Slashdot Mirror
Estimating the Time-To-Own of an Unpatched Windows PC
An anonymous reader notes a recent post on the SANS Institute's Internet Storm Center site estimating the time to infection of an unpatched Windows machine on the Internet — currently about 4 minutes. The researcher stipulated that the sub-5-minute estimate was valid for an unpatched machine in an ISP netblock with no NAT or firewall. The researcher, Lorna Hutcheson, called for others to post data on time-to-infection, and honeypot researchers in Germany did so the same day. They found longer times to infection, an average of 16 hours. Concludes the ISC's Hutchinson: "While the survival time varies quite a bit across methods used, pretty much all agree that placing an unpatched Windows computer directly onto the Internet in the hope that it downloads the patches faster than it gets exploited are odds that you wouldn't bet on in Vegas."
Back in '04 the time to live was (claimed to be) around 20 minutes. I wonder what the time is for an unpatched Vista (the figures in the article are for XP). Heh - I bet '98SE survives forever (nobody would want to exploit that).
Andy
That makes a lot of sense - because that is exactly what happens. Tons of bots around trying to get into "known and patched for years" exploits. They jsut scan IP Address ranges for computer to come online. So, really - no browsing required. No user action required. They happily come to you. This is why a simple firewall like the one you have now on Windows (allow only outgoing connections by default) or simple NAT ALREADY raises quite a bar in security - there ARE, HAVE BEEN and WILL BE exploits that do not require any user interaction.
No, this type of infection is sent to random computers all over the Internet.
If one computer on the same IP range as you if infected, it will try to infect all computers on the same IP range and continue to try until someone either turns off the PC or formats the harddrive.
Try installing a firewall, connecting a computer directly to the Internet (don't -do- anything, just connect it) and then Wireshark to look at your Network Interface.
You'll be surprised at the stuff you get without asking.
"I was in love with a beautiful blonde once, dear. She drove me to drink. It's the one thing I am indebted to her for."
I know that last time I put a new install of XP SP2 straight onto the internet without firewall or antivirus (A tiny oversight - plugged in the wrong cable) it was owned in under 5 minutes without any interaction on my part.
You can bundle all the patches & service-packs you want into a slipstream image and install everything at the same time.
Otherwise, there's WSUS (http://en.wikipedia.org/wiki/Windows_Server_Update_Services).
(Not that I disagree XP was horribly insecure when it came out)
throw new NoSignatureException();
You don't even need to turn it on; with SP2 it's on by default. The same with Vista. Yet the compromised machines had the Windows firewall turned off. So it's kind of a bogus test, because XP doesn't ship without SP2 any more, and ships with the firewall on by default.
XP SP2 comes with a firewall on by default. Vista comes with a firewall on by default.
This is only seems interesting if you're installing from your vintage 2001 XP disk.
Business. Numbers. Money. People. Computer World.
I'm going to jump in, because I don't think anyone explained this.
Windows runs lots of services (server programs) by default, some of which have vulnerabilities. Some of which can't be turned off, because of the way MS programmed them. If you wonder why they are there, this is how things like filesharing works: it has a server program which will reply when someone else on the lan broadcasts asking for other shares. If someone creates specially formed packets, they can break into those vulnerable services, and you are rooted.
There could also be vulnerablilities in the kernel (main system), but they are rare. You could also be infected if you opened up a shared folder, and someone / a program uploads a hostile program to it, and you run that program.
This is in addition to getting infected by visiting a hostile site with an insecure browser.
I may not have explained this very well, but hopefully you get the idea.
How do you know you don't have a virus unless you scan your computer? Even then, if you have a rootkit successfully installed it might be possible for the rootkit to avoid the AV software.
While the laptop itself has very little internet presence (just downloading patches, drivers and s/w updates) I've occasionally remote-mounted it's disk to another box that runs Norton. I've never detected any spam, viruses, trojans or other nasties.
My conclusion is that with some basic precautions and common-sense (plus no email and only visiting "well known" websites) it's quite feasible to run a windows box for dedicated applications 24*7 without the overheads of virus protection.
