My PC Honeypot test

Posted:
in General Discussion edited January 2014
Having "switched" a few years back, our house has been PC-free for a while now. I've been reading all the stories about how PCs that are not behind a firewall etc. can be infected in about 20 mins by just sitting there...! I just had to see this for myself!

So I booted up Virtual PC with an unpatched version of Windows, turned off the firewall and opened all the ports to that computer..

Within minutes the computer started to run slowly, and after about 30 mins the Windows Help service crashed. This must have been the first buffer overrun. I left it running, and after about 50 mins a network admin message popped up saying that Windows would shut down..! Safe to say that PC was now 0wn3d!

I downloaded AVG antivirus to see how bad the infection was. This was not an easy task, as the Trojans were eating a lot of the PC's CPU. I managed to get it to work by lowering the priority of the bad processes.

It eventually found 8 viruses/Trojans! And this from a PC that was only on the net for about 2 hours!

I know most users are now protecting themselves with firewalls and making sure all the updates are there, but I still know users that refuse to install SP2 because someone told them that it stopped programs from working or slowed the machine down!

Many say that if the Mac had a bigger "market share" things would be as bad for us?

I'm not so sure.. I would have thought that with Mac users going on about how secure the Mac is compared to PCs, there would be loads of people creating Trojans for the Mac, just to shut us up?!

Comments

  • Reply 1 of 18
    ilaw Posts: 15 member
    That's very interesting. How can a computer be infected by just sitting there? Surely the user would need to use the internet a bit.

    I use Windows XP Pro but I think I'm pretty safe because I have 7 different 'anti-' programs (I think that is a bit overkill) that either run in the background or I run every week or so. The only things I usually get are tracking cookies, and even that is a rarity now.
  • Reply 2 of 18
    a_greer Posts: 4,594 member
    Quote:

    Originally posted by iLaw

    That's very interesting. How can a computer be infected by just sitting there? Surely the user would need to use the internet a bit.

    Nope, units that have already been own3d are zombies that run scans up and down IP blocks looking for open Windows ports; then when one is found, a connection is established and the bad code is transmitted.

    A router blocks the crap because the router has no Windows OS holes, thus it just ignores those packets the same way that Linux, Un*x or OS X would.
  • Reply 3 of 18
    ilaw Posts: 15 member
    I'm glad I'm returning to OS X in a few weeks time (new Powerbook). I forgot my router does all that crap, I suppose I just take it for granted that I have all the protection.
  • Reply 4 of 18
    tadunne Posts: 175 member
    Quote:

    Originally posted by iLaw

    I'm glad I'm returning to OS X in a few weeks time (new Powerbook). I forgot my router does all that crap, I suppose I just take it for granted that I have all the protection.

    I just feel sorry for the poor souls that buy a machine with a version of Windows without the firewall turned on by default. As soon as they get home and plug it into their routerless connection.. game over!

    Thing is, apart from the machine running slowly, they probably would never know if they didn't have any virus software telling them their machine is infected.

    Of course even a firewall cannot protect the other poor souls who still use IE!

    The whole internet has become one huge distributed hacking machine doing all it can to steal the resources of your PC!

    We the Mac community should learn from all this and make sure our Macs are as secure as possible. If it's true that a big part of our protection is security by obscurity, and if the sales of the Mac mini are good, then it's only a matter of time before we become a target.

    I think Apple is doing a good job at getting security updates to us, but I wish they would ship the OS with the firewall turned on.
  • Reply 5 of 18
    scott Posts: 7,431 member
    You guys see this? You may want to switch your bank.

    Wells Fargo Web-Enables ATMs

    Wells Fargo has completed a five-year project to Web-enable its 6,200 ATMs in 23 states. Now the ATMs will be Windows based rather than OS/2 based. Avivah Litan, an analyst at Gartner Inc., in Stamford, Conn., said the move to Windows-based systems is "not great news for the security of the system. I'm sure there's a lot of holes that will be created because of this."
  • Reply 6 of 18
    tadunne Posts: 175 member
    Quote:

    Originally posted by Scott

    You guys see this? You may want to switch your bank.

    Wells Fargo Web-Enables ATMs

    Wells Fargo has completed a five-year project to Web-enable its 6,200 ATMs in 23 states. Now the ATMs will be Windows based rather than OS/2 based. Avivah Litan, an analyst at Gartner Inc., in Stamford, Conn., said the move to Windows-based systems is "not great news for the security of the system. I'm sure there's a lot of holes that will be created because of this."

    Don't the people who make these decisions really understand how bad this is!

    From a reliability point of view if nothing else!
  • Reply 7 of 18
    relic Posts: 4,735 member
    I use Windows for one reason; games (AND NOTHING ELSE!) so blast me. That being said though, I haven't received a virus or Trojan since 1998. My secret: hardware firewall and virus protection. In fact I even disabled the software firewall and virus protection locally on that machine. Windows is no less secure than OS X or Linux, it just happens to be the popular choice of crackers and virus writers; knowing this, just protect yourself accordingly. I don't even surf on OS X unless I have a hardware firewall.



    This is what I use, mGuard;





    HARDWARE

    Ultra-compact casing

    Intel IXP 425 processor with 266 MHz

    32 MB RAM

    16 MB Flash

    2 x 10/100 Mbit Ethernet

    Electricity supply via USB or with external power supply



    SECURITY FUNCTIONS

    VPN connection, Shared Secret

    VPN connection, internal and external X.509 certificates

    IPsec protocol

    3DES, AES hardware encryption up to 35 Mbit/sec

    L2TP

    Stateful inspection firewall

    Transparent mode



    OPTIONAL VIRUS PROTECTION

    Hardware virus protection with Innominate mGuard

    Daily updating of signatures

    Email scanning



    FURTHER FUNCTIONS

    Browser-based administration

    Copy-protected file system

    Secure boot loader

    DHCP





    They're great for travelling too.
  • Reply 8 of 18
    a_greer Posts: 4,594 member
    Quote:

    Originally posted by tadunne

    We the Mac community should learn from all this and make sure our Mac's are as secure as possible. If true that a big part of our protection is security by obscurity and if the Sales of the Mac Mini are good then it's only time before we become a target.

    If I hear "Linux/Unix/Mac OS is secure because it is obscure" one more time, I will throw something... It is secure because you do not run as root all of the time, as you have to do in Windows (the "user" account in XP is a friggen joke). Thus, before any OS-level change can be made (like, oh say, installation of a third-party web browser plugin/service), you have to enter your root (aka administrator) password, so things cannot just install themselves into the kernel willy-nilly like with Windows.

    Also: worms. If a major worm were released for *nix, you would see a prompt to type your root password so the code could be authorized to execute; in Windows, home users run as "root" 24/7, and this is why Windows has 90% of the problems that it does.

    It is security by good policy, design and implementation; not obscurity.
  • Reply 9 of 18
    relic Posts: 4,735 member
    Linux/Unix/Mac OS is secure because it is obscure.

    Relic ducks the fists of fury.
  • Reply 10 of 18
    splinemodel Posts: 7,311 member
    Quote:

    Originally posted by Relic

    Windows is no less secure then OSX or Linux it just happens to be the popular choice of crackers and virus writers, knowing this just protect your self accordingly. I don't even surf on OSX unless I have a hardware firewall.

    I thought that too, but it's actually untrue. Mac OS X, at least, is inherently more secure than Windows.

    1) Microkernel and open source backbone make finding bugs and holes a much more streamlined process.

    2) Windows doesn't require an admin password to alter delicate system settings (registry).

    3) It's a fairly straightforward process to hack into Windows without knowing the admin password. If you have an OF password set, you're pretty much bulletproof on the Mac.

    Anyway, this has been explained many times before, and a quick net search will do anyone better than a long "debate" in this thread.
  • Reply 11 of 18
    relic Posts: 4,735 member
    Quote:

    Originally posted by Splinemodel

    I thought that too, but it's actually untrue. Mac OS X, at least, is inherently more secure than Windows.

    1) Microkernel and open source backbone make finding bugs and holes a much more streamlined process.

    2) Windows doesn't require an admin password to alter delicate system settings (registry).

    3) It's a fairly straightforward process to hack into Windows without knowing the admin password. If you have an OF password set, you're pretty much bulletproof on the Mac.

    Anyway, this has been explained many times before, and a quick net search will do anyone better than a long "debate" in this thread.

    Point taken, but as it's just a toy OS for me, aaaah who cares, infect the f-cker, that's what Ghost is for.
  • Reply 12 of 18
    chych Posts: 860 member
    Even on *NIX systems, there are tons of zombied hosts trying to install a rootkit (i.e. by guessing passwords for root/common user names). My home computer (OS X) and work computer (Linux) get these attempts around once a second; it's ridiculous (and mostly from Korea). Just check your sshd logs (if you don't have an external firewall). Don't use trivial passwords then (if you have ssh on). But then again, passwords are just a fancy form of obscurity, though not as trivial as an unpatched XP.

    And at least on *NIX systems, services (SSH) are off by default, most of the time.
  • Reply 13 of 18
    anand Posts: 285 member
    Quote:

    Originally posted by chych

    Even on *NIX systems, there are tons of zombied hosts trying to install a rootkit (i.e. by guessing passwords for root/common user names). My home computer (OS X) and work computer (Linux) get these attempts around once a second; it's ridiculous (and mostly from Korea). Just check your sshd logs (if you don't have an external firewall). Don't use trivial passwords then (if you have ssh on). But then again, passwords are just a fancy form of obscurity, though not as trivial as an unpatched XP.

    And at least on *NIX systems, services (SSH) are off by default, most of the time.

    Could you explain to a newbie how to test this? I have a broadband connection and have never worried about the Mac becoming infected or hacked, but it would be nice to check.
  • Reply 14 of 18
    chych Posts: 860 member
    Quote:

    Originally posted by anand

    Could you explain to a newbie how to test this? I have a broadband connection and have never worried about the Mac becoming infected or hacked, but it would be nice to check.

    - Open up /Applications/Utilities/Console.app
    - Open the "Logs" sidebar by pressing the "Logs" toolbar button
    - Select system.log
    - On the top right in the toolbar, in the 'filter' field, enter 'sshd'

    Then see if you have any weird activity; if not, you're fine. You won't have anything if ssh is off (in System Preferences -> Sharing, if 'Remote Login' is on, ssh is on). If you do keep ssh on, make sure you do not use trivial passwords. I personally have ssh set such that only my userid is allowed to log in.
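An added example, not code from anyone in this thread: the check chych describes in Reply 12 and Reply 14 (filter system.log for sshd and look for weird activity) done programmatically, so that a source hammering the box once a second shows up as a count per address and a list of guessed usernames rather than a scroll of lines. The log text, hostname, PIDs and addresses are constructed for the example (addresses from the RFC 5737 documentation ranges); the message formats are the ones OpenSSH's sshd writes for failed and accepted password logins. On a Mac of that era you would feed it the lines Console.app shows after filtering on 'sshd'.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of the sshd lines that appear in system.log once
# Console.app's filter is set to 'sshd'. Hostname, PIDs and addresses are
# made up; 198.51.100.23 plays the zombie, 192.0.2.10 the owner's own machine.
SAMPLE_LOG = """\
Mar  5 03:12:01 powerbook sshd[4121]: Invalid user admin from 198.51.100.23
Mar  5 03:12:01 powerbook sshd[4121]: Failed password for invalid user admin from 198.51.100.23 port 41022 ssh2
Mar  5 03:12:02 powerbook sshd[4123]: Failed password for root from 198.51.100.23 port 41023 ssh2
Mar  5 03:12:03 powerbook sshd[4125]: Invalid user test from 198.51.100.23
Mar  5 03:12:03 powerbook sshd[4125]: Failed password for invalid user test from 198.51.100.23 port 41024 ssh2
Mar  5 03:12:04 powerbook sshd[4127]: Failed password for root from 198.51.100.23 port 41025 ssh2
Mar  5 03:12:05 powerbook sshd[4129]: Failed password for root from 198.51.100.23 port 41026 ssh2
Mar  5 08:40:17 powerbook sshd[5010]: Accepted password for alice from 192.0.2.10 port 50112 ssh2
Mar  5 09:01:44 powerbook sshd[5044]: Failed password for alice from 192.0.2.10 port 50201 ssh2
Mar  5 09:01:50 powerbook sshd[5046]: Accepted password for alice from 192.0.2.10 port 50202 ssh2
"""

# "Failed password for [invalid user ]<name> from <ip> port <n>" is the line
# sshd logs for every wrong guess; the optional "invalid user" marks names
# that do not even exist on the box (the "Invalid user" line before it is a
# duplicate of the same event, so it is deliberately not counted).
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)
# "Accepted password for <name> from <ip> ..." is a successful login.
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_sshd_log(text):
    """Return (failures per source IP, usernames tried per source IP,
    list of (ip, user) for accepted logins) from syslog-style text."""
    failures = Counter()
    users = defaultdict(set)
    accepted = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group("ip")] += 1
            users[m.group("ip")].add(m.group("user"))
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append((m.group("ip"), m.group("user")))
    return failures, users, accepted


def suspicious_sources(failures, threshold=3):
    """Source addresses with at least `threshold` failed logins. A single
    typo by the owner stays below the bar; a guessing zombie does not."""
    return sorted(ip for ip, n in failures.items() if n >= threshold)


def logins_from_suspicious(accepted, suspicious):
    """Accepted logins that came from a source already seen guessing:
    the one line in the log that would actually mean trouble."""
    flagged = set(suspicious)
    return [(ip, user) for ip, user in accepted if ip in flagged]


def report(text, threshold=3):
    failures, users, accepted = parse_sshd_log(text)
    suspicious = suspicious_sources(failures, threshold)
    lines = []
    for ip in suspicious:
        lines.append("%s: %d failed logins, usernames tried: %s"
                     % (ip, failures[ip], ", ".join(sorted(users[ip]))))
    for ip, user in logins_from_suspicious(accepted, suspicious):
        lines.append("WARNING: successful login as %s from guessing source %s"
                     % (user, ip))
    return "\n".join(lines) if lines else "no suspicious sshd activity"


if __name__ == "__main__":
    # Usage: pipe real lines in instead of the sample, e.g.
    #   grep sshd /var/log/system.log | python this_file.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    print(report(text))
```

The threshold is the only judgement call: the owner's own mistyped password in the sample is one failure and stays quiet, while the guessing source, with five failures against root and two non-existent accounts, is the kind of entry chych's "around once a second" describes. The last check, a successful login from an address that was guessing a moment earlier, is the one to act on, and the sample contains none.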
  • Reply 15 of 18
    sunilraman Posts: 8,133 member
    hey hey... i got no sshd thingy problemas



    i have been running virtual pc with GASP! windows98 and office97 because of a very very important database for my parents that run a small paediatric clinic (i have been too lazy to change anything since i finished making the database/app thingy for them 'back in 1998 )



    but luckily my neighbours wireless router (we share one DSL connection) has a pretty decent firewall that helps me sleep better at night...



    that and using Mac OS 10.3.8 most of the time, we have another machine with Windows2000 but that's behind the wireless router firewall as well...



    great PC honeypot test. that must be so awesome to just see it go to sh1t like that and laugh perhaps cruelly, that this actually happens to a lot of people who just don't know any better
  • Reply 16 of 18
    sunilraman Posts: 8,133 member
    Quote:

    Originally posted by Relic

    Point taken, but as it's just a toy OS for me, Aaaah who cares infect the f-cker, that's what Ghost is for.



    dude, i've seen some internet cafes have a hardware-card Ghost-type thingy for their pee-cees... they just Ghost-type restore a machine, say, about every other day...!!
  • Reply 17 of 18
    xool Posts: 2,460 member
    Once something gets behind the firewall, it will spread between all your local machines. The firewall only protects you from outside.

    If I had multiple Windows boxes I'd still be worried even if the LAN is firewalled.
  • Reply 18 of 18
    sunilraman Posts: 8,133 member
    Quote:

    Originally posted by Xool

    Once something gets behind the firewall, it will spread between all your local machines. The firewall only protects you from outside.

    If I had multiple Windows boxes I'd still be worried even if the LAN is firewalled.




    luckily i'm only running win98 within virtual pc and have backed up the hard disk images so if my win98 vpc image becomes massively corrupt/infected/etc i just pull a 'clean' backup off me cd or iPod mini.



    as with my parents old win2000 machine, i'm with Relic... infect that f8cker!! i couldn't be bothered maintaining windows POS boxes anymore. i think secretly i am hoping some nasty ass thing will make it through some 'mcafee internet security 2004' suite we got running on that and totally like fry the hard disk or something**



    would be a perfect excuse to get a Mac mini then yay!





    **where i am now if the 20gb hard disk dies that's the end of the pee cee because we can't find replacement 20gb 3.5" disks, and 40gb drives and above are not compatible with the bios in the aging pee cee we have