Slashdot Mirror
The 12-minute Windows Heist
An anonymous reader writes "Sophos has come up with some pretty interesting research: apparently, there's a 50 percent chance unprotected Windows PCs will be compromised within 12 minutes of going online. Sophos came to that conclusion based on research covering the last six months of virus activity. The company said
authors of malware such as spam, viruses, phishing scams and spyware have increased both the volume and sophistication of their assaults, releasing almost 8,000 new viruses in the first half of 2005 and increasingly teaming up in joint ventures to make money. The new-virus figure is up 59 percent on the same period last year."
It takes slightly more time to get pwn3d now.
After all, I am strangely colored.
From 11/29/2004: Unprotected PCs can be hijacked in minutes
...the built in Windows XP firewall (enabled by default on SP2 and assuming you don't have any other services enabled or open) and/or have a $30 personal firewall/router, there is a 100% chance you won't get compromised.
But wait, they're talking about spyware, viruses, and phishing. So, those things can install themselves now?
Don't get me wrong...viewed by itself, Windows has historically a dismally horrible track record. But a patched Windows XP SP2 machine behind a personal firewall/router with current anti-virus/anti-malware protection can be a secure system. Granted, it's been a long time coming, and it's easy for many users to fall into traps, but this seems like nothing more than a typical scare tactic by an AV vendor.
Never trust an AV vendor saying the sky is falling.
You know, on second thought, the better idea is just get a Mac. The average PC user will find it safer and they can do 99% of what they were going to do anyways.
Strange women lying in ponds distributing swords is no basis for a system of government.
8,000 new viruses? Say what?
How many of those are just viruses edited by some script kiddy to say "0wn3d by Fr0g3r" or some such shit?
Like sobig.a, sobig.b, sobig.c, sobig.d, sobig.e, etc...
What I'd like to know is how many unique types of attacks are exploited by new viruses, that would be a useful statistic...
And the next time it will be 23 minutes. And so on.
You could not pay me to put a Windows or Linux machine on my DMZ. They're all behind my $30 NAT router and they can be patched to my heart's content without having to worry about them getting p0wn3d. Oh, and to all you Linux fanboys who are going to be insulted by this - try putting a fresh RH9 (off ISOs) on your DMZ, and let's see how long it lasts.
Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
I love telling this story to people that ask why they should run Windows Update / run a firewall / get antitivirus, etc.:
I was at a client's site, and needed to do some testing on their backup DSL line. Since it was a backup meant to plug into the main firewall in case of an outage, the line had no firewall - It was wide open.
I had a laptop I had just rebuilt for an employee. Win2K, SP4. Unpatched, no antivirus. I planned on jumping on the line for all of five minutes to do some quick IP testing, and I just didn't think about it being vulnerable.
So, I change the IP and plug into the DSL line. I'm plugged in no more than two minutes, and I get the damn "Windows is shutting down" dialog box. It reboots, and all hell breaks loose. Within those two minutes the damn machine had contracted the Blaster worm. I formatted and reloaded it to be safe, and learned a fun lesson that day. Good thing the laptop didn't have any important data on it.
They're probably looking at a normal distribution of times. If the mean is 12 minutes, then 50% are infected before then. If this is the case, the standard deviation must be pretty high. I hope.
After all, I am strangely colored.
There are attacks which don't require your help; Sasser in particular goes through an open port rather than through Outlook or IE. There are a few others.
But that's pretty unlikely with a new PC, which presumably comes with the latest service packs. The article is incredibly short on actual data. There's nothing to support their 12-minute average. I get the impression that they chose the scariest headline to support an article which is mostly about phishing attacks, trojans, etc: attacks that require your help.
So for all I know they're talking about the fact that there are enough attackers that if you throw a Windows ME (or even unpatched XP) box on the Internet, yeah, you're hacked. That says a lot, but not about how insecure Windows is. It says that there are still plenty of computers running hacks like Sasser; if you're not protected against it, you're screwed.
