Study involving two-year Windows XP experiment finds no zero-day attacks

From http://gse-compliance.blogspot.com/2011/09/who-uses-zero-days.html (via):

 

I should point out how the author defines "zero-day attack."

Some zero-day vulnerabilities were exploited in this experiment, but the authors didn't consider them zero-day attacks because workarounds or third-party security software could have stopped them.

 

When I have time I'll give this a read. Thank you.

 

You're welcome .

Some thoughts:
1. All of the unpatched Windows XP SP2 computers with Windows XP Firewall on eventually were compromised. Are you surprised or not?
2. All XP SP2 computers that had even a perfect Center for Internet Security benchmark score eventually were compromised. Are you surprised or not? (To get a perfect CIS score, a computer has to be fully patched, have Windows firewall on, and have been hardened in other ways.)

3. For computers in any of the parts of this experiment that had a software firewall on, would having a NAT (network address translation) device such as a typical consumer router have helped any? The study doesn't address this.

 

HAd a really busy day. I'm actually very interested in this topic so I'm sure I'll have something to say later =p

Good questions. I think (wihtout reading this) that a study like this outlines how exploits tend to happen at the application level and I think this really hilights why applicaitons should take advantage of kernel security.

But that could be entirely separate, I have to read first! haha

 

This study is a test of computers doing nothing but being connected to the Internet - no user interacting with the computer and no third party software installed. All of the compromises were either the result of a network attack from the Internet, or an attack from another of the computers in the study that was compromised as a result of a network attack from the Internet. In some parts of the experiment, communication between the study computers was prohibited so that any compromise had to have come from an Internet attack.

 

Yes.

1) Unless I missed it, we don't know what exploit(s) breached the firewall, (certainly not Conficker, since those ports have been closed on WinXP by default since SP2).

2) We don't know how their Windows firewalls were configured. Even if default, some installed programs might have a port open.

For example, computers configured for file sharing would have Port 445 open, thus permitting an open gateway for Conficker. This was later determined to be one cause of the widespread success of Conficker.

We just don't know. If no open ports, then, what trickery permitted the exploit to get by the firewall? I wish they would have been more forthcoming.

In all the years of running a software firewall, I've never seen any internet exploit trigger my malware defenses.

I would really like to know what the exploits were!

regards,

-rich

 

The blog mentioned in the first post accepts comments without registering. I'll probably ask some questions there.

 

Maybe I missed it looking over the article, but were the experiments on limited or administrator user accounts?

As for the firewall...

 

The paper didn't specify. Since it's XP, I would assume an admin account.

I posted a comment (moderation pending) asking some questions at the blog. If it gets posted and answered, I'll let you folks know.

 

Thank you, MrBrian.

 

You're welcome . I didn't ask your question though because I had already posted before reading your post.

 

My questions and Dr. Wright's answers have been posted in the comments at http://gse-compliance.blogspot.com/2011/09/who-uses-zero-days.html.

Here is one of the Q&A's:

 

Thank you MrBrian for the Q/A's. I'd really liek to see test results on a fully updated Win7 system using as little as a Standard account, Win firewall w/Advanced security using Block of both in/out with applications restricted to specific protocols and ports, EMET hardening and UAC at max. No 3rd party protection whatsoever. It's time to look beyond XP and get current with the times.

 

I find it hard to give credit to any report that says computers without users were owned within days of being online (if I read that correctly, it eluded to mere days being online before compromise).

Plugging in a machine to the www without a router? Even without a router, I find that claim to be exaggerated now as it was 2 years ago. It could happen, but you can also be "live on the wire" for months and months without issue, as proven by many people.

Now, what does this report really tell us? Without a concise breakdown of things, as has been mentioned, one can only take it with a grain of salt. Methodology, what was the methodology?

Just my opinion anyway. Doom, we are all doomed

Sul.

 

You're welcome .

I noticed that listed in their firewall configuration is a firewall exception for third-party software Backup Exec 9, which has a known vulnerability in some versions. Perhaps this was responsible for at least some of the compromises.

If you have questions that you don't want to ask Dr. Wright yourself, list them here and I'll ask in the next batch of questions.

 

Survival Time on the Internet (without software firewall or router)
The myth of the four-minute Windows survival time

 

So, in this specific context, when a firewalled XP SP2 system is connected directly to the internet, using Microsoft's patches for protection, and the system is never used except for being powered on, it will eventually become compromised.

And his data shows that this will be due not to any zero-day vulnerabilities, but to publicly 'known' vulnerabilities likely exploited between the time a flaw is 'known' and when the flaw is patched on the system?

 

Thanks for doing the leg work!

Dr. Wright wrote,

Until he does that, everything we say is speculation.

Here is a huge variable:

From your link:

The myth of the four-minute Windows survival time
http://www.edbott.com/weblog/2008/07/the-myth-of-the-four-minute-windows-survival-time/

(my numbers in bold)

1) The reference to SP2 was also found in Michael Howard's Microsoft blog about the Windows Server Service Vulnerability which was the vulnerability exploited by the Conficker Worm. (You may remember that this was patched in late 2008, yet Conficker was very successful when it emerged a few months later).

MS08-067 and the SDL
http://blogs.msdn.com/sdl/archive/2008/10/22/ms08-067.aspx

Conficker remains active, as noted in the the Study:

Looking at my log for today, I see the normal probing of those ports which, if open and the pertinent patches not installed, results in an infection via internet exploit.
Port 135 was the gateway for the Blaster Worm and other RPC exploits; that port is still constantly probed, looking for a weakness.



But they are not open, so nothing happens.

2) I and others, including Wilders Member Kerodo, have done such an experiment. I did with both Win2K and WinXP with a properly configured firewall several years ago, letting them sit for several days with no user interaction. So much for the 4-minute myth.

So, we wait for the results of Dr. Wright's analyses to see what tricks hackers used in their probes that sneaked past the firewall. I am especially interested in what payloads were delivered because he states that the user would not be aware of the success of some of the attacks:

Very interesting (and mysterious). Also very unusual, in my opinion, to release a report before completing the pertinent analyses, because the reader doesn't know what to protect against.

Sully may be right,

(tongue in cheek, I'm sure )

regards,

-rich

 

Hi Rmus nice to see you're still on the case

From MrBrian's link via Rmus

Well that's asking for trouble & IMO = Stupid !

I myself tested my 100% Totally unpatched XP/SP2 comp WITHOUT a FW, on & off for several days in here https://www.wilderssecurity.com/showthread.php?t=298698

Nothing got through whatsoever

 

I now remember you did that!

 

Apparently some zero-day vulnerabilities were exploited. See post #2. I will ask Dr. Wright about this to confirm.

FYI: more comments have been added to Dr. Wright's blog post.

 

Dr. Wright has now revealed some of the "Firewall Exceptions" vulnerabilities. For example,

And he continues,

Well, if the firewall doesn't block everything, then the system is not "locked down."

Earlier in the report, Dr. Wright writes,

It's at this point that he should have explained that an enabled firewall doesn't necessarily mean one that blocks everything -- in other words, some ports open for Services -- rather than wait until asked about in the Comments.

That would have permited us to view this report in an entirely different light and draw conclusions based on our own individual system configurations.

regards,

-rich

 

When you use the term 'zero-day' in that sentence, do you mean an attack for which no patch exists, but is publicly known (i.e., it has a CVE number)?

From what I can tell, he defines a zero-day attack (for his purposes) as an totally unknown attack (publicly never seen before anywhere).

 

I believe 0-day almost always believes an attack that was previously unknown.