Score: 26

I watched this YouTube video where the uploader connected a Windows 2000 virtual machine directly to the internet, no NAT or firewall.

Within minutes, his VM is infected with malware, the overwhelming majority of which is quite old. No browsing is needed, no executing of strange downloads, he simply connects and is infected.

Why does this happen for systems that are 20+ years old? Obviously they no longer get security updates and the exploits themselves still exist on those systems, but I would have thought that the malware using ancient exploits eventually "dies out" in the wild as there become progressively fewer and fewer older hosts to sustain it. Are there threat actors still maintaining large botnets of Windows 2000 machines simply to infect more 2000 machines? What would be the motivation behind this if these infections are essentially powerless against modern systems? I can't imagine there are that many systems still running Windows 2000 without being behind their own router at the very least, so how are there enough infected hosts to scan and infect new machines that quickly?

(Likely) Alternative: Needless to say infosec is not my field. Am I simply misinformed in how these viruses spread so rapidly, and are the actual infection methods completely independent of volume of hosts?

  • Note also that "connecting to the internet" doesn't mean connecting to the entire internet all at once. If your device (no matter how unpatched) is only on for an hour you would pretty much have to connect to a malicious site to get malware. If you leave it up long enough eventually someone will find it and take advantage (probably). Keep in mind a "malicious site" could easily just be the ads from an otherwise harmless site. Also, being a VM, even if exploited only the image itself can likely be damaged.
    –  aslum
    Commented May 20 at 20:36
  • @aslum That is not the case in the video, his VM is infected within mere minutes.
    Commented May 21 at 9:11
  • @ElectricHellKnight I am honestly kind of surprised at the speed of infection - with it being basically instant it almost seems like the install was already compromised before he connected...
    –  aslum
    Commented May 21 at 17:12
  • @aslum Eh... the "internet" is a hostile entity. I am a web developer and manage servers. Any newly spun up servers, even on private co-loc, are pinged and attacked within minutes of coming online if there are no firewalls stopping them. The internet literally has massive bot armies scanning every port all the time. This has been happening for at least 20 years, if not more.
    –  Nelson
    Commented May 22 at 1:46

4 Answers

Score: 47

You might be misunderstanding how infections work. There aren't specialised "infectors" that look for specific targets (i.e. Win2k infectors looking for Win2k targets). Rather, infectors find targets, figure out what they are, then look for exploits for that target. It's simple and easy and cheap to maintain a database of these exploits even for old targets, so there is no reason to "trim" the database. And if you do find a really old, unpatched vulnerable system, that tends to be a huge win due to the fact that old systems tend to have lots of vulnerabilities that can be exploited and leveraged in multiple ways.

So, the infection process is more like this:

  • scan for targets
  • find target
  • identify target (OS, software, services, etc. along with versions)
  • match target to database of exploits
  • try exploits specific to the OS/software/service and version

And that whole process can be, and is, automated.
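As an added illustration of the loop described above (example code, not the answer author's): a small Python model of steps 3 to 5, where a scanner has already collected one banner per open port and the remaining work is fingerprint the service, parse its version, and look up every exploit whose affected range contains it. The banners are constructed, and every entry in the exploit table is a hypothetical placeholder except the OpenSSL 1.0.1 to 1.0.1f range for Heartbleed, which is the real affected range. The point the code makes is the one the answer makes: nothing in the matching logic cares how old an entry is, so a decades-old exploit costs nothing to keep in the database.

```python
"""Toy model of scan -> identify -> match -> exploit.  Added example, not
code from the original answer.  Banners are constructed; every exploit
entry except the Heartbleed version range is hypothetical."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# A version is (numeric parts, optional letter suffix), e.g. "1.0.1e" ->
# ((1, 0, 1), "e").  Python compares these tuples element-wise, which gives
# the ordering 1.0.1 < 1.0.1e < 1.0.1f < 1.0.2 without extra code.
Version = Tuple[Tuple[int, ...], str]


def parse_version(text: str) -> Version:
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]?)", text)
    if m is None:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split(".")), m.group(2)


# Step 3: fingerprints that pull (product, version) out of a raw banner.
FINGERPRINTS = [
    ("iis", re.compile(r"Server: Microsoft-IIS/([\d.]+)")),
    ("openssl", re.compile(r"OpenSSL/([\d.]+[a-z]?)")),
    ("openssh", re.compile(r"^SSH-2\.0-OpenSSH_([\d.]+)")),
    ("windows", re.compile(r"^Windows ([\d.]+) \(")),   # SMB "native OS" string
]


def identify(banner: str) -> List[Tuple[str, Version]]:
    """One banner can expose several products (an Apache Server header that
    also names the OpenSSL build), so return every match, not the first."""
    found = []
    for product, pattern in FINGERPRINTS:
        m = pattern.search(banner)
        if m:
            found.append((product, parse_version(m.group(1))))
    return found


@dataclass(frozen=True)
class Exploit:
    name: str
    product: str
    first_affected: str   # inclusive
    last_affected: str    # inclusive


# Step 4: the exploit "database".  Only the Heartbleed range is real
# (OpenSSL 1.0.1 through 1.0.1f, fixed in 1.0.1g); the rest are placeholders.
EXPLOIT_DB = [
    Exploit("heartbleed", "openssl", "1.0.1", "1.0.1f"),
    Exploit("hypothetical-iis-rce", "iis", "4.0", "5.1"),
    Exploit("hypothetical-win2k-smb-rce", "windows", "5.0", "5.1"),
    Exploit("hypothetical-old-openssh-rce", "openssh", "1.0", "4.3"),
]


def match_exploits(banner: str) -> List[str]:
    """Step 5: every exploit whose affected range contains the advertised
    version.  Age of the entry is irrelevant to this check."""
    hits = []
    for product, version in identify(banner):
        for e in EXPLOIT_DB:
            if e.product != product:
                continue
            lo, hi = parse_version(e.first_affected), parse_version(e.last_affected)
            if lo <= version <= hi:
                hits.append(e.name)
    return hits


def plan(banners: Dict[str, str]) -> Dict[str, List[str]]:
    """Steps 1-2 are assumed done: one banner per target:port from the scanner."""
    return {target: match_exploits(b) for target, b in banners.items()}


# Constructed banners standing in for what a scanner read off the wire.
SAMPLE_BANNERS = {
    "192.0.2.10:80": "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n",
    "192.0.2.10:445": "Windows 5.0 (Windows 2000 LAN Manager)",
    "192.0.2.20:443": "HTTP/1.1 200 OK\r\nServer: Apache/2.4.58 (Ubuntu) OpenSSL/1.0.1e\r\n",
    "192.0.2.30:22": "SSH-2.0-OpenSSH_9.6",
}

if __name__ == "__main__":
    for target, exploits in plan(SAMPLE_BANNERS).items():
        print(f"{target:18} -> {exploits or 'nothing in the database'}")
```

Running it shows the two Windows 2000 era banners and the old OpenSSL build each matched immediately, while the current OpenSSH banner matches nothing; the scanner did no work specific to any of them beyond the version comparison.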

  • And old systems can prove useful in gaining access to a wider network of new systems, or to persist presence in a network. After all, who dares to even install a virus scanner on that critically important old system that no-one has touched since Bob left in 2003? :)
    –  jpa
    Commented May 19 at 16:18
  • Exactly. Or the printer. Or turnstile system (Windows ME *cough cough*(nope, not an actual discovery at all, nuh uh)). Or some other system that was installed by someone else that you have no control over to harden or add things like AV...
    –  schroeder
    Commented May 19 at 17:06
  • Old Windows systems are just basically unsafe. If you happen to get unpatched old OSes, it is basically automatic remote root access from the get-go.
    –  Nelson
    Commented May 20 at 7:50
  • @Nelson Old systems in general. Windows is the poster child for this because it has been widely used in embedded systems it has no business being used in, and there are many well documented high profile examples of active exploitation in the wild, but just because a system is not using Windows does not make it ‘safe’. RHEL 2.1, Debian 3.0, Ubuntu 4.10, Fedora 2, Mac OS X 10.3, and FreeBSD 5.0 are all about the same in terms of ‘safety’, and none of them is much better than Windows XP.
    Commented May 21 at 1:40
Score: 16

One can easily be surprised by how many systems there are out there that are still vulnerable to old exploits that have long since had patches available. Some exploits require some manual work and it is not viable to do that for every system in the world, so some vulnerable systems will inevitably go under the radar. And if an attacker finds a vulnerability in a system they are not exactly incentivised to take the system down or to make their presence known to the system admins.

Most malware today is not very innovative. There are so many known exploits that still work, so attackers keep using them. An old solution that works will always provide a higher return-on-investment than if you needed to build a new solution that works similarly well.

One famous exploit is Heartbleed, which according to Wikipedia saw about 80% of public web servers patched after three years and 90% patched after five years. There was still 10% of the original number left after five years that had not updated their systems or been taken offline. It is slow to get everyone to update their systems, especially if they are not aware of the security implications or if they have other obstacles to overcome such as organisational hurdles.

  • Also lots of computers aren't just computers. If an ATM, airliner, petrochemical refinery system, medical diagnostic imager, etc, was built in the early 2000s it probably used 2k or XP, but that system is still in use today, nowhere near fully depreciated, and replacing it to fix the now obsolete and vulnerable computer inside might cost hundreds of thousands or millions of dollars or more. So people don't.
    Commented May 19 at 8:37
  • I wonder if large servers get updated first. I might run a vulnerable server at home with 10 visitors a year, while Google’s servers were updated very quickly. And does a server with 128 cores count as ONE server or 128?
    Commented May 20 at 11:10
  • @gnasher729 A box with 128 cores that presents a website and handles email is usually referred to as just one server (computer), but in a stricter sense, it may be counted as two servers (processes). -- For the other question, your server at home probably produces less revenue and is less prominent than Google's, so Google have greater interest in their system functioning and dedicate more resources accordingly.
    Commented May 20 at 21:03
Score: 15

Focusing on one aspect of your question:

Are there threat actors still maintaining large botnets of Windows 2000 machines simply to infect more 2000 machines?

Even if the original vulnerability was in how a group of Windows 2000 machines communicated, you would (almost certainly) not need a Windows 2000 machine to carry out such an attack. The (modern) attack software, running on (modern-ish) botnet machines could easily be written to trigger the vulnerability, should it end up talking to an old, unprotected Windows 2000 machine.

Score: 1

Like natural viruses, the affinity of malware lasts as long as there is no "immunity".

It's why a lot of antivirus programs are becoming resource hogs. They need to reference bigger and bigger databases of signatures to look out for.

  • I'm afraid you have a very antiquated view of viruses and antiviruses.
    –  schroeder
    Commented Jun 3 at 11:56
