Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security Worms IT

The 12-minute Windows Heist 497

An anonymous reader writes "Sophos has come up with some pretty interesting research: apparently, there's a 50 percent chance unprotected Windows PCs will be compromised within 12 minutes of going online. Sophos came to that conclusion based on research covering the last six months of virus activity. The company said authors of malware such as spam, viruses, phishing scams and spyware have increased both the volume and sophistication of their assaults, releasing almost 8,000 new viruses in the first half of 2005 and increasingly teaming up in joint ventures to make money. The new-virus figure is up 59 percent on the same period last year."
This discussion has been archived. No new comments can be posted.

The 12-minute Windows Heist

Comments Filter:
  • by poopdeville ( 841677 ) on Thursday June 30, 2005 @09:58PM (#12957108)
    It takes slightly more time to get pwn3d now.
    • by Doppler00 ( 534739 ) on Thursday June 30, 2005 @10:00PM (#12957124) Homepage Journal
      My question is, which happens faster, first post, or getting a windows machine infected?

      Just a theoretical question...
      • Apparently, infection. To get the First Post you must be on the machine that runs some other OS.
      • The new first post virus infects your machine and posts within seconds to all new threads on /.
      • That's a complex question... You're asking a time related question and time is relative. It depends how fast the windows computer is travelling.

        if:
        f(fp) is a function of first post and
        f(wmi) is a function of windows machine infection,
        without knowing the "bi" in the "a + bi" of each function, it's just a guess.

        If I'd have to guess, I'd say first post happens faster since first posters on /. have nothing better to do.
      • I hate to be the prick who answers the theoretical question, but clearly the first post. First post was one minute after the article went up, infection is 12 mins. The first poster would have time to get a cup of coffee and return to find his machine hax0red.

    • MORE time?

      I thought the last figure was twenty minutes, down from forty minutes the previous study.

      At this rate, Windows will be owned BEFORE it goes on the Net next time - i.e., the CD will be compromised before you install it! Can't happen? Remember when Microsoft shipped a virus?

      This ties in nicely with Microsoft buying Claria! You can now get Claria embedded in your Windows CD before you even install it!
  • 50% chance? (Score:2, Insightful)

    by TheGuano ( 851573 )
    How is this figured? Are people just randomly surfing two-letters TLDs 12 minutes upon installing windows and hopping on the net?
    • Re:50% chance? (Score:5, Informative)

      by poopdeville ( 841677 ) on Thursday June 30, 2005 @10:12PM (#12957212)
      They're probably looking at a normal distribution of times. If the mean is 12 minutes, then 50% are infected before then. If this is the case, the standard deviation must be pretty high. I hope.
      • If the mean is 12 minutes, then 50% are infected before then. If this is the case, the standard deviation must be pretty high. I hope.

        I would hope that this means that the 50% of users not infected have secured their machine adequetely. If we're lucky, it means that in 12 minutes all vulnerable machines are infected and the rest are immune.

        Of course, 50% of machines being vulnerable is very high, but from these figures, the above is the best we can hope for.

    • Scaremongering (Score:5, Insightful)

      by jfengel ( 409917 ) on Thursday June 30, 2005 @10:12PM (#12957215) Homepage Journal
      There are attacks which don't require your help; Sasser in particular goes through an open port rather than through Outlook or IE. There are a few others.

      But that's pretty unlikely with a new PC, which presumably comes with the latest service packs. The article is incredibly short on actual data. There's nothing to support their 12-minute average. I get the impression that they chose the scariest headline to support an article which is mostly about phishing attacks, trojans, etc: attacks that require your help.

      So for all I know they're talking about the fact that there are enough attackers that if you throw a Windows ME (or even unpatched XP) box on the Internet, yeah, you're hacked. That says a lot, but not about how insecure Windows is. It says that there are still plenty of computers running hacks like Sasser; if you're not protected against it, you're screwed.

      That's mostly scaremongering, since unless you're installing a very out-of-date Windows, you're protected. You're not protected against new attacks, nor are you protected against many trojans. They're trying to convince you to buy software for that, which is relevant, by using scary but irrelevant numbers.
    • You are not required to do any web surfing if you connect unpatched Windows box to the Internet. It will get infected, very quickly too.
    • Re:50% chance? (Score:5, Interesting)

