into several hours of sex . . . . .
Bah, that's a load -BUYVIAGRANOW2FOR1!- of BS. I haven't patched my PC since I bought it -FREEMORTGAGEQUOTES!- and it's running just -TIREDOFCONSOLIDATEDDEBT?- fine. No viruses, no trojans, -TIREDOFSPAM?BUYTHISCRAP!- nothing.
"The Linux desktop also was impenetrable, but only was only targeted by 0.26% of all attacks."
They act like how often it's attacked is a detractor from how secure it is ("it's not exploited because no one ever attacks it!") In fact, I'd say the systems that are attacked the least is *because* they are so difficult to exploit. Well, that and they only are about 2 or 3 out of every 100 systems you'll ping.
If you've installed any programs from Download.com, Cnet.com or ZDnet.com, beware.
I started getting reports of malware being attached to a program I work on and discovered the affected parties had obtained their copies of the program from Download.com. I had never submitted the program to them, but someone else had -- and they'd contaminated it with malware while they were at it. I complained, and the program was removed. (Actually, they first switched the links to the official server, but removed it when I complained further that they needed to tighten up their submission procedures.)
While Download.com is no longer distributing my program, they are still distributing malware attached to other programs (just went to their site to confirm it) via xeol.net and probably others. They don't seem too interested in fixing the problem. I also sent a complaint to the FBI's cybercrime division, and they apparently weren't interested, either.
That's just the sort of thing a Zombie Bot would say!
This is why operating systems should use delta compression for distributing security patches. You're never going to have a perfectly secure operating system; you can, however, make sure that you can fix the security flaws before they are exploited. Put another way: Size matters!
For the record, using FreeBSD Update and my binary diff tool, downloading all existing security patches for FreeBSD 4.8 (released April 2003) only requires 568kB of files to be downloaded -- which takes under 3 minutes even with a 28.8kbps modem.
Tarsnap: Online backups for the truly paranoid
Guess what, there's millions of Windows users out there who don't know what an "SP2" is, or why they should care about it, or have a clue how to download such a behemoth over their 28.8 AOL dialup.
Come to the University of Mars! Classes starting soon!
I'm suprised that ISP's don't provide some kind of firewall on their side, and charge people for it.
Like imagine when you sign up for compnay's X DSL
they offer a firewalled connection, or a non firewalled.
For the simple users ( my mom ) you could have a default firewall that just blocks windows ports that have know exploits. Does 445 really need to come in from the outside world
For the more advanced user you could have an interface that allows them to choose which ports.
How hard would it be to setup a dynamic firewall solution like this? People would pay 5 to 10 bucks a month extra for it. Even someone like me so I don't have to use a router. I just don't trust a desktop firewall.
You think because AV finds nothing, your box is clean? Not necessarily. If you're rooted, you're rooted, and you'll never know unless you boot from trusted media. Once your box is not your own, the OS will never tell you the truth again.
Using a router to check bandwidth usage or even a firewall or rrdtools-type system of graph would show if an external user is using your box.
- dshaw
Good questions. I kinda expected more people to ask that, and I wish the article had covered those aspects better. Of course, reporters will report what they like, and the USAToday guys kept pointing out that they were targeting a less techical audience.
:)
Anyway...
Attacks were counted by Snort with a default ruleset, as of early September when I set it up. I.e. For the most part, I could only count attempts that could be delivered. That means that any of the hundreds of thousands of TCP connection attempts to the firewalled machine couldn't be completed, and so no TCP payload, and no attack signature matching. Hence, the attempts recorded on the firewalled machines represented mostly UDP and ICMP traffic. For UDP, think SQL Slammer. Yes, this included things that many people would consider fairly innocuous, like ICMP information leak-class packets.
As for the firewalling... The "base" test case was Windows XP. Overall, they were going for SOHO-class machines, as you might get them out of the box. In the XP case, there's relatively little point in having the same config multiple times. Instead, we compare XP SP1 (no firewall) with XP SP1 (w/Zonealarm) and XP SP2. Because there would obviously be questions about the other OSes, the Mac, Linspire, and Win2K3 SBE were included. Linspir has a firewall by default, Win2K3 and OS X don't.
The OS X machine registered so many attempts because it was running Samba, and all the Windows attacks could deliver a payload (and have the attack registered.)
It would have been better described as "number of succesfully delivered attack attempts", but I guess that isn't good copy.
This is a flame for everybody who keeps making these assnine comparisons and believes that they're OS integrity is somehow extra special or that Windows M$ is extra bad.
