[ISN] Unprotected PCs Fall To Hacker Bots In Just Four Minutes

InfoSec News isn at c4i.org
Wed Dec 1 06:09:48 EST 2004


By Gregg Keizer
November 30, 2004 

The lifespan of a poorly protected PC connected to the Internet is a
mere four minutes, research released Tuesday claimed. After that, it's
owned by a hacker.

In the two-week test, marketing-communications firm AvanteGarde
deployed half a dozen systems in "honeypot" style, using default
security settings. It then analyzed the machines' performance by
tallying the attacks, counting the number of compromises, and timing
how long it took an attack to successfully hijack a computer once it
was connected to the Internet.
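As an added illustration of the three measurements the test describes (attacks tallied, compromises counted, time from going online to first hijack), here is a small analysis routine run over a constructed honeypot event log. It is not code from the AvanteGarde study; the log format, host labels and addresses are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from the study). Fields: timestamp | host | event | detail
SAMPLE_LOG = """\
2004-11-15T09:00:00 | xp-sp1 | online | connected to DSL line
2004-11-15T09:00:41 | xp-sp1 | attack | tcp/135 DCOM probe from 192.0.2.10
2004-11-15T09:01:12 | xp-sp1 | attack | tcp/445 LSASS probe from 198.51.100.7
2004-11-15T09:04:03 | xp-sp1 | compromise | remote shell established
2004-11-15T09:00:00 | xp-sp2 | online | connected to DSL line
2004-11-15T09:02:30 | xp-sp2 | attack | tcp/135 DCOM probe from 192.0.2.10
2004-11-15T09:00:00 | linspire | online | connected to DSL line
2004-11-15T09:05:10 | linspire | attack | icmp echo request from 203.0.113.5
"""


def parse_events(text):
    """Parse pipe-separated log lines into (timestamp, host, event, detail) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, kind, detail = (field.strip() for field in line.split("|", 3))
        events.append((datetime.fromisoformat(ts), host, kind, detail))
    return events


def summarize(events):
    """Per host: number of attacks, number of compromises, and seconds from
    the 'online' event to the first 'compromise' (None if never compromised)."""
    online_at = {}
    stats = defaultdict(lambda: {"attacks": 0, "compromises": 0, "seconds_to_compromise": None})
    for ts, host, kind, _detail in sorted(events):  # chronological order per host
        entry = stats[host]
        if kind == "online":
            online_at[host] = ts
        elif kind == "attack":
            entry["attacks"] += 1
        elif kind == "compromise":
            entry["compromises"] += 1
            if entry["seconds_to_compromise"] is None and host in online_at:
                entry["seconds_to_compromise"] = (ts - online_at[host]).total_seconds()
    return dict(stats)


if __name__ == "__main__":
    for host, entry in summarize(parse_events(SAMPLE_LOG)).items():
        print(host, entry)
```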

The six machines were equipped with Microsoft Windows Small Business
Server 2003, Microsoft Windows XP Service Pack 1 (SP1), Microsoft
Windows XP SP1 with the free ZoneAlarm personal firewall, Microsoft
Windows XP SP2, Macintosh OS X 10.3.5, and Linspire's distribution of

Not surprisingly, Windows XP SP1 sans third-party firewall had the
poorest showing.

"In some instances, someone had taken complete control of the machine
in as little as 30 seconds," said Marcus Colombano, a partner with
AvanteGarde, and, along with former hacker Kevin Mitnick, a
co-investigator in the experiment. "The average was just four minutes.  
Think about that. Plug in a new PC--and many are still sold with
Windows XP SP1--to a DSL line, go get a cup of coffee, and come back
to find your machine has been taken over."

Windows XP SP1 with the for-free ZoneAlarm firewall, however, as well
as Windows XP SP2, fared much better. Although both configurations
were probed by attackers, neither was compromised during the two

"If you're running a firewall so your machine is not seen, you're less
likely to be attacked," said Colombano. "The bot or worm simply goes
onto the next machine." Although Windows XP SP1 includes a firewall,
it's not turned on by default. That security hole was one of those
plugged--and heavily touted--by Microsoft in SP2.

The successful attacks took advantage of weak passwords on the target
machines, as well as a pair of long-patched vulnerabilities in
Microsoft Windows. One, the DCOM vulnerability, harks back to July,
2003, and was behind the vicious MSBlast worm of that summer. The
second, dubbed the LSASS vulnerability, was first disclosed in April,
2004, and led to the Sasser worm.

The most secure system during the experiment was the one running
Linspire's Linux. Out of the box, Linspire left only one open port.  
While it reacted to ping requests by automated attackers sniffing for
victims, it experienced the fewest attacks of any of the six machines
and was never compromised, since there were no exposed ports (and thus
services) to exploit.

The Macintosh machine, on the other hand, was assaulted as often as
the Windows XP SP1 box, but never was grabbed by a hacker, thanks to
the tunnel vision that attackers have for Windows. "The automated
bot/worm attackers were exclusively using Windows-based attacks," said
Colombano, so Mac and Linux machines are safe. For now. "[But] it
would have been very vulnerable had code been written to compromise
its system," he added.

For the bulk of users who work with Windows, however, Colombano didn't
recommend dumping Redmond's OS and scurrying for the protection of
hacker-ignored platforms.

"Update Windows regularly with Microsoft's patches, use a personal
firewall--third-party firewalls still have their place, since
Microsoft's isn't suited to guard against outbound attacks--keep
secure passwords, and use some type of anti-virus and anti-spyware
software," he advised. Of the list, the firewall is the most
important. The study concluded, for example, that Linux- and
Windows-based machines using an application firewall were the best at
preventing attacks.

"No machine is immune," he counseled. "No human is safe from every
virus, and it's the same for machines. That's why people have to have
some personal responsibility about security. You have to be a good
citizen on the network, so you're not only protecting yourself, but
others who might be attacked from exploits originating on your
