The Experiment™
Old 11-05-2005, 19:08   #1
Richard M

One week, one unpatched XP box
Summary

I freed up a Linux box this week and I had an interesting idea.
In these days of the wild internet, I wondered what would happen to an unpatched Windows XP computer.

Well, I'm going to get a good chance to find out as this weekend is the start of The Experiment™ - place an unpatched, unprotected Windows XP Pro computer on the internet and watch the results.
I happen to have several spare XP Pro disks, and the one I'm going to be using is the very first edition - no service packs here folks.

Machine Spec

The computer used is nothing particularly special, but is ideal because it's exactly the sort that your mum or dad will be using to check their mail and sell stuff on eBay.
  • AMD Athlon 1800+
  • 512MB PC133 SDRAM
  • 80GB IDE hard disk
  • NVidia GeForce 4 MX440
  • Soundblaster Live 5.1 soundcard
  • Standard 10/100 ethernet card

As previously stated, it will be Windows XP Pro running a default installation.
The only exceptions are detailed below.

Software & Firewall Configuration

There are several important changes that will be made to the OS:
  • Enabling of "Remote Desktop" - this will let me check the computer from work and lets me log in from any computer at home.
  • TCP/IP - static IP addressing will be used and the computer will be placed in a DMZ to protect the part of the network I want to keep secure.
  • The reserved ports 1-1024 will be opened on the firewall and configured to port-forward to the new machine.

Schedule

So when will this happen, and how?

I'll format the disk (currently running Linux) then install Windows XP on Saturday at around 12PM (UK time).
The configuration mentioned in the previous chapter will then take place, then the ethernet cable will be connected to the switch.

The test will run for one week, unless something really interesting happens that forces me to cut the test short or extend it.

Expectations & Possibilities

I'm expecting the box to be "0wned" within an hour, possibly less.
Depending on what happens, I might do some random browsing on a default Internet Explorer - sites that your kids might visit for example, all those flashing banner ads giving away free smiley icons etc.

I'm also expecting to be hit hard by the Blaster worm, this can cause the machine to reboot constantly which will make the test a bit difficult.
If this turns out to be the case, I'll have to stop the RPC service although it'll be interesting to see how long it takes to get infected.

SANS has a top 10 Windows threats list available.

Comments

Please post your comments in the below forum thread
Old 11-05-2005, 19:15   #2
Paul

What's the IP then
Old 11-05-2005, 19:16   #3
Rob

If you aren't actually doing anything on the PC, it may take a while for it to get infected with something. It's visiting sites, getting dodgy emails and the like that is the real killer.
Old 11-05-2005, 19:19   #4
Paul M

What's the reason for doing this ? - it probably isn't going to last long, but not many such machines really exist.

Even the pc I bought in late 2002 had SP1 on it.
Old 11-05-2005, 19:20   #5
Richard M

If you'd like to spam the article link to hell on websites in the coming days, feel free.
I'm going to submit the link to several computer news websites myself, security problems need to be brought to attention.
Old 11-05-2005, 19:20   #6
TheBlueRaja

Quote:
Originally Posted by Paul
What's the IP then
What he said...
Old 11-05-2005, 19:22   #7
Richard M

Quote:
Originally Posted by Paul M
What's the reason for doing this ? - it probably isn't going to last long, but not many such machines really exist.

Even the pc I bought in late 2002 had SP1 on it.
Thanks for mentioning that, I recently read somewhere that around 40% of XP machines do not have SP1 - can't find the link though.
Old 11-05-2005, 19:39   #8
punky

Quote:
Originally Posted by Richard M
http://www.cableforum.co.uk/board/article.php?a=67

1 unpatched XP box, 1 week.
This should be interesting...
Good luck. The other day I put a clean installed XP SP1 computer on the internet, and got a net send alert within about 10 seconds, and within about 5 mins, it had already been exploited. This was exploited before I had chance to download MS antispyware (which isn't as good as it first seems now, I think). The spyware, I (or MS antispyware and Spybot S&D) couldn't get rid of it, so I had to delete, reinstall, and then reinstall SP2, antispyware before connecting it to the net again.

If it is SP2 you might last a bit longer, but SP1 will probably be exploited in minutes. (On BT openworld's network anyway)

It's a bit annoying as I wouldn't mind having SP2 on my desktop, but the b****rd won't install, and I can't seem to get round it.
Old 11-05-2005, 19:41   #9
philip.j.fry

Quote:
Originally Posted by TheBlueRaja
What he said...
***** (probably)

EDIT: Removed IP because after a traceroute I don't think it is.
EDIT #2: Ping phpfuture.net to see

Perhaps you should put up a Linux box as well for comparison Rich?

Last edited by philip.j.fry; 11-05-2005 at 19:49.
Old 11-05-2005, 19:50   #10
Gareth

I'm with Paul M on this one... why exactly are you doing it? It's been done before. I remember seeing a report at sans about an out-of-the-box XP machine being compromised within 18 minutes. If I remember correctly, this article itself is a couple of years old now. I'll try and find it again if you're interested.
Old 11-05-2005, 19:52   #11
philip.j.fry

Quote:
Originally Posted by Gareth
I'm with Paul M on this one... why exactly are you doing it? It's been done before. I remember seeing a report at sans about an out-of-the-box XP machine being compromised within 18 minutes. If I remember correctly, this article itself is a couple of years old now. I'll try and find it again if you're interested.
Sshh, we all want the chance to pwn his machine, think I'll turn it into an ET server for the day
Old 11-05-2005, 19:54   #12
David F

Quote:
Originally Posted by Richard M
Thanks for mentioning that, I recently read somewhere that around 40% of XP machines do not have SP1 - can't find the link though.
I came up against this yesterday. The machine was bought from a local store recently and this came with XP with no service packs; the guy had wondered why his camera said USB too slow.
Old 11-05-2005, 21:09   #13
MrBen

Quote:
Originally Posted by zinglebarb
The machine was bought from a local store recently and this came with XP with no service packs
That's just shoddy in my opinion. It's not hard to install SP2 on a brand-new computer; if the store uses a single image they could slipstream SP2 so they wouldn't even need to do anything after the install.

Windows XP Gold (i.e. no service packs) will now not get any further security updates.

Back on topic, I read it's only supposed to be about 20 minutes now before you get 'infected'. I wonder though if the ntl: port blocking will have an effect? ("...Blaster worms spread over port 135, which has already been blocked [by ntl:]")

Ben
Old 11-05-2005, 21:22   #14
Paul M

Quote:
Originally Posted by Gareth
I'm with Paul M on this one... why exactly are you doing it? It's been done before. I remember seeing a report at sans about an out-of-the-box XP machine being compromised within 18 minutes. If I remember correctly, this article itself is a couple of years old now. I'll try and find it again if you're interested.
Well, I wasn't worried about it being done before. I'm just curious about the reason for doing it on a box with no SP at all, as SP1 has been around for so long now. I would be interested in that link about 40% of XP machines having no SP, as that's quite a surprise to me.
Old 11-05-2005, 21:23   #15
Chris W

Quote:
Originally Posted by MrBen
I wonder though if the ntl: port blocking will have an effect? ("...Blaster worms spread over port 135, which has already been blocked [by ntl:]")

Ben
I doubt it will affect a machine connected via Nildram