The 12-minute Windows Heist

An anonymous reader writes "Sophos has come up with some pretty interesting research: apparently, there's a 50 percent chance unprotected Windows PCs will be compromised within 12 minutes of going online. Sophos came to that conclusion based on research covering the last six months of virus activity. The company said authors of malware such as spam, viruses, phishing scams and spyware have increased both the volume and sophistication of their assaults, releasing almost 8,000 new viruses in the first half of 2005 and increasingly teaming up in joint ventures to make money. The new-virus figure is up 59 percent on the same period last year."

Old news

[Cromac]

This isn't news. There have been reports out for months showing unprotected Windows machines being compromised within a few minutes on cable or dsl connections.

From 11/29/2004: Unprotected PCs can be hijacked in minutes

Took my machine exactly two minutes

[jerkychew]

I love telling this story to people that ask why they should run Windows Update / run a firewall / get antitivirus, etc.:

I was at a client's site, and needed to do some testing on their backup DSL line. Since it was a backup meant to plug into the main firewall in case of an outage, the line had no firewall - It was wide open.

I had a laptop I had just rebuilt for an employee. Win2K, SP4. Unpatched, no antivirus. I planned on jumping on the line for all of five minutes to do some quick IP testing, and I just didn't think about it being vulnerable.

So, I change the IP and plug into the DSL line. I'm plugged in no more than two minutes, and I get the damn "Windows is shutting down" dialog box. It reboots, and all hell breaks loose. Within those two minutes the damn machine had contracted the Blaster worm. I formatted and reloaded it to be safe, and learned a fun lesson that day. Good thing the laptop didn't have any important data on it.

Re:50% chance?

[poopdeville]

They're probably looking at a normal distribution of times. If the mean is 12 minutes, then 50% are infected before then. If this is the case, the standard deviation must be pretty high. I hope.

Re:And if you enable...

[daveschroeder]

This has only been an issue historically because:

- Pre-SP2, most Windows users didn't know to enable the firewall

- Router/firewall devices were much less prevalent

Now, all new machines ship with SP2, and it's much more common for cable and DSL operators to provide firewall/router type functionality with the customer hardware, as opposed to just giving you a raw modem. In addition, more people in general are purchasing said devices (when not provided by their internet provider). The point is that Sophos is trying to pimp their antivirus software, and using somewhat unrelated and dubious methods to do it. Sure, you should have current AV software. But if you want to protect from the "remote" attacks they're talking about, the best protection is simply a hardware or host-based software firewall, both of which are loads more prevalent than they were even a year ago (the software firewall mostly because of SP2). Anyone can take an unpatched Windows host and put it on the network with no firewall and say "Look! It got owned in X minutes!" The point is, they're saying this with the implicit purpose of saying "Buy our software", when the "solution" to the problem they're pimping is to, first and foremost, keep your machine patched and either enable the software firewall if you're pre-SP (or ensure it's still enabled on SP2) and/or get a little personal firewall/router - *in addition* to having AV software.

Re:Scaremongering

[snuf23]

"So I brought it up again, pulled the network cable from it, setup the firewall and happily patched the box."

I always make sure to be behind a firewall before bringing a Windows computer online. I use a hardware firewall in addtion to setting up a software one.
Install Windows.
Install latest service pack off CD.
Instal anti-virus.
Setup firewall.
Plus into local router with firewall.
Connect to net.
Patch.