Estimating the Time-To-Own of an Unpatched Windows PC

An anonymous reader notes a recent post on the SANS Institute's Internet Storm Center site estimating the time to infection of an unpatched Windows machine on the Internet — currently about 4 minutes. The researcher stipulated that the sub-5-minute estimate was valid for an unpatched machine in an ISP netblock with no NAT or firewall. The researcher, Lorna Hutcheson, called for others to post data on time-to-infection, and honeypot researchers in Germany did so the same day. They found longer times to infection, an average of 16 hours. Concludes the ISC's Hutcheson: "While the survival time varies quite a bit across methods used, pretty much all agree that placing an unpatched Windows computer directly onto the Internet in the hope that it downloads the patches faster than it gets exploited are odds that you wouldn't bet on in Vegas."
  • Doesn't make sense (Score:2, Interesting)

    by kaos07 ( 1113443 ) on Tuesday July 15, 2008 @02:51AM (#24192509)

    Man this doesn't make sense. So what, are they saying that as soon as you plug in your modem to the PC thousands of different sources are already trying to infect you? Even if you don't browse? Because the point is you can download Windows Updates and you can install and update your AV with only two connections. Not sure how you're going to get infected that way.

    Of course it could just be "Windows users can't resist dodgy porn sites for more than 4 minutes". Which makes more sense. I mean, when you've just gotten access to the internet what's the first thing you do? Hot Busty Nurses > Slashdot.

  • College Network (Score:2, Interesting)

    by Anonymous Coward on Tuesday July 15, 2008 @03:06AM (#24192585)

    I think the Time to Infection on a college network is like... 45 seconds.

  • Re:Offline updates (Score:1, Interesting)

    by Anonymous Coward on Tuesday July 15, 2008 @03:10AM (#24192615)

    For XP/Office/Vista, you owe it to yourself to use the Heise [heise.de] offline updates.

    How do I access those without going online?

    Burn them on a CD, you say? How do I do that? Connect the CD-burner to the modem, without using the computer?

    Imagine that I only have one computer. Imagine it is brand new, and this is not a 5*Re troubleshooting session.

    (5*Re: Retry - Reboot - Reinstall - Reformat - Redhat)

  • by FuegoFuerte ( 247200 ) on Tuesday July 15, 2008 @03:11AM (#24192621)
    At risk of sounding like I'm supporting something Microsoft has done, the feature they added with Server 2003 SP2 (and I believe also XP SP2) was quite a good move considering these facts.

    When a SP2 system is first brought up, after running through Mini-Setup or the OOBE, it will open a "Post-Setup Security Update" wizard. Until the user clicks the "Finish" button on the wizard, the firewall blocks all incoming traffic. The wizard also has links to Microsoft Update, etc. This gives the user a chance to download all the patches before opening up the firewall.

    In Vista/2008, the firewall is on by default and fairly locked down, only allowing certain traffic through. In Server 2008, the firewall rules are also grouped into categories to make it easier to configure so the user doesn't get frustrated and just turn it off completely (and if a user tries this by just stopping the firewall service, they lose their 'net connection completely... one must instead set a firewall policy to allow all traffic, which then shows the firewall status as "off").
  • Re:I have to call BS (Score:3, Interesting)

    by CrackedButter ( 646746 ) on Tuesday July 15, 2008 @03:18AM (#24192657) Homepage Journal
    I never patch my Mac unless it's a point release and I run just fine... never used antivirus or any other program to shield me from the net... no complaints for the 5 years since I've owned Macs.
  • by timmarhy ( 659436 ) on Tuesday July 15, 2008 @03:36AM (#24192751)
    Right, let's install a 5 year old Linux distro and see how long it takes to get owned. It's the same thing they are putting forward here with an unpatched WinXP system.

    Unpatched systems with no protection are easy to infect - this is not news.

  • by Anonymous Coward on Tuesday July 15, 2008 @03:50AM (#24192839)

    It's simple: install fresh OS, plug in Interweb, wait 4 minutes. No other user action, instant zombie.

    It comes from vulnerabilities in default services that shipped in the very first version of the OS. Nothing special about Windows except that there's enough of them to make it worthwhile to use some zombies to constantly probe for new ones.

  • ha! (Score:4, Interesting)

    by thatskinnyguy ( 1129515 ) on Tuesday July 15, 2008 @03:59AM (#24192881)
    4 minutes eh? I've seen XP installs (Pre-SP1) get owned during the install process!
  • by Gumbercules!! ( 1158841 ) on Tuesday July 15, 2008 @04:24AM (#24192963)
    I recall working at a university, in which every PC had a public IP address. I clearly remember a Windows 2000 server being pwned during installation. As in before the install process even finished.

    That was the last time I installed with the CAT/5 still plugged in (and yes, it was my first job)....
  • by Opportunist ( 166417 ) on Tuesday July 15, 2008 @05:35AM (#24193313)

    Considering that the average Linux distro from 5 (or rather, if you want to make a real comparison since they're obviously using XP SP1 to "prove" their point, 7) years ago already came with an iptables/ipchains firewall built in and rather few, if any, remotely accessible services running if you don't want them to run (they ask you if you want to have SSH running and yes, should you enable a 7 year old version of SSH then you're vulnerable), I'd think XP would still lose.

    The problem is that even if you KNOW that the RPC is a deadly remote exploit vector in XP, you CANNOT turn it off during install. With Linux, at least I have the option to avoid enabling SSH or other services that I know are no longer safe.

  • by naz404 ( 1282810 ) on Tuesday July 15, 2008 @06:09AM (#24193501) Homepage
    Will this be pwned the same way?

    Say, run an unpatched Win98, Win2k or WinXP VM (VirtualBox or VirtualPC) inside a host box with its own personal firewall.

    Will the firewall protect the VM, or will it be pwned just as fast because it's running on NAT and it's probably just the host VM software that's being monitored by the firewall?
  • by Stellian ( 673475 ) on Tuesday July 15, 2008 @06:56AM (#24193709)

    Oh please. This is why I love Slashdot. I'm as big of a MS hater as the next guy, but those who ignore MS's progress from the Blaster days are just spewing FUD. A default Windows SP2 installation, with non-executable buffers (DEP) left enabled for core Windows services, running on supporting hardware will not get owned by just sitting on an infected network. I challenge any Slashdotter who thinks otherwise to prove it. Of course, when people start browsing porn sites with the default browser things get tricky, but that's no longer a remote, automated attack.

    TFA counts *ALL* forms of attack. Even scans for obscure webserver or game vulnerabilities, Blaster type scans and ssh brute force attempts. I fail to see how these "attacks" can have any impact on a computer running a fresh install of a recent version of Windows like XP SP2, SP3 or Vista.

    You can argue about security track record all you like, and talk about why Windows is not secure by design, and how it should not be used for life support systems and ATMs [networkworld.com], and I would agree. But this is getting ridiculous.

  • by Britz ( 170620 ) on Tuesday July 15, 2008 @07:11AM (#24193789)

    There are still hosting companies that offer virtual machines and even complete servers with Red Hat 7.3.

    So I would be interested in the time it takes for that one to be infected.

    Do they even give patches for that any more?

    I am not trying to say Linux or Windows is safer. I am just trying to say it might not be wise to put an unpatched machine on the net without a firewall to download patches. Regardless of the OS.

  • Re:Honeynet (Score:3, Interesting)

    by tinkerghost ( 944862 ) on Tuesday July 15, 2008 @08:11AM (#24194101) Homepage

    This actually got me thinking, even Linux has its vulnerabilities from time to time, but I could argue it's MORE vulnerable because of all those Ubuntu Live CDs people have lying around. I've known a few people that have resorted to one of these Live CDs in times of dire need (i.e. when Windows has decided to break) and one guy even used one for a few months because his HDD died on him - but how do you patch THOSE?

    Why would you bother? A live CD can only be infected upon creation. After that, any infection is automatically removed when the computer is shut down & the ramdisk is closed.

    As for using an old disk for installs, the big advantage is that most Linux install CDs assume you know what you're doing & have a minimum of exposure - letting you install/start the services you need. From my experience, MS turns most of the stuff on, presumably on the theory you're too stupid to do it yourself if you should ever want to.

  • Re:Um, what version? (Score:3, Interesting)

    by ozmanjusri ( 601766 ) <aussie_bob@hoMOSCOWtmail.com minus city> on Tuesday July 15, 2008 @08:27AM (#24194179) Journal
    Yet you'll notice that the /. crowd isn't bleating on about the 33 year old Unix bug that's only just been fixed this week.

    Yes they did [slashdot.org].

    And you're seriously trying to compare a bug in a largely obsolete parser generator that only runs on one version of BSD, with an entire OS that's so poorly written that it can't even last 5 minutes without being pwned?

    You evangelists are getting desperate. No wonder Microsoft is having to spend +$300 million [zdnet.com] to try to persuade MVPs not to abandon ship...

    The time of worry is over.

    Lol...

  • by jamesh ( 87723 ) on Tuesday July 15, 2008 @08:47AM (#24194337)

    I made a monumental screwup and broke the firewall (iptables on a Linux machine) in such a way that there was no filtering to one of our /24 IP addresses. The IP address belonged to a Windows server running an unpatched version of MSSQL, and Blaster was at its peak. It took no less than 10 seconds from the time I activated the updated (broken) firewall rules to me scratching my head wondering why the router appeared completely dead.

    Blaster had infected the machine within about 10 seconds and the traffic had killed the router (well... not killed, it came back to life when I pulled the plug on the infected machine).

    Fortunately Blaster was memory resident only so there was no lasting damage.

    Of course one infection doesn't prove anything; looking through the firewall logs at the time, the average Blaster packet per IP address was a few minutes, so I think I was just unlucky to have been owned that quickly.
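The "survival time" the ISC post estimates and the per-IP probe interval jamesh pulled from his firewall logs are the same quantity, and it decides the race between patching and getting owned. The following is an added example (not code from the ISC, SANS, or any commenter): it assumes a constructed log format of the form `TIMESTAMP DROP SRC -> DST:PORT`, estimates the mean gap between inbound probes to each host, optionally counting only ports the host actually exposes (Stellian's objection that TFA counts every scan), and converts that gap into the probability of finishing a patch window unmolested.

```python
from datetime import datetime
from math import exp
from statistics import mean

# Constructed sample log of inbound probes dropped by a perimeter filter (not real data).
SAMPLE_LOG = """\
2008-07-15 03:00:00 DROP 203.0.113.7 -> 198.51.100.10:135
2008-07-15 03:03:30 DROP 203.0.113.8 -> 198.51.100.10:445
2008-07-15 03:08:00 DROP 203.0.113.9 -> 198.51.100.10:135
2008-07-15 03:00:00 DROP 203.0.113.7 -> 198.51.100.11:135
2008-07-15 03:02:00 DROP 203.0.113.9 -> 198.51.100.11:1434
2008-07-15 03:04:00 DROP 203.0.113.12 -> 198.51.100.11:135
"""

def parse_probes(log_text, ports=None):
    """Return {dst_ip: sorted probe times} from the assumed log format. If `ports` is
    given, only probes against those ports count, i.e. services the host really exposes."""
    probes = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[2] != "DROP":
            continue  # not an inbound drop line in the assumed format
        dst_ip, port = parts[5].rsplit(":", 1)
        if ports is not None and int(port) not in ports:
            continue
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        probes.setdefault(dst_ip, []).append(ts)
    return {ip: sorted(times) for ip, times in probes.items()}

def mean_probe_interval_minutes(log_text, ports=None):
    """Survival-time estimate: mean gap between consecutive probes to the same host."""
    gaps = []
    for times in parse_probes(log_text, ports).values():
        gaps.extend((b - a).total_seconds() / 60 for a, b in zip(times, times[1:]))
    return mean(gaps)

def survival_probability(patch_window_minutes, mean_interval_minutes):
    """Chance of seeing no probe during the patch window, modelling arrivals as a
    memoryless (Poisson) process with mean gap T: P(survive D) = exp(-D / T)."""
    return exp(-patch_window_minutes / mean_interval_minutes)

if __name__ == "__main__":
    t_all = mean_probe_interval_minutes(SAMPLE_LOG)                   # every probe counts
    t_exposed = mean_probe_interval_minutes(SAMPLE_LOG, {135, 445})   # listening ports only
    for label, t in (("all probes", t_all), ("exposed ports only", t_exposed)):
        print(f"{label}: mean gap {t:.1f} min, P(survive 60 min patch window) = "
              f"{survival_probability(60, t):.2e}")
    print(f"with the 16 h German honeypot figure: {survival_probability(60, 16 * 60):.3f}")
```

With the 4-minute figure an hour of downloading patches survives with probability around 3e-7; with the 16-hour figure it is about 0.94, which is why the two measurements lead to such different conclusions about the same procedure.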

  • by Doc Ruby ( 173196 ) on Tuesday July 15, 2008 @10:07AM (#24195561) Homepage Journal

    If Microsoft set every fresh Windows install to connect to only Microsoft.com on the Internet until either Microsoft.com, or the console, or some other specific named/numbered host said that Windows is "safely* patched", then this race condition would not be a problem. They could allow the "patch lock" on network access to be released by the installing operator at the console, or that operator could set a pointer to some other machines allowed access, or Microsoft.com's patch servers could send a list of servers. All other network access would be locked out until someone authorized said the machine was ready to connect to the general network/Internet access.

    Such a revision should take a couple of Microsoft programmers a week or so to implement and test. Of course, if Windows were OSS, then anyone in the Microsoft developer community could patch Windows to work right. And anyone could inspect that patch to ensure that it worked right, before trusting it not to be just another security hole.

    But of course, Microsoft is so far from anything approaching real openness or modern security practices that its fundamental insecurity in an Internet environment is one of its basic features. Its most prized feature on the hundreds of millions of machines compromised worldwide, many the first time they're connected to the Internet, among the bad guys out there who love Microsoft's closed and counterproductive "security" practices even more than Microsoft loves them.

    (* OK, Windows is never "safely patched", but it's a start.)

  • by mysticgoat ( 582871 ) on Tuesday July 15, 2008 @10:14AM (#24195677) Homepage Journal

    XP SP2 was released in August of 2004. Why are we talking about 4 year old software?

    For people like me, TFA was highly relevant.

    I'm now using Linux (Ubuntu) for more than 95% of my work. But I still have WinXP on dual boot since I've got a couple of image processing workflows in PaintShop Pro that I haven't developed Linux equivalents for as yet, and since my 8 color Canon i9900 only achieves its full potential (13"x17" photorealistic posters) when I use the proprietary Windows driver.

    I have not had to do a re-install of WinXP for more than 5 years. Back then, I re-installed from the original disks, got on the internet, and spent hours downloading and installing patches (and weeks reloading software and tweaking configurations). Had I not read TFA, I would have been using the same approach if WinXP crapped out on me today. I probably would not have noticed that WinXP had gotten pwned in the first few minutes, since I have done 0 none nada Windows installs in the last 5 years. I'm letting that skill set rust away.

    Now I know that the next time WinXP craps out, I need to use Ubuntu to gather up the latest SP and patches and prepare an update disk, then disconnect the network cable before doing the WinXP reinstall.

    So what should I keep in mind as I go scrounging for the latest WinXP SP, etc, from Ubuntu? Remember that I might not need to do this for a couple of years or so (prolly not until the HD that has the WinXP partition dies). Will I run afoul of Genuine Windows Advantage?

    BTW, Ubuntu is a pretty slick platform for 3D modeling. I'm getting reasonably fast renders with a 1.6 MHZ CPU and 1 GB of RAM. Much better than what I was getting with WinXP. Some of this would be improvements in Blender, but I'm pretty sure most of the improvement is from the lower overhead of the OS.

  • Re:What about NAT? (Score:3, Interesting)

    by Buelldozer ( 713671 ) on Tuesday July 15, 2008 @12:49PM (#24198521)

    That's what you think...until the day you reboot and say "Why is my machine loading an mIRC client at startup?"

    I've got a Windows 2003 SBS machine on the bench right now, only even that question wasn't sufficient for the inhouse IT staff to realize they had a problem!

    Personally installed blinders can be a powerful thing.

  • negative value...? (Score:2, Interesting)

    by modul8 ( 1326453 ) on Tuesday July 15, 2008 @01:23PM (#24199175)

    Hey all...

    During the Blaster/CodeRed days, I witnessed a Win2000 (yeah, slightly off topic, I know) workstation fall victim DURING THE INSTALL (prior to install completing / prior to the first real boot into OS). This occurred shortly after the network configuration etc screen that is displayed after TZ / regional configuration...

    reminds me of some multiplayer-game respawn location exploitism (don't remember which game[s])

  • by buswolley ( 591500 ) on Tuesday July 15, 2008 @01:52PM (#24199725) Journal
    I'm not quite a newb or anything. But, how do you know if you've been owned? Standard anti-virus checks? Something more difficult to detect?
