This is a thing I used to hear back in the olden days of Windows XP...

People were telling me that a computer running on an out-of-date Windows XP system with no antivirus software was getting infected with malicious software within a few minutes after connecting it to the internet, without any user action. For this reason, a computer right after reinstalling the OS must never go online, not even to download updates or AV software; instead, the relevant Windows updates must be downloaded on an already working computer, burnt on a CD / DVD disc, installed on the new system offline, and only then could we connect it to the internet. Same for AV.

I wonder how it was possible for malicious software to autoinfect regular users the moment they went online? I know it must be possible since I've experienced this myself (on a grossly out-of-date WinXP system, granted).

I suppose there must have been botnets constantly port-scanning all valid IPv4 addresses... because how else could they download themselves the moment a user went online? But there are almost 4 billion valid public IPv4 addresses! Am I to understand it was possible to keep such an amount of addresses constantly in check?

Back in those times there were simple ADSL modems. I don't know, but I suppose they were not implementing NAT, right? So it was possible for bots to directly initiate a connection to IPv4 addresses found vulnerable and infect them on sight. Is what I wrote so far correct?

If so, then I suppose this problem is no longer a thing? Machines are behind routers nowadays, which usually implement rudimentary firewalls. Also they implement NAT on IPv4, and while this does not happen with IPv6, there are far too many IPv6 addresses to keep them all in check all the time. Finally, current Windows systems come with firewalls enabled by default, further preventing botnets from connecting to these freshly installed systems. Is this correct?

Anders
gaazkam

    If the computer is directly routable to the internet (a very bad idea in this day and age), common vulnerable ports will be scanned by bots and immediately exploited. – Mark Buffalo May 11 '18 at 21:09

3 Answers

Even if you are not actively accessing anything, your computer is. Windows is a very talkative OS, and will broadcast all its services all around the network, and depending on the network misconfiguration, to the entire world.

NAT will protect you under certain circumstances, but if your router has UPnP active and allows connections from the internet, it can create a path from the internet directly to your Windows computer, because Windows broadcast its printer service. Any exploit running against the SMB print service can reach it. Again, this depends on a couple of variables: OS version and configuration, network topology, router/modem version and configuration, and specifics of the attack. Some combinations of those variables will surely open a port from the internet directly to a vulnerable service on an internal computer.

There are billions of IPv4 addresses, of course, but they aren't attacked by only one actor. It's common for scanning malware to start scanning its own subnet, and after that scan a random one. If any user of your ISP is infected, you will probably be scanned soon by his computer, not by a random computer half the planet away.

And even with routers, their security depends on your ISP's settings. In Brazil, a large ISP deployed modems with telnet enabled, and without a password. Any botnet targeting modems WILL compromise them, and compromise internal computers without too much trouble.

ThoriumBR

    It might be good to mention that billions is not a very large number. Lots of malware on a fast enough link can easily scan the _entirety_ of the IPv4 address space. – forest May 12 '18 at 22:40
    Which ISP are you referring to? Which routers are affected? – Matheus Moreira Sep 14 '18 at 16:45
a computer running on an out-of-date Windows XP system with no antivirus software was getting infected with malicious software within a few minutes after connecting it to the internet without any user action

No user action, except having the device access the Internet.

Most computers have (and XP much more so) so-called services installed, that you can connect to and, if you have access, ask for information from, or send orders to.

This is true not only of computers, but of almost everything connected to the Internet (yes, your brand-new IoT thermostat qualifies. Your phone too. And your printer).

Nowadays most Internet access is masqueraded by an access point or a modem/router, so that it is not possible to reach a computer from the outside without some steps being taken.

How this works: addressing

There are many more people and people's rooms than houses in the world, so if I want an invitation delivered exactly to you I must not only identify your house (which receives its address from the Town Council) but your room also. This is not allowed under IPv4 postal regulations.

So your room address (which is allocated by your family) is unknown to the wide world, which cannot communicate with you.

Of course, other protocols - such as IPv6 - have more flexible addresses.


Otherwise, the only cases when I can communicate with "you" are:

  • "you" are the doorman of a single room house (out of metaphor, a modem directly connected to a PC). Then, your address is the IPv4 house address. This was quite common back in the days.
  • "you" have an agreement with the doorman, and everything arriving at the house door gets routed to your room, or "DMZ". Or maybe all pink envelopes go to you, all cologne-scented envelopes go to your sister, and so on. Say hello to port forwarding.
  • the doorman takes notice of whom you send letters to, and any letters coming to the house from an address to which your father sent a letter get rerouted to your father's room. The sender's address is always your house's - you get "masqueraded".

To be able to send unsolicited envelopes to you, an attacker would first need to subvert the doorman - your access point, or home router; which is a computer like any other. There is no relevant difference between a software firewall, a hardware firewall, a router, a smartphone, a printer or a home PC or laptop from this point of view. It's always a slab of silicon performing calculations according to a set of rules.

If that system has some service open, and it either does not check credentials, or uses weak credential securing, or either the credential checking or the public part of the service have errors that could be exploited, then a hostile entity could get that system to do stuff.

"Stuff" includes forwarding packets inside the house, where other systems are much less suspicious since they know they're safely inside.

But the attacker still needs a vulnerable system. XP was one (SP1 had famously several insufficiently secured services exposed to the world).

And since this was true for lots of XP computers, many people actively scanned the Internet for vulnerable XP systems. Then, viruses could do the same, and instruct infected victims to do the same, which rapidly snowballed the problem until any random IPv4 address was checked at least once every few minutes by some hostile or other. Needless to say, if you were vulnerable, those few minutes were all you had before becoming the next victim.

Since those days, security measures have improved measurably, most services come deactivated by default, credential checking is better and more ubiquitous, encryption is stronger and connections safer. This has led to a marked decrease in that sort of attack (but others have increased - for example vulnerabilities in Web apps and websites).

Of course, there are still vulnerable systems being released; typically your home access point or ADSL router has an administrative interface, with username "admin", password "admin", and anyone can access it from the outside.

Some vulnerabilities are slightly sneakier, so they're trolled differently: the administrative interface is perhaps closed from the outside unless you say otherwise, but you can say otherwise by clicking on the router's interface, which typically has a home address of 192.168.0.1. So I send you an email (or prepare a banner ad) with a link to 192.168.0.1/cgi-bin/commands?cmd=open_interface&areyousure=yes&reallysure=yes&pleasedontdothat=yes, you click on it and you unlock your door to me.

That's why it might be a good idea, before purchasing say a home router, to google "router-make-and-model vulnerability" or "brand-name vulnerability 2016-2018" to have an idea of who you're trusting your security to.

Also, check "features" like "Internet Printing" for your printer: some printers can be convinced not only to waste their paper from the outside as a prank, but also to act as routers or "beachheads" for more sinister deeds.

And so on.

LSerni
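The three "doorman" cases in the answer above (a host sitting directly on the public address, an explicit port forward or DMZ, and a masquerading table that only outbound traffic can populate), plus the UPnP port-mapping path that ThoriumBR's answer describes, as a toy model in Python. This is an added example, not code from either answer or from any real router firmware: the class, method names, and the documentation-range addresses (192.0.2.x, 198.51.100.x, 203.0.113.x) are all constructed for illustration.

```python
"""
Toy model of a home router's inbound decision logic (constructed example).

It shows why an unsolicited probe from the internet is dropped by a plain
NAT router, and exactly which configurations turn that probe into a packet
delivered to an inside host: a static port forward, a DMZ host (which also
models a PC plugged straight into a modem, since every port then reaches
it), or a mapping added from the inside via UPnP.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Target = Tuple[str, int]          # (inside ip, inside port)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass
class NatRouter:
    public_ip: str
    # static rules: (proto, public port) -> (inside ip, inside port)
    port_forwards: Dict[Tuple[str, int], Target] = field(default_factory=dict)
    # "everything else goes to this room"; None means no DMZ
    dmz_host: Optional[str] = None
    # masquerading table filled only by outbound flows:
    # (proto, public port) -> (inside ip, inside port, remote ip, remote port)
    _flows: Dict[Tuple[str, int], Tuple[str, int, str, int]] = field(default_factory=dict)
    _next_port: int = 40000

    def outbound(self, pkt: Packet) -> Packet:
        """An inside host talks to the internet: allocate a public port and
        remember who it talked to, so only that peer's replies get back in."""
        public_port = self._next_port
        self._next_port += 1
        self._flows[(pkt.proto, public_port)] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return Packet(self.public_ip, public_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def upnp_add_mapping(self, inside_ip: str, inside_port: int, public_port: int, proto: str = "tcp") -> None:
        """What a UPnP IGD AddPortMapping request from an inside program amounts to:
        a port forward created without the owner touching the router's UI."""
        self.port_forwards[(proto, public_port)] = (inside_ip, inside_port)

    def inbound(self, pkt: Packet) -> Optional[Target]:
        """Packet arrives from the internet. Return the inside (ip, port) it is
        delivered to, or None if the router drops it."""
        # 1. reply to a flow an inside host started: the remote must match too,
        #    so a third party cannot ride on the allocated port.
        flow = self._flows.get((pkt.proto, pkt.dst_port))
        if flow and (flow[2], flow[3]) == (pkt.src_ip, pkt.src_port):
            return flow[0], flow[1]
        # 2. explicit (or UPnP-created) port forward
        fwd = self.port_forwards.get((pkt.proto, pkt.dst_port))
        if fwd:
            return fwd
        # 3. DMZ host receives whatever is left
        if self.dmz_host:
            return self.dmz_host, pkt.dst_port
        return None


def exposure_report(router: NatRouter, ports, scanner_ip: str = "203.0.113.5") -> Dict[int, Optional[Target]]:
    """Which inside targets an unsolicited probe to each port would reach."""
    return {p: router.inbound(Packet(scanner_ip, 41234, router.public_ip, p)) for p in ports}


if __name__ == "__main__":
    r = NatRouter(public_ip="198.51.100.7")
    print("plain NAT:", exposure_report(r, [445, 3389]))
    r.upnp_add_mapping("192.168.1.20", 445, 445)
    print("after UPnP mapping:", exposure_report(r, [445, 3389]))
```

Run it and the first report shows every probed port dropped; the second shows port 445 reaching the inside host after a single UPnP request, which is the reason many administrators disable UPnP on the WAN side and check the router's mapping table periodically.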
You are correct in assuming there were (and still are) botnets constantly portscanning all valid IPv4 addresses. You can actually observe this in the log of every Internet firewall. This isn't as incredible a feat as you seem to be thinking. There are millions of botnet members out there, and they scan thousands of addresses in parallel, so every single one of the 4 billion valid public IPv4 addresses has a good chance of being scanned by at least one of them at every moment.

You are also correct in assuming that the problem is greatly reduced by having a NAT router between your PC and the Internet. Portscans can then no longer directly access the ports of the PC. They will instead portscan the router, which may however have vulnerabilities of its own. Today's botnets do in fact target routers as well as PCs. If they find an unpatched vulnerability on a router they may exploit it either to manipulate the router into allowing access to computers behind it so that it can be attacked in turn, or to implant malware on the router itself.

Tilman Schmidt
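The answer above says the scanning can be observed in any Internet-facing firewall's log and that it is not an incredible feat given the size of the scanning population; ThoriumBR's answer adds that a scanner often starts with its own subnet. The following is an added Python example (not from either answer) that parses constructed netfilter/UFW-style block lines, groups the probes by source and port, flags sources inside the firewall's own /24, and computes the mean time before a given address is probed for an assumed scanner population. The log lines, hostnames and addresses are constructed; the regex matches the field layout a Linux netfilter LOG target emits.

```python
"""
Constructed example: summarise unsolicited probes from firewall block logs
and estimate how fast a scanning population covers the IPv4 space.
"""
import ipaddress
import re
from collections import Counter, defaultdict
from typing import Dict, List

# Field layout of a Linux netfilter LOG line (as used by UFW's "[UFW BLOCK]").
LOG_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+).*?PROTO=(?P<proto>\w+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

# Constructed sample log; addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Jun  3 10:01:02 gw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=41234 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
Jun  3 10:01:09 gw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=41235 DPT=139 WINDOW=1024 RES=0x00 SYN URGP=0
Jun  3 10:02:41 gw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.200 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=50012 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
Jun  3 10:03:15 gw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=6000 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Jun  3 10:03:16 gw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=6000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jun  3 10:04:30 gw sshd[1201]: Accepted publickey for ops from 192.168.1.9 port 52110 ssh2
Jun  3 10:05:00 gw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=41236 DPT=135 WINDOW=1024 RES=0x00 SYN URGP=0
"""


def parse_blocks(text: str) -> List[Dict[str, object]]:
    """Extract src/dst/proto/ports from every block line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        records.append({"src": m["src"], "dst": m["dst"], "proto": m["proto"],
                        "spt": int(m["spt"]), "dpt": int(m["dpt"])})
    return records


def summarize(records: List[Dict[str, object]], local_prefix: int = 24) -> Dict[str, object]:
    """Probes per source, ports each source tried, probes per destination port,
    and which sources sit inside the destination's own subnet."""
    by_source = Counter(r["src"] for r in records)
    by_port = Counter(r["dpt"] for r in records)
    ports_by_source = defaultdict(set)
    same_subnet = set()
    for r in records:
        ports_by_source[r["src"]].add(r["dpt"])
        local_net = ipaddress.ip_network(f"{r['dst']}/{local_prefix}", strict=False)
        if ipaddress.ip_address(r["src"]) in local_net:
            same_subnet.add(r["src"])
    return {"by_source": by_source, "by_port": by_port,
            "ports_by_source": dict(ports_by_source), "same_subnet": same_subnet}


def expected_seconds_until_probed(scanners: int, probes_per_second_each: float,
                                  address_space: int = 2 ** 32) -> float:
    """Mean wait before one given address is hit, if the whole population picks
    targets uniformly at random: hits on it arrive at rate (scanners*rate)/space."""
    return address_space / (scanners * probes_per_second_each)


if __name__ == "__main__":
    s = summarize(parse_blocks(SAMPLE_LOG))
    print("probes per source:", dict(s["by_source"]))
    print("ports per source:", s["ports_by_source"])
    print("sources in our own /24:", s["same_subnet"])
    # assumed population: one million scanners at 1000 probes/s each
    print("mean seconds until a given address is probed:",
          expected_seconds_until_probed(1_000_000, 1000))
```

With the assumed population of a million scanners at a thousand probes per second each, a given address is hit on average every 4.3 seconds, which matches the "few minutes" in the question with room to spare; the log summary is the shape of the check an operator would run to see that the probes are real and which ports they are after.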