That's mostly scaremongering, since unless you're installing a very out-of-date Windows, you're protected. You're not protected against new attacks, nor are you protected against many trojans. They're trying to convince you to buy software for that, which is relevant, by using scary but irrelevant numbers.
First Kaspersky, now Sophos... I've lost all respect for AV vendors. Using scare tactics to sell software is just sad.
Here's all it takes to keep your Windows box safe: a router (or SP2) and Firefox. Oh, and enough common sense to not run any executable file sent to you by a stranger.
There, I let the secret out.
smattawichu
After 12 minutes, an unprotected PC running Windows is both compromised and uncompromised until a tech collapses the state vector by producing a hefty bill for checking.
If you want a shocker, sniff your internet connection. Go download ethereal from www.ethereal.com, and open your internet connection with your firewall turned off (make sure your patches are up to date please :). Don't browse, don't do anything. Start a capture, select your PPP interface for a modem or ethernet for a broadband connection, turn on "Update list of packets in real time," and "Automatic scrolling in live capture," and turn off all the name resolution options. Click OK.
Look for TCP SYN packets to port 135 or 445. You may have to wait a few minutes. That is something trying to make a connection to your machine, ports 135 are the main ports for Windows Networking. Heh, I turned did it while I was typing this and already got a connection attempt to 135. That is most likely a virus on some poor sods unpatched machine, running through IP addresses looking for more systems to infect. If you want to know what all that stuff is, search for it on google. And for all you hackers out there, try writing (connection to port 139 scrolling in background, hehehe) a simple TCP listener in your favorite programming language to see more than just a TCP reset.
Bad things are living in the internet nowadays.
In order to test the malware-busting skills of new employees, I would routinely infect a test machine with adware and spyware. I had two methods, based on the two most common scenarios we've encountered:
I would use a stopwatch and time myself, stopping at 15 minutes. For Case 1, I'd search Google for "casino" or "sex" and hit those sites. For Case 2, I'd search for "lyrics" or "buddy icons" and hit the top ten or fifteen sites listed.
At no time did I ever click "yes" when prompted to install software. The point was to attract the "drive-by" malware, the ones that didn't put an entry in "Add/Remove Programs", the ones that were the hardest to remove (e.g., randomly named polymorphs, malware that sees if one tries to terminate the process or remove a registry key and re-installs, malware that prevents anti-spyware programs from running, etc.).
In fifteen minutes, I can infect an XP box with between 400 and 600 objects (by AdAware's count). That's the result of hitting between 10 and 15 sites. Often, that's enough to inflate the number of running processes from 30 or so to about 60. Pop-ups appear even if IE isn't explicitly running. Case 1 infections often leave the computer in an unusable state, and by unusable state I mean "tits and ass all over your screen".
I give a prospective employee two hours to disinfect the computer, though I do cut major slack if it takes longer but they've got the right attitude and methodology. If hired, I show them how to get this down to under an hour (AdAware, Spybot, UBCD, manual cleaning, etc.).
Malware removal is about 30% of our billable hours. Since our contracts with our clients call for a certain amount of hours of service and maintenance each quarter, bug hunting is a distraction from the real work of administration: keeping up to date with patches and software updates, implementing our infrastructure upgrade roadmap, and software support and training. In other words, nearly a third of the time we spend doing productive work for our clients is spent whacking malware that targets Windows PCs.
Finally, we do try to come to terms with the fact that sometimes this is a human resources problem and not a technological problem. In Case 1, Employee X should not be surfing pr0n or playing Texas Hold-em on the job. As contractors, we try to block certain sites at the firewall, though that's a game of whack-a-mole, and we encourage all workstations to have monitors that face a common area (knowing someone can randomly shoulder-surf you is a big deterrent). Case 2, the residential case, is more problematic, since the sites that install drive-by malware are pretty innocent (lyrics, IM buddy icons). Permissions/ACLs would help, but there are so many applications that need admin rights to run that it's a joke. I've steered a few residential customers towards Apple Mac Minis and iMacs and have had no complaints after the fact.