      by g-san ( 93038 ) on Thursday June 30, 2005 @10:57PM (#12957510)
      If you want a shocker, sniff your internet connection. Go download ethereal from www.ethereal.com, and open your internet connection with your firewall turned off (make sure your patches are up to date please :). Don't browse, don't do anything. Start a capture, select your PPP interface for a modem or ethernet for a broadband connection, turn on "Update list of packets in real time," and "Automatic scrolling in live capture," and turn off all the name resolution options. Click OK.
      Look for TCP SYN packets to port 135 or 445. You may have to wait a few minutes. That is something trying to make a connection to your machine, ports 135 are the main ports for Windows Networking. Heh, I turned did it while I was typing this and already got a connection attempt to 135. That is most likely a virus on some poor sods unpatched machine, running through IP addresses looking for more systems to infect. If you want to know what all that stuff is, search for it on google. And for all you hackers out there, try writing (connection to port 139 scrolling in background, hehehe) a simple TCP listener in your favorite programming language to see more than just a TCP reset.
      Bad things are living in the internet nowadays.
      • Re:50% chance? (Score:3, Informative)

        by David Horn ( 772985 )
        Wouldn't a lot of people on DSL / cable connections be safe behind their router? I imagine the majority of people use one with port forwarding turned off, as that's the setting by default.
        • Re:50% chance? (Score:3, Interesting)

          by jimicus ( 737525 )
          My cable modem isn't a modem at all. Technically, it's a bridge. The computer (or in my case, firewall) on my side of it gets a real, routeable IP address. The cable modem doesn't even appear in a traceroute and only really has an IP address for management purposes. I suspect the same is true for most cable modems.

          Similarly, there's a lot of USB DSL routers out there, and many ISPs don't support the ethernet port, if one exists. Guess what? They don't route at all. They're the DSL equivalent of good
          • Re:50% chance? (Score:5, Insightful)

            by egreB ( 183751 ) <[berge] [at] [trivini.no]> on Friday July 01, 2005 @02:59AM (#12958609) Journal
            My cable modem isn't a modem at all.
            Well, since we're on Slashdot, technically, it is a modem. It takes analogue signals and figures out digital data from them. It modulates and demodulates. Your cable modem just don't happen to be NAT'ing. Think of it as one long ethernet cable to your ISP.

            In my experience, most cable (as in television land-based cables) modems behave this way, which I find quite pleasant. Any box on your network can be reached from the outside, without funky NAT-routing. In fact, you can probably just keep asking for IP-addresses, and the modem will happily give you true, Internet-routable IP's. Enjoy.

            Now, would some people argue, NAT is great for your average Windows user, who probably don't want or need his machine available from the outside. This is the wrong way of solving problems. Any remotely modern operating system should be able to safely stay on the Internet, given a bit of care (read: patching). Furthermore, your average Windows user will often need Internet-routable IP-addresses - think Bittorrent, any P2P, remote desktop and so on.
  • Old news (Score:5, Informative)

    by Cromac ( 610264 ) on Thursday June 30, 2005 @10:00PM (#12957120)
    This isn't news. There have been reports out for months showing unprotected Windows machines being compromised within a few minutes on cable or dsl connections.

    From 11/29/2004: Unprotected PCs can be hijacked in minutes [usatoday.com]

    • My own Windows box was infected, cleaned up, and re-infected with Sasser (or Sobig or Sober or Blaster or something - I don't remember which it was) - all in the space of 2 to 3 minutes on a stinking dialup.

      That was a couple of years ago, when Windows worms (as opposed to Trojans, viruses, etc.) were a pretty new phenomenon, and when I thought I wouldn't need a firewall for my dinky little dial-up connection. Live and learn.
    • But this is news - 12 minutes is a huge improvement for microsoft.

      IIRC a previous study showed a mean time of 4 minutes on the net for expee to be taken over.
    • by Erris ( 531066 ) on Friday July 01, 2005 @02:40AM (#12958531) Homepage Journal
      This isn't news. There have been reports out for months showing unprotected Windows machines being compromised within a few minutes on cable or dsl connections.

      Sure, and anyone working retail knows that Winblows has been getting creamed for years, cable or no. This puts a number on that you can use, and the number has gotten smaller.

      "But wait," you might plead, "I remember just a few months ago reading about a minimum time to exploit of four minutes. This is twelve, how can things be getting worse and how do you know?"

      Well, Sophos knows because they have the thankless and hopless task of "protecting" hundreds of thousands of Winblows computers around the world. They came up with their figure by studying what their little clients fold them for the last six months. With so many clients, it's easy to watch them pop and extrapolate rates of infection, just like you can with radioactive material.

      What they have told you is a Winblows computer now has a HALF LIFE of twelve minutes. That's much worse than a four minute minimum because half lives have a way of adding up quickly. In 24 minutes, a given machine has only a 25% chance of not being owned. In 36 minutes, the chances of being "factory new" are down to just 12.5%. After an hour, oh my, you have less than a one in fifty chance of being virus free. Needless to say, after a few hours on line, YOU WILL BE OWNED. This is why even dial up users are suffering quickly.

