Monday, March 31, 2014

Y2K and Mayan apocalypse had a mutant baby: the end of XP support

I ran across this post earlier today, and by the end of the first paragraph, was convinced it was an early April Fool's post. Come on - Y2K references and "The End is Coming"? Could we be more alarmist here? Here are the myths I see being perpetuated in this article:
  • "All hell will break loose"
    • Probably not - bad guys don't like to rock the boat - if they alert you to their presence, they increase the chance that they'll get removed. Remember Conficker? It infected millions of systems and waited silently. Most didn't know they were infected. On a side note, if you take the 'e' out of Conficker, it sounds like a Hadoop startup. Of course, it depends on the malware's purpose - if ransomware gets installed on 100 million systems in a week's timeframe, then yes - all hell can be considered broken and loose.
    • Did I miss the 'hell that broke loose' when Win2000 hit end of support?
  • The whole tone of the article treats XP as if it had some sort of hermetic, unbroken seal on it, with phrases like "will probably be hacked within a short timeframe" and "hackers are counting down the days".
    • XP has been through a lot. It has been hacked and infected non-stop over the past 13 years. I still sit down at XP systems belonging to friends, family and businesses with "65 updates ready to install". If someone smart and skillful decides to take out most of the remaining XP machines with a worm and some dir /s /b | del /f, it could probably be done, but I think if someone were going to do that... why wait? You could do plenty of damage now, or 2 years ago. Or 4 years ago.
  • We're assuming the bad guys are really excited about compromising 12-year-old Dell Dimensions.
    • If you were putting together a bitcoin mining botnet, would you target octo-core gaming systems with dual nVidia cards running Windows 7, or single-core Dell Optiplexes with 20GB hard drives, ATI Rage 128 onboard and an 8-year-old install of WinXP that's constantly running out of RAM and swapping hard? Sure, you'll get 8 WinXP systems for every Win7 system, but one good tire rolls a lot better than 8 flats.

Don't get me wrong - the fact that support for XP is going away is a big deal, and people need to get off the operating system. However, I disagree that it is going to be an earth-shattering end-of-times affair, for several reasons. The article cites numbers that 29% of the 'systems in the world' still run XP, but it is a gross estimate from a small sample that ignores the fact that a huge number of systems in the world don't browse the Internet at all, and aren't considered by that sample. I've seen numbers as low as 10%, but even those fancy ZMap scans of the Internet can't give us an accurate number because most XP machines will be NATed behind firewalls and routers. Microsoft might have the most accurate numbers, from Windows Update data and other 'phone home' functionality in Windows. If they have those numbers, I haven't found them or they're not sharing.

Different sources cite that anywhere from a third to half of XP systems are already compromised. I suppose it is possible that someone might compromise a compromised XP and take away their compromise in a compromise battle... We've actually seen malware that removes its competitors before, especially in crimeware turf battles. It is also possible that half of the numbers reported by AV vendors are OpenCandy (if that counts as malware, a pint of Jeni's counts as medication). I found another report that said infection rates could jump 66% after support ends. That means we could see rates of infection as high as 116%. I'd cite my sources, but they vary so wildly that I see no point. Each source of statistics is a tiny window into one vendor's or website's log counters. Combine that knowledge with the fact that 60% of statistics are too conservative in their estimates by 30%, and the infection rate could soar as high as 151%.

You get the idea.

So, in summary:

  • There are kajillions of XP machines still out there (ShodanHQ regularly shows over 4 million that are Internet-accessible)
  • Tons of them are already pwned
  • We might see the emergence of a large botnet based on XP systems, but I'd say it is more likely we'll just see a modest bump up from the norm.
  • Permanent zero-days will impact XP, but not all at once in a 2012-style cataclysm.
  • The article that kicked this rant off is right: there are things you can do to protect XP and extend its life, but it would probably make more sense (and be cheaper) to replace it.