[Dshield] [giac-alumni] 2/3 rds of PC's Compromised???

Dr. Neal Krawetz hf at hackerfactor.com
Sat Apr 5 13:45:27 GMT 2008

Hi Johannes,

I think I missed the beginning of this thread.  (I only caught the

Who is saying that 30-60% of PCs are compromised?

My own informal guestimate is that it is more like 25%.
And "75%" if we include "is or at some time previously was".

In my personal experience:
While high-tech companies are very good at keeping the percentage low,
Non-techie home users are another story.  Same goes for non-tech Windows
systems at mom-and-pop stores.  I'd put these around 75% for Windows users.
(I have not met any non-tech Linux users, and the Mac users are usually
more cautious.)

Not to steal from the medical industry, but by taking a patient history
you can get a good idea as to whether their computer is infected, without
ever looking at the computer.  For example:
  - Does your computer seem like it gets slow over time?
  - Do you have to reboot often?
  - Have you ever had to reinstall your operating system because your
    computer was just not behaving well?
  - Do you have to turn off your computer because some applications, like
    email and web browsers, won't shut down?
  - Do windows occasionally flash open and close in the background, 
    even when booting up?
  - Do you download lots of freeware from the Internet?
  - Do you use search engines to find porn sites that cater to your
    current interest?  (Be honest.)
  - Do you sometimes follow a hyperlink from a spam email?  Maybe
    you did it because "it might not be spam" or "I just wasn't sure it
    was spam."
  - Do you have a running and up to date anti-spam system?
    ("Running" means actually turned on and scanning.  Many people seem to
    run it manually or turn it off when it slows the system down.  And
    "Up-to-date" means at least weekly updates.  Lots of people seem to say
    "I update it once a year. Isn't that enough?")
  - Have you ever had a virus on your computer and not known how you
    caught it?  (If they blame a friend or associate, then chalk this up
    as a confirmation.)
  - Do your kids or spouse or friends use your computer and frequently
    install stuff that you don't know about?
  - Do you ever call someone to help you fix your computer?

Count each class of confirmation once.  (Ignore multiple yes's to the
same question.)
Unscientific expectation: one confirmation = 50% chance of being infected.
Two confirmations = 75% chance of being infected (50%*50%).
Three confirmations = 87.5% chance of being infected.
More confirmations = more likely infected.

Ignore it when the user says:
  - "I only open email from people I know."
  - "My spam filter takes care of that."
  - "I never look at porn."
  - "I use [free|no-name|never-heard-of] anti-virus software!"
  - "I run Vista so I am protected."
  - "I have a firewall."
  - "I shut down my computer every night, so I don't have to reboot."
  - "My computer is only on when I use it.  Then I turn it off."
  - "There is nothing on my computer that they would want."

Sadly, in my experience, most non-techie regular users are infected.
However, in my same unscientific guestimate, non-techie regular users are
only about 25% of the systems online.  Most computers online are corporate
and from high-tech industries or academics.  (And if a school has 25%
infected hosts, then they already know that they have a problem.)

Now, if anyone has any real-world hard numbers from their industry that
can counter my unscientific guestimate, I am very open to feedback and
references.  (I would not doubt that my experience differs from other
people's.  Please prove me wrong.  Please say that I am a bitter cyber-cynic.)

Neal Krawetz, Ph.D.
Hacker Factor Solutions
Author of "Introduction to Network Security" (Charles River Media, 2006)
and "Hacking Ubuntu" (Wiley, 2007)

On Fri Apr  4 08:12:01 2008, Johannes Ullrich wrote:
> I don't think it's 30-60%. Maybe 10%? But then again. The definition is
> "remote control not intended by the user", which is more than "bots
> and other malware". For example, a lot of PCs come with "support"
> accounts and the user has no idea they exist.
> I suggest a little experiment for a SANS conference: Could we find a
> group of volunteers who would do a thorough configuration check of
> laptops brought in by students? Maybe to go along with a good audit of
> traffic on the hotel network? I think that would be an interesting
> exercise. The goal would be to explain as much of the traffic as
> possible on the hotel network (I don't expect to be able to "explain"
> all of it). I actually think either project would be a great basis for
> a GIAC Gold paper ;-). SANSFIRE anyone?
> I think these days, your standard PC is rather "noisy" on the network
> and it can be challenging to figure out every single packet it sends.
> But if you can't do that: How do you identify bad traffic?
> - ---------
> SANS 2008 - Orlando, FL; 41 courses, April 18-25
> http://www.sans.org/info/19686
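The approach proposed in the quoted message (explain as much of a host's traffic as possible and treat whatever is left as the review queue) can be scripted against flow records.  The following is an added example, not code from either poster or from DShield/SANS; the subnet, the resolver list, the rules and every flow record are constructed for illustration.

```python
"""Traffic triage: explain every flow you can, then look at what is left.

Added example, not from the original list post. It applies the idea of
explaining as much of a laptop's traffic as possible and treating the
remainder as the review queue. Every rule, address and flow below is a
hypothetical illustration, not captured data.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LOCAL_NET = ip_network("10.1.1.0/24")                        # assumed hotel/lab subnet
RESOLVERS = {ip_address("10.1.1.1"), ip_address("8.8.8.8")}  # assumed DNS resolvers


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    nbytes: int


# Constructed sample flows from one laptop (not captured data).
SAMPLE_FLOWS = [
    Flow("10.1.1.23", "10.1.1.1", "udp", 67, 300),          # DHCP
    Flow("10.1.1.23", "8.8.8.8", "udp", 53, 120),           # DNS to a known resolver
    Flow("10.1.1.23", "93.184.216.34", "tcp", 443, 58000),  # HTTPS
    Flow("10.1.1.23", "93.184.216.34", "tcp", 80, 1500),    # HTTP
    Flow("10.1.1.23", "10.1.1.255", "udp", 137, 78),        # NetBIOS name broadcast
    Flow("10.1.1.23", "203.0.113.9", "udp", 53, 150),       # DNS to a non-resolver
    Flow("10.1.1.23", "192.0.2.45", "tcp", 6667, 4100),     # IRC port to an unknown host
    Flow("10.1.1.23", "198.51.100.7", "tcp", 8080, 900),    # odd port to an unknown host
]


def _is_local(addr: str) -> bool:
    return ip_address(addr) in LOCAL_NET


def _is_broadcast(addr: str) -> bool:
    return ip_address(addr) == LOCAL_NET.broadcast_address


# Each rule is (label, predicate). A flow is "explained" by the first rule
# whose predicate accepts it. Rules are deliberately narrow: DNS is only
# explained when it goes to a configured resolver, so DNS to an arbitrary
# host stays in the unexplained queue instead of hiding behind "it's DNS".
RULES = [
    ("dhcp", lambda f: f.proto == "udp" and f.dport in (67, 68)
                       and (_is_local(f.dst) or f.dst == "255.255.255.255")),
    ("dns-to-resolver", lambda f: f.proto == "udp" and f.dport == 53
                                  and ip_address(f.dst) in RESOLVERS),
    ("web", lambda f: f.proto == "tcp" and f.dport in (80, 443)),
    ("netbios-local", lambda f: f.proto == "udp" and f.dport in (137, 138)
                                and _is_broadcast(f.dst)),
]


def explain(flow: Flow, rules=RULES):
    """Return the label of the first rule that explains the flow, else None."""
    for label, pred in rules:
        if pred(flow):
            return label
    return None


def triage(flows, rules=RULES):
    """Split flows into a per-rule count of explained flows and a list of the rest."""
    explained = Counter()
    unexplained = []
    for f in flows:
        label = explain(f, rules)
        if label is None:
            unexplained.append(f)
        else:
            explained[label] += 1
    return explained, unexplained


def review_queue(flows, rules=RULES):
    """Unexplained flows, largest byte count first, ready for a human to look at."""
    _, unexplained = triage(flows, rules)
    return sorted(unexplained, key=lambda f: f.nbytes, reverse=True)


if __name__ == "__main__":
    explained, unexplained = triage(SAMPLE_FLOWS)
    print("explained:", dict(explained))
    for f in review_queue(SAMPLE_FLOWS):
        print(f"review: {f.src} -> {f.dst} {f.proto}/{f.dport} ({f.nbytes} bytes)")
```

On the constructed sample, five flows are explained and three land in the queue: the IRC-port connection, the 8080 connection to an unknown host, and the DNS query sent somewhere other than the configured resolvers.  The point of keeping the rules narrow is that the queue is where a "support" account or a bot shows up; a rule like "udp/53 is DNS, ignore it" would have hidden the third one.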
