Forgot your password?
typodupeerror
Worms Operating Systems Security Software Windows

Clean System to Zombie Bot in Four Minutes 608

Posted by michael
from the takes-five-minutes-to-download-patches dept.
Amadaeus writes "According to the latest study by USA Today and Avantgarde, it takes less than 4 minutes for an unpatched Windows XP SP1 system to become part of a botnet. Avantgarde has the statistics in their abstract. Stats of note: Although Macs and PC's got hit with equal opportunity, the XP SP1 machine was hit with 5 LSASS and 4 DCOM exploits while the Mac remained clean. The Linux desktop also was impenetrable, but only was only targeted by 0.26% of all attacks." See also our story on the survival time for unpatched systems.
This discussion has been archived. No new comments can be posted.

Clean System to Zombie Bot in Four Minutes

Comments Filter:
  • by Anonymous Coward on Tuesday November 30, 2004 @04:07PM (#10955843)
    So this is why my new Dell tried to eat my brain this morning!
  • by Anonymous Coward
    First Post from a Bot!
  • NAT (Score:5, Insightful)

    by The Snowman (116231) * on Tuesday November 30, 2004 @04:07PM (#10955850) Homepage
    I am curious how effective NAT (e.g. a cable modem router) is at slowing or stopping these attacks for the the typical user.

    I know it works well enough for me, but I am not a typical user -- even my Windows box is locked down tight.
    • Re:NAT (Score:4, Informative)

      by hal9000(jr) (316943) on Tuesday November 30, 2004 @04:10PM (#10955898)
      As long as you don't download crap off the internet or don't do port forwarding to an internal server, your NAPT router is a good defense.
      • Re:NAT (Score:5, Funny)

        by The Snowman (116231) * on Tuesday November 30, 2004 @04:24PM (#10956066) Homepage
        "As long as you don't download crap off the internet or don't do port forwarding to an internal server, your NAPT router is a good defense."

        Which is why I was curious about its effectiveness for the typical user. I use Firefox, lock down the machine, don't install crap, and that machine is perfectly clean a year after its OS install.

        My wife's machine, however, is the opposite. AdAware choked because there were thousands of items (of course each piece of spyware has hundreds of items, so AdAware's list is misleading) and some that tried to prevent AdAware from running. I gave her a good talking to about installing crap from msn.com and visiting porn sites using IE. So I wound up sacrificing sex for a week so I would get a break from cleaning her computer. Sigh. Women.

        Anyway, my point is that I am not the typical user. NAT is an effective tool, but like any tool, it is only as good as the person wielding it.
        • Re:NAT (Score:4, Funny)

          by jav1231 (539129) on Tuesday November 30, 2004 @04:30PM (#10956132)
          Yeah, I don't know how many times I've said it, "Honey, if you MUST cruise sublimedirectory.com do it with Firefox!"
          Okay, ZERO!
          But how I wish she would....(sigh)
          • Re:NAT (Score:3, Interesting)

            by The Snowman (116231) *
            "Yeah, I don't know how many times I've said it, "Honey, if you MUST cruise sublimedirectory.com do it with Firefox!"
            Okay, ZERO!
            But how I wish she would....(sigh)"

            I know what my wife does when I am at work. I've caught her a few times when I stopped at home during the day (not that I mind). Anyway, I finally broke her of using IE. She got tired of error boxes saying "hey, I can't dial this number in Europe because there is no modem installed," spyware, and the inevitable slowdown caused by those programs.
            • by pVoid (607584)
              Some of the problems are caused by user error, but certainly the OS is to blame as well. For example, IE has the crappiest default security settings. Changing them breaks a lot of sites. Finally, IE is integrated into Windows, so security issues suddenly are ten times worse.

              In other words:

              1) IE: bad security

              2) IE: good security => breaks sites

              3) IE is Windows (let's assume)

              4) Windows breaks sites/Windows has security issues

              Oh sigh... man, I'm not even going to look for an analog syllogism because

            • Re:NAT (Score:5, Interesting)

              by Daedala (819156) on Tuesday November 30, 2004 @06:51PM (#10957754)

              Talk her into a Mac, if you can.

              I'm serious. As a child, I was an "Apple II for all" kid. Then I became one of those "Macs are too easy and wimpy" teens. In college, however, I became a "Hey, I can do work, I'm an addict!" person. Then I became a security wonk, and I'm a "Gee, why can't I find hardly any information on hardening OS X? [net-security.org] It's not perfect" kind of person.

              I don't believe it's possible for the average user to run Windows cleanly. You have to know too much. I've heard my security-wonk coworkers joke about how much spyware they had after a scan (and yeah, they're not great security wonks, but they were well above me on the food chain). If yer average security wonk can't keep his stupid box clean, then there's a problem with both the box and the user, not just the user.