      Notice that Sophos can be off by an order of magnitude and the results will be about the same. If the half life were really 120 minutes instead of 12 minutes, you would still be owned after a few days on line. There's little practical difference to the average user between 10 hours on line and 10 days. It's doubtful they are off by that much, given ammount of data they have available.

      Just for fun, try this fun little half life game [colorado.edu]. It's a little fast and the lables are elements, but you can imagine different Winblows versions getting oowned and spewing out their toxic spam and trojans onto the rest of the world. Radioactivity, cancer and Microsoft, what great analogies. Given real world M$ performance and it's results, the cancer shoe fits much better on Steve Balmer than it does on any GPL'd project.

  • by peculiarmethod ( 301094 ) on Thursday June 30, 2005 @10:00PM (#12957121) Journal
    That article used to say 5 minutes, but I saw he was running SP2 with McafNotFree and had to change the article a bit just before publication deadline to prove a point. Whoops.

    the original can be found at: ww!@#$_
    COCARRIER
  • Hogwash (Score:5, Funny)

    by AvantLegion ( 595806 ) on Thursday June 30, 2005 @10:01PM (#12957126) Journal
    Hogwash. I've been online for over 11 1/2 minutes and I haven't had anCLICK HERE FOR DISCOUNT V1AGR4!!!11

    • Re:Hogwash (Score:3, Funny)

      by pg110404 ( 836120 )
      Hogwash. I've been online for over 11 1/2 minutes and I haven't had anCLICK HERE FOR DISCOUNT V1AGR4!!!11

      That's too bad. I've been online for 12 3/4 minutes and minIE PERFORMED AN ILLEGAL OPERATION. DO YOU WISH TO SEND A REPORT TO MICROSOFT?
  • And if you enable... (Score:5, Interesting)

    by daveschroeder ( 516195 ) * on Thursday June 30, 2005 @10:01PM (#12957128)
    ...the built in Windows XP firewall (enabled by default on SP2 and assuming you don't have any other services enabled or open) and/or have a $30 personal firewall/router, there is a 100% chance you won't get compromised.

    But wait, they're talking about spyware, viruses, and phishing. So, those things can install themselves now?

    Don't get me wrong...viewed by itself, Windows has historically a dismally horrible track record. But a patched Windows XP SP2 machine behind a personal firewall/router with current anti-virus/anti-malware protection can be a secure system. Granted, it's been a long time coming, and it's easy for many users to fall into traps, but this seems like nothing more than a typical scare tactic by an AV vendor.

    Never trust an AV vendor saying the sky is falling.
    • but it takes me at *least* 13 minutes to download all that software! WHAT WILL I DO?

      Honestly, a firewall and 3rd party software is not an excuse for an insecure OS. I don't have a firewall running on OSX, and my linux box is protected by a two line iptables firewall (just because I got bored once) and even if I turned it off, nothing could compromise it.
    • by ScrewMaster ( 602015 ) on Thursday June 30, 2005 @10:24PM (#12957300)
      Never trust anyone who says the sky is falling if they happen to have a vested interest in it. The day will come (if it hasn't already) where antivirus vendors start releasing homegrown viruses to increase sales. It's already happened in the spyware world.

      Actually, the SOP for government and business here in the U.S. has increasingly fallen into a crisis/scare-tactic mode. That is, if you don't get what you want, simply magnify an actual problem to Biblical proportions (the Bush Administration and the War on Terror), or simply manufacture a crisis (the RIAA/MPAA and the War on P2P) to deflect interest in your own failings. Either way, it seems to work pretty well.
    • by CAIMLAS ( 41445 )
      [i]..the built in Windows XP firewall (enabled by default on SP2 and assuming you don't have any other services enabled or open) and/or have a $30 personal firewall/router, there is a 100% chance you won't get compromised.[/i]

      Uh... highly doubtful.

      Spyware is included in this assessment. I'm guessing that if someone gets online, chances are they're going to go to one of the larger sites on the internet - many of them have spyware on them. Guess what? They'll probably do that within 12 minutes.
      • Spyware is included in this assessment. I'm guessing that if someone gets online, chances are they're going to go to one of the larger sites on the internet - many of them have spyware on them. Guess what? They'll probably do that within 12 minutes.

        ...and in SP2, spyware is much more difficult to install.

    • ...the built in Windows XP firewall (enabled by default on SP2 and assuming you don't have any other services enabled or open) and/or have a $30 personal firewall/router, there is a 100% chance you won't get compromised.

      Right, that's why they say unprotected windows pc. Those items you mention are some sort of protection...

      (so does that mean that you should always use protection when using windows..? :)
    • So, those things can install themselves now?

      Yep, and they're not subtle about it either.....My favourite is:
      YOUR COMPUTER MIGHT BE INFECTED. RUN OUR ANTIVIRUS UTILITY TO CLEAN IT.

      Might be infected? Might be? no shit sherlock. That's like smashing windshields in a parking lot and putting a "We replace windshields while you wait" note on the driver's seat.
    • by ozmanjusri ( 601766 ) <.aussie_bob. .at. .hotmail.com.> on Friday July 01, 2005 @12:02AM (#12957865) Journal
      But wait, they're talking about spyware, viruses, and phishing. So, those things can install themselves now?

      Until recently, I've had no real problems with viruses/malware myself, but last week I was setting up a (friend's) computer with a fresh install of XP. I'd completed the install and downloaded a few tools, drivers etc to finish the job, and had started cleaning up the debris - temporary dirs etc. I switched to the desktop and noticed a file there that I didn't recognise, but assumed was one I'd downloaded. I double-clicked the file to see what it was...
      I realised just how dumb that was even as I was doing it, but too late. Explorer started up and tried to visit some gambling site. Closing it just started another instance. I pulled the net cable from the back, did some checking and found I'd installed something called "Surf Buddy".

      There was no uninstall, killing the task in the Task Manager didn't work - it'd just respawn. Edits in the registry would be "healed", and in the end, it took more than an hour of work and several reboots into safe mode to track down and clean the infestation.
      Yep, you're right that only people who do dumb things will get compromised when they're behind firewalls etc, but how many people never do a dumb thing in their lives?

      The problem with Windows isn't just that its easily compromised. It's that its bloody hard to fix when it has happened.
    • A firewall doesn't protect everything. A firewall with a clueless user at the helm won't protect you from quite a lot. It won't protect you from buffer overflows, system exploits, or a lot of other automated exploits. It won't protect you from a lot of spoof attacks. It will make you non-pingable, which helps, but anything you have enabled might still be a way in. Saying that having the built-in XP firewall running gives you a 100% chance of not being compromised is like saying that having antilock bre
    • " ...the built in Windows XP firewall (enabled by default on SP2 and assuming you don't have any other services enabled or open) and/or have a $30 personal firewall/router, there is a 100% chance you won't get compromised."

      Sheer ignorance. You _will_ get compromised. Personally i believe that apart from tracking cookies, everything else infecting your system means that something is wrong with your system either on design or coding level. The problem is, that even if you run a software firewall, a realtim
  • by toupsie ( 88295 ) on Thursday June 30, 2005 @10:03PM (#12957135) Homepage
    So what Sophos is saying is that buying a new PC and connecting it to the internet to access Windows Update is too dangerous. By the time the average PC/Windows users connects to Windows Update, they have a 50% chance of being compromised. It might be time for Microsoft to instruct Windows XP to firewall itself to Windows Update only until it has fully patched itself.

    You know, on second thought, the better idea is just get a Mac. The average PC user will find it safer and they can do 99% of what they were going to do anyways.

    • So what Sophos is saying is that buying a new PC and connecting it to the internet to access Windows Update is too dangerous. By the time the average PC/Windows users connects to Windows Update, they have a 50% chance of being compromised. It might be time for Microsoft to instruct Windows XP to firewall itself to Windows Update only until it has fully patched itself.

      I would imagine that almost any new Windows PC now ships with Windows XPSP2 which means the Windows Firewall is turned on by default. So yo
  • 8000? (Score:5, Interesting)

    by modemboy ( 233342 ) on Thursday June 30, 2005 @10:04PM (#12957139)
    8,000 new viruses? Say what?
    How many of those are just viruses edited by some script kiddy to say "0wn3d by Fr0g3r" or some such shit?
    Like sobig.a, sobig.b, sobig.c, sobig.d, sobig.e, etc...

    What I'd like to know is how many unique types of attacks are exploited by new viruses, that would be a useful statistic...
  • by Synbiosis ( 726818 ) on Thursday June 30, 2005 @10:04PM (#12957140)
    I'd like to see the actual numbers and the methodology of their study. It seems like all of the compromising attacks require action on the part of the user, like downloading unknown attachments, clicking spam links, and browsing shady porn sites.

    I don't see how any of those could be affect turning on your computer and using automatic updates.
  • Impressive (Score:5, Interesting)

    by dedazo ( 737510 ) on Thursday June 30, 2005 @10:04PM (#12957141) Journal
    And the last time someone "measured" this, it was 23 seconds or something like that.

    And the next time it will be 23 minutes. And so on.

    You could not pay me to put a Windows or Linux machine on my DMZ. They're all behind my $30 NAT router and they can be patched to my heart's content without having to worry about them getting p0wn3d. Oh, and to all you Linux fanboys who are going to be insulted by this - try putting a fresh RH9 (off ISOs) on your DMZ, and let's see how long it lasts.

    • I did this as a test a while ago.. Its still sitting there untouched. :P

      For me, the windows machine lasted 3 minutes (but this was 6 months ago.)

    • Run something more modern and you will be fine, like Debian 3.1. Alot of people use Linux on their routers (old systems as routers.) I do the same, but I run OpenBSD on my router (*BSD, not Linux.) I find greater flexibility in OpenBSD with ipf than some cheap router that is hard to update the firmware of if there is an exploit discovered.
    • Actually I had such a box (RH9) for some months as my firewall, and never had a breakin. (nowdays I run suse)

      In any case, it's fairly tight, right out of the box. You can pretty much install suse pro from the dvds, connect it directly to the internet, and go to bed and sleep like a baby.

      This sort of thing BTW would seem remarkable only to someone from a microsoft windows background.
    • try putting a fresh RH9 (off ISOs) on your DMZ, and let's see how long it lasts.

      2.5 years and counting, here. Default workstation installs of RH8 and later don't leave any ports open. Same goes for every other Linux distro I've tried in the past couple of years.

      Nice troll, though.
  • What about the other 50%? does it take another 12 minutes for 50% of that figure?

    Does that mean the half life of windows is 12 minutes?
  • by jerkychew ( 80913 ) on Thursday June 30, 2005 @10:08PM (#12957176) Homepage
    I love telling this story to people that ask why they should run Windows Update / run a firewall / get antitivirus, etc.:

    I was at a client's site, and needed to do some testing on their backup DSL line. Since it was a backup meant to plug into the main firewall in case of an outage, the line had no firewall - It was wide open.

    I had a laptop I had just rebuilt for an employee. Win2K, SP4. Unpatched, no antivirus. I planned on jumping on the line for all of five minutes to do some quick IP testing, and I just didn't think about it being vulnerable.

    So, I change the IP and plug into the DSL line. I'm plugged in no more than two minutes, and I get the damn "Windows is shutting down" dialog box. It reboots, and all hell breaks loose. Within those two minutes the damn machine had contracted the Blaster worm. I formatted and reloaded it to be safe, and learned a fun lesson that day. Good thing the laptop didn't have any important data on it.
    • When did the "Code Red" worm come out? July 2001? I consulting and setting up an Exchange 2000 server that summer at a client site and asked them what kind of firewall they had right before we started. They said, "Firewall?", and I said, "Oh $h!+". I built it offline and got whatever service pack and patches I had on CD loaded on the box. I plugged it in to WindowsUpdate and it was dead before the page started downloading the first update. I had to download all the patches to my laptop (fully patched of cou
  • Trojan anyone? (Score:3, Insightful)

    by abes ( 82351 ) on Thursday June 30, 2005 @10:09PM (#12957181) Homepage
    Perhaps part of the problem is people downloading their favourite infected app..
  • Its true!!! (Score:2, Interesting)

    by RootsLINUX ( 854452 )
    This is what brought me to Linux in the first place. The story takes place in February 2004. After an old hard drive failed on my PC and I bought a replacement, I re-installed Windows XP Pro and proceeded about my business, but within half an hour of getting online I got a typical windows error message pop-up about so-and-so process unexpectadly terminating, then Windows said it had to restart and gave me a 60-second countdown to save my work. I was like WTF!?!? So after several reboots and having the same
    • Think of it as a really high tech equivalent to the "whack the gopher" game, only more frustrating.

      Talk about frustration, what really pisses me off is why mircosoft can't roll all their critical updates on a weekly basis into a service pack x.y thing. Hell, it's not like they can't automate the process. I know some people who sell computers and thanks to the "automatic updates" method microsoft likes to push, it's far more convenient to connect every new machine to the net one by one and apply critical up
  • HAHAHA (Score:2, Interesting)

    I can believe it. Ive spent the past 2 years of my life doing support for Verizon..DSL/FIOS seriously I cant even keep track of the amount of times i helped a customer get connected and by the end of the call their pc would be shutting down... Most of the time its thier fault..I laughed my butt of when transfering someone to a billing office and thier pc already had a virus when i just told the to do thier updates before doing anything else..... besides this is just another reason to use linux
  • by Waltre ( 523056 ) *

    Surely the diligence of the user needs to be taken into account.

    Windows users are generally less inclined than linux users to work on securing their machines, and seem to be much less informed about whether they should really be downloading those smilies, or that cute pet that sits on their desktop.

    The intelligence/experience of the user has a lot to do with how easily the PC can be compromised, and this is regardless of their choice of OS.

