
I have a router and I'm the only user. I have a computer with Linux and a tablet with Windows 8.1.

Because of a few problems, I had to reinstall Windows on the tablet. Since I'm a bit paranoid about viruses and malware, I would like to ask:

Even if I only used the Internet to download Windows updates and get the antivirus software from the official website (using IE), is it possible to get infected only by staying connected to the Internet (doing nothing else)?

Also note that I never had both computer and tablet connected at the same time.

I read somewhere that it is possible to get the router infected, so to prevent this, I'm doing almost everything with attention.

Vilican
Nori-chan
  • If there is a worm going around infecting routers then there is nothing you can do about it apart from patching the router's firmware; it might get infected just by getting connected to the Internet – Ulkoma Jun 27 '15 at 14:14
  • @Ulkoma Here, when I'm not using the internet, I normally disconnect the cable from the router to prevent infections. Also, I have the latest firmware for the router (actually, there are no updates for it, as far as I know). – Nori-chan Jun 27 '15 at 18:18
  • Keep in mind that, even if you don't explicitly access your network, other processes running on the machine might (e.g. software auto-updaters). – JvR Jun 27 '15 at 19:34
  • @JvR Ah yes, but normally, when I'm not doing anything related to the Internet, I turn on airplane mode. – Nori-chan Jun 28 '15 at 03:17
  • I once had an OpenBSD workstation set up between my internet and Wifi. It crashed because the disk drive filled up with log files full of failed SSH login attempts from the internet side. Something was hitting me 24/7 for months, the HD partition was wrong, and I had no log rotation or expiration set up. – Nathan Goings Jun 28 '15 at 04:57
  • For what it's worth, a good starting point other than auto-applying patches/Windows updates is changing the default password for your router. Leaving it as the default password is asking for trouble. – n00b Jun 29 '15 at 02:57
  • @n00b Even the manual said that, so I changed that too. – Nori-chan Jun 29 '15 at 03:27
  • @Nori-chan You actually READ the manual? Wow. you are paranoid :D – n00b Jun 29 '15 at 03:38
  • @n00b Is that something good? Well, at least it makes a safer environment for me. – Nori-chan Jun 29 '15 at 03:41
  • @NathanGoings, that happens to me (and probably everyone) whenever I expose a shell on its default port to the Internet. It happens with far less frequency when I use a non-standard port on the edge and forward, and of course doesn't happen at all when I keep it behind the edge and use only VPN to get in. But you can use `fail2ban` to protect against this scenario. – tacos_tacos_tacos Jun 29 '15 at 03:46
  • @tacos_tacos_tacos It went away when I enforced connection limits at the firewall level. Eventually I ended up closing SSH with "port knocking" – Nathan Goings Jun 29 '15 at 04:40
  • @NathanGoings in my experience that's good enough in most cases. If possible I prefer VPN still for something like RDP or shell though – tacos_tacos_tacos Jun 29 '15 at 04:45
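The SSH brute-force noise Nathan Goings and tacos_tacos_tacos describe in the comments above is what `fail2ban` automates: count failed logins per source address over a sliding window and block the address once it crosses a threshold. The following is an added example, not code from this thread or from the fail2ban project, that implements that logic over constructed sshd log lines. The log line format is assumed from typical OpenSSH syslog output, the 203.0.113.x / 198.51.100.x / 192.0.2.x addresses are RFC 5737 documentation ranges, and the maxretry/findtime/bantime values are chosen for the example rather than copied from any real configuration.

```python
"""Sliding-window failed-login detector in the spirit of fail2ban.

Added example for this thread, not code from fail2ban itself.  It parses
OpenSSH 'Failed password' syslog lines (format assumed from typical sshd
output), keeps a per-IP window of recent failures, and reports the
addresses that reach MAXRETRY failures within FINDTIME seconds.  A real
deployment would hand each banned IP to the firewall (iptables/pf) for
BANTIME seconds; here we only record when the ban would expire.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAXRETRY = 5      # failures allowed inside the window before a ban
FINDTIME = 600    # window length in seconds
BANTIME = 3600    # how long a ban would last, in seconds

# Constructed sample log (not real traffic); 203.0.113.0/24, 198.51.100.0/24
# and 192.0.2.0/24 are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Jun 28 04:20:11 gw sshd[1101]: Failed password for root from 198.51.100.23 port 40001 ssh2
Jun 28 04:35:40 gw sshd[1130]: Failed password for root from 198.51.100.23 port 40002 ssh2
Jun 28 04:48:02 gw sshd[1188]: Failed password for invalid user oracle from 198.51.100.23 port 40003 ssh2
Jun 28 04:50:01 gw sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jun 28 04:50:03 gw sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51235 ssh2
Jun 28 04:50:05 gw sshd[1203]: Failed password for root from 203.0.113.7 port 51236 ssh2
Jun 28 04:50:07 gw sshd[1204]: Failed password for invalid user test from 203.0.113.7 port 51237 ssh2
Jun 28 04:50:09 gw sshd[1205]: Failed password for invalid user pi from 203.0.113.7 port 51238 ssh2
Jun 28 04:50:11 gw sshd[1206]: Failed password for root from 203.0.113.7 port 51239 ssh2
Jun 28 04:52:30 gw sshd[1210]: Accepted publickey for nathan from 192.0.2.10 port 50000 ssh2
Jun 28 04:58:02 gw sshd[1250]: Failed password for root from 198.51.100.23 port 40004 ssh2
"""

# Syslog timestamps carry no year; the sample is taken to be from 2015 (assumption).
LOG_YEAR = 2015

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)


def parse_syslog_time(ts, year=LOG_YEAR):
    """Turn 'Jun 28 04:50:01' into a datetime (year supplied by the caller)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_bans(log_text, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Return {ip: ban_expiry} for every source that tripped the threshold.

    Lines are processed in order; a banned IP's later failures inside its
    ban period are ignored, as the firewall would drop them in practice.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still in the window
    banned = {}                   # ip -> datetime when the ban would expire
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue              # successful logins, other daemons, noise
        ip, ts = m["ip"], parse_syslog_time(m["ts"])
        if ip in banned and ts < banned[ip]:
            continue
        window = recent[ip]
        window.append(ts)
        # Drop failures that fell out of the sliding window.
        while window and (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned[ip] = ts + timedelta(seconds=bantime)
            window.clear()
    return banned


if __name__ == "__main__":
    for ip, until in find_bans(SAMPLE_LOG).items():
        print(f"ban {ip} until {until:%Y-%m-%d %H:%M:%S}")
```

With the sample, 203.0.113.7 (five failures in eight seconds) is banned and 198.51.100.23 (slow, spread-out guesses) is not; lowering maxretry or widening findtime catches the slow scanner too, at the cost of more false positives on your own typos. The other remedies in the comments (non-default port, VPN-only access, port knocking) cut the noise, but this rate logic is what stops the guessing once a listener is reachable.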

8 Answers

33

A few years ago (2003), there was this worm called "Blaster" (or MSBlast, Lovesan etc. - read more on https://en.wikipedia.org/wiki/Blaster_(computer_worm)). It spread by using a vulnerability in an RPC service, running on Windows XP and 2000.

At the time when it was at its worst, you could get infected within minutes if you didn't have a firewall set up. I remember installing a clean Windows XP, putting it online (without a firewall), and watching it get infected within minutes.

So to answer your question: Yes, if you're connected to the internet, you're vulnerable as long as there are open ports with services listening on them (and there's a vulnerability in the software).

So you can definitely get infected by just being online and not doing anything. Remember, even if you're not doing anything, your computer is still connected to various services online and using the internet.

user22866
  • Ok, I can be infected just by doing nothing online, but, since I was installing the updates for Windows, I actually had a chance of being infected, right? But since the tablet has been updated, the chances are now probably lower. – Nori-chan Jun 28 '15 at 03:14
  • @Nori-chan You have a window of risk between the moment you plug your machine with stock Windows into the Internet and the moment it finishes downloading and installing the relevant updates. If you are absolutely paranoid you have to download all updates and security software from another machine, transfer them by off-line methods and install them before plugging in. – hijarian Jun 28 '15 at 18:33
  • @hijarian I'm not that paranoid, but I just want to be safe. That's why I'm asking this question. But it seems that I'm safe, even if I had to update Windows, right? – Nori-chan Jun 29 '15 at 03:39
  • @Nori-chan As I said, you are safe **after** you installed the updates, firewall and, optionally, antivirus software, but _strictly speaking_, _until you have done so_, all the time you are connected to the Internet, you are vulnerable. This answer already told you so. – hijarian Jun 29 '15 at 10:05
  • @hijarian Yeah, but I mean the chances are kinda small, right? (from what I'm seeing from the other answers) – Nori-chan Jun 29 '15 at 10:19
  • @Nori-chan Yes, of course. You were first to say that you're a bit paranoid regarding the malware. ;) And your question is "whether it's possible", not "what are chances to". ;) – hijarian Jun 29 '15 at 12:09
  • There are no certainties. Even if you have applied all updates you may still be vulnerable to a zero day which the vendor does not know about or a vulnerability which has not yet been patched. All you can do is reduce the risk to a level which is acceptable. What is acceptable depends on what you do. In your case, based on what you have said, I suspect you're at low risk. – Tim X Jul 02 '15 at 23:27
  • @Nori-chan Microsoft has a history of *first* giving vulnerabilities to NSA and fixing them only after some time passes since that. So, if you are really concerned about these scenarios, a good investment would be to learn to use a free (as in free speech) OS — for example, GNU+Linux or *BSD. – Display Name Mar 20 '17 at 14:35
5

It might be possible to be infected if your computer is directly accessible from the Internet (without NAT, router, etc.). But the attacker will need to find a vulnerability in the TCP stack of your operating system that would allow him to execute arbitrary code on the machine (e.g. by sending a malformed packet), and those are very uncommon nowadays.

There can also be exploits for some system services that are listening (Windows has a couple of these). This is how major Internet worms spread (e.g. Sasser, Conficker). It would also require your computer to be directly accessible from the Internet (no firewall or NAT) or your router to be hacked.

But the probability of both is so low that you shouldn't be concerned.

prq
  • Well, even when I had to install Windows updates, Windows still comes with a firewall turned on. But since the probability is low, I will try to calm down a little. – Nori-chan Jun 28 '15 at 03:20
1

Short: Don't download anything and you will be fine.

Long: If you aren't downloading any file from the Internet there is almost no possibility that your computer will be infected.
If you aren't downloading any file from the Internet and you only fear viruses that affect your computer directly, then the only way to actually infect your computer is through an open port.
The way to secure open ports is using an antivirus or a firewall to block them.
If you aren't downloading anything to your computer then the open ports on your machine will be secured if you use Windows Update regularly.


If you want to check your open ports you have a few ways:
1. Use Nmap on your Linux machine to map the Windows machine's ports.
2. In Windows you can type `netstat -ab | more` in your command line.

HackinGuy
  • Should probably clarify what you mean by an open port. Theoretically, if you have no services running on your computer and all of the ports are open (that is, not blocked by the firewall), then it doesn't matter. If there's nothing that will listen for a connection on a port then it's as good as being closed (which is partially why I think software firewalls are a big gimmick, if anything it just adds 1 more piece of software that might have a vulnerability). At that, the only way of compromising the machine is through a vulnerability in the OS, which nothing will save you from anyway. – Cruncher Jun 27 '15 at 17:40
  • -1. This is clearly wrong. – Quora Feans Jun 27 '15 at 17:53
  • @Cruncher well you are correct in theory but in the real world it is most of the time not what actually happens. For example port 445 in Windows will automatically be open for `microsoft-ds`. Anyway you are completely correct in theory. – HackinGuy Jun 28 '15 at 19:11
  • @QuoraFeans I would be happy if you would explain why you think that. – HackinGuy Jun 28 '15 at 19:14
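The answer above suggests `netstat -ab` and Nmap, and the comments narrow the real question down: a port only matters if something is listening on it, and on a stock Windows box services such as `microsoft-ds` on 445 listen without you asking. The block below is an added example, not code from the answer or from any Microsoft tool, that turns a `netstat -an` listing into the list that actually matters: which bound sockets sit on an address another host can reach (0.0.0.0, :: or a LAN address) rather than on loopback only. The netstat output is constructed for the example, in the Windows column layout; the port descriptions are the usual service names and not claims about vulnerabilities.

```python
"""Classify what a Windows 'netstat -an' listing actually exposes.

Added example for this thread, not code from the answer or from any
Microsoft tool.  The useful question is not "which ports are open" but
"which sockets are bound on an address another host can reach": a listener
on 127.0.0.1 or ::1 is unreachable from the network, one on 0.0.0.0, :: or
a LAN address is not.  SAMPLE_NETSTAT is constructed (not captured) in the
Windows 'netstat -an' column format.
"""

# Well-known Windows listeners the thread mentions, plus a few common ones.
KNOWN_PORTS = {
    135: "MSRPC endpoint mapper",
    137: "NetBIOS name service",
    138: "NetBIOS datagram service",
    139: "NetBIOS session service",
    445: "microsoft-ds (SMB)",
    3389: "Remote Desktop",
    5353: "mDNS",
}

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:8307         0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:49712     192.0.2.40:443         ESTABLISHED
  TCP    [::]:135               [::]:0                 LISTENING
  TCP    [::1]:8307             [::]:0                 LISTENING
  UDP    0.0.0.0:5353           *:*
  UDP    127.0.0.1:1900         *:*
"""


def split_endpoint(endpoint):
    """'192.168.1.20:139' -> ('192.168.1.20', 139); '[::1]:8307' -> ('::1', 8307)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def exposure(host):
    """Describe where a socket bound to `host` can be reached from."""
    if host in ("0.0.0.0", "::"):
        return "all interfaces"
    if host.startswith("127.") or host == "::1":
        return "loopback only"
    return "one interface"


def bound_sockets(netstat_text):
    """Return (proto, host, port, exposure, description) for every bound socket.

    TCP sockets count only in LISTENING state (an ESTABLISHED row is a client
    connection, not a listener); UDP rows have no state column, so every UDP
    row is a bound socket.
    """
    rows = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue                      # headers, blank lines
        proto, local = fields[0], fields[1]
        state = fields[3] if len(fields) > 3 else None
        if proto == "TCP" and state != "LISTENING":
            continue
        host, port = split_endpoint(local)
        rows.append((proto, host, port, exposure(host),
                     KNOWN_PORTS.get(port, "unknown service")))
    return rows


def network_reachable_ports(netstat_text):
    """Sorted unique ports another host could connect or send to."""
    return sorted({port for _, _, port, exp, _ in bound_sockets(netstat_text)
                   if exp != "loopback only"})


if __name__ == "__main__":
    for proto, host, port, exp, desc in bound_sockets(SAMPLE_NETSTAT):
        print(f"{proto:3} {host:>14}:{port:<5} {exp:15} {desc}")
    print("reachable from the network:", network_reachable_ports(SAMPLE_NETSTAT))
```

Two caveats a practitioner would add. `netstat` shows what is bound, not what is reachable: Windows Firewall decides per profile whether inbound 135/139/445 are allowed, so a scan from the other machine (for example `nmap -sS -p- <tablet-ip>` from the Linux box, as the answer suggests) is the check that reflects the firewall's actual behaviour. And `netstat -ab` needs an elevated prompt to show the owning executable, which is what tells you whether a listener on 0.0.0.0 is a system service or something you installed.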
1

Edit:

If you are connected to the Internet, then yes it is possible.

When you say

connected to the Internet (doing nothing else)

Do you browse websites? Receive email? Connect to any other computer from the Internet?

If you do any of these things, you can still get infected.

If you do none of these things, then it is still possible (although unlikely).

And if you do none of these things, I have to ask why you are connected to the Internet. If you only use the computer to download updates, I recommend you turn the computer off when not downloading. That will lessen the chances of being attacked.

Ron Trunk
  • This does not answer the question of whether it is possible to get infected. – Vilican Jun 27 '15 at 15:30
  • Edited to make it clearer. – Ron Trunk Jun 27 '15 at 15:52
  • @RonTrunk No, when I say connected to the internet doing nothing, in this case it was after downloading the Windows updates (in this case, installing them). But yes, I should have turned off the internet. Still, the chances of being infected are minimal? Even if I was installing the updates? – Nori-chan Jun 27 '15 at 18:14
  • Yes it is minimal, unless someone is specifically targeting *you*. – Ron Trunk Jun 27 '15 at 18:30
1

By just being connected to the Internet there is a risk of being compromised.

This risk can be mitigated with software updates and some security products (antimalware, firewall, intrusion detection systems, etc...).

On an ideal setting, the risk is very low. You would be running behind one or two routers on a NAT, with a fully updated operating system, no services open to the public network... and no port forwarding anyway.

To get to you on that situation, they need to compromise the routers first.


Then again if you are connected directly to the ISP (not behind a NAT nor a proxy) the risk is higher.

In theory the attacker will need an exploit for a vulnerability in your particular system. And the chances of an attacker picked at random knowing what vulnerabilities you have are low....

But! