Infected in 20 minutes
Stepping in and taking charge
Opinion What normally happens within twenty minutes? That's how long your average unprotected PC running Windows XP, fresh out of the box, will last once it's connected to the Internet.
It's interesting to ponder just how much time - in hours, in minutes, sometimes in mere seconds - it takes for a disaster to occur. The space shuttle Challenger exploded 73 seconds after liftoff in 1986. In 6 minutes on July 6, 1944, the horrific Hartford Circus Fire killed over 150 people, mostly women and children. About two hours and 40 minutes passed between the time that the unsinkable Titanic struck an iceberg and when it finally slipped below the ocean's waves. The worst industrial accident in American history - the Texas City Disaster of 1947 - started with a fire aboard the ship Grandcamp which resulted in a tremendous explosion about 75 minutes later, followed by the explosion of the vessel High Flyer after fifteen hours. Russian operators began "experimenting" on the Chernobyl reactor at 1 a.m. on April 25, 1986; exactly 24 hours and 23 minutes later, the reactor exploded in the worst nuclear accident in history.
Of course, computers and computing system have faced disasters before too, although none to my knowledge has ever resulted in death or serious injury - and thank goodness. The Slammer worm did most of its dirty work in under ten minutes. A half an hour is all it took for Nimda to spread worldwide. The Witty worm took an almost leisurely 45 minutes - but in that time it managed to infect every possible machine in its threat portfolio. And the slowpoke of the bunch is Version 2 of the Code Red worm, which worked for almost 14 hours to infect 359,000 machines, but at one point it was taking over 2,000 new computers every minute, which ain't bad (be sure to check out the cool animations demonstrating the rapacious spread of the worm).
Let's add a new time frame for computing disaster to the list above, one that every security pro should know: 20 minutes. That's not too long, if you think about it. You can't drive very far in most cities in 20 minutes. You can't watch an entire episode of The Mary Tyler Moore Show (sorry, but I love Mary) in that time. You sure as hell can't calculate your taxes (amazingly, though, you can learn HTML, or cook a nice dinner, or even practice yoga - who knew?). And what's something else that takes 20 minutes?
Oh, that's how long your average unprotected PC running Windows XP will last once it's connected to the Internet ... before it's compromised and effectively 0\/\/n3d.
The SANS Institute Internet Storm Center released those eye-opening numbers a few days ago. Go take a look at their graph, and you'll note that the current time of 20 minutes is half that of what it was a year ago, although, to be fair, the average has been both higher and lower - over an hour last Christmas and only about 15 minutes in the spring. That hour at Christmas seems like an aberration, and the overall trend has definitely been downward, towards far shorter times before your Windows box is not really yours any longer.
As the SANS Institute notes, 20 minutes is not long enough to update your Windows PC before it is too late. If you take a new PC out of the box, plug it in to the Internet, and power it on, most people (most people? OK - a lot of people. Uh, alright - some people. Erm ... *sigh*. A few people. Happy?) know enough to immediately hie thee over to Windows Update and get the latest patches from Microsoft. Then reboot. And get more patches. And reboot. Ad infinitum. Oh, and don't leave out the latest anti-virus updates either. Gotta have those. Oh oh oh - don't forget Windows XP Service Pack 2, the gotta-have update from Microsoft, which "may be as small as 70 megabytes (MB) or as large as 260 MB".
And users are supposed to download all this in less than 20 minutes?
Forget it. You and I both know the truth. Most people start their computer and head over to eBay to look up auctions for Precious Moments figurines, or start reading email, or check out their son-in-law's newly posted photos of little Susie and that scamp little Johnny, or fire up a game of Pinochle on Yahoo! Games. Windows Update? Huh? What's that? Why do I need to "protect" this computer? I just bought it!
And soon enough, Grandpa and Grandma's new Windows computer is spewing out email ads for offshore casinos, and SUPERLOW!!! mortgage rates, and \/1@gra and (1@li5, and God knows what else.
And it took just 20 minutes.
The SANS Institute tries to help by offering a free download of a great little 1.2 MB PDF wonderfully titled, "Windows XP: Surviving the First Day" (makes XP sound like a communicable disease, doesn't it? "Mrs. Jones, I'm sorry to inform you, but we've run the tests, and it appears that you have XP. Now don't cry - it's bad, but it's not a death sentence. Modern science has advanced in recent years, and it's now possible to live a reasonably happy life with XP. And there's a survivor's group that you'll want to meet as well.").
It really is a useful document, and the SANS Institute should be commended for making it available. It's clear and concise, relatively free of technojargon, and well-illustrated with screenshots that help explain exactly what to do. And it even has a nice little checklist at the back, and you know I love checklists. The problem is, Mom and Dad and Grandma and Grandpa aren't going to read this document. Even if all of us printed it out and gave it to our parents and grandparents and friends, they still wouldn't read it. It's 13 pages! And sure, it has pictures, but there are words in there too!
So, once again, it's up to the largest pro bono workforce in the world - the security pros who help everyone they know with their computers - to step up to the plate and say what I'm sure they've all said before: "OK, when you get that new computer, do not plug it in until I've gotten over there to help you set it up!" And over we come, with our CDs and USB jumpdrives crammed full of patches and updates and software, ready to inoculate that PC before it's turned loose on the Net.
Stepping In & Taking Charge
New PCs sold in a few months should have less of an issue with this whole mess, since they'll come with XP Service Pack 2 already installed, which means that the firewall will finally be turned on by default, which should help somewhat. In fact, I'd much rather have a friend call and ask why she can't play Star Trek StarFleet Command III 1.0 than have her call and ask me why her computer is running so slowly, and why she has these popup windows opening up all the time, and my goodness but they're nasty. But Service Pack 2 is only for XP, and 25% of users are still running Windows 98 ... or something older. Heck, 25% of all Windows servers are still on NT 4. Service Pack 2 sure isn't going to help those people.
For the good of the Net, and therefore for the good of all Net users, I'm glad that Microsoft's new service pack turns on the firewall by default. If applications break, too bad. If a user isn't educated enough to know how to open up a port he needs to run a particular program that needs a hole punched in the firewall, then that user shouldn't have unfettered access to the Net anyway. I'm almost getting to the point where I think that the best thing security pros could do for their friends and family still running pre-XP systems would be to tell them that they're going to upgrade their computers to the latest super-duper Microsoft service pack, and then do the following:
- Set Windows Update to automatically update the computer, without asking questions.
- Install a personal firewall that blocks almost everything by default.
- Buy a 2- or 3-year subscription to an anti-virus program and set it up to automatically download all updates.
- Buy an anti-spyware tool and set it up to automatically update, scan, and remove spyware.
- Replace Internet Explorer with Mozilla or Mozilla Firefox, and then hide that blue E so it's not on the desktop.
- Replace Outlook Express with Mozilla Thunderbird.
When it's done, tell them that Microsoft's "updates" have fixed their PC. Explain that they're a bit more circumscribed than they used to be, but it's for their own good. I calculate that the above will take about 20 minutes. It could be the best 20 minutes you've ever spent on their computer. And it will certainly help prevent a disaster, instead of contributing to one. Of course, you could just have them switch over to Linux or Mac OS X, but I somehow think that might take longer than 20 minutes. Ah well. 20 minutes here, 20 minutes there, and it just might add up - to a safer computer, and a safer Net. Let's get started.
Scott Granneman is a senior consultant for Bryan Consulting Inc. in St. Louis. He specializes in Internet Services and developing Web applications for corporate, educational, and institutional clients.