  • Ofcourse.. (Score:4, Insightful)

    by majest!k ( 836921 ) <slash@[ ]estik.net ['maj' in gap]> on Thursday June 30, 2005 @10:20PM (#12957270)
    First Kaspersky, now Sophos... I've lost all respect for AV vendors. Using scare tactics to sell software is just sad.

    Here's all it takes to keep your Windows box safe: a router (or SP2) and Firefox. Oh, and enough common sense to not run any executable file sent to you by a stranger.

    There, I let the secret out.
    • Why is it sad?

      IMHO if you're running unpatched microsoft windows you should be scared.
    • Re:Ofcourse.. (Score:3, Insightful)

      by master_p ( 608214 )
      What if I am not a computer expert? what is a router, then? how do I install it? how do I operate it? etc etc. You see, it's not that simple.

      And admitting that one needs one device just to secure another speaks volumes about the design of that other device.
  • by mikeophile ( 647318 ) on Thursday June 30, 2005 @10:23PM (#12957294)
    After 12 minutes, an unprotected PC running Windows is both compromised and uncompromised until a tech collapses the state vector by producing a hefty bill for checking.

  • by unassimilatible ( 225662 ) on Thursday June 30, 2005 @10:25PM (#12957307) Journal
    or another firewall app on disk. Right after you install Windows, install Zone Alarm or other firewall, then connect your Net cable, then go to Windows update. Problem solved.

    Might be nice to have SP1 on disk too...

  • I really do not believe this. My PC has been Windows XP for years. I have no firewall. I have a static IP. I have an ActionTec modem and Cisco router. I have Norton Corporate. I have no problems, and I do know how to tell. So why have I been so problem free? WHY? I don't know... I think it is "security" companies that blow a problem out of preportion.
    • Because you are probably behind a NAT router, which generally acts *like* a firewall - ie it allows outbound traffic and inbound responses, but not unsolicited inbound connctions.

      It is the inbound connections from worms that cause the problems. NAT solves that unintentionally.

    • by rjh ( 40933 )
      Um, dude?

      Here's the thing: I can't tell if you're kidding or not. Because sure, there's something to be said for the "security companies are blowing problems out of proportion" idea.

      On the other hand, your nick is Saeed al-Sahaf.

      So I can't help but wonder if there's going to be a follow-up about how at this moment you're personally grilling the stomachs of script kiddies in hell or something.

      (For Slashdotters with no sense of history: Mohammed Saeed al-Sahaf was the Iraqi press secretary during the Gu
  • You mean to say... (Score:3, Insightful)

    by Dunbal ( 464142 ) on Thursday June 30, 2005 @10:40PM (#12957409)
    that actually it takes longer now to infect a Windows machine? It used to be 6 minutes...

    I guess it all depends where you are connected. When I connect in Costa Rica I get DOZENS of threats (using Zone Alarm), almost all from local IP's. A good guess would be the local internet cafe's running dirty pirated windows OSes. Here in the US I get maybe 1 a day.

    Since SP-2 I have run my Windows PC's with just the basic SP-2 firewall at times, with no intrusions.

    I am as anti-microsoft as the next slashdotter, but credit has to be given where it is due. Pre-SP2 was a wide open OS, which is now fixed. Now you have to make a special effort to get your box pwn3d. The article is bogus IMO.
  • Either it does, or it doesn't. Anything's fifty percent. Either I win the lottery, or I don't. Either I find that uber rare weapon in some random MMORPG, or I don't.
  • by ChadN ( 21033 ) on Thursday June 30, 2005 @10:50PM (#12957468)
    How the heck is a Firewall necessary to keep a default Windows box secure? In other words, if a Windows firewall is there to disallow services (or protocols) from receiving connections from the outside world, then what are these services, and why are they running in the first place?

    I understand that by deceiving a user, a malicious service can be started up and listen on the internet, and become a vector for infecting your machine. But that requires an act of the user. If I NEVER enable any special services on my machine, than only the default services are running, and they must somehow be allowing malware to install, right? So, why aren't these services fixed, or disabled by default?

    Finally, if these servies are necessary to the proper running of my machine, then when I use them the Windows firewall software will ask if I do not want to block that port, service, etc. Once that occurs, am I not just as unprotected as if I never used the firewall software? How does it really help?

    So, that's a lot of questions, but I would appreciate an explanation. Are the attacks on windows solely due to users running malware directly, or are there vectors by which, without any user action (ie. no browsing w/ ActiveX controls, no javascript, no running malicious executables, no starting email attachments, etc) the machine can get infected anyway? If so, what are those services? It's not like a Windows machine, by default, needs to have an email/web/network disk/instant messaging service running, so why does it?