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
Which is exactly my point. We know those machines get pwned quickly, so why is this news? The /. summary presents it as if it's a current measurement of a current OS and not one that was superseded almost four years ago? (Assuming they are using a pre-SP2 install. Which, since the site doesn't give any actual information, I don't know.)
You should be perfectly safe, as a dumb NAT firewall won't be sending your PC any traffic that it didn't originate. The only possible vectors would be: a) if its connection tracking code gets confused and lets in traffic which it thinks is associated with another connection but really isn't, b) bugs in the NAT firewall device (pretty much the same thing), or c) an attacker gets very lucky with spoofing connections that happen to be in the NAT table (tremendously unlikely).
All up, the chances of anything getting through are pretty much negligible.
The caveat is that stuff on your PC may be making connections without your knowing; and in particular, some programs may use UPnP to open a listening port for incoming traffic. This shouldn't be an issue with an out-of-the-box install.
This is of course assuming the common NAT device setup, where you have your modem/router which gets a public IP address and then NATs all outbound traffic. Inbound traffic will hit the router and not go any further unless the user has explicitly set up forwarding rules on it.
Pretty much everyone with broadband in Australia will be behind such a device, as this is the kind of device most every ISP recommends or sells. Not sure what the norm is elsewhere in the world.
I did exactly the same kind of "research" (for a documentation about online threats for our local TV network), here is what I did.
I installed XP SP1 (bear with me, it was the pre-Vista days), the way you got it delivered on a CD. I did nothing else (XP SP1 came without the firewall preinstalled). I turned on a network monitor to document and show what happens. Then I patched in an Ethernet cable to the local network which had unfiltered access to the internet (pretty much what the average cable user, or the average DSL user has after dialup).
Time to infection through the RPC hole was less than 2 minutes.
I did essentially NOTHING to faciliate it (besides, well, not having the machine patched at least to SP2), I just let the machine sit there, connected to the internet.
In a nutshell, if you're using XP and have one of those SP1 install discs, download SP3 before you kick the system in the gutter, put the service pack on a USB stick or external drive and install it before you connect that machine anywhere.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I took about 2 minutes the last time I remember this was *accidentally* tested on our /16 network (XP SP2, way down in mid-2006).
But this is not a Windows problem per-se. Any other OS, in a post-install state, will eventually get compromised. It's just a matter of time.
Solution: build + patch + secure offline, then deploy.
I recall a former boss's computer getting compromised during the installation. It was either NT4 or 2000 server. I'm not sure his disk (most likely an MSDN disk) had any service packs on it. (this was late '03.) It was beyond the firewall, naked on a Bellsouth DSL line.
I also recall a friend (sysadmin) had his linux (redhat 6.2 maybe) machine compromised within a day of installing it. I don't know if it was within 4min or 16hrs; the next day we noticed it was scanning the network. That was a "naked" workstation on an ISP's core network -- no firewall of any kind. That was 7-8 years ago, and we still kid him about it.
The T1 at the office was seeing about 100 probes per minute years ago when I cared enough to log all that shit. The DS3 was seeing just as much crap the instant it was turned on a few months ago. (seeing how the morons setup that router (cisco), I wouldn't be surprised if people have broken into it -- with no logging turned on, how would anyone know?!?)
Absolutely. SP2 firewall is enabled by default.
And from the article "This older guide was written based on Windows XP pre SP2. One of its main feature
was step by step instructions on how to enable the Windows XP firewall."
XP SP2 was released in August of 2004. Why are we talking about 4 year old software? Heck, Firefox 1.0 hadn't even been released yet. And Ubuntu's first release was in October 2004.
Why is an OS older than Ubuntu or Firefox being tested? And I mean 4 years older then Ubuntu - even with SP2 it would still be older then Ubuntu or Firefox.
But it has SP2 (look at picture).
Yes! Iinstall a firewall and just watch the log file. Your machine is probably scanned around once every 20 seconds by some botnet or other.
America, Home of the Brave.
