[Dshield] [giac-alumni] 2/3 rds of PC's Compromised???
Dr. Neal Krawetz
hf at hackerfactor.com
Sat Apr 5 13:45:27 GMT 2008
Hi Johannes,
I think I missed the beginning of this thread. (I only caught the
cross-posting.)
Who is saying that 30-60% of PCs are compromised?
My own informal guestimate is that it is more like 25%.
And "75%" if we include "is or at some time previously was".
In my personal experience:
While high-tech companies are very good at keeping the percentage low,
Non-techie home users are another story. Same goes for non-tech Windows
systems at mom-and-pop stores. I'd put these around 75% for Windows users.
(I have not met any non-tech Linux users, and the Mac users are usually
more cautious.)
Not to steal from the medical industry, but by taking a patient history
you can get a good idea as to whether their computer is infected, without
ever looking at the computer. For example:
- Does your computer seem like it gets slow over time?
- Do you have to reboot often?
- Have you ever had to reinstall your operating system because your
computer was just not behaving well?
- Do you have to turn off your computer because some applications, like
email and web browsers, won't shut down?
- Do windows occasionally flash open and close in the background,
even when booting up?
- Do you download lots of freeware from the Internet?
- Do you use search engines to find porn sites that cater to your
current interest? (Be honest.)
- Do you sometimes follow a hyperlink from a spam email? Maybe
you did it because "it might not be spam" or "I just wasn't sure it
was spam."
- Do you have a running and up to date anti-spam system?
("Running" means actually turned on and scanning. Many people seem to
run it manually or turn it off when it slows the system down. And
"Up-to-date" means at least weekly updates. Lots of people seem to say
"I update it once a year. Isn't that enough?")
- Have you ever had a virus on your computer and not known how you
caught it? (If they blame a friend or associate, then chalk this up
as a confirmation.)
- Do your kids or spouse or friends use your computer and frequently
install stuff that you don't know about?
- Do you ever call someone to help you fix your computer?
Count each class of confirmation once. (Ignore multiple yes's to the
same question.)
Unscientific expectation: one confirmation = 50% chance of being infected.
Two confirmations = 75% chance of being infected (50%*50%).
Three confirmations = 87.5% chance of being infected.
More confirmations = more likely infected.
Ignore it when the user says:
- "I only open email from people I know."
- "My spam filter takes care of that."
- "I never look at porn."
- "I use [free|no-name|never-heard-of] anti-virus software!"
- "I run Vista so I am protected."
- "I have a firewall."
- "I shut down my computer every night, so I don't have to reboot."
- "My computer is only on when I use it. Then I turn it off."
- "There is nothing on my computer that they would want."
Sadly, in my experience, most non-techie regular users are infected.
However, in my same unscientific guestimate, non-techie regular users are
only about 25% of the systems online. Most computers online are corporate
and from high-tech industries or academics. (And if a school has 25%
infected hosts, then they already know that they have a problem.)
Now, if anyone has any real-world hard numbers from their industry that
can counter my unscientific guestimate, I am very open to feedback and
references. (I would not doubt that my experience differs from other
people. Please prove me wrong. Please say that I am a bitter cyber-cynic.)
-Neal
--
Neal Krawetz, Ph.D.
Hacker Factor Solutions
http://www.hackerfactor.com/
Author of "Introduction to Network Security" (Charles River Media, 2006)
and "Hacking Ubuntu" (Wiley, 2007)
On Fri Apr 4 08:12:01 2008, Johannes Ullrich wrote:
>
> I don't think its 30-60%. Maybe 10%? But then again. The definition is
> "remote control not intended by the user", which is more then "bots
> and other malware". For example, a lot of PCs come with "support"
> accounts and the user has no idea they exist.
>
> I suggest a little experiment for a SANS conference: Could we find a
> group of volunteers who would do a thorough configuration check of
> laptops brought in by students? Maybe to go along with a good audit of
> traffic on the hotel network? I think that would be an interesting
> exercise. The goal would be to explain as much of the traffic as
> possible on the hotel network (I don't expect to be able to "explain"
> all of it). I actually think either project would be a great basis for
> a GIAC Gold paper ;-). SANSFIRE anyone?
>
> I think these days, your standard PC is rather "noisy" on the network
> and it can be challenging to figure out every single packet it sends.
> But if you can't do that: How do you identify bad traffic?
>
> - ---------
> SANS 2008 - Orlando, FL; 41 courses, April 18-25
> http://www.sans.org/info/19686
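The hotel-network exercise Johannes proposes, "explain as much of the traffic as possible" per laptop and treat whatever is left as the candidate bad traffic, comes down to a per-host allowlist of expected flows and a coverage figure for each host. The following is an added illustration, not code from either poster or from DShield or SANS; the flow records, the local resolver address and the "expected traffic" rules are all constructed assumptions for this example (documentation IP ranges, not a real capture), and a real run would replace them with the site's own resolver, proxy and update servers and with flows exported from the network monitor.

```python
"""Per-host traffic audit: label the flows we can explain, report the rest.

Added example (not from the original thread). Every address and rule below
is a constructed assumption standing in for a real site's baseline.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str    # host on the monitored network (e.g. a student laptop)
    dst: str    # destination address
    proto: str  # "tcp" or "udp"
    dport: int  # destination port
    nbytes: int


# Assumed local infrastructure address for this example network.
LOCAL_RESOLVER = "10.0.0.1"

# Constructed sample flows; 192.0.2.x / 198.51.100.x / 203.0.113.x are
# documentation ranges, so nothing here refers to a real external host.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", LOCAL_RESOLVER, "udp", 53, 120),
    Flow("10.0.0.5", "192.0.2.10", "tcp", 443, 5400),
    Flow("10.0.0.5", LOCAL_RESOLVER, "udp", 123, 76),
    Flow("10.0.0.7", LOCAL_RESOLVER, "udp", 53, 98),
    Flow("10.0.0.7", "198.51.100.23", "tcp", 6667, 2300),
    Flow("10.0.0.7", "203.0.113.9", "tcp", 80, 1200),
    Flow("10.0.0.7", "203.0.113.9", "tcp", 9001, 410),
]

# Assumed "expected traffic" baseline: a label plus the predicate that
# recognises it. Order matters only in that the first match wins.
EXPECTED = [
    ("dns-to-local-resolver",
     lambda f: f.dst == LOCAL_RESOLVER and f.proto == "udp" and f.dport == 53),
    ("ntp-to-local-server",
     lambda f: f.dst == LOCAL_RESOLVER and f.proto == "udp" and f.dport == 123),
    ("web",
     lambda f: f.proto == "tcp" and f.dport in (80, 443)),
]


def explain(flow):
    """Return the baseline label for a flow, or None if nothing explains it."""
    for label, matches in EXPECTED:
        if matches(flow):
            return label
    return None


def audit(flows):
    """Group flows by source host and compute how much of each host's
    traffic the baseline accounts for. The 'unexplained' list is what an
    analyst would look at first."""
    per_host = defaultdict(lambda: {"flows": 0, "explained": 0,
                                    "labels": Counter(), "unexplained": []})
    for f in flows:
        entry = per_host[f.src]
        entry["flows"] += 1
        label = explain(f)
        if label is None:
            entry["unexplained"].append(f)
        else:
            entry["explained"] += 1
            entry["labels"][label] += 1
    for entry in per_host.values():
        entry["coverage"] = entry["explained"] / entry["flows"]
    return dict(per_host)


def unexplained_ports(report, host):
    """Compact (dst, dport) view of a host's unexplained flows, sorted."""
    return sorted((f.dst, f.dport) for f in report[host]["unexplained"])


if __name__ == "__main__":
    report = audit(SAMPLE_FLOWS)
    for host, entry in sorted(report.items()):
        print(f"{host}: {entry['coverage']:.0%} of {entry['flows']} flows "
              f"explained {dict(entry['labels'])}")
        for f in entry["unexplained"]:
            print(f"    unexplained -> {f.dst}:{f.dport}/{f.proto} ({f.nbytes} bytes)")
```

In the constructed sample, 10.0.0.5 is fully explained, while 10.0.0.7 has two flows the baseline cannot account for, which is the kind of residue the exercise would hand to a volunteer for a closer look at that laptop's configuration. The point of the coverage figure is the one Johannes makes: a baseline that explains most of a host's packets is what makes the remainder reviewable at all.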