    NOTE - I googled "insecure windows services" and got some info; indeed windows does have a bunch of services open to the world by default (un-f'ing believable). Can anyone say which ones are primarily allowing machines to become zombies?

    http://www.ss64.com/ntsyntax/services.html [ss64.com]
    • Which services? (Score:4, Informative)

      by freeweed ( 309734 ) on Friday July 01, 2005 @12:48AM (#12958108)
      A whole slew of services: RPC, SMB/CIFS (file sharing), UPNP...

      Ports: 135, 137, 138, 139, 145, 500, 1025...

      Windows 2000/XP has a TON of default listening services, most of which have been exploited over the years by various worms. Only way to turn most of these "off" (other than to render your system unusable) is to run a software firewall, Microsoft's or 3rd party. They're turned on and listening for "convenience", I imagine. I will admit that in a corporate environment it's handy as hell to be able to admin just about anything on a box without doing a thing. Why the hell these were left on for home users is beyond me.

      Ah, Blaster, Sasser, et al, you will always have special places in my heart.

  • Im the proof (Score:3, Interesting)

    by future assassin ( 639396 ) on Thursday June 30, 2005 @10:59PM (#12957531)
    5 months ago I decided to get a new hd and reformat. Well got Win 2000 Server installed and went to the windows update site. 5 min into the updates I get the 25 seconds till shut down warning. I spent the next hour pulling out my hair while I tried to get the Blaster variant removed. Best part is I got hit with two other viruses that take over IE in that time.

    So I decided to start over gain but just being curious I wanted to see what would happen again. Well this time I made it past the windows updates when I got hit again and infected. After That I stuck the WIN box behind my IP Cop box and I was fine after that install.

    Yesterday I got a new box to mess with and started to install Win2000K Server. Got it installed and by the time I managed to go and download Outpost firewall I get hit with the some Blaster virus. I managed to delete it but with in minutes IE got hijacked and my CPU prosess's where being eaten up by WINAMP.EXE and other random letter exe files.

    Im not sure about you guys but its quite amazing how quickly a windows machine will get infected if its not behind a firewall. Now I'v had people tell me Im stupid and should have gotten the MS Patch CD but WTF is a single computer joe/jane windows user to do?. Wait a week for the patch cd before they can reinstall their OS?

    Anyways just an real world example of how quickly it can happen. Yes I do use windows for my daily computer as there is no other alternative that gives me the aps I need with out having to use alternatives or emulators which at the moment lack in features.


    I'm a cumputer user I dotn need to know how to spell or punctuate.

  • by Dzimas ( 547818 ) on Thursday June 30, 2005 @11:23PM (#12957661)
    12 minutes after leaving the lot, 50% of new cars would be violently car-jacked, their owners left by the side of the road wondering why some zitty-faced kid just drove the shiny new car into a tree. And so car dealerships would stop selling cars without armour, bullet-proof glass and tires, and so on.
    • It takes a lot less than 12 minutes to break into just about any car.

      The reason Windows (and other OSs) fare so badly is the process is automated.

      Whenever I've seen security reports on car break-ins, there's usually like 1 or 2 models (not manufacturers) that get a special mention because it takes longer than 90 seconds to get into them or something ridiculous like that. Most cars succumb to the tame car thief in the tests in about 15 seconds or less. Compulsory immobilisers (in the UK, at least) on

  • by ktakki ( 64573 ) on Thursday June 30, 2005 @11:40PM (#12957754) Homepage Journal
    I run a company that provides contract support and administration for small- to medium-sized businesses. We also do some work in the residential sector, but it's not our focus.

    In order to test the malware-busting skills of new employees, I would routinely infect a test machine with adware and spyware. I had two methods, based on the two most common scenarios we've encountered:
    1. Bored employee surfing pr0n and online casino sites or downloading free screensavers.
    2. Teenaged child using P2P apps or browsing sites that offer song lyrics or buddy icons for IM apps.

    I would use a stopwatch and time myself, stopping at 15 minutes. For Case 1, I'd search Google for "casino" or "sex" and hit those sites. For Case 2, I'd search for "lyrics" or "buddy icons" and hit the top ten or fifteen sites listed.

    At no time did I ever click "yes" when prompted to install software. The point was to attract the "drive-by" malware, the ones that didn't put an entry in "Add/Remove Programs", the ones that were the hardest to remove (e.g., randomly named polymorphs, malware that sees if one tries to terminate the process or remove a registry key and re-installs, malware that prevents anti-spyware programs from running, etc.).

    In fifteen minutes, I can infect an XP box with between 400 and 600 objects (by AdAware's count). That's the result of hitting between 10 and 15 sites. Often, that's enough to inflate the number of running processes from 30 or so to about 60. Pop-ups appear even if IE isn't explicitly running. Case 1 infections often leave the computer in an unusable state, and by unusable state I mean "tits and ass all over your screen".