Considering that one of their "security" links is referencing XP SP1,I would say the data was pretty old. I know we used to hook XP SP2 machines straight in my last shop and after patches always did an online scan and I can't remember the scan ever finding anything. If they want to be taken seriously on the subject,they should list specific service pack,PC specs,and connection used. Then their data would be easily replicable if someone disputed their findings.
ACs don't waste your time replying, your posts are never seen by me.
The best thing to do would be to download and burn an offline SP3 updater on a good PC, and install that before connecting to the net.
Sadly this is not very well known especially amongst those who need it the most, and MS doesn't go out their way to make it very clear either. So geeks, do your duty and inform those who you suspect could use it.
Don't know if they still give those out, but I have this (free) SP2-update on CD, which I ordered from the MS-site.
When you shoot a mime, do you use a silencer?
I don't play WoW. I do, however, run Zonealarm. Now, a fresh Zonealarm install will tell you that loads of Windows services are asking to open ports on to the big bad internet. All of these are open by default on the Mickey Mouse Microsoft firewall, because "they're Microsoft services and none of them could possibly be a security risk". As I recall there have been a metric fuckton of patches for many of the default Windows services since SP2. I rest my case.
it's = it is
its = belonging to it
Because the last OS put out previous to Vista was Windows XP. That's why we are talking about such old software. It's only 1 version behind current. The biggest problem, is that there's a lot of people who have XP discs with no service pack incorporated. When you reinstall from these discs, and try to connect to the internet to download SP2, your computer is owned before you can even download the service pack. That's a major problem.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
Funny thing is that Zone Alarm has had some serious remote exploit vulnerabilities where if you hadn't installed a 3rd party FW in to your Windows XP computer, you'd be safe. Here's an example of one http://secunia.com/advisories/10921/. Windows XP, Vista, Server 2003 and 2008 Firewall has been rock solid and secure. You're simply talking out of your ass and you're giving the typical knee jerk reaction against Microsoft products. You do not have a single example of where Windows XP SP2 firewall is vulnerable to a remote exploit and there isn't a single example of hackers getting through it if all ports are closed.
Best thing to do is have a $20 router with NAT enabled by default. It allows you to share your Internet connection with NAT, automatically log in to your PPPoE account, give you a DHCP server, and give you a safe environment with all inbound ports blocked by default. Most Broadband services come bundled with a router/modem in a single device anyways and it's been a non-issue at least for AT&T DSL users since NAT is enabled by default. A lot of cable providers are also sending out routers with new service.
I do agree with you that downloading an offline SP3 installer is a good thing though I would suggest that using nLite to slip stream it in to a new ISO and CD is the best way to go.
I know it was pwned because during the installation I got an angry phone call from the Cisco Comms boys, who wanted to know why one of our servers was suddenly flooding the network with traffic matching the signature of the Code Red worm.
Once the installation finished (now with the cable unplugged), sure enough, the box was infected with Code Red. No doubt because IIS installs by default (set to on) and my leaving the cable in allowed it to get infected.
I was then embarrassingly the reason for a new policy stating all installations must be done with the network cable unplugged.
Wasn't measuring recently.
In worst times, I had seen one exploit attempt per 10 seconds on average. Since I have seen this all from pov of Linux router/firewall for sub-C net with 30 IPs, the logs were pretty messy and I had to do special script to clean syslog.
Right now my friend was setting up for himself firewall too and was seeing about 1 exploit attempt per 1-2 minutes.
That's Windows side.
On Linux side this isn't much prettier. In past some botnets from South Korea were dumbly scanning whole net trying to probe well known services (ssh, rsh, telnet, mysql, etc) as root with well knows passwords. I had something like 20-30 "auth failed" per minute in my syslog. Right now still some botnets try to scan *nix systems with weak passwords continuously. It is not as bad as it was with attack from SK, still I'm not leaving SSH running on port 22 anymore (just in case).
All hope abandon ye who enter here.
It'd be behind a NAT, so you'd basically be safe. (Of course you're never completely safe, but you have to pound hard to get through a NAT that doesn't have ports opened administratively.) The fact that it's VMWare providing the NAT doesn't matter; you'd see the same if you were to plug in a cable modem router.