Bottom line: it's a fucking jungle out there.
k.
"In spite of everything, I still believe that people are really good at heart." - Anne Frank
Comment removed based on user account deletion
I really find it quite ironic that there's so many MS apologists in this discussion willing to say that getting infected is the user's fault for being too stupid to have a commercial A/V package installed (at additional expense) and have a hardware firewall (at additional expense) between their system and the internet.
Yes, I know that AVG is free and very good, and Zone Alarm has a free version (I make sure both are on every MS box I have to look after).
But this ignores at least two problems. First, OEM PCs don't come with AVG or ZA, they come with Norton or Symantec or McAfee and a very short period of free support. Two months after you bring your new PC home and the new NetskyBlaster.z hits your hotmailbox, you're SOL. Why, if MS is so focused on improving security, do MS customers need to rely on 3rd party vendors for A/V security software?
Secondly, the firewall in XP SP2 is certainly an improvement over nothing at all (or over nothing useful, a category to which the the pre-SP2 firewall certainly belongs). So then why do I need to buy a $70 hardware firewall if XP has a firewall already?
Why does ZA tell me about so many more applications that want to reach the internet than the XP firewall? Why the hell does rundll need the internet (let alone Nero, or my printer for that matter), and why doesn't the XP firewall tell me about it?
For a commercial software vendor, MS's security record is beyond dismal. For a company that claims security as a priority, MS's poor performance would be laughable if it weren't so damned expensive and time consuming.
Why is it that Linux vendors can provide fully configurable firewalls that block anything and everything (if that's what you want) out of the box, but MS Windows insists on leaving open ports, enabling ActiveX, and phoning home to download updates whether you want it or not?
Why is it that wierdo hippy-commu-nazi Linux developers understand the difference between user and administrator but MS developers insist on every little widget having complete kernel access?
Why is it that MS thinks security is something to tack on to an OS through SPs, weekly downloads (with requisite reboots), patches, and 3rd party products, rather than something that is built into the code?
Lets talk apples to apples here. When we are talking about viruses/worms coming through open ports on a system running Linux, this is not a fault in *Linux*; this is other various open-source software running.
Its not Linux that has your port 25 open; it's sendmail or exim. Its not Linux that has your port 22 open; its openssh. With Windows *IT IS* the operating system that has those ports open.
It really depends on your distro how secure the system will be out of the box. What software is enabled, what configuration settings that system has.
For example, Redhat ships SSH with default settings to downgrade the connection to v1 if v2 fails. This leaves Redhat open to SSH1 attacks. A system like Debian does not allow SSH1 by default.
Some distributions are secure, some are not. You cant lump them all together. And you cant blame the kernel for the shortcomings of some other open source software. Put blame where blame is deserved.
Secondly, with regard to malware - Linux systems are much less vulnerable simply because we dont surf the web or run our systems as the root or Administrator user. Yes, running as a limited account on Windows accomplishes the same thing, but less people actually do it.
My cable modem isn't a modem at all.
Well, since we're on Slashdot, technically, it is a modem. It takes analogue signals and figures out digital data from them. It modulates and demodulates. Your cable modem just don't happen to be NAT'ing. Think of it as one long ethernet cable to your ISP.
In my experience, most cable (as in television land-based cables) modems behave this way, which I find quite pleasant. Any box on your network can be reached from the outside, without funky NAT-routing. In fact, you can probably just keep asking for IP-addresses, and the modem will happily give you true, Internet-routable IP's. Enjoy.
Now, would some people argue, NAT is great for your average Windows user, who probably don't want or need his machine available from the outside. This is the wrong way of solving problems. Any remotely modern operating system should be able to safely stay on the Internet, given a bit of care (read: patching). Furthermore, your average Windows user will often need Internet-routable IP-addresses - think Bittorrent, any P2P, remote desktop and so on.