Study involving two-year Windows XP experiment finds no zero-day attacks

Discussion in 'other security issues & news' started by MrBrian, Oct 8, 2011.

Thread Status:
Not open for further replies.
  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From http://gse-compliance.blogspot.com/2011/09/who-uses-zero-days.html (via):
     
  2. MrBrian

    MrBrian Registered Member

    I should point out how the author defines "zero-day attack."

    Some zero-day vulnerabilities were exploited in this experiment, but the authors didn't consider them zero-day attacks because workarounds or third-party security software could have stopped them.

     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    When I have time I'll give this a read. Thank you.
     
  4. MrBrian

    MrBrian Registered Member

    You're welcome :).

    Some thoughts:
    1. All of the unpatched Windows XP SP2 computers with Windows XP Firewall on eventually were compromised. Are you surprised or not?
    2. All XP SP2 computers that had even a perfect Center for Internet Security benchmark score eventually were compromised. Are you surprised or not? (To get a perfect CIS score, a computer has to be fully patched, have Windows firewall on, and have been hardened in other ways.)

    3. For computers in any of the parts of this experiment that had a software firewall on, would having a NAT (network address translation) device such as a typical consumer router have helped any? The study doesn't address this.
     
  5. Hungry Man

    Hungry Man Registered Member

    Had a really busy day. I'm actually very interested in this topic, so I'm sure I'll have something to say later =p

    Good questions. I think (without reading this) that a study like this outlines how exploits tend to happen at the application level, and I think this really highlights why applications should take advantage of kernel security.

    But that could be entirely separate, I have to read first! haha
     
  6. MrBrian

    MrBrian Registered Member

    This study is a test of computers doing nothing but being connected to the Internet - no user interacting with the computer and no third party software installed. All of the compromises were either the result of a network attack from the Internet, or an attack from another of the computers in the study that was compromised as a result of a network attack from the Internet. In some parts of the experiment, communication between the study computers was prohibited so that any compromise had to have come from an Internet attack.
     
    Last edited: Oct 9, 2011
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Yes.

    1) Unless I missed it, we don't know what exploit(s) breached the firewall, (certainly not Conficker, since those ports have been closed on WinXP by default since SP2).

    2) We don't know how their Windows firewalls were configured. Even if default, some installed programs might have a port open.

    For example, computers configured for file sharing would have Port 445 open, thus permitting an open gateway for Conficker. This was later determined to be one cause of the widespread success of Conficker.

    We just don't know. If no open ports, then, what trickery permitted the exploit to get by the firewall? I wish they would have been more forthcoming.

    In all the years of running a software firewall, I've never seen any internet exploit trigger my malware defenses.

    I would really like to know what the exploits were!

    regards,

    -rich
     
  8. MrBrian

    MrBrian Registered Member

    The blog mentioned in the first post accepts comments without registering. I'll probably ask some questions there.
     
  9. wat0114

    wat0114 Guest

    Maybe I missed it looking over the article, but were the experiments on limited or administrator user accounts?

    As for the firewall...

     
  10. MrBrian

    MrBrian Registered Member

    The paper didn't specify. Since it's XP, I would assume an admin account.

    I posted a comment (moderation pending) asking some questions at the blog. If it gets posted and answered, I'll let you folks know.
     
  11. wat0114

    wat0114 Guest

    Thank you, MrBrian.
     
  12. MrBrian

    MrBrian Registered Member

    You're welcome :). I didn't ask your question though because I had already posted before reading your post.
     
  13. MrBrian

    MrBrian Registered Member

    My questions and Dr. Wright's answers have been posted in the comments at http://gse-compliance.blogspot.com/2011/09/who-uses-zero-days.html.

    Here is one of the Q&A's:
     
    Last edited: Oct 11, 2011
  14. wat0114

    wat0114 Guest

    Thank you MrBrian for the Q/A's. I'd really like to see test results on a fully updated Win7 system using as little as a Standard account, Win firewall w/Advanced security using Block of both in/out with applications restricted to specific protocols and ports, EMET hardening and UAC at max. No 3rd party protection whatsoever. It's time to look beyond XP and get current with the times.
     
  15. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I find it hard to give credit to any report that says computers without users were owned within days of being online (if I read that correctly, it alluded to mere days being online before compromise).

    Plugging in a machine to the www without a router? Even without a router, I find that claim to be exaggerated now as it was 2 years ago. It could happen, but you can also be "live on the wire" for months and months without issue, as proven by many people.

    Now, what does this report really tell us? Without a concise breakdown of things, as has been mentioned, one can only take it with a grain of salt. Methodology, what was the methodology?

    Just my opinion anyway. Doom, we are all doomed :ouch:

    Sul.
     
  16. MrBrian

    MrBrian Registered Member

    You're welcome :).

    I noticed that listed in their firewall configuration is a firewall exception for third-party software Backup Exec 9, which has a known vulnerability in some versions. Perhaps this was responsible for at least some of the compromises.

    If you have questions that you don't want to ask Dr. Wright yourself, list them here and I'll ask in the next batch of questions.
     
  17. MrBrian

    MrBrian Registered Member

  18. Dogbiscuit

    Dogbiscuit Guest

    So, in this specific context, when a firewalled XP SP2 system is connected directly to the internet, using Microsoft's patches for protection, and the system is never used except for being powered on, it will eventually become compromised.

    And his data shows that this will be due not to any zero-day vulnerabilities, but to publicly 'known' vulnerabilities likely exploited between the time a flaw is 'known' and when the flaw is patched on the system?
     
  19. Rmus

    Rmus Exploit Analyst

    Thanks for doing the leg work!

    Dr. Wright wrote,

    Until he does that, everything we say is speculation.

    Here is a huge variable:

    From your link:

    The myth of the four-minute Windows survival time
    http://www.edbott.com/weblog/2008/07/the-myth-of-the-four-minute-windows-survival-time/
    (my numbers in bold)

    1) The reference to SP2 was also found in Michael Howard's Microsoft blog about the Windows Server Service Vulnerability which was the vulnerability exploited by the Conficker Worm. (You may remember that this was patched in late 2008, yet Conficker was very successful when it emerged a few months later).

    MS08-067 and the SDL
    http://blogs.msdn.com/sdl/archive/2008/10/22/ms08-067.aspx
    Conficker remains active, as noted in the Study:

    Looking at my log for today, I see the normal probing of those ports which, if open and the pertinent patches not installed, results in an infection via internet exploit.
    Port 135 was the gateway for the Blaster Worm and other RPC exploits; that port is still constantly probed, looking for a weakness.


    But they are not open, so nothing happens.

    2) I and others, including Wilders Member Kerodo, have done such an experiment. I did with both Win2K and WinXP with a properly configured firewall several years ago, letting them sit for several days with no user interaction. So much for the 4-minute myth.

    So, we wait for the results of Dr. Wright's analyses to see what tricks hackers used in their probes that sneaked past the firewall. I am especially interested in what payloads were delivered because he states that the user would not be aware of the success of some of the attacks:

    Very interesting (and mysterious). Also very unusual, in my opinion, to release a report before completing the pertinent analyses, because the reader doesn't know what to protect against.

    Sully may be right,

    (tongue in cheek, I'm sure :) )

    regards,

    -rich
     
    Last edited: Oct 12, 2011
  20. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Hi Rmus nice to see you're still on the case ;)

    From MrBrian's link via Rmus

    Well that's asking for trouble :p & IMO = Stupid !

    I myself tested my 100% Totally unpatched XP/SP2 comp WITHOUT a FW, on & off for several days in here https://www.wilderssecurity.com/showthread.php?t=298698

    Nothing got through whatsoever :)
     
  21. Rmus

    Rmus Exploit Analyst

  22. MrBrian

    MrBrian Registered Member

    Apparently some zero-day vulnerabilities were exploited. See post #2. I will ask Dr. Wright about this to confirm.

    FYI: more comments have been added to Dr. Wright's blog post.
     
    Last edited: Oct 13, 2011
  23. Rmus

    Rmus Exploit Analyst

    Dr. Wright has now revealed some of the "Firewall Exceptions" vulnerabilities. For example,

    And he continues,

    Well, if the firewall doesn't block everything, then the system is not "locked down."

    Earlier in the report, Dr. Wright writes,

    It's at this point that he should have explained that an enabled firewall doesn't necessarily mean one that blocks everything -- in other words, some ports open for Services -- rather than wait until asked about it in the Comments.

    That would have permitted us to view this report in an entirely different light and draw conclusions based on our own individual system configurations.

    regards,

    -rich
     
    Last edited: Oct 13, 2011
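The log triage Rmus describes in posts #7, #19 and #23 (inbound probes against 135/445 that "do nothing" while those ports are closed, but reach a listening service once a firewall exception such as File and Printer Sharing opens them), as an added example that is not part of the original thread, of Dr. Wright's study, or of any firewall product. The log layout, the sample lines, the exception tuples and the 192.168.1.0/24 "local subnet" are constructed assumptions for illustration; the port-to-worm mapping follows what the thread itself states (135 for Blaster/RPC, 445 for MS08-067/Conficker), with 137/139 added as the usual NetBIOS companions.

```python
"""Firewall-log triage for the kind of probing discussed in this thread.

Added example (not code from the thread, the study, or any firewall
product). The log format, sample lines, exception list and local subnet
are all constructed for illustration.
"""
import ipaddress
import re
from collections import Counter

# Ports named in the thread: 135 (RPC; Blaster) and 445 (SMB; MS08-067,
# Conficker). 137/139 are added as the usual NetBIOS companions (assumption).
WORM_VECTOR_PORTS = {
    135: "MSRPC (Blaster and other RPC exploits)",
    137: "NetBIOS name service",
    139: "NetBIOS session",
    445: "SMB (MS08-067 / Conficker)",
}

# Constructed sample lines in a Kerio-style layout (the layout is assumed).
SAMPLE_LOG = """\
[12/Oct/2011 09:01:14] Rule 'Block unopened ports': Blocked: In TCP, 203.0.113.7:4152->192.168.1.5:445
[12/Oct/2011 09:01:15] Rule 'Block unopened ports': Blocked: In TCP, 203.0.113.7:4153->192.168.1.5:139
[12/Oct/2011 09:02:40] Rule 'Block unopened ports': Blocked: In TCP, 198.51.100.22:1034->192.168.1.5:135
[12/Oct/2011 09:03:02] Rule 'Block unopened ports': Blocked: In TCP, 198.51.100.22:1035->192.168.1.5:445
[12/Oct/2011 09:05:55] Rule 'Allow HTTP': Permitted: Out TCP, 192.168.1.5:1200->93.184.216.34:80
[12/Oct/2011 09:07:10] Rule 'Block unopened ports': Blocked: In UDP, 203.0.113.9:137->192.168.1.5:137
[12/Oct/2011 09:09:31] Rule 'Block unopened ports': Blocked: In TCP, 203.0.113.7:4160->192.168.1.5:445
[12/Oct/2011 09:11:03] Rule 'Block unopened ports': Blocked: In TCP, 192.168.1.20:3389->192.168.1.5:445
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] Rule '(?P<rule>[^']+)': (?P<action>Blocked|Permitted): "
    r"(?P<direction>In|Out) (?P<proto>TCP|UDP), "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["sport"] = int(e["sport"])
        e["dport"] = int(e["dport"])
        events.append(e)
    return events


def inbound_blocked_by_port(events):
    """Counter of (proto, dport) for blocked inbound packets: the 'normal probing'."""
    return Counter((e["proto"], e["dport"]) for e in events
                   if e["direction"] == "In" and e["action"] == "Blocked")


def worm_vector_scanners(events):
    """Source IP -> set of worm-vector ports it probed."""
    hits = {}
    for e in events:
        if e["direction"] == "In" and e["dport"] in WORM_VECTOR_PORTS:
            hits.setdefault(e["src"], set()).add(e["dport"])
    return hits


# Modelled on the XP 'File and Printer Sharing' exception, which can be
# scoped to the local subnet or to any address. Constructed, not the study's config.
LOCAL_SUBNET = ipaddress.ip_network("192.168.1.0/24")


def probes_reaching_listener(events, exceptions):
    """Replay inbound probes against an exception list and return those that
    would have reached a listening service instead of being dropped.
    Each exception is (proto, port, scope) with scope 'Any' or 'LocalSubnet'."""
    reached = []
    for e in events:
        if e["direction"] != "In":
            continue
        src = ipaddress.ip_address(e["src"])
        for proto, port, scope in exceptions:
            if (e["proto"], e["dport"]) != (proto, port):
                continue
            if scope == "Any" or (scope == "LocalSubnet" and src in LOCAL_SUBNET):
                reached.append((e["src"], e["proto"], e["dport"]))
                break
    return reached


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for (proto, port), n in inbound_blocked_by_port(events).most_common():
        print(f"{proto}/{port}: {n} blocked inbound  {WORM_VECTOR_PORTS.get(port, '')}")
    print("scanners:", worm_vector_scanners(events))
    # Locked down (no exceptions): every probe is dropped.
    print("no exceptions:", probes_reaching_listener(events, []))
    # File sharing scoped to the local subnet: only the LAN host gets through.
    print("445 local subnet:", probes_reaching_listener(events, [("TCP", 445, "LocalSubnet")]))
    # File sharing open to any address: every internet 445 probe reaches SMB.
    print("445 any:", probes_reaching_listener(events, [("TCP", 445, "Any")]))
```

The three calls to probes_reaching_listener are the point: the same log shows nothing getting through with no exceptions, one LAN-only hit with a subnet-scoped exception, and every internet 445 probe reaching the SMB service with an "Any" scope, which is the difference between "firewall enabled" and "locked down" that post #23 draws.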
  24. Dogbiscuit

    Dogbiscuit Guest

    When you use the term 'zero-day' in that sentence, do you mean an attack for which no patch exists, but is publicly known (i.e., it has a CVE number)?

    From what I can tell, he defines a zero-day attack (for his purposes) as a totally unknown attack (publicly never seen before anywhere).
     
  25. Hungry Man

    Hungry Man Registered Member

    I believe 0-day almost always means an attack that was previously unknown.
     