              I don't believe that OS X is perfect. There are exploits that work. Safari has some of the same problems IE does [slashdot.org] (minus the whole hooked-into-the-OS-issue). You have to look really hard to find the issues, though. And for getting actual work done, they're a wonder. The built-in software does much of what regular users need. The interface is pretty and clean. And with BSD underneath, I've found that they a lot easier for linux-geek techie friends to suss out.

              I've come to the conclusion that Macs really are the best computers for most of the population. You don't get owned out of the box. You can download your security patches on modem--they come separate from the OS updates. You can safely read The Register. [slashdot.org] Even my Classic-emulated Office doesn't crash on OS X.

              Hardware costs are pretty much at parity for brand-name devices. The cost problem tends to be with replacing software. But there is a useful shareware community for Macs, Fink is pretty well-regarded, and commercial software can be found. Consider how much a password-sniffing Trojan might cost and cough it up.

              Thus endeth annoying advice.

        • Re:NAT (Score:3, Funny)

          by jawtheshark (198669) *
          I gave her a good talking to about installing crap from msn.com and visiting porn sites using IE

          a) I don't know many women that visit porn sites on the internet. I know women that love vibrators and stuff like that, but porn usually isn't their thing.
          b) Make it clear to your wife that you're the one managing the machines and that she has to submit to your will on the issue (she probably will even say "I don't understand much of computers"). It's very simple in my household: you use Firefox, don't

    • Only on broadband (Score:5, Interesting)

      by Jucius Maximus (229128) <zyrbmf5j4xNO@SPAMsnkmail.com> on Tuesday November 30, 2004 @04:12PM (#10955910) Homepage Journal
      Let me preface this by saying that in my area you can only get 28.8 dialup. There is nothing better available. Not even 56K. (And yes, I know there are some here stuck on 19.2 and 21.6 ... I feel for you all.)

      Our gateway box is a Win2k machine. It hasn't been patched in months upon months because it would tie up the connection for a long time. (Downloading patches over 28.8 is slow and we have eight computers in the house sharing that connection.) That gateway machine is totally clean. No spyware, no worms, etc. This is confirmed by proper antivirus and anti spyware software.

      I'm just posting this an in interesting observation. This makes sense because a zombie on a dialup line is pretty damn worthles anyway.

      • by Jeff DeMaagd (2015) on Tuesday November 30, 2004 @04:15PM (#10955957) Homepage Journal
        I was on a modem as recently as last year.

        What I did was went through the list of patches and manually downloading them through Microsoft's download site. Some of them weren't available or had odd restrictions of installation, but whenever I set up a computer, I just got the list of patches it needed through Windows Update and installed the local copies.

        I also had the luck of staying at a hotel the next city over, it had free wireless Internet service, so I downloaded as much of everything I could.
      • Re:Only on broadband (Score:4, Informative)

        by dasunt (249686) on Tuesday November 30, 2004 @05:07PM (#10956586)

        Let me preface this by saying that in my area you can only get 28.8 dialup. There is nothing better available. Not even 56K. (And yes, I know there are some here stuck on 19.2 and 21.6 ... I feel for you all.)

        Our gateway box is a Win2k machine. It hasn't been patched in months upon months because it would tie up the connection for a long time. (Downloading patches over 28.8 is slow and we have eight computers in the house sharing that connection.) That gateway machine is totally clean. No spyware, no worms, etc. This is confirmed by proper antivirus and anti spyware software.

        Why not either start a download going each night after you go to bed?

        If you want a local copy, use wget to retrieve files.

        If you don't care, use windows update.

        In an 8 hour night, you can pull down about 100mb.

        If you want to apply patches to several computers while using windows update, try downloading rather than installing [pcmag.com] the patches.

        I'm just posting this an in interesting observation. This makes sense because a zombie on a dialup line is pretty damn worthles anyway.

        Dangerous assumption. The worms don't care what sort of line you are on. In addition, due to asynchronous connections, the upload speed of a dozen or so zombie dialup PC's can match the upload speed of one broadband connection -- rather useful for spamming or DDOSing.

      • Zombie bots generally don't know the difference between dialup and broadband.

        Perhaps you don't "have" any spyware or viruses is because your line is too slow to update your scanners?

        Seriously, install a squid proxy so you can download the patches on one machine and all the other machines can just use the cache.

        I bet if you let it go overnight it would be done in the morning.
    • by CdBee (742846)
      On my experience last night - my other post in this topic [slashdot.org] - it isn't always enabled when you'd think it would be....
    • Re:NAT (Score:4, Informative)

      by ryanr (30917) * <ryan@thievco.com> on Tuesday November 30, 2004 @04:34PM (#10956184) Homepage Journal
      Typical many-to-one NAT will act like a simple firewall. Highly recommended for purposes of downloading all your patches. There's basically zero chance you'd be able to patch a stock Win2K/XP SP1 machine before you got nailed on an open Internet connection.