This would be all fine and dandy and all, but who has access to two computers at home? Work computers do not count as most of them probably do not have burners.
Most families I know have more than one computer at home nowadays. This isn't 1995 anymore you know. And if the work computer didn't disable USB, you can usually download it on a USB stick from there. Jeez, this isn't rocket science. You can usually even just download the linked ISO image on a compromized machine, as there are very few virusses in the wild that are actively looking for ISO images on your HDD to patch on the fly.
I don't play WoW. I do, however, run Zonealarm. Now, a fresh Zonealarm install will tell you that loads of Windows services are asking to open ports on to the big bad internet. All of these are open by default on the Mickey Mouse Microsoft firewall, because "they're Microsoft services and none of them could possibly be a security risk".
No, they're not. A default Windows XP SP2 install doesn't even respond to pings.
Yep, I own a very old XP pre-SP2 install CD. I was reformatting an old box of mine and forgot to download SP2 (this was before SP3). No big deal, I'll just get the network install off Microsoft's site. Bad idea, within minutes I was infected with all kinds of stuff. I ended up reformatting and downloading the patches off my linux box. I really need to learn how to slipstream my install disc...
.
I don't think it gets much easier than this:
What Is Service Pack 3?
Read the XP SP3 white paper.
Steps to take before you install SP3
Download SP3 from Windows Update
Order SP3 on CD-ROM
Download and deploy SP3 to multiple computers [Network Installation for the IT Professional]
Free [basic] unlimited installation and compatibility support
---your choice of e-mail, online chat, or toll-free telephone.
TTY/TDO service for the hearing-impaired
There really isnt any "manual" you can learn about this kind of stuff. However, we all have the toolkit to test and investigate with it at our homes.
1. Search fragrouter in google first. All hits on front page are on topic. Get it and compile cleanly. I prefer Debian, but works for all Linux.
2. Go buy a router from any ol box store. I prefer the WRT54G ones that can be modded to run either DD-WRT or OpenWRT.
3. Get some test machines up and running, including a separate machine running DHCP on the "Internet" side of the router. You'll want to fake a internet connection with this, so tell the router to pull DHCP from the "Internet" box. The Internet Box is your attacking machine. You will want to set up NAT if it's not already.
4. Set up fragrouter and proper routing utils on the attacking box ("Internet" machine). You can use your real network as the attacked network, as you wont cause damage. fragrouter has something like 14 options of bad routing. You can use this in conjunction of other routing daemons and others that exploit active services already existing on the el'cheapo router.
5. Since you have inside knowledge about your network, you can easily guess the subnet mask and ip addressing scheme and "hack through" the NAT.
I've done precisely that on many routers, including mid-range ciscos. And as I said before, the only machines that are immune from fragmenting attacks are ones that piece back together packets before they are passed on to the internal network. OpenBSD, FreeBSD, and Linux can do this reliably ONLY with a large amount of ram and fast CPU.
Good Luck.
.
This is what Microsoft's Steve Riley had to say about outbound protection:
There's an important axiom of security that you must understand: protection belongs on the asset you want to protect, not on the thing you're trying to protect against. The correct approach is to run the lean yet effective Windows firewall on every computer in your organization, to protect each one from every other computer in the world. If you try to block outbound connections from a computer that's already compromised, how can you be sure that the computer is really doing what you ask? The answer: you can't. Outbound protection is security theater--it's a gimmick that only gives the impression of improving your security without doing anything that actually does improve your security. This is why outbound protection didn't exist in the Windows XP firewall and why it doesn't exist in the Windows Vista(TM) firewall.
Earlier, I said that the typical form of outbound protection in client firewalls is just security theater. However, one form of outbound control is very useful: administratively controlling certain types of traffic that you know you don't want to permit. The Windows Vista firewall already does this for service restrictions. The firewall allows a service to communicate only on the ports it says it needs and blocks anything else that the service attempts to do. You can build on this by writing additional rules that allow or block specific traffic to match your organization's security policy. Exploring The Windows Firewall
In one page, Riley covers quite a bit of ground.