    I give a prospective employee two hours to disinfect the computer, though I do cut major slack if it takes longer but they've got the right attitude and methodology. If hired, I show them how to get this down to under an hour (AdAware, Spybot, UBCD, manual cleaning, etc.).

    Malware removal is about 30% of our billable hours. Since our contracts with our clients call for a certain amount of hours of service and maintenance each quarter, bug hunting is a distraction from the real work of administration: keeping up to date with patches and software updates, implementing our infrastructure upgrade roadmap, and software support and training. In other words, nearly a third of the time we spend doing productive work for our clients is spent whacking malware that targets Windows PCs.

    Finally, we do try to come to terms with the fact that sometimes this is a human resources problem and not a technological problem. In Case 1, Employee X should not be surfing pr0n or playing Texas Hold-em on the job. As contractors, we try to block certain sites at the firewall, though that's a game of whack-a-mole, and we encourage all workstations to have monitors that face a common area (knowing someone can randomly shoulder-surf you is a big deterrent). Case 2, the residential case, is more problematic, since the sites that install drive-by malware are pretty innocent (lyrics, IM buddy icons). Permissions/ACLs would help, but there are so many applications that need admin rights to run that it's a joke. I've steered a few residential customers towards Apple Mac Minis and iMacs and have had no complaints after the fact.

    Bottom line: it's a fucking jungle out there.

    k.
  • by spisska ( 796395 ) on Friday July 01, 2005 @12:41AM (#12958076)
    I really find it quite ironic that there's so many MS apologists in this discussion willing to say that getting infected is the user's fault for being too stupid to have a commercial A/V package installed (at additional expense) and have a hardware firewall (at additional expense) between their system and the internet.

    Yes, I know that AVG is free and very good, and Zone Alarm has a free version (I make sure both are on every MS box I have to look after).

    But this ignores at least two problems. First, OEM PCs don't come with AVG or ZA, they come with Norton or Symantec or McAfee and a very short period of free support. Two months after you bring your new PC home and the new NetskyBlaster.z hits your hotmailbox, you're SOL. Why, if MS is so focused on improving security, do MS customers need to rely on 3rd party vendors for A/V security software?

    Secondly, the firewall in XP SP2 is certainly an improvement over nothing at all (or over nothing useful, a category to which the the pre-SP2 firewall certainly belongs). So then why do I need to buy a $70 hardware firewall if XP has a firewall already?

    Why does ZA tell me about so many more applications that want to reach the internet than the XP firewall? Why the hell does rundll need the internet (let alone Nero, or my printer for that matter), and why doesn't the XP firewall tell me about it?

    For a commercial software vendor, MS's security record is beyond dismal. For a company that claims security as a priority, MS's poor performance would be laughable if it weren't so damned expensive and time consuming.

    Why is it that Linux vendors can provide fully configurable firewalls that block anything and everything (if that's what you want) out of the box, but MS Windows insists on leaving open ports, enabling ActiveX, and phoning home to download updates whether you want it or not?

    Why is it that wierdo hippy-commu-nazi Linux developers understand the difference between user and administrator but MS developers insist on every little widget having complete kernel access?

    Why is it that MS thinks security is something to tack on to an OS through SPs, weekly downloads (with requisite reboots), patches, and 3rd party products, rather than something that is built into the code?

  • by Qbertino ( 265505 ) <moiraNO@SPAMmodparlor.com> on Friday July 01, 2005 @02:12AM (#12958412)
    I set up a fresh workstation PC for my mother barely a year ago. New Linux compliant components, a top grade Asus Mobo, Infineon RAM, a nice case, etc. Time was getting short and I in the last moment I decided to screw Linux and install Win2K to avoid the driver setup hassle and have her a more stable DVD playback. (turns out that was pointless, since Win2k had more driver hassle than Linux later on)
    The first time it went onto the internet was across a brand new 56 anaog modem. I swear it was less than 15 Minutes when the first addware started to pop up - and we just had gone online for a very short period to test her mail account.
    My mother emphasised a clear "No go" and I felt the very same way. I went to the next convienience store, got a copy of Aurox (a european/polish magazine fedora-variant Linux distro) and installed it right away.
    I still use Win2K for the occasional task that can only be done with it, but I don't do anything mission critical with it anymore. Since 4 weeks ago my Mom has a Mac Mini (the PC had untracable power issues) and is happier than ever before.
    Bottom line:
    Mac to get the job done, x86 Debian or Ubuntu Linux for cheap PC workhorses/servers/tinkerboxes/old-hardware-recycl ing. Anything else I can't take serious anymore.

FORTUNE'S FUN FACTS TO KNOW AND TELL: A guinea pig is not from Guinea but a rodent from South America.

Working...