      The NAT won't help much with the client-side holes.
      • Re:NAT (Score:5, Interesting)

        by Suburbanpride (755823) on Tuesday November 30, 2004 @04:59PM (#10956494)
        There's basically zero chance you'd be able to patch a stock Win2K/XP SP1 machine before you got nailed on an open Internet connection

        on my college network, you aren't allowed to use the outside internet untill you have the most recent patches installed, which are mirror on internal servers.If you computer is caught sending spam or DOS attacks, you are kicked of the network completly untill you get it fixed

        I'm not sure how effective this is, knowing the kind of shit people download, but its a start.

  • no kidding (Score:4, Funny)

    by hal9000(jr) (316943) on Tuesday November 30, 2004 @04:08PM (#10955856)
    this is news?

    Next up: People who see a dollar bill on the sidewalk will pick it up and put it in their pocket. See our analysis ...
    • by Raffaello (230287) on Tuesday November 30, 2004 @06:23PM (#10957473)
      If you look at the statistics compiled by the investigators, you'll see that the Window XP SP1 box and the Mac OS X 10.3.5 box both logged the overwhelming majority of attacks (45% each), and equal to within less than 1%.

      The Windows box was compromised multiple times. The Mac OS X box was never compromised. The Linux box was never compromised, but it only was hit a tiny fraction of the times the Mac OS X and Win XP SP1 boxes were.

      Oddly, the authors conclude that the best systems are Linux, and Win XP SP2. WTF?

      The obvious winner is the platform that sustained the highest number of attacks with the fewest number of compromises. That would be Mac OS X, with essentially half of all the attacks (just like Win XP SP1) but ZERO successful compromises.

      The authors seem to be bending over backwards to come up with a "winner" that runs on intel compatible hardware (Linux and Win XP SP2) but the obvious choice is Mac OS X.

      Why the biased interpretations?
  • Hey, cool. (Score:5, Interesting)

    by ryanr (30917) * <ryan@thievco.com> on Tuesday November 30, 2004 @04:08PM (#10955860) Homepage Journal
    I wasn't expecting this to get Slashdotted. Kevin and I set up the honeypot machines and monitored the network during the test. If anyone has any questions, I'm happy to answer.
    • Re:Hey, cool. (Score:5, Interesting)

      by diamondsw (685967) on Tuesday November 30, 2004 @04:13PM (#10955924)
      Any chance of a repeat with XP SP2, to get a feel for whether or not the security fixes make a difference in the "real world"?
      • Re:Hey, cool. (Score:5, Informative)

        by ryanr (30917) * <ryan@thievco.com> on Tuesday November 30, 2004 @04:21PM (#10956034) Homepage Journal
        There was an SP2 machine included in the same test. It went unmolested, due largerly to the new firewall enabled by default. This particular test environment included no user activity, i.e. no email reading, no web browsing.

        Generally speaking, I'm pleased with SP2. As long as you're running XP, and it won't affect your critical functionality adversely, install it. It won't be exploit proof moving forward, but it's the easiest way to patch the current set of problems.
        • Re:Hey, cool. (Score:3, Interesting)

          by Barlo_Mung_42 (411228)
          "There was an SP2 machine included in the same test. It went unmolested"

          Funny how that tidbit didn't make it into the synopsis.
          • Re:Hey, cool. (Score:4, Informative)

            by ryanr (30917) * <ryan@thievco.com> on Tuesday November 30, 2004 @04:29PM (#10956124) Homepage Journal
            Which? It's in the USA Today story. You mean the Slashdot synopsis?

            Yes, the SP2 machine, SP1 w/Zonealarm, and Linspire machines all had software firewalls, which appear to do their jobs just fine. One of the reasons the Max registered so many attacks is because one of the enabled services was Samba. Rather funny to watch all the Windows worms try their exploits on Samba, actually.
    • Re:Hey, cool. (Score:3, Interesting)

      Hey Ryan -- congrats on the story. I'm curious if you saw (or allowed) any behaviour on the compromised machines besides joining IRC or scanning for other machines; TFA didn't seem to mention this, and as you said the article itself is slashdotted.
      • Re:Hey, cool. (Score:3, Informative)

        by ryanr (30917) *
        Nothing beyond that. However, I should point out that, for the most part, we didn't let the machine continue long after compromise. After an intrusion was detected, we restored it, patched that particular hole, and put it back. We also made no particular effort to analyze what happened on disk and in memory, the bulk of the analysis being done from the wire.

        At least a couple of times, a minimal rootkit was installed. It's highly likely that if we had left them, the 0wners in the IRC channel would have
    • Questions (Score:3, Interesting)

      by RAMMS+EIN (578166)
      I have a few questions.