Well, I hate to break it to you, but Windows security is extra bad. Popularity aside, Windows does some really dumb things from a security perspective, both historically and currently, and and security professional will tell you that Windows needs some serious changes to their underlying system if they ever want to make it reasonably secure.
No system is bulletproof, but some of them at least put the bulletproof vest on their chest and the helmet on their head. Windows puts them both on it's ass.
Just because Windows is popular, you should not excuse the designers their crappy security decisions.
P.S. Get a spellchecker.
But seriously. If Linux ever becomes as popular as windows, I guarantee malcontents will find any and every way to comprimise your system in under 4 minutes.
This is like the New Pig Times reporting that if brick ever becomes as popular as straw then wolves would just start blowing them down as easily. In other words you are arguing under the Fallacy of the General Rule; namely that all platforms have exactly the same vulnerabilities, if only someone would bother to look for them.
Windows has large, exploitable holes that other platforms don't. Period. End of sentence. It is the height of tunnel sighted arrogance to think today's hackers wouldn't each love to be the one that finally writes the mighty virus that gets through OS X or Linux.
Yes, a large percentage of problems are from copy cats. But you will not convince me there aren't those who take pride in their hacking that wouldn't love to be the one to break the OS X/Linux barrier and aren't working at doing so just to show it can be done.
R: That voice. Where have I heard that voice before? B: In about 365 other episodes. But I don't know who it is either.
Windows firewall was one of the "New features" of windows xp, but you have to turn it on first - no need for service pack 1.
You can get an unpatched windows 2000 machine to connect to the internet [without being comprimised] to download updates just fine, (from my experience, your milage may vary) Just enable TCP/IP filtering in advanced networking and set TCP to permit only (nothing). Can do this on XP as well.
If you look at the statistics compiled by the investigators, you'll see that the Window XP SP1 box and the Mac OS X 10.3.5 box both logged the overwhelming majority of attacks (45% each), and equal to within less than 1%.
The Windows box was compromised multiple times. The Mac OS X box was never compromised. The Linux box was never compromised, but it only was hit a tiny fraction of the times the Mac OS X and Win XP SP1 boxes were.
Oddly, the authors conclude that the best systems are Linux, and Win XP SP2. WTF?
The obvious winner is the platform that sustained the highest number of attacks with the fewest number of compromises. That would be Mac OS X, with essentially half of all the attacks (just like Win XP SP1) but ZERO successful compromises.
The authors seem to be bending over backwards to come up with a "winner" that runs on intel compatible hardware (Linux and Win XP SP2) but the obvious choice is Mac OS X.
Why the biased interpretations?
"Because this system responded to ICMP ping requests, there was a low number of attempts to compromise the system--795 attacks." Makes sense?
Also, from their methodology I really don't quite understand how they count attack attempts. Especially for MacOS X they say that ~44% of total attacks observed in experiment were targeting MacOSX machine, but later they honestly say that almost all of attacks were some kind of Microsoft exploits. Does this means that they counted microsoft exploits attempting to compromise MacOS X as a mac attacks?
And, finally, I really like their babbling about most secure platforms being THREE (linspire, SP1 + zoneAlarm, windows SP2) and mentions the fact that mac were not compromised just in one table.
If you would like to see conspiracy, I would say that this is a Microsoft PR with goal to:
a) SP2 is good.
b) Don't fucking use our products without additional security software (a marvelous reccomendation by the article)
c) the only real operating envorement in this article is irrevelant and we just added it at the latest moment to gain some credibility.
Simply put, Linux does have a better security model than Windows does.
Even Firefox has a better security model than IE. Firefox starts with the deny everything that is not specifically allowed by the user.
IE starts with the allow everything that isn't specifically denied by the user.
Now, a very knowledgable person can achieve the same level of protection with both of these systems. But that does not mean that both models are equally secure.
Linux vs Windows is the same. Particularly since IE is "integrated" with the OS.
Read the other responses. The Mac was targetted so often because it was running Samba and the attacking machines' scans saw that port and tried to exploit the vulnerabilities associated with Windows.
On the Internet, it doesn't matter if you only have 1 million boxes to Microsoft's 100 million. A scanner can find them. If they are vulnerable, they will be cracked. Maybe not in 4 minutes
But the Linux box in the article was being attacked a couple of times an hour.
If you're vulnerable, one attack will crack you.
If you are not vulnerable, a million attempts won't crack you.
It's Security. Not Marketshare.