Study: Unpatched PCs compromised in 20 minutes

Don't connect that new PC to the Internet before taking security precautions, researchers at the Internet Storm Center warned Tuesday.

According to the researchers, an unpatched Windows PC connected to the Internet will last for only about 20 minutes before it's compromised by malware, on average. That figure is down from around 40 minutes, the group's estimate in 2003.

The Internet Storm Center, which is part of the SANS Institute, calculated the 20-minute "survival time" by listening on vacant Internet Protocol addresses and timing the frequency of reports received there.

"If you are assuming that most of these reports are generated by worms that attempt to propagate, an unpatched system would be infected by such a probe," the center, which provides research and education on security issues, said in a statement.

The drop from 40 minutes to 20 minutes is worrisome because it means the average "survival time" is not long enough for a user to download the very patches that would protect a PC from Internet threats.

Scott Conti, network operations manager for the University of Massachusetts at Amherst, said he finds the center's data believable.

"It's a tough problem, and it's getting tougher," Conti said.

One of Conti's administrators tested the center's data recently by placing two unpatched computers on the network. Both were compromised within 20 minutes, he said.

The school is now checking the status of computers before letting them connect to the Internet. If a machine doesn't have the latest patches, it gets quarantined with limited network access until the PC is back up to date.

"We are giving the people the ability to remediate before connecting to the network," Conti said.

The center also said in its analysis that the time it takes for a computer to be compromised will vary widely from network to network.

If the Internet service provider blocks the data channels commonly used by worms to spread, then a PC user will have more time to patch.

"On the other hand, university networks and users of high-speed Internet services are frequently targeted with additional scans from malware like bots," the group stated. "If you are connected to such a network, your 'survival time' will be much smaller."

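The "survival time" measurement and the effect of ISP port filtering described above can be reproduced on a small scale. This is an added example, not the Internet Storm Center's code or data: the log format, the sample reports, the averaging method (mean gap per target, then mean over targets) and the list of filtered ports are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample reports: "timestamp target_ip dst_port". Addresses are
# documentation-range placeholders; none of this is Internet Storm Center data.
SAMPLE_REPORTS = """\
2004-08-17T10:00:00 192.0.2.10 80
2004-08-17T10:05:00 192.0.2.10 445
2004-08-17T10:15:00 192.0.2.10 135
2004-08-17T10:30:00 192.0.2.10 22
2004-08-17T10:05:00 192.0.2.20 1433
2004-08-17T10:25:00 192.0.2.20 445
2004-08-17T11:05:00 192.0.2.20 80
malformed line
"""

# Assumption: ports an ISP might filter because Windows worms spread over them.
WORM_PORTS = frozenset({135, 139, 445})


def parse_reports(text):
    """Return (time, target_ip, port) tuples, skipping malformed lines."""
    reports = []
    for line in text.splitlines():
        parts = line.split()
        try:
            when, target, port = parts
            reports.append((datetime.fromisoformat(when), target, int(port)))
        except ValueError:
            continue  # wrong field count or unparsable timestamp/port
    return reports


def survival_minutes(reports, blocked_ports=frozenset()):
    """Mean gap between probes per target, averaged over targets (minutes)."""
    by_target = defaultdict(list)
    for when, target, port in reports:
        if port not in blocked_ports:  # filtered probes never reach the host
            by_target[target].append(when)
    per_target = []
    for times in by_target.values():
        times.sort()
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
        if gaps:  # a target needs at least two probes to yield a gap
            per_target.append(mean(gaps))
    return mean(per_target) if per_target else None


if __name__ == "__main__":
    reports = parse_reports(SAMPLE_REPORTS)
    print("unfiltered:", survival_minutes(reports))
    print("worm ports blocked:", survival_minutes(reports, WORM_PORTS))
```

On the constructed sample, filtering the assumed worm ports upstream more than doubles the computed interval between probes, which is the extra patching time the center describes.
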
In a guide to patching a new Windows system, the Internet Storm Center recommends that users turn off Windows file sharing and enable the Internet Connection Firewall. Microsoft's latest security update, Windows XP Service Pack 2, will set such a configuration, but users will have to go online to get the update, opening themselves up to attack.

One problem, experts say, is network administrators' reliance on patching and their assumption that users will quickly patch systems.

Speaking recently at the Microsoft TechEd developer conference in Amsterdam, Microsoft security consultant Fred Baumhardt said the day is likely to come when a virus or worm brings down everything.

"Nobody will have time to detect it," he said. "Nobody will have time to issue patches or virus definitions and get them out there. This shows that patch management is not the be-all and end-all."

Baumhardt stressed the importance of adaptability, using the human immune system as an example: "Imagine if your body said, 'Hmm, I have the flu. I've never had this before, so I'll die.' But that doesn't happen: Your body raises its temperature and so on, to buy time while other mechanisms kick in."

"If the human body did patch management the way (companies do), we'd all be dead."

Matt Loney of ZDNet UK reported from London.

34 comments (Page 1 of 2)
Microsoft viruses: faster than Dominos
by August 17, 2004 12:39 PM PDT
Your PC 0wned in 20 minutes or less or else it's FREE Linux!
When Nachi was at its peak this time was 6 seconds
by Dachi August 17, 2004 12:48 PM PDT
If installing a new box you literally had to turn the firewall on before connecting the network cable. It will be interesting to see if this number changes much over the next year as more people move to SP2 and the number of zombie machines comes down.
Firewalls don't address the root problem
by Tex Murphy PI August 17, 2004 1:21 PM PDT
of user ignorance.

You can pile on the latest anti-viral and firewall software on your PC, shut down file-sharing and all the other useless services crammed into Windows, but all it takes is one stupid move such as opening an infected attachment - and it's game over.

With over 50 million lines of code in Windows, you can bet that there are a lot of day-zero exploits just waiting to happen.

I don't know which is worse - the bugs we don't know in Windows (because nobody has seen the source code), or the fact that a smart hacker could find a hole in open-source Linux. Hey, it's a tight OS, but I'm sure there are holes in that OS too.
An interesting addendum
by August 17, 2004 1:28 PM PDT
Would be to create a similar chart for Mac OS X and for Linux.
Then c|net could write about that.

Oh wait... a story that might put Apple in a positive light? I
forgot this was c|net! Never mind!
Patches and the human body
by R Me August 17, 2004 2:32 PM PDT
What a poor misguided piece.
Not one word about the real root of the problem...MS
If the human body had to depend on MS to insure birth I certainly wish Bill G. would be the first neural implant.
Duh!
by arthur-b August 17, 2004 3:24 PM PDT
As long as people choose to ignore causes and opt for symptom fighting instead the world will see no end to spam, spyware, zombied PCs, worms and what not.

For years the world has seen a steady increase in attack vectors and still the only answer to all that is symptom fighting. The blaming finger has been pointed to almost anyone and anything: users, administrators, managers, third-party software, developers, vendors, hackers, crackers and even politicians.

Is there any end in sight?

Realistically speaking no. As long as plenty of people are willing to jump through hoops and see improvement in that then that's exactly the kind of customer demand that will be satisfied. Hey, it keeps the stock holders happy so why change the game plan?

In the mean time alternatives are getting spin doctored because they are not part of the business plan. But then who would expect Ford to recommend BMWs? Or even a Ford driver to admit that he would rather like to drive a BMW but is afraid of having to handle gears?

Lucky enough for us the alternatives are getting harder and harder to ignore though. Also because other stock holders (and tax payers) would like to improve their bottom line.
A large missing point
by KDoggMDF August 17, 2004 9:07 PM PDT
Don't you think that there is a large portion here that is being missed though? Yes, viruses can travel networks without opening any file or downloading anything, but what about when you do visit a website and ad-ware or spyware is dropped onto your computer? It can be just as harmful, if not worse. Why? Well, for one, it bugs the crap out of you. Two; it sends your personal data to who knows where to who knows who. Three; it can just as easily compromise your system and turn off your firewalls and virus protections to allow other threats to invade your PC and the other PCs on your network. Until someone decides to make a program that has the best antivirus, firewall, spyware removal and protection, and tips on how to have a safe computer, and it is easily accessible and cheap or free, there is always going to be this problem and it is going to get worse and worse.
Firewall will extend survival time
by August 18, 2004 2:49 AM PDT
It's NOT everything you need to secure your machine - but installing a firewall BEFORE you connect the machine to the Internet will significantly lengthen its survival time when you connect it afterwards.

That's why I keep a copy of ZoneAlarm/etc handy in a CD.

By the way - I've seen machines infected in as quick as 5 minutes. At the height of a worm's outbreak, this may fall further to even seconds.


Thanks,
Harry
viruses
by dwhite25 August 18, 2004 4:37 AM PDT
Using Windows XP as your OS means you shouldn't be
on the net. Why doesn't Joe Public catch on?
Linux, Unix, BeOS, just about anything but Windows is
immune, hear me, IMMUNE to all Windows viruses.
Correction
by dwhite25 August 18, 2004 8:19 AM PDT
Running Windows. My PC doesn't run Windows so it
wouldn't be compromised at all (the patches wouldn't
work either).