      1. How do you count attacks? The number of attempted attacks differs between the various systems. Does that mean some machines actually were attacked more often than others, or do you simply not count certain attempts? (E.g. malicious packets sent to closed ports)

      2. Wouldn't it be fairer to run every machine with the firewall off (including those that have it on by default)? Obviously, if no traffic gets through to a machine, it can't be compromised no matter how insecure the softwa
      • Re:Questions (Score:5, Informative)

        by ryanr (30917) * <ryan@thievco.com> on Tuesday November 30, 2004 @05:02PM (#10956524) Homepage Journal
        Good questions. I kinda expected more people to ask that, and I wish the article had covered those aspects better. Of course, reporters will report what they like, and the USAToday guys kept pointing out that they were targeting a less techical audience.

        Anyway...

        Attacks were counted by Snort with a default ruleset, as of early September when I set it up. I.e. For the most part, I could only count attempts that could be delivered. That means that any of the hundreds of thousands of TCP connection attempts to the firewalled machine couldn't be completed, and so no TCP payload, and no attack signature matching. Hence, the attempts recorded on the firewalled machines represented mostly UDP and ICMP traffic. For UDP, think SQL Slammer. Yes, this included things that many people would consider fairly innocuous, like ICMP information leak-class packets.

        As for the firewalling... The "base" test case was Windows XP. Overall, they were going for SOHO-class machines, as you might get them out of the box. In the XP case, there's relatively little point in having the same config multiple times. Instead, we compare XP SP1 (no firewall) with XP SP1 (w/Zonealarm) and XP SP2. Because there would obviously be questions about the other OSes, the Mac, Linspire, and Win2K3 SBE were included. Linspir has a firewall by default, Win2K3 and OS X don't.

        The OS X machine registered so many attempts because it was running Samba, and all the Windows attacks could deliver a payload (and have the attack registered.)

        It would have been better described as "number of succesfully delivered attack attempts", but I guess that isn't good copy. :)
  • by ajiva (156759) on Tuesday November 30, 2004 @04:08PM (#10955861)
    Does that mean I have to install XP, download SP2. Burn the SP2 archive onto a CDROM, reinstall XP with the network cable disconnected, and then patch? Geez that'll get old fast
  • We built an XP box maybe a year ago and forgot to turn on the firewall before we started downloading patches. The machine was infected with Sasser in well under five minutes.

    Fortunately the machine didn't have anything important on it since it was freshly built...
  • I'd love to see... (Score:4, Interesting)

    by MrNemesis (587188) on Tuesday November 30, 2004 @04:09PM (#10955868) Homepage Journal
    ...statistics for all the other versions of windows in common use, particularly Windows 2000, as well as XP SP2. Last time I looked XP machines could only account for a maximum of ~50% of all the potential zombie bots in the world.
    • by rewt66 (738525)
      Well, that's kind of irrelevant, because you don't see very many machines with those OSes getting newly connected to the Internet any more. Some, but not many...
  • by daveschroeder (516195) * on Tuesday November 30, 2004 @04:10PM (#10955886)
    Although Macs and PC's got hit with equal opportunity, the XP SP1 machine was hit with 5 LSASS and 4 DCOM exploits while the Mac remained clean

    Yes, yes, we know this is not surprising, since the exploits in question target Windows specifically, and therefore obviously will not affect Macs.

    But the larger points you should take away from this is twofold:

    1. The simple fact of the matter is that, for whatever reason, Macs are clearly affected far less than PCs by all types of exploits. This is not because of just marketshare. But whatever the reason, it is true nonetheless. But this brings be to:

    2. Even a completely unpatched Mac OS X 10.0.0 machine would not be vulnerable to any kind of remote attack, because no ports whatsoever are open to the outside world, and on most consumer Mac OS X systems, never will be. The fundamental and intrinsic security design and considerations of Mac OS X are just better, period. Even local exploits, such as might travel freely and easily on Windows via email, aren't as possible or practical on Mac OS X (e.g., a potential Mac exploit of this nature that spread via email would have to have its own MTA or a lot more complexity than a simple script on Windows where Outlook and the OS does all the work for you). Yes, marketshare, i.e., the chances of the next host encountered being a Mac, certainly doesn't hurt, but that is not the sole or primary reason Macs aren't vulnerable. No effective automatic vectors of infection or spread, either local or remote, exist, period. When external ports are opened, they usually represent open source services such as apache and OpenSSH, which as a matter of course are usually updated long before theoretical exploits become reality because of the intense scrutiny and peer review such products receive by the community.

    When will people learn, that after three and a half years of Mac OS X, with the market growing, it's not just because of "marketshare" that Macs are rarely affected by these types of issues? Can people admit that it's possible that security decisions that were simply and fundamentally better than those of Microsoft were made? I get a kick out of articles that trumpet "MACS JUST AS INSECURE AS WINDOWS" when a text shell script is "discovered", one that must be run by someone with root or physical access no less, with no worthwhile vector or method of automated propagation of any kind![1] This is in the face of completely remote and automated exploits that can hit a Windows machine in minutes of being on the network, or exploits that own your machine by simply visiting a web page, or viewing an email message in Outlook (yes, these have continued to exist, some even very recently).

