Ten years later, Windows XP still dominates the Web

Discussion in 'other software & services' started by tgell, Jan 2, 2012.

Thread Status:
Not open for further replies.
  1. wat0114

    wat0114 Guest

    There's something on SRP...

    -http://www.mechbgon.com/srp/

    plus a thread on it and LUA...

    -http://www.wilderssecurity.com/showthread.php?t=200772&highlight=srp

    There are also some HIPS programs that can help if one's comfortable using them.
     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,989
    Location:
    California
    I haven't read all of the posts, since I imagine that they will just echo what's been written in the past about an older Windows OS.

    However, this comment caught my eye:

    I would like to check this out: can you point me to a URL with an in-the-wild exploit so I can test?

    thanks,

    ----
    rich
     
  3. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,352
    Give 'em time :D
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
I was going by statistics, which have shown much greater rootkit infections on XP as well as infections on XP being caused by OS exploits instead of 3rd party exploits as is the case on Vista/7.

    If you'd like to test out exploits why not try metasploit? I believe they have a free version.
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,989
    Location:
    California
I don't normally pay too much attention to statistics - I cannot know from a distance the circumstances/scenarios/details of how the infections occurred.

    I prefer to see how exploits in the wild are served up. It's much more meaningful for me.

    But thanks anyway,

    ----
    rich
     
  6. BrandiCandi

    BrandiCandi Guest

http://www.exploit-db.com/platform/?p=windows&page=175
    For testing purposes obviously.
     
  7. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    I would think that to be true and we have the cross platform Malware to worry about.
     
    Last edited: Jan 6, 2012
  8. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    6,068
    Location:
    USA
I have only seen that problem in VMWare. I have never had an issue in Virtual PC or VirtualBox. Updating VMWare Tools almost always breaks activation. For older versions of Windows, Virtual PC works fine and there likely won't be any more updates for that anyway.

    I don't think any desktop OS is excluded from VM use as long as you have a valid license. I think the issues were with running a non Pro/Ultimate OS as a host and trying to run another copy with the same license.
     
  9. BrandiCandi

    BrandiCandi Guest

    [AnotherTangent] Software restriction policies- I've been trying to wrap my head around these in both Linux & Windows. So Windows software restriction policies allows you to determine exactly what each program will be allowed to do. For instance I could confine my browser so that any malware I encounter can't access system files. It would prevent escalation of privileges. Is that the general gist? [/AnotherTangent]
     
  10. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    lol I wish SRP were that useful.
     
  11. BrandiCandi

    BrandiCandi Guest

    Thanks Jack!
     
  12. BrandiCandi

    BrandiCandi Guest

    It's not? So it doesn't work like AppGuard or AppArmor? What, is SRP easy to escalate out of?
     
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    No it's not like AppArmor. Apparmor restricts file access by program. SRP just stops programs from running unless you OK them to run.

    Application whitelisting is bypassable. Exploits can work within programs via ROP or they can hop to other programs. Not a lot of people run whitelisting so I doubt many exploits take this into account.
     
  14. wat0114

    wat0114 Guest

    Anything already installed under the SRP-approved directories, when SRP is enabled, is allowed to run.

    What is ROP? Also, how would an exploit "hop" to another program, especially if said exploit is not SRP-approved?
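The point wat0114 makes above, that SRP is a launch-time, path-based allow list and anything already sitting under an approved directory runs, can be checked directly against a machine's policy. The script below is an added example and is not code from the thread or from Microsoft; it assumes the machine-wide SRP policy stored under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer (where the Local Security Policy editor writes it) and models only path rules, not hash, certificate or zone rules.

```powershell
# Added example, not from the thread: list the Software Restriction Policy
# path rules a machine enforces and report which level a given executable path
# falls under. Assumes the machine-wide policy under HKLM (where the Local
# Security Policy editor stores SRP); the level numbers are the documented
# SaferLevel constants (0 Disallowed, 0x20000 Basic User, 0x40000 Unrestricted).
$SaferRoot  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$LevelNames = @{ 0 = 'Disallowed'; 0x20000 = 'Basic User'; 0x40000 = 'Unrestricted' }

function Get-SrpPathRule {
    # One object per path rule: the level it grants and the (expanded) pattern.
    foreach ($level in $LevelNames.Keys) {
        $pathKey = Join-Path $SaferRoot "$level\Paths"
        if (-not (Test-Path $pathKey)) { continue }
        foreach ($rule in Get-ChildItem $pathKey) {
            $data = (Get-ItemProperty $rule.PSPath).ItemData
            if (-not $data) { continue }
            # Rules often use %ProgramFiles%-style variables; registry-path rules
            # (%HKEY_LOCAL_MACHINE\...%) are left as written by this example.
            [pscustomobject]@{
                Level     = $level
                LevelName = $LevelNames[$level]
                Pattern   = [Environment]::ExpandEnvironmentVariables($data)
            }
        }
    }
}

function Test-SrpPath {
    param([Parameter(Mandatory)][string]$Path)
    $policy = Get-ItemProperty $SaferRoot -ErrorAction SilentlyContinue
    if (-not $policy -or $null -eq $policy.DefaultLevel) { return 'SRP not configured' }
    # Simplification: take the longest (most specific) matching path rule, which is
    # how SRP resolves competing path rules; hash, certificate and zone rules are
    # not modelled here.
    $match = Get-SrpPathRule |
        Where-Object { $Path -like ($_.Pattern.TrimEnd('\') + '*') } |
        Sort-Object { $_.Pattern.Length } -Descending |
        Select-Object -First 1
    if ($match) { return "$($match.LevelName) (path rule: $($match.Pattern))" }
    return "$($LevelNames[[int]$policy.DefaultLevel]) (default level)"
}

# Usage: list every rule, then test the two paths that matter most in a
# default-deny setup (a program under Program Files vs. one in a user profile).
Get-SrpPathRule | Format-Table LevelName, Pattern -AutoSize
Test-SrpPath -Path "$env:ProgramFiles\Internet Explorer\iexplore.exe"
Test-SrpPath -Path "$env:USERPROFILE\Downloads\setup.exe"
```

Run it in an elevated prompt on a box with SRP configured. Two things it makes visible: with a Disallowed default level, only paths under an Unrestricted rule launch at all; and the decision is made on the file's path at launch, so code that never becomes a file on disk (the in-process case Hungry Man describes) is simply outside what the policy evaluates.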
     
  15. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Right.

Return Oriented Programming. Exploits don't need to start their own processes or download payloads, there's nice juicy code for them to work with right in the exploited program :p

    By never hitting the disk.

    https://www.wilderssecurity.com/showthread.php?t=315130
     
  16. BrandiCandi

    BrandiCandi Guest

    OK, what I'm looking for is MAC for windows. But I think that's pretty far off the topic of XP's future. So I started another thread.
     
  17. wat0114

    wat0114 Guest

    Right, the blog about never hitting the disk. Of course like so many of these blogs, they don't really explain how they would work in an actual, non-controlled-environment scenario. Essentially, what needs to happen from start to finish for these exploits to be successful.
     
  18. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    ROP is well documented. Moving from one thread to another through IPC (as the name states, inter-process calls) is just a function of operating systems.
     
  19. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,989
    Location:
    California
    That's just a metasploit-type site where anyone can download/run malware demos.

    As I indicated earlier, I'm interested in seeing how an exploit is served up in the wild. Then, I can evaluate my own defenses.

    Take MS08-067 as an example: exploiting the Windows Server Service via a specially crafted Remote Procedure Call (RPC) request.

The infamous Conficker worm had a fun time with this vulnerability starting in November 2008, and added millions to its botnet club in the ensuing months.

    An investigation revealed that the first variant, Conficker.A, intruded via an unsecured port 445.

    • Security-aware people already had ports secured from within the OS itself, or with a 3rd party product.

    The next variant, Conficker.B intruded via exploiting the Autorun feature in Windows, to load a DLL.

    • Security-aware people already had this type of attack easily prevented, either from within the OS itself, or with a 3rd party product.
    _________________________________________________________________________________________________

    By the way: In the "Let's bash older versions of the OS as being more vulnerable" department, note that MS08-067 exploited all versions of Windows, including the latest at that time, Windows Vista and Windows Server 2008.

    Microsoft Security Bulletin MS08-067
    Published: Thursday, October 23, 2008
    Critical Vulnerability in Server Service Could Allow Remote Code Execution
    http://technet.microsoft.com/en-us/security/bulletin/ms08-067

    _________________________________________________________________________________________________

    By the way #2: In the "The current version of an OS is more secure because of updates/patches" department, note the date of the patch for MS08-067 -- one month before the onslaught of Conficker.

    Patches mean nothing if not installed:

    Windows users indifferent to Microsoft patch alarm, says researcher
    December 4, 2008
    http://www.computerworld.com/action...wArticleBasic&taxonomyId=89&articleId=9122599

    'Huge increase' in worm attacks plagues unpatched Windows PCs
    Microsoft scolds users who never applied October's emergency update
    January 12, 2009
    http://www.computerworld.com/s/arti...s_plagues_unpatched_Windows_PCs?source=NLT_PM

    _________________________________________________________________________________________________

    My experience has been that security-aware people do patch, and also have protection in place that negates any 0-day payload.

    None of this is to advocate keeping an old version of an OS. Rather, just to put things into perspective:

    • Having the latest version of an OS doesn't necessarily mean that a user cannot be infected.

    • Having an older version of an OS doesn't necessarily mean that a user will be infected.

    ----
    rich
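Rmus lists three things that decided whether a machine was Conficker fodder: whether the MS08-067 patch was installed, whether port 445 was reachable, and whether Autorun would load a DLL from removable media. The script below turns that into a defender's check; it is an added example, not code from the thread or from Microsoft. It assumes KB958644 is the hotfix id for MS08-067 (from memory, verify against the bulletin linked above), needs the Net* cmdlets of Windows 8 / Server 2012 or later, and the patch check only means something on an OS the bulletin applied to (elsewhere it simply reports $false).

```powershell
# Added example, not from the thread: a defender's check of the three exposure
# points in the MS08-067 / Conficker account above (missing patch, SMB port 445
# reachable, Autorun enabled for removable drives). Assumptions: KB958644 is the
# hotfix id for MS08-067 (supplied from memory, verify against the bulletin);
# the Net* cmdlets need Windows 8 / Server 2012 or later; the patch check is only
# meaningful on an OS the bulletin applied to, elsewhere it simply reports $false.
function Test-Ms08067Exposure {
    param([string]$HotfixId = 'KB958644')
    $findings = [ordered]@{}

    # 1. Patch state: Get-HotFix reads the installed-update history.
    $hf = Get-HotFix -Id $HotfixId -ErrorAction SilentlyContinue
    $findings['PatchInstalled'] = [bool]$hf

    # 2. SMB exposure: is anything listening on TCP 445, and does an enabled
    #    inbound firewall rule let it in? This is the Conficker.A entry point.
    $listen = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    $findings['Port445Listening'] = [bool]$listen
    $allowIn = Get-NetFirewallPortFilter -ErrorAction SilentlyContinue |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq '445' } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' }
    $findings['Port445AllowedInbound'] = [bool]$allowIn
    $findings['FirewallProfilesOff'] = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -eq 'False' }).Count

    # 3. Autorun: NoDriveTypeAutoRun is a bitmask of drive types with Autorun
    #    disabled; bit 0x04 is removable drives, 0xFF disables it everywhere.
    #    This is the Autorun vector the post attributes to Conficker.B.
    $explorer = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' -ErrorAction SilentlyContinue
    $mask = 0
    if ($explorer -and $null -ne $explorer.NoDriveTypeAutoRun) { $mask = [int]$explorer.NoDriveTypeAutoRun }
    $findings['AutorunOffForRemovable'] = (($mask -band 0x04) -ne 0)

    [pscustomobject]$findings
}

# Usage: run elevated. PatchInstalled or AutorunOffForRemovable reporting $false,
# or Port445Listening together with Port445AllowedInbound reporting $true, is the
# same exposure the posts above describe and is what to fix first.
Test-Ms08067Exposure | Format-List
```

The shape of the check matters more than the specific KB: patch state, network reachability of the vulnerable service, and the secondary vector are three independent controls, which is exactly why "security-aware people" in Rmus's account were covered twice over even before the patch landed.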
     
  20. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,979
    Originally Posted by Rmus

    Spot on, my thoughts Exactly :thumb:
     
  21. Boost

    Boost Registered Member

    Joined:
    Feb 2, 2007
    Posts:
    1,294
    • Having the latest version of an OS doesn't necessarily mean that a user cannot be infected.

    • Having an older version of an OS doesn't necessarily mean that a user will be infected.

    Best post in this thread and 100% TRUTH :thumb:
     
  22. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
Of course it doesn't. It just means that you're more of a target and an easier one. Thankfully, as users, we don't have to worry much about direct attacks. Changing up the system is enough to completely wreck an automated attack; even if the defenses are poor and easily circumvented, the automated attacks don't take it into account, so it flat out fails.

    So if you're willing to call that security, by all means.
     
  23. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,631
    Location:
    USA
    What's clear to me when reading a thread like this one is that some people just will not or can not change their minds regardless of how information is presented to them.

    Or, to put it another way...

    Faced with the choice between changing one's mind and proving that there is no need to do so, almost everyone gets busy on the proof. - John Kenneth Galbraith
     
  24. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Classic HIPS, even older ones like SSM were able to control interprocess activity on a per process level. Just because Windows doesn't provide the means to do this doesn't mean it can't be done. The 3rd party tools have always been ahead on things like this. Microsoft just copies the ideas, weakens them down, then adds them to their next OS.
    ROFL!! Changing away from "the norm" is one of the most successful tactics ever devised, both defensively and offensively. Few defenses work better than making your opponent miss their intended target. It's been at the core of successful military strategy almost forever. I suggest that you read The Art of War before you make such a blanket statement.
    Exactly right. Any OS can be made extremely tough with the right policy enforced by the right tools.
     
  25. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    You've misunderstood. Changing things up is a fine way to go about it but it assumes ignorance on the side of your attacker. This only works for automated attacks that don't take your protection into account. Any other scenario leads to easy workarounds and an owned computer.

Perhaps you should read the part of his posts that mentions patching lol (edit: Although I think it's cloneranger who doesn't patch? I can't remember >_>)

    But no, not any OS can be made "extremely tough." Just extremely uncommon.
     