
Legacy Windows OSes Fall Prey to Rapid Online Attacks

Windows XP was officially retired in 2014, ending a run of more than a decade on our desktops. The beloved OS was given one last security update in 2019, but for all intents and purposes, Jim, it is no longer around. Nevertheless, some are still using it, including the US State Department, according to the General Accounting Office (GAO) of the federal government.

In light of that, a curious YouTuber decided to check whether such a computer, connected to the internet, would get infected after a short period. The answer arrived in about 10 minutes. In a recent YouTube video, YouTuber Eric Parker demonstrated the danger of connecting classic Windows operating systems to the internet in 2024 without any security measures (including firewalls and routers) in place to stop viruses from spreading.

After setting up a Windows XP virtual machine with a completely unsecured internet connection, the YouTuber saw several viruses attack the OS almost immediately. Connecting a PC to the internet without any protection might seem silly today, but back in the early 2000s it was very common to find a PC connected directly to the internet without a router.

Windows XP did ship with a built-in firewall, and most people ran anti-virus software as well. Even so, it was much easier to run a PC entirely unprotected (intentionally or accidentally) than it is on the newer operating systems that have followed. In 2024, running Windows XP unprotected is even more dangerous: the operating system no longer receives any security updates, so its known, unpatched flaws make it easy for attackers to break into the system.

The first virus Eric Parker discovered on his Windows XP virtual machine, about two minutes after hooking it up to the internet, was a file dubbed "conhoz.exe" that installed itself unprompted; it appeared to be the same virus as the one on the desktop machine. Another virus followed soon after, creating an entirely new Windows XP account called "admin" and running a file server on it through FTP.

Strange things kept happening in this experiment: several hours after he had first started, he returned to the machine only to find that a new user named "Admina" had been added, without him touching anything at all. He logged into the regular account and noticed a service named ftp.exe running, which did not sound promising. Examining these files in Process Explorer showed that conhoz.exe had been created by a program calling itself "Microsoft Compilation." It was a wild ride, with various nasty bits traced back to IP addresses in Russia (naturally), and more appearing as time went on.

Eric Parker runs the legacy version of Malwarebytes during the latter half of the video and, after an initial scan, finds eight different types of malware, which are discussed below. One change the malware had made was to the DNS (Domain Name System) settings, which now pointed browsing and network access at a virtual private server from the Chinese company Alibaba. That sort of thing happening is not a good sign.

By the time the video ends, the malware has won, and an outdated anti-virus program, unable to deal with the various threats, is left to deal with the aftermath. By contrast, Eric Parker notes that Windows 7, after several hours on the same open network setup, showed no issue or evidence of malware running. To identify the Russian fingerprints found on the suspect files, Mr Parker downloaded Malwarebytes and ran a scan against them.

A quick scan of the system revealed eight threats: four trojans, two backdoors, and two instances of adware. After looking up some of the malware in a browser, PCGamer reported that the machine was most likely being used as part of a botnet in an attempt to obtain personal information from users. Malwarebytes did not flag conhoz.exe itself, but once the eight threats were quarantined and the system was rebooted, conhoz.exe no longer started automatically at boot.

The file remained in the Windows/Temp folder, suggesting that the program's launcher might have been neutralized. That was not the case: after a few minutes, the program started running again. In response, Malwarebytes was run a second time to detect illicit services. Surprisingly, Malwarebytes suddenly shut down and disappeared. Upon checking Task Manager, the process conhoz.exe was once again found running in the background. Mr Parker described this as a "victory for the malware." These incidents exemplify a worst-case scenario for both the Windows XP and Windows 2000 operating systems.
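The indicators that surfaced in this experiment (an unexpected local account, a process running out of the Windows Temp folder, altered DNS servers, and a disabled firewall) are all things a defender can check for routinely. The following PowerShell triage script is an added example, not code from the original post or from Eric Parker's video; it targets a modern Windows host (PowerShell 5.1 or later, run as administrator), since cmdlets such as Get-LocalUser and Get-NetFirewallProfile are not available on Windows XP. The baseline account list and the expected DNS address are constructed placeholders to be replaced with your own environment's values.

```powershell
# Added triage example (not from the post). Reports the kinds of indicators the
# XP experiment surfaced on a modern Windows host. Requires PowerShell 5.1+ and
# an elevated session. Baseline values below are constructed placeholders.

param(
    # Local accounts expected to exist on this host (constructed baseline).
    [string[]]$KnownAccounts = @('Administrator', 'Guest', 'DefaultAccount', 'WDAGUtilityAccount'),
    # DNS resolvers this host should be using (constructed placeholder address).
    [string[]]$ExpectedDns = @('10.0.0.53')
)

$findings = @()

# 1. Local accounts outside the baseline (the video saw "admin" and "Admina" appear).
foreach ($u in Get-LocalUser) {
    if ($KnownAccounts -notcontains $u.Name) {
        $findings += [pscustomobject]@{
            Check  = 'UnexpectedLocalAccount'
            Detail = "$($u.Name) enabled=$($u.Enabled) passwordLastSet=$($u.PasswordLastSet)"
        }
    }
}

# 2. Running processes whose image lives under a Temp directory
#    (conhoz.exe kept coming back from Windows\Temp).
$tempRoots = @("$env:windir\Temp", $env:TEMP) |
    ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() } | Select-Object -Unique
foreach ($p in Get-CimInstance Win32_Process) {
    if (-not $p.ExecutablePath) { continue }
    $path = $p.ExecutablePath.ToLowerInvariant()
    foreach ($root in $tempRoots) {
        if ($path.StartsWith($root + '\')) {
            $findings += [pscustomobject]@{
                Check  = 'ProcessRunningFromTemp'
                Detail = "PID $($p.ProcessId) $($p.ExecutablePath)"
            }
        }
    }
}

# 3. DNS servers that differ from the expected resolvers
#    (the malware redirected DNS to a server it controlled).
foreach ($cfg in Get-DnsClientServerAddress -AddressFamily IPv4) {
    foreach ($srv in $cfg.ServerAddresses) {
        if ($ExpectedDns -notcontains $srv) {
            $findings += [pscustomobject]@{
                Check  = 'UnexpectedDnsServer'
                Detail = "$($cfg.InterfaceAlias): $srv"
            }
        }
    }
}

# 4. Firewall profiles that are switched off (the experiment ran with none at all).
foreach ($fp in Get-NetFirewallProfile) {
    if (-not $fp.Enabled) {
        $findings += [pscustomobject]@{
            Check  = 'FirewallProfileDisabled'
            Detail = $fp.Name
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No findings.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell prompt and feed the output into whatever ticketing or SIEM process you use; a rogue account or a binary executing from Temp is worth treating as an incident, not a curiosity, and a scan that is killed mid-run (as Malwarebytes was here) is itself an indicator that the host should be rebuilt rather than cleaned in place.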

Without fundamental security measures in place, online attackers can use tools such as Nmap to identify the specific operating system version running on an exposed system. Once they confirm that the system is vulnerable, they can download and execute viruses and malware on it directly. Modern operating systems do not suffer from this class of severe security vulnerability: Windows 10 and Windows 11, for instance, ship with significantly more robust security measures that prevent malware from installing itself, even if the firewall is disabled.

Eric Parker confirmed that Microsoft operating systems from Windows 7 onward are not affected by the security vulnerabilities demonstrated above. He ran Windows 7 for several hours on another virtual machine without antivirus software or a firewall and found no viruses on the system. This shows how substantially security has improved in modern operating systems compared to their legacy counterparts.