Slashdot Mirror


The 12-minute Windows Heist

An anonymous reader writes "Sophos has come up with some pretty interesting research: apparently, there's a 50 percent chance unprotected Windows PCs will be compromised within 12 minutes of going online. Sophos came to that conclusion based on research covering the last six months of virus activity. The company said authors of malware such as spam, viruses, phishing scams and spyware have increased both the volume and sophistication of their assaults, releasing almost 8,000 new viruses in the first half of 2005 and increasingly teaming up in joint ventures to make money. The new-virus figure is up 59 percent on the same period last year."

22 of 497 comments

  1. And if you enable... by daveschroeder · · Score: 5, Interesting

    ...the built in Windows XP firewall (enabled by default on SP2 and assuming you don't have any other services enabled or open) and/or have a $30 personal firewall/router, there is a 100% chance you won't get compromised.

    But wait, they're talking about spyware, viruses, and phishing. So, those things can install themselves now?

    Don't get me wrong...viewed by itself, Windows has historically a dismally horrible track record. But a patched Windows XP SP2 machine behind a personal firewall/router with current anti-virus/anti-malware protection can be a secure system. Granted, it's been a long time coming, and it's easy for many users to fall into traps, but this seems like nothing more than a typical scare tactic by an AV vendor.

    Never trust an AV vendor saying the sky is falling.

    1. Re:And if you enable... by ScrewMaster · · Score: 5, Interesting

      Never trust anyone who says the sky is falling if they happen to have a vested interest in it. The day will come (if it hasn't already) where antivirus vendors start releasing homegrown viruses to increase sales. It's already happened in the spyware world.

      Actually, the SOP for government and business here in the U.S. has increasingly fallen into a crisis/scare-tactic mode. That is, if you don't get what you want, simply magnify an actual problem to Biblical proportions (the Bush Administration and the War on Terror), or simply manufacture a crisis (the RIAA/MPAA and the War on P2P) to deflect interest in your own failings. Either way, it seems to work pretty well.

      --
      The higher the technology, the sharper that two-edged sword.
    2. Re:And if you enable... by ozmanjusri · · Score: 3, Interesting

      But wait, they're talking about spyware, viruses, and phishing. So, those things can install themselves now?

      Until recently, I've had no real problems with viruses/malware myself, but last week I was setting up a (friend's) computer with a fresh install of XP. I'd completed the install and downloaded a few tools, drivers etc to finish the job, and had started cleaning up the debris - temporary dirs etc. I switched to the desktop and noticed a file there that I didn't recognise, but assumed was one I'd downloaded. I double-clicked the file to see what it was...
      I realised just how dumb that was even as I was doing it, but too late. Explorer started up and tried to visit some gambling site. Closing it just started another instance. I pulled the net cable from the back, did some checking and found I'd installed something called "Surf Buddy".

      There was no uninstall, killing the task in the Task Manager didn't work - it'd just respawn. Edits in the registry would be "healed", and in the end, it took more than an hour of work and several reboots into safe mode to track down and clean the infestation.
      Yep, you're right that only people who do dumb things will get compromised when they're behind firewalls etc, but how many people never do a dumb thing in their lives?

      The problem with Windows isn't just that it's easily compromised. It's that it's bloody hard to fix when it has happened.

      --
      "I've got more toys than Teruhisa Kitahara."
  2. 8000? by modemboy · · Score: 4, Interesting

    8,000 new viruses? Say what?
    How many of those are just viruses edited by some script kiddy to say "0wn3d by Fr0g3r" or some such shit?
    Like sobig.a, sobig.b, sobig.c, sobig.d, sobig.e, etc...

    What I'd like to know is how many unique types of attacks are exploited by new viruses, that would be a useful statistic...

  3. Impressive by dedazo · · Score: 5, Interesting
    And the last time someone "measured" this, it was 23 seconds or something like that.

    And the next time it will be 23 minutes. And so on.

    You could not pay me to put a Windows or Linux machine on my DMZ. They're all behind my $30 NAT router and they can be patched to my heart's content without having to worry about them getting p0wn3d. Oh, and to all you Linux fanboys who are going to be insulted by this - try putting a fresh RH9 (off ISOs) on your DMZ, and let's see how long it lasts.

    --
    Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
  4. Re:Good news everybody! by Anonymous Coward · · Score: 1, Interesting

    Despite being repeatedly asked about them, the Internet Exploder team refuse to answer a simple question: Why have they not fixed their critical security vulnerabilities for over 90 days?

  5. Its true!!! by RootsLINUX · · Score: 2, Interesting

    This is what brought me to Linux in the first place. The story takes place in February 2004. After an old hard drive failed on my PC and I bought a replacement, I re-installed Windows XP Pro and proceeded about my business, but within half an hour of getting online I got a typical windows error message pop-up about so-and-so process unexpectedly terminating, then Windows said it had to restart and gave me a 60-second countdown to save my work. I was like WTF!?!? So after several reboots and having the same virus compromise my system, I reformat, re-install XP, and then the second I get online I start downloading Windows updates....but the virus is too fast! It sees the Windows update process and goes "Woops, you don't want to do that now do you?" and kills the critical updates, along with my system again. Then I go to plan C, which is installing Norton Antivirus BEFORE updating Windows. Only problem is, the antivirus software has to be downloaded from my campus network. So I re-format, re-install, and literally browse-and-click as fast as my hand could move the mouse to install that antivirus software. And it worked. Or so I thought. The virus then started automatically deactivating the AV software while I was using the computer, and I would continually re-activate it. But I couldn't keep this up forever. I mean, isn't the point of having a computer to be able to do something PRODUCTIVE with it instead of fighting viruses? Well, after the AV had been deactivated for more than 2 minutes the virus would kill that Windows process again and force yet another shutdown. I went battling this virus/these viruses for 2 damn weeks trying everything I could. God forbid, I even went to the DOS command-line to try some things, but to no avail.

    And that frustration, my nerds, is what brought me out of the shadows and into the light that is GNU/Linux/OSS. It was the second best thing that happened to me in my life. I thank yee, virus writers, who allowed me to cast off the shackles of M$ and come to know the true meaning of computing and hacking. *salutes*

    --
    Hero of Allacrost, a FOSS RPG for *NIX/*BSD/OS X/Win
  6. HAHAHA by PaternityTest · · Score: 2, Interesting

    I can believe it. I've spent the past 2 years of my life doing support for Verizon DSL/FIOS. Seriously, I can't even keep track of the amount of times I helped a customer get connected and by the end of the call their PC would be shutting down... Most of the time it's their fault. I laughed my butt off when transferring someone to a billing office and their PC already had a virus when I'd just told them to do their updates before doing anything else..... Besides, this is just another reason to use Linux.

  7. Re:50% chance? by g-san · · Score: 5, Interesting

    If you want a shocker, sniff your internet connection. Go download ethereal from www.ethereal.com, and open your internet connection with your firewall turned off (make sure your patches are up to date please :). Don't browse, don't do anything. Start a capture, select your PPP interface for a modem or ethernet for a broadband connection, turn on "Update list of packets in real time," and "Automatic scrolling in live capture," and turn off all the name resolution options. Click OK.
    Look for TCP SYN packets to port 135 or 445. You may have to wait a few minutes. That is something trying to make a connection to your machine; ports 135 and 445 are the main ports for Windows networking. Heh, I did it while I was typing this and already got a connection attempt to 135. That is most likely a virus on some poor sod's unpatched machine, running through IP addresses looking for more systems to infect. If you want to know what all that stuff is, search for it on Google. And for all you hackers out there, try writing (connection to port 139 scrolling in background, hehehe) a simple TCP listener in your favorite programming language to see more than just a TCP reset.
    Bad things are living in the internet nowadays.
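The detection step the comment above describes, as an added example (editor's code, not the commenter's): decode the IPv4 and TCP headers of captured packets and flag bare SYNs aimed at our address on the Windows networking ports. The packets here are constructed inline with documentation-range addresses so the script runs offline; `MY_IP`, `WINDOWS_NET_PORTS` and the packet builder are assumptions for the illustration, and checksums are left at zero because the detector never checks them.

```python
import socket
import struct
from typing import List, Optional, Tuple

# Ports worth watching, per the comment above: RPC endpoint mapper (135),
# NetBIOS session service (139) and SMB over TCP (445).
WINDOWS_NET_PORTS = {135, 139, 445}
TCP_SYN = 0x02
TCP_ACK = 0x10


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
    """Constructed test packet: a 20-byte IPv4 header plus a 20-byte TCP header,
    no options, no payload. Checksums are left at zero because the detector
    below never looks at them; a real capture (Ethereal, libpcap) would have them."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 40, 0x1234, 0x4000, 64, socket.IPPROTO_TCP, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip_hdr + tcp_hdr


def parse_ipv4_tcp(raw: bytes) -> Optional[dict]:
    """Decode just enough of an IPv4+TCP packet to know who is knocking on which
    port with which flags. Anything that is not IPv4 carrying TCP returns None."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4                  # IPv4 header length in bytes
    if raw[9] != socket.IPPROTO_TCP or len(raw) < ihl + 20:
        return None
    src = socket.inet_ntoa(raw[12:16])
    dst = socket.inet_ntoa(raw[16:20])
    sport, dport, _seq, _ack, _off, flags = struct.unpack("!HHIIBB", raw[ihl:ihl + 14])
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "flags": flags}


def is_inbound_probe(pkt: dict, my_ip: str) -> bool:
    """A bare SYN (SYN set, ACK clear) addressed to us on one of the Windows
    networking ports is the worm/scanner signature the comment describes.
    Our own outbound SYNs and the SYN-ACKs answering them are ignored."""
    return bool(pkt["dst"] == my_ip
                and pkt["flags"] & TCP_SYN
                and not pkt["flags"] & TCP_ACK
                and pkt["dport"] in WINDOWS_NET_PORTS)


def find_probes(packets: List[bytes], my_ip: str) -> List[Tuple[str, int]]:
    """Return (source address, destination port) for every inbound probe."""
    hits = []
    for raw in packets:
        pkt = parse_ipv4_tcp(raw)
        if pkt is not None and is_inbound_probe(pkt, my_ip):
            hits.append((pkt["src"], pkt["dport"]))
    return hits


# Constructed capture (documentation-range addresses, not real hosts): two
# worm-style probes from two sources, our own outbound web SYN, and the SYN-ACK
# that answers it.
MY_IP = "192.0.2.10"
SAMPLE_CAPTURE = [
    build_ipv4_tcp("198.51.100.7", MY_IP, 3521, 135, TCP_SYN),
    build_ipv4_tcp(MY_IP, "203.0.113.80", 1045, 80, TCP_SYN),
    build_ipv4_tcp("203.0.113.80", MY_IP, 80, 1045, TCP_SYN | TCP_ACK),
    build_ipv4_tcp("198.51.100.99", MY_IP, 4040, 445, TCP_SYN),
    build_ipv4_tcp("198.51.100.99", MY_IP, 4041, 139, TCP_SYN),
]

if __name__ == "__main__":
    for src, port in find_probes(SAMPLE_CAPTURE, MY_IP):
        print(f"inbound SYN from {src} to port {port}")
```

The same filter expressed in the Ethereal/Wireshark display-filter language is `tcp.flags.syn == 1 && tcp.flags.ack == 0 && (tcp.dstport == 135 || tcp.dstport == 139 || tcp.dstport == 445)`; the point of checking the ACK bit is that your own connections produce SYN-ACKs on the same ports in the other direction, and those are not probes.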

  8. Re:Took my machine exactly two minutes by jpostel · · Score: 2, Interesting

    When did the "Code Red" worm come out? July 2001? I was consulting and setting up an Exchange 2000 server that summer at a client site and asked them what kind of firewall they had right before we started. They said, "Firewall?", and I said, "Oh $h!+". I built it offline and got whatever service pack and patches I had on CD loaded on the box. I plugged it in to WindowsUpdate and it was dead before the page started downloading the first update. I had to download all the patches to my laptop (fully patched of course) and then floppy them to the offline rebuilt Exchange server.

    The funniest part is that they still would not take my recommendation about getting a firewall. They thought I was trying to get more consulting for myself.

    "Penny wise. Pound foolish." is such an understatement.

    --
    Ummm, Jon, aren't you supposed to be dead...? - Otter(3800)
  9. Im the proof by future+assassin · · Score: 3, Interesting
    5 months ago I decided to get a new hd and reformat. Well got Win 2000 Server installed and went to the windows update site. 5 min into the updates I get the 25 seconds till shut down warning. I spent the next hour pulling out my hair while I tried to get the Blaster variant removed. Best part is I got hit with two other viruses that take over IE in that time.

    So I decided to start over again, but just being curious I wanted to see what would happen again. Well, this time I made it past the Windows updates when I got hit again and infected. After that I stuck the Win box behind my IP Cop box and I was fine after that install.

    Yesterday I got a new box to mess with and started to install Win2000K Server. Got it installed and by the time I managed to go and download Outpost firewall I got hit with some Blaster virus. I managed to delete it but within minutes IE got hijacked and my CPU processes were being eaten up by WINAMP.EXE and other random-letter exe files.

    I'm not sure about you guys but it's quite amazing how quickly a Windows machine will get infected if it's not behind a firewall. Now I've had people tell me I'm stupid and should have gotten the MS patch CD, but WTF is a single-computer Joe/Jane Windows user to do? Wait a week for the patch CD before they can reinstall their OS?

    Anyway, just a real-world example of how quickly it can happen. Yes, I do use Windows for my daily computer as there is no other alternative that gives me the apps I need without having to use alternatives or emulators which at the moment lack in features.


    I'm a cumputer user I dotn need to know how to spell or punctuate.

    --
    by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
  10. Had MS send a free WinXP SP2 CD by AHumbleOpinion · · Score: 3, Interesting

    I had Microsoft send me a free WinXP Service Pack 2 CD in anticipation of any future installations. This way I can get some of the patches, updated firewall, etc before going online to get more recent patches.

    http://www.microsoft.com/windowsxp/downloads/updates/sp2/cdorder/en_us/default.mspx

  11. Imagine if Windows was a car... by Dzimas · · Score: 3, Interesting

    12 minutes after leaving the lot, 50% of new cars would be violently car-jacked, their owners left by the side of the road wondering why some zitty-faced kid just drove the shiny new car into a tree. And so car dealerships would stop selling cars without armour, bullet-proof glass and tires, and so on.

  12. The fifteen minute test... by ktakki · · Score: 4, Interesting
    I run a company that provides contract support and administration for small- to medium-sized businesses. We also do some work in the residential sector, but it's not our focus.

    In order to test the malware-busting skills of new employees, I would routinely infect a test machine with adware and spyware. I had two methods, based on the two most common scenarios we've encountered:
    1. Bored employee surfing pr0n and online casino sites or downloading free screensavers.
    2. Teenaged child using P2P apps or browsing sites that offer song lyrics or buddy icons for IM apps.

    I would use a stopwatch and time myself, stopping at 15 minutes. For Case 1, I'd search Google for "casino" or "sex" and hit those sites. For Case 2, I'd search for "lyrics" or "buddy icons" and hit the top ten or fifteen sites listed.

    At no time did I ever click "yes" when prompted to install software. The point was to attract the "drive-by" malware, the ones that didn't put an entry in "Add/Remove Programs", the ones that were the hardest to remove (e.g., randomly named polymorphs, malware that sees if one tries to terminate the process or remove a registry key and re-installs, malware that prevents anti-spyware programs from running, etc.).

    In fifteen minutes, I can infect an XP box with between 400 and 600 objects (by AdAware's count). That's the result of hitting between 10 and 15 sites. Often, that's enough to inflate the number of running processes from 30 or so to about 60. Pop-ups appear even if IE isn't explicitly running. Case 1 infections often leave the computer in an unusable state, and by unusable state I mean "tits and ass all over your screen".

    I give a prospective employee two hours to disinfect the computer, though I do cut major slack if it takes longer but they've got the right attitude and methodology. If hired, I show them how to get this down to under an hour (AdAware, Spybot, UBCD, manual cleaning, etc.).

    Malware removal is about 30% of our billable hours. Since our contracts with our clients call for a certain amount of hours of service and maintenance each quarter, bug hunting is a distraction from the real work of administration: keeping up to date with patches and software updates, implementing our infrastructure upgrade roadmap, and software support and training. In other words, nearly a third of the time we spend doing productive work for our clients is spent whacking malware that targets Windows PCs.

    Finally, we do try to come to terms with the fact that sometimes this is a human resources problem and not a technological problem. In Case 1, Employee X should not be surfing pr0n or playing Texas Hold-em on the job. As contractors, we try to block certain sites at the firewall, though that's a game of whack-a-mole, and we encourage all workstations to have monitors that face a common area (knowing someone can randomly shoulder-surf you is a big deterrent). Case 2, the residential case, is more problematic, since the sites that install drive-by malware are pretty innocent (lyrics, IM buddy icons). Permissions/ACLs would help, but there are so many applications that need admin rights to run that it's a joke. I've steered a few residential customers towards Apple Mac Minis and iMacs and have had no complaints after the fact.

    Bottom line: it's a fucking jungle out there.

    k.
    --
    "In spite of everything, I still believe that people are really good at heart." - Anne Frank
    1. Re:The fifteen minute test... by grcumb · · Score: 3, Interesting

      "Malware removal is about 30% of our billable hours."

      *BOGGLE*

      Dude, I am so in the wrong line of work. Here I am running systems so reliable my customers don't recognise me any more, when all along I should have been installing Windows and billing 30% more!

      --
      Crumb's Corollary: Never bring a knife to a bun fight.
  13. About 20 minutes, here by freeweed · · Score: 2, Interesting

    Unpatched Win95 will last about 20 minutes, from what I can see with Snort, IF you have file shares bound to TCP/IP. There's still a lot of Opaserv traffic on cable/DSL ISPs.

    (For those that don't remember/didn't know, Opaserv was a fun worm that can crack any unpatched Win95/98 box with file sharing turned on, and bound to TCP/IP. How does it get in? Easy. Until patched towards the end of 1998, Windows 9x shares only authenticated the first character of the password. Opaserv just tried the first 40 or so possibilities. Took Microsoft over 3 years to patch this one :)

    --
    Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
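The share-password flaw the comment above describes, as an added illustration (editor's code, not the commenter's, and a model rather than the real SMB code path). It follows the documented form of the Windows 9x share-level password bug (MS00-072): the server compared only as many bytes as the client supplied, so a one-byte guess is checked against the first character alone, which is the case the comment describes. The flawed check sits beside a correct one, and a small Opaserv-style routine shows why a truncating comparison turns an exponential search into a linear one. The secret, alphabet and attempt bound are constructed for the example.

```python
import hmac
import string
from typing import Callable, Tuple

# Share-level (Win9x) passwords were at most 8 bytes; a scanner only needs the
# printable range, roughly what the comment's "first 40 or so" refers to.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation
ALPHABET = PRINTABLE.encode()
SECRET = b"s3cret!"        # constructed example share password


def vulnerable_share_check(stored: bytes, supplied: bytes) -> bool:
    """The flawed comparison: compare only as many bytes as the client sent.
    A one-byte guess therefore matches on the first character alone, and an
    empty guess always matches."""
    return stored[:len(supplied)] == supplied


def fixed_share_check(stored: bytes, supplied: bytes) -> bool:
    """Correct comparison: the length must match and the whole value is
    compared in constant time, so neither truncation nor timing leaks anything."""
    return len(stored) == len(supplied) and hmac.compare_digest(stored, supplied)


def recover_password(check: Callable[[bytes], bool], alphabet: bytes = ALPHABET,
                     max_len: int = 8) -> Tuple[bytes, int]:
    """Opaserv-style attack on a truncating check: extend the guess one byte at a
    time, since each byte is confirmed independently of the rest. Cost is at most
    len(alphabet) * (len(password) + 1) attempts instead of
    len(alphabet) ** len(password). Returns (recovered password, attempts)."""
    known = b""
    attempts = 0
    for _ in range(max_len):
        for c in alphabet:
            attempts += 1
            if check(known + bytes([c])):
                known += bytes([c])
                break
        else:
            break          # no byte extends the prefix: the password is complete
    return known, attempts


def attack(secret: bytes, check: Callable[[bytes, bytes], bool]) -> Tuple[bytes, int]:
    """Run the recovery routine against a server using the given check."""
    return recover_password(lambda guess: check(secret, guess))


if __name__ == "__main__":
    pw, n = attack(SECRET, vulnerable_share_check)
    print(f"vulnerable check: recovered {pw!r} in {n} attempts")
    pw, n = attack(SECRET, fixed_share_check)
    print(f"fixed check: recovered {pw!r} after {n} attempts")
```

Against the truncating check a seven-character password falls in a few hundred attempts; against the fixed check the same routine exhausts the alphabet on the first byte and learns nothing, which is the whole difference between a 94-way guess and a 94^7 one.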
  14. What about before you install SP2? by Jafar00 · · Score: 2, Interesting

    Recently, when installing a friend's machine with windows, the damn thing got infected before I even had a chance to download and install SP2.
    Needless to say, both he and I were quite angry by the second attempt. He is now a happy Ubuntu Linux user! :)

    --
    RebateFX.com - Spread rebates for Forex traders
  15. Re:Way Out Of Preportion... by rjh · · Score: 2, Interesting

    Um, dude?

    Here's the thing: I can't tell if you're kidding or not. Because sure, there's something to be said for the "security companies are blowing problems out of proportion" idea.

    On the other hand, your nick is Saeed al-Sahaf.

    So I can't help but wonder if there's going to be a follow-up about how at this moment you're personally grilling the stomachs of script kiddies in hell or something.

    (For Slashdotters with no sense of history: Mohammed Saeed al-Sahaf was the Iraqi press secretary during the Gulf War. He was famous for his surrealistic press conferences which were completely detached from reality, like when he challenged reporters to claim there was even one American in Baghdad, as an M1A1 tank was clearly visible rolling down a street in the background.)

  16. Re:50% chance? by jimicus · · Score: 2, Interesting

    My cable modem isn't a modem at all. Technically, it's a bridge. The computer (or in my case, firewall) on my side of it gets a real, routeable IP address. The cable modem doesn't even appear in a traceroute and only really has an IP address for management purposes. I suspect the same is true for most cable modems.

    Similarly, there's a lot of USB DSL routers out there, and many ISPs don't support the ethernet port, if one exists. Guess what? They don't route at all. They're the DSL equivalent of good ol' POTS modems. The computer gets a real routeable IP address.

  17. Even better odds by Anonymous Coward · · Score: 1, Interesting

    If you connect an unpatched copy of Windows on the Microsoft campus network, you have a 95% chance of getting infected within 2 minutes.

    I know this, because it happened to me. When I was out there doing some consulting, I used a VMware install to connect to the network. I didn't wanna screw up my own install by joining the MS network.

    I couldn't understand why my install kept getting hosed, until I asked some of the people there ... when I was warned not to install a fresh copy on the network ...

  18. Re:50% chance? by sunhou · · Score: 2, Interesting

    I saw your sig, that's why I figured you should know better. :-) I am a mathematician (with a job), but generally don't flaunt it.

    First, the AC didn't say "large number of samples", he/she said "large number" and wasn't very clear about the exact meaning. Yes of course if you compute a sample mean from a large sample, its sampling distribution converges to a normal distribution. You were also not so clear, because when you said "I was thinking of continuous, you were thinking of discrete," you made it sound like those two things are opposites.

    Second, of course this distribution can't be truly normal, because it's truncated at 0 on the left. Although I guess you already know, if you want to talk about sample means of large samples, you can generally ignore that since the variance becomes small enough that the probability in the truncated tail is negligible.

    Finally, none of the above really matters anyway, as the proper distribution for the time until infection would be an exponential distribution in this case, since there are a very large number of infected machines out there on the network, each with a very small chance of infecting any given target within a reasonably small time interval, and so this system should be fit extremely well by a Poisson process. An exponential distribution with a mean of 12 has a median of about 8.3. Or, if the first line of the article is written correctly and there really is a 50% chance of getting infected within 12 minutes, it means that the median is 12, in which case the mean time to infection is about 17.3 minutes. And these are theoretical means and medians, which are independent of sample size.

    And finally finally, I will point out that, given the above information, if you took a really large sample of PCs and measured the sample mean time to infection in that group, the sampling distribution of mean would be normally distributed around 17.3, not around 12.

    OK, your turn. :-)
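The arithmetic in the comment above, carried through as an added example (editor's code, not the commenter's). It shows why an exponential fit makes the mean and median differ by a factor of ln 2 (mean 12 gives median about 8.3; median 12 gives mean about 17.3), and simulates the Poisson-process argument directly: many infected sources each hitting a target at a tiny rate, with the first arrival being exponential at the combined rate. The number of sources, host count and seed are assumptions for the simulation.

```python
import math
import random

LN2 = math.log(2)


def median_from_mean(mean_minutes: float) -> float:
    """For T ~ Exponential with mean mu, P(T <= t) = 1 - exp(-t/mu).
    The median m solves 1 - exp(-m/mu) = 1/2, so m = mu * ln 2."""
    return mean_minutes * LN2


def mean_from_median(median_minutes: float) -> float:
    """Inverse of the above: mu = m / ln 2."""
    return median_minutes / LN2


def p_infected_within(t_minutes: float, mean_minutes: float) -> float:
    """CDF of the exponential: probability of being hit by time t."""
    return 1.0 - math.exp(-t_minutes / mean_minutes)


def first_hit_time(n_sources: int, per_source_rate: float, rng: random.Random) -> float:
    """Many infected hosts, each reaching us at a tiny rate r: the first probe to
    arrive is the minimum of n independent exponentials, which is itself
    exponential with rate n*r. This is the Poisson-process argument in the comment."""
    return min(rng.expovariate(per_source_rate) for _ in range(n_sources))


def simulate_sample_mean(median_minutes: float, n_hosts: int,
                         n_sources: int = 20, seed: int = 1) -> float:
    """Expose n_hosts fresh machines to n_sources scanners whose combined rate
    puts the median time-to-infection at median_minutes, and return the sample
    mean. It should land near median / ln 2, not near the median itself."""
    rng = random.Random(seed)
    total_rate = LN2 / median_minutes           # rate for which the median is median_minutes
    per_source = total_rate / n_sources
    times = [first_hit_time(n_sources, per_source, rng) for _ in range(n_hosts)]
    return sum(times) / n_hosts


if __name__ == "__main__":
    print(f"mean 12 min   -> median {median_from_mean(12):.2f} min")
    print(f"median 12 min -> mean   {mean_from_median(12):.2f} min")
    print(f"simulated sample mean with median fixed at 12: "
          f"{simulate_sample_mean(12, 50_000):.2f} min")
```

The practical reading: if a vendor reports "50% within 12 minutes", that is a median, and the average unprotected machine lasts longer than 12 minutes; if instead they report an average of 12 minutes, half the machines are gone in under 8.5.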

  19. Re:50% chance? by Anonymous Coward · · Score: 1, Interesting

    nc is your friend, in particular nc -lp portnumber.

    On a vanilla OBSD install, you can actually set up trivial honeypots like this:

    1. su to root
    2. su -m proxy from root to the built-in user proxy
    3. cd /tmp and do a nc -lp 445 > 445.inbound

    pf will let the packets through to the nc listener, and make the action in ethereal much more exciting!

    P.S. Keep Ethereal patched and be careful, there are a few exploits out there for the packet dissectors!
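The nc honeypot above, and the "write a simple TCP listener" suggestion in the earlier comment about sniffing port 135, done as one added example (editor's code, not either commenter's). It accepts connections, records who connected and what they sent, and sorts the results into "connected and said nothing" (a bare scanner), SMB and DCE/RPC requests. The triage rules (NetBIOS header plus `\xffSMB` for SMB1, version bytes 5.0 for DCE/RPC), the constructed probe bytes and the loopback self-test are assumptions for the example; binding 135, 139 or 445 for real needs privileges and a host where nothing else owns those ports.

```python
import socket
import sys
import threading
import time
from typing import List


def classify(data: bytes) -> str:
    """Rough triage of what a peer sent after connecting. Assumption: SMB1
    requests arrive as a 4-byte NetBIOS session header followed by 0xFF 'SMB';
    DCE/RPC PDUs start with version bytes 5.0."""
    if not data:
        return "connect-only (scanner or half-open probe)"
    if len(data) >= 8 and data[4:8] == b"\xffSMB":
        return "SMB request"
    if len(data) >= 2 and data[0] == 5 and data[1] == 0:
        return "DCE/RPC request"
    return "unknown: " + data[:16].hex()


class TcpHoneypot:
    """Like `nc -lp PORT > PORT.inbound`, but keeping peer address and timestamp.
    Port 0 (any free port) and loopback are the defaults so the example runs
    unprivileged; point it at 0.0.0.0 and a real port to use it for the purpose
    the comments describe."""

    def __init__(self, bind_addr: str = "127.0.0.1", port: int = 0,
                 read_timeout: float = 2.0, max_bytes: int = 4096):
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.listener.bind((bind_addr, port))
        self.listener.listen(16)
        self.port = self.listener.getsockname()[1]
        self.read_timeout = read_timeout
        self.max_bytes = max_bytes
        self.records: List[dict] = []

    def serve_one(self) -> dict:
        """Accept one connection and read until the peer closes, max_bytes is
        reached, or read_timeout passes with nothing more sent."""
        conn, peer = self.listener.accept()
        conn.settimeout(self.read_timeout)
        chunks: List[bytes] = []
        got = 0
        try:
            while got < self.max_bytes:
                chunk = conn.recv(self.max_bytes - got)
                if not chunk:
                    break
                chunks.append(chunk)
                got += len(chunk)
        except socket.timeout:
            pass   # peer connected but went quiet: typical of a bare port scan
        finally:
            conn.close()
        rec = {"ts": time.time(), "peer": peer[0], "peer_port": peer[1],
               "data": b"".join(chunks)}
        rec["kind"] = classify(rec["data"])
        self.records.append(rec)
        return rec

    def close(self) -> None:
        self.listener.close()


# Constructed SMB1 negotiate-protocol request: NetBIOS session header, then the
# start of an SMB header. Enough for classify() to recognise it, not a full packet.
SMB_PROBE = b"\x00\x00\x00\x2f" + b"\xffSMB" + b"\x72" + b"\x00" * 27


def simulate_probe(hp: TcpHoneypot, payload: bytes) -> dict:
    """Drive the honeypot from a client thread on loopback and return the record.
    An empty payload models a scanner that connects and immediately closes."""
    def client() -> None:
        with socket.create_connection(("127.0.0.1", hp.port)) as s:
            if payload:
                s.sendall(payload)
    t = threading.Thread(target=client)
    t.start()
    rec = hp.serve_one()
    t.join()
    return rec


if __name__ == "__main__":
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 0
    hp = TcpHoneypot(bind_addr="0.0.0.0", port=port)
    print(f"listening on {hp.port}")
    while True:
        r = hp.serve_one()
        print(f"{r['peer']}:{r['peer_port']} -> {r['kind']} ({len(r['data'])} bytes)")
```

The difference from plain nc is that the socket is accepted and read with a timeout, so a scanner that only completes the handshake still produces a record (peer, time, zero bytes) instead of a silent hang, and whatever a worm sends after connecting is captured per connection rather than appended to one file. Keep the listener off any port a real service on the host uses, and remember that, unlike the OpenBSD setup above, nothing here drops privileges for you.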