Windows XP: Insecure By Default
Sun Jul 25th 2004, 3:58pm
Last weekend I got roped into helping one of my wife's work friends upgrade to a brand new PC. After a full afternoon of unpacking equipment, getting it all plugged in, and copying data from the old to the new computer, it was finally time to get her Internet access working. I'd forgotten how awful the era of dialup was as we got connected and began the arduously slow task of downloading the necessary Windows XP Updates. After 20 or 30 minutes of waiting we decided to go out for dinner. But when we came back, the computer was acting really strangely. The Updates were taking forever to download, and once downloaded they wouldn't install. Buttons like "Restart" were missing, and the installed virus scanner kept shutting off. The interface showed lots of traffic even when I wasn't doing anything. Great. Suspecting the worst, I finally offered to just take the system home and get it all patched up in the comfort of my own network. I should have known better than to put an unprotected Windows box on the Internet, even for a minute.

Sure enough, as soon as I turned on the computer and put it in a quarantined area on my home network, it began spewing out billions of packets to port 445. Sasser. Fantastic. Plus some other stuff to port 13000 I didn't recognize. I tried cleaning the system up: I got all the Windows XP updates installed, got the virus scanner up to date, ran a Sasser removal tool, and ran a few full system virus scans. It found about 5 or 6 viruses, stuff like W32.Spybot.Worm and W32.Bobax.C. However, even after all the cleanup, the computer was still spewing tons of 445 packets into the aether. I nuked some processes that I didn't recognize (which did finally stop the packet storm), and removed them from the registry so they wouldn't start up again. These were all things the virus scanners didn't know about, I guess. After a little while of this, I realized I was running around a bit half-cocked, turning things off, making changes, kind of like the infamous Whack-A-Mole carnival game, where the little rodents keep popping their heads up faster than you can hit them over the head with your mallet. Although I think I finally got the worst offenders, who knows what else was lurking on the machine, or what permanent damage had been done.
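One way to spot this kind of infection from the quarantine segment, as an added example that is not from the original post: count how many distinct hosts each source touches on TCP/445, since a clean client talks to a handful of file servers while a Sasser-style sweep touches dozens. The flow-log format, the thresholds and the sample traffic below are constructed assumptions.

```python
from collections import defaultdict

def constructed_flows():
    """Constructed sample of (src, dst, dport) flows seen on the quarantine
    segment: one infected host sweeping a /24 on TCP/445 plus some traffic to
    an unrecognised port 13000, and one clean host doing ordinary SMB and DNS."""
    flows = [("192.168.50.10", f"10.0.0.{n}", 445) for n in range(1, 61)]
    flows += [("192.168.50.10", "203.0.113.7", 13000)] * 3
    flows += [("192.168.50.20", "192.168.50.5", 445)] * 12   # normal SMB to one server
    flows += [("192.168.50.20", "192.168.50.1", 53)] * 4     # normal DNS
    return flows

def fanout_by_port(flows):
    """Map (src, dport) -> set of distinct destinations contacted."""
    fan = defaultdict(set)
    for src, dst, dport in flows:
        fan[(src, dport)].add(dst)
    return fan

def worm_suspects(flows, port=445, min_targets=20):
    """Return {src: distinct_target_count} for sources that contacted at least
    min_targets different hosts on `port`.  High fan-out on 445 is the
    scanning signature the post describes; the threshold is an assumption."""
    fan = fanout_by_port(flows)
    return {src: len(dsts) for (src, p), dsts in fan.items()
            if p == port and len(dsts) >= min_targets}

def unusual_ports(flows, expected=(53, 80, 443, 445)):
    """Per source, the destination ports outside a small allow-list, which is
    how the unrecognised port 13000 traffic would surface."""
    out = defaultdict(set)
    for src, _, dport in flows:
        if dport not in expected:
            out[src].add(dport)
    return dict(out)

if __name__ == "__main__":
    flows = constructed_flows()
    print("445 sweepers:", worm_suspects(flows))
    print("unexpected ports:", unusual_ports(flows))
```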

At this point, I realized I could just hand back the machine, but my conscience would stand for nothing less than a full reinstall. So that's what I did, this time with the benefits of a broadband connection and a NAT firewall. The key, it appears, for those unlucky enough not to have a private network and firewall, is to enable Windows XP's built-in Internet Connection Firewall (ICF) before ever plugging in a phone or ethernet cable. Even this has problems: apparently there's a brief period during bootup when your interfaces are up but ICF isn't, though this shouldn't be a problem for dialup users.

Argh. I hate Windows.

The really sad thing here is, how are lay consumers expected to know that their brand new, $1000-$2000 PC is going to be compromised the second they connect to the Internet? Shouldn't the computer come with a big, yellow warning label on the front of the box: WARNING: Microsoft products loaded; seek professional assistance before connecting to the Internet. A friend of mine at work always jokes that the little "Intel Inside" sticker on the front of every PC is actually a warning label. Isn't that the truth.

Here are some links that helped me out:

Visitor comments
On Fri Aug 20th 2004, 10:14am, David B. posted:
First of all, great site. I love the subnetting practice tool, do you have a downloadable version? Yesterday I installed XP Service Pack 2 and let me tell ya, I am so far very impressed. Not being the type that likes configuring firewall programs and the like, I have to admit the new security features are very nice. The built in pop up blocker alone is worth it. Everything defaults to "ON", so for the novice there is nothing to mess with. I went to several port scanning sites and, connecting straight to the cable modem with no router or NAT in between, it showed a nice secure system. Of course everyone knows there will be holes to fill, but if Microsoft would have been proactive instead of reactive to security issues this would have been included in SP1 or even the original release of XP. David

On Fri Aug 20th 2004, 12:58pm, Steve Kehlet posted:
> I love the subnetting practice tool, do you have a downloadable version?

Sure, you can download the PHP source at: Of course, to run it you'd need a web server with PHP running. Most Linux distros ship with Apache + PHP installed.

On Fri Aug 20th 2004, 12:59pm, Steve Kehlet posted:
CNET: Study: Unpatched PCs compromised in 20 minutes

> According to the researchers, an unpatched Windows PC connected to the Internet
> will last for only about 20 minutes before it's compromised by malware, on
> average. That figure is down from around 40 minutes, the group's estimate in
> 2003.
> ...
> The drop from 40 minutes to 20 minutes is worrisome because it means the average
> "survival time" is not long enough for a user to download the very patches that
> would protect a PC from Internet threats.
On Sat Nov 18th 2006, 1:30pm, Visitor posted:
>#1 reason >all xp are admin out of the box that way xp can phone home and M$ can mine data from your computer
>#2 too many services the average person will probably never use along with the ports they open
>#3 people are clueless to what is out there> umm yeah I just opened my spiffy new dell and plugged in the ethernet cable why is this thing acting up >>>DELL Sucks I hear that all the time then I must correct them >>no you need to learn.
>#4 this is microsoft's fault 1 making everyone admin and 2 doing nothing to educate people on how to run as non admin OH WAIT then they can't control you > sorry I forgot