    [1] For the nit-pickers out there, copying itself to other remote Mac OS X system volumes to which the local user has root-equivalent access and has manually connected to doesn't exactly rise to the level of the unprivileged, automatic propagation we see in the Windows world.
    • You don't mention the same about linux neither? Linux and all other unix based systems are built mor e secure in nature.

      I wish marketshare would skyrocket for a unix-based OS so we could prove to the world, togeather, that market share isn't what protects these systems.
    • by MysteriousMystery (708469) on Tuesday November 30, 2004 @04:20PM (#10956021)
      Well, the same situation goes for Linux, BSDs (not including OSX in this statement) and a lot of other operating systems. And it's not just because of their substancially smaller market shares either(though it certainly doesn't hurt either). Windows obviously has a number of design flaws, and deployment of patches to consumers (and for that matter large organizations) is a problem, and until Microsoft can come up with a more complete way to solve this problem, it will always be an issue. From the ground level up there are fundamental problems with the way windows was designed, and as we've all learned, the security through obscurity approach is not an effective one.
      • by daveschroeder (516195) * on Tuesday November 30, 2004 @04:23PM (#10956058)
        Oh yes, I'll include other UNIXes, Linux, BSDs, etc.

        However, the article summary only mentioned Macs (which is why I did), and also, many of these other systems are used as servers, and do in fact have many more open ports than a typical Mac OS X system, which often has none. This isn't to say they're "insecure" because of it; just that there are channels of potential access.

        Now, a Mac OS X (or Mac OS X Server) machine used in a "server" role is likely to share a similar level of exposure.

        But my reference is to a typical consumer or desktop machine, which represents by far the largest proportion of machines out there, and which is primarily what this article is referring to. And in the cases of these machines, Windows has remote avenues of attack, and Mac OS X does not - at all.
    • by Ancil (622971) on Tuesday November 30, 2004 @04:25PM (#10956078)

      Even a completely unpatched Mac OS X 10.0.0 machine would not be vulnerable to any kind of remote attack, because no ports whatsoever are open to the outside world, and on most consumer Mac OS X systems, never will be.
      Yes, and on Windows XP with Service Pack 2 installed, the firewall is also locked down from first boot until such time as you decide to open some ports up.

      This is the version that's been shipping on new machines and sitting on store shelves for half a year now.

      But these facts are a bit inconvenient and don't make for exciting headlines, so we'll run the test with SP1, which everyone knows had some juicy exploits.

      • by daveschroeder (516195) * on Tuesday November 30, 2004 @04:29PM (#10956126)
        This is the version that's been shipping on new machines and sitting on store shelves for half a year now.

        1. And this still doesn't represent a large portion of machines running XP.

        2. There have been some major exploits, albeit not necessarily remote, that have still affected XP post-SP2.

        Microsoft's almost criminally (considering how many billions of dollars and manhours that have been lost due to this) late sudden "awareness" of security does not change the basic premise of this article, nor what I said.
  • What?!? (Score:3, Funny)

    by natron 2.0 (615149) <ndpeters79@gmai[ ]om ['l.c' in gap]> on Tuesday November 30, 2004 @04:10PM (#10955888) Homepage Journal
    from the takes-five-minutes-to-download-patches dept

    Yeah right...

  • At a customer site, an employee recently installed a backup program which included SQL server 2000. It took 10 minutes for it to become infected with Code Red.
  • Our experience (Score:5, Interesting)

    by BWJones (18351) * on Tuesday November 30, 2004 @04:11PM (#10955902) Homepage Journal
    Our experience with operating system maintenance costs has been that Windows systems typically are the most expensive in terms of total required hours. Linux boxes initially are difficult to set up, but are more difficult for novice users necessitating frequent support, Windows boxes are easy for novices to use and recently have become much more stable, but have malware issues. Solaris and IRIX boxes are somewhere inbetween in terms of ease of use but require "privileged" knowledge in how to deal with certain issues, leaving us with OS X.......

    OS X/Macintosh has proven to be the absolute most productive environment for us to date, least susceptible to malware/hacking has the lowest support costs and is why we have been in the process of replacing most machines with OS X boxes.

    • Re:Our experience (Score:4, Insightful)

      by SpooForBrains (771537) on Tuesday November 30, 2004 @04:44PM (#10956310)
      Linux boxes initially are difficult to set up, but are more difficult for novice users necessitating frequent support


      I'm sorry but this is absolute shash. A properly configured current KDE installation is just as easy to use as Windows, and why shouldn't it be? All the requisite components are where you would expect them to be (Applications on a menu in the bottom left corner, close, minimise and maximise buttons where you would expect them, trash on the desktop, equivalents of system tray and quicklaunch bar). Visually they are superficially different but that's as far as it goes.

      I know this from experience. We support offices running 90% linux desktops and we still have a significantly higher support overhead from the Windows machines.
  • by Anonymous Coward on Tuesday November 30, 2004 @04:11PM (#10955906)
    I'm using my new unpatched XP system right now and it works gre45h3@#$!dd11f

    NO CARRIER
  • by nordicfrost (118437) * on Tuesday November 30, 2004 @04:12PM (#10955915)
    Many IT-people brand the persons that get these bots / infections as clueless lusers who get their comeuppance. I don't.

    A machine isn't supposed to act this way. It is very simple, but we forget that proper behaviour for the machine is to NOT get infected in seconds. I have abandoned windows some time ago, but still help friends with their machines. But it is a battle they're losing. Nothing seems to help, mostly due to the extremely bad security paradigms. They now think its normal having to run 2 - 3 different anti-adware programs, virusscanner, be on eternal vigilance at every corner of the internet.

    It is not supposed to be like this. Don't forget that.
    • brand the persons that get these bots / infections as clueless lusers who get their comeuppance

      But they are to an extent. They are using a tool with the insistance that they should not have to learn how to use it properly. This kind of rationale doesn't work in very many places, why should it apply to computers? Everything is learned, granted a lot of things are simpler than computers to use, but you still have to put effort into learning how to take care of your things.

      You need to learn to check the oil
  • White Knight Virus's (Score:3, Interesting)

    by PktLoss (647983) * on Tuesday November 30, 2004 @04:13PM (#10955920) Homepage Journal
    This kind of news kind of makes me wish for white knight virus's that run out there and plug the wholes (carefully) before the bot net virus's attack. Possibly even faking a Microsoft message requesting the use download all the newest patches from windowsupdate.com

    With the recent news that lycos has publicaly released a DDOS (mince words if you want to, that's what it is) tool to use on spammers, I wonder if a corporate sponsored virus of this type is far off.
  • 2:30 (Score:5, Informative)

    by Nuskrad (740518) on Tuesday November 30, 2004 @04:13PM (#10955925)
    I recently tested this on a clean install of Windows XP SP1, and it took just 2 minutes 30 seconds(give or take a few) after connecting to the internet for me to notice the system to be compromised, and that was with the Windows Firewall on.

    My advice to anyone with Windows XP SP1 planning a clean install - get the SP2 CD (free from Microsoft) and install it before connecting to the internet.

  • by Sheetrock (152993) on Tuesday November 30, 2004 @04:13PM (#10955927) Homepage Journal
    I've been around the Internet for a long time -- since the early 90s in fact -- and am thus quite aware of the ruinous activities it has been subjected to by the typical user since then. You know, things like people popping into a random USENET group and treating it like a tech support line, or in the larger picture basically assuming the entire network is there to serve as some form of entertainment. The issues with machines getting infected within minutes is only another sign of the degree to which the abuse of the Internet has been risen up to.

    When I started, the USENET application would inform me that my message would be spread across tens of thousands of computers at immeasurable cost as a subtle hint to keep things interesting, and Internet Chat required some basic knowledge of Makefiles and attention to documentation before you could run a client. Frankly, things became unmanageable at the point the Internet was made accessible to anybody with a web browser; anybody who's been around this long knows what I'm talking about.

    It's a short hop to realizing that the problems we're experiencing with virii and worms are the same problem. Intimate knowledge of x86 assembly used to be a requirement -- along with a malcontent-type disposition -- in order to wreak the sort of havoc that today requires fifteen minutes and an Effective VBScript In Fifteen Minutes manual. Every document is now a program, and e-mail doubles as FTP.

    Many experts believe we should raise the barrier of entry by requiring programmers to undergo education, certification, and maybe even an oath to do no harm as part of the certification process if going into a security field. It used to take years to do what kids today can do in months; additionally, a would-be programmer who spends a few months picking up Visual Basic or whatever has hardly learned the fundamentals of programming any more than someone who reads a manual about his DVD player has become a laser engineer. I suggest that the field and the general user experience would be greatly enhanced by limiting access to compilers/assemblers (by means of pricing and with the cooperation of the open source community) and by separating macros or other executable content from documents.

    It makes more sense than trying to go out and educate every user. Think about it; in what other field do we "educate" "users"? We don't try to educate people with electrical outlets and let any curious individual perform as a licensed electrician. We don't "educate" passengers and let anyone who cares be a bus driver give it a try. Why are things always so difficult when it comes to computers?

    • by rewt66 (738525) on Tuesday November 30, 2004 @04:35PM (#10956200)
      Think about it; in what other field do we "educate" "users"?

      Cars. Getting a driver's license requires months of education, plus passing two tests (one written, one actually driving). This doesn't teach you how to build or maintain a car, just how to drive it safely.

      Guns. In at least some states, you have to take safety classes to teach you how to use (and store!) a gun safely and responsibly.

      There may be others, but those are the two that came to mind immediately...

    • by frank_adrian314159 (469671) on Tuesday November 30, 2004 @04:41PM (#10956269) Homepage
      I've been around the Internet for a long time -- since the early 90s in fact...

      Well, I've been around the "Internet" since the early 80's and remember when you had to manually route email across the UUCP network. I also know people who have been on the "Internet" ever since it was only the ARPANET. And you know what? I started complaining around the early nineties when this "Mosaic" thing showed up and started to screw up the Internet. And the guys who were on the ARPANET bitched when our machines started routing USENET and email through their network. Bottom line, whenever new people come in and change things, the "old timers" say that it sucks. Old immigrants always dislike new immigrants. Welcome to reality, where things always will suck more next year because kids these days just don't know how to behave.

      But in the end, you know what? I wouldn't have changed a thing. It was what it was, it will be what it will be because people try to make it better and it's still a hundred times better than if it would have been if it had stayed the same. Stop thinking about how great things were in "the good old days" and trying to keep people from doing interesting stuff (and, yes, even worms and viruses are interesting in a malevolent way). Instead, figure out how to improve things without cutting off access and help build "the good new days".

    • http://it.slashdot.org/comments.pl?sid=127203&cid= 10632935

      What the hell, no original material? Liked your old post so much you had to repeat it? couldn't even bother to change a word or two to keep those of us who read it before interested?

  • by Corf (145778)
    According to the latest study by USA Today and Avantgarde, it takes less than 4 minutes for an unpatched Windows XP SP1 system to become part of a botnet.

    ...and about the same time for Avantgarde's server to be reduced to a smouldering pile of rubble. Go Slashdot!

  • by CdBee (742846) on Tuesday November 30, 2004 @04:14PM (#10955935)
    Last night I installed Windows 2000 SP4 onto a machine (not mine) connected to an NTL (British ISP) Cable set-top-box by ethernet.

    Windows came up, I chose a username, and it froze due to gaobot infection.
    I hasten to add that normally I unplug modems but I was under the impression that Set top box Cable access uses NAT and is thus secured against this sort of thing... I'll be recommending a Motorola Surfboard and router to my friend !
  • by theparanoidcynic (705438) on Tuesday November 30, 2004 @04:14PM (#10955937)
    Zone Alarm and Firefox get on the system from a flash drive before ethernet cable is ever pluged in.
  • by Japong (793982) on Tuesday November 30, 2004 @04:15PM (#10955948)
    Bah, that's a load -BUYVIAGRANOW2FOR1!- of BS. I haven't patched my PC since I bought it -FREEMORTGAGEQUOTES!- and it's running just -TIREDOFCONSOLIDATEDDEBT?- fine. No viruses, no trojans, -TIREDOFSPAM?BUYTHISCRAP!- nothing.
  • Of course... (Score:5, Interesting)

    by rpdillon (715137) on Tuesday November 30, 2004 @04:15PM (#10955954) Homepage
    "The Linux desktop also was impenetrable, but only was only targeted by 0.26% of all attacks."

    They act like how often it's attacked is a detractor from how secure it is ("it's not exploited because no one ever attacks it!") In fact, I'd say the systems that are attacked the least is *because* they are so difficult to exploit. Well, that and they only are about 2 or 3 out of every 100 systems you'll ping.
  • not just worms (Score:5, Interesting)

    by TheSHAD0W (258774) on Tuesday November 30, 2004 @04:15PM (#10955956) Homepage
    If you've installed any programs from Download.com, Cnet.com or ZDnet.com, beware.

    I started getting reports of malware being attached to a program I work on [slashdot.org] and discovered the affected parties had obtained their copies of the program from Download.com. I had never submitted the program to them, but someone else had -- and they'd contaminated it with malware while they were at it. I complained, and the program was removed. (Actually, they first switched the links to the official server, but removed it when I complained further that they needed to tighten up their submission procedures.)

    While Download.com is no longer distributing my program, they are still distributing malware attached to other programs (just went to their site to confirm it) via xeol.net and probably others. They don't seem too interested in fixing the problem. I also sent a complaint to the FBI's cybercrime division, and they apparently weren't interested, either.
  • by DogDude (805747) on Tuesday November 30, 2004 @04:21PM (#10956033) Homepage
    My shit-hole apartment would be cleaned out in about 4 minutes if I didn't lock the door, too. So what does this prove? That there are nasty things out there? That shouldn't be news to anybody, especially not the Slashdot crowd. Lock down your computer the same way you'd lock your car doors and you'd lock your house.
  • Delta Compression! (Score:4, Informative)

    by cperciva (102828) on Tuesday November 30, 2004 @04:28PM (#10956116) Homepage
    This is why operating systems should use delta compression [slashdot.org] for distributing security patches. You're never going to have a perfectly secure operating system; you can, however, make sure that you can fix the security flaws before they are exploited. Put another way: Size matters!

    For the record, using FreeBSD Update [daemonology.net] and my binary diff [daemonology.net] tool, downloading all existing security patches for FreeBSD 4.8 (released April 2003) only requires 568kB of files to be downloaded -- which takes under 3 minutes even with a 28.8kbps modem.
  • by Twillerror (536681) on Tuesday November 30, 2004 @04:50PM (#10956371) Homepage Journal
    I'm suprised that ISP's don't provide some kind of firewall on their side, and charge people for it.

    Like imagine when you sign up for compnay's X DSL
    they offer a firewalled connection, or a non firewalled.

    For the simple users ( my mom ) you could have a default firewall that just blocks windows ports that have know exploits. Does 445 really need to come in from the outside world

    For the more advanced user you could have an interface that allows them to choose which ports.

    How hard would it be to setup a dynamic firewall solution like this? People would pay 5 to 10 bucks a month extra for it. Even someone like me so I don't have to use a router. I just don't trust a desktop firewall.
  • A few notes (Score:3, Informative)

    by Gyorg_Lavode (520114) on Tuesday November 30, 2004 @05:27PM (#10956796)
    I would be interested in a list of the passwords attempted by the worms since they managed to compromise the SBS2003 and winXP1 boxes that way.

    Second, the linux box isn't necesarily representative. Mandrake, for example, has open ports and no firewall. I would like to see a fresh mandrake box put on the net rather than the more secure Linspire. Additionally, was it ever figured out what port 7741 was used for? In a digital attack simulation we had, Linspire boxes were hard to characterize for the attackers because of the lack of any ports open on them. 7741 may be a good way to characterize the OS of the box. (Also, I worry more about open ports I don't recognize than ones I do, even if they aren't connected to extremely strong programs.)

    Also, the abstract seems to indicate the OSX box was NOT one of the better ones since it seemed to draw so many attempts. (I think this explained in comments as having to do with samba being turned on. Was samba on by default? And is there any implications of having a cloned service on as it draws more attacks even though these attacks are fundamentally hopeless.)

  • RTFA - it's shit. (Score:4, Insightful)

    by KZigurs (638781) on Tuesday November 30, 2004 @07:14PM (#10958024)
    "Because this system responded to ICMP ping requests, there was a low number of attempts to compromise the system--795 attacks." Makes sense?

    Also, from their methodology I really don't quite understand how they count attack attempts. Especially for MacOS X they say that ~44% of total attacks observed in experiment were targeting MacOSX machine, but later they honestly say that almost all of attacks were some kind of Microsoft exploits. Does this means that they counted microsoft exploits attempting to compromise MacOS X as a mac attacks?

    And, finally, I really like their babbling about most secure platforms being THREE (linspire, SP1 + zoneAlarm, windows SP2) and mentions the fact that mac were not compromised just in one table.

    If you would like to see conspiracy, I would say that this is a Microsoft PR with goal to:
    a) SP2 is good.
    b) Don't fucking use our products without additional security software (a marvelous reccomendation by the article)
    c) the only real operating envorement in this article is irrevelant and we just added it at the latest moment to gain some credibility.
  • We've got 1536/256 ADSL at my hosue (Whoever thought of making connections asynchronous should be made to suffer, along with the "let's change IP's for no reason" guy). It's connected straight to my gateway box, which is a psycho-paranoid IP-masquerade for our LAN as well as a limited internet server (http/ftp/ssh/bzflag).

    And oh, does a lot of crap ever go *plink* against that firewall. This is an IP that is not on Google, and does not advertize it's presence to the 'Net. There are probably 10 to 20 attempts to exploit Apache every day (Including some damn attempt to overflow it with a huge garbage query that makes my logs very ugly), along with a litany of thing requesting stuff from a windows directory. Probably as many attacks against proftpd, usually erroneous login attempts. Loads of garbage attempts to log in to sshd as root, test, and admin along with a few null passwords. On the packet filter level, I get probably 500 incoming connections from p2p programs (both because I use them and from the previous guy) a day. And believe it or not, Sasser, Slammer, Bagel, and Satan's Backdoor still come knocking. So, yeah... If all that crap got relayed to my dad's win2K box, it'd be pwn3d 20 times a day.

    Now, let's not talk about my relatives who use Windows 98, even on dialup.
  • by aristotle-dude (626586) on Tuesday November 30, 2004 @08:20PM (#10958653)
    The intelligence community (NSA,MI5,CIA,CSIS) all use and recommend Mac OS X to any one who asks them.

    I'm sure they use linux too but OS X provides a secure environment and free GUI development tools that are easy to use (X-code (formerly Project builder which came from OpenStep/NextStep) and Interface builder (which started out on NeXTStep).

Your computer account is overdrawn. Please see Big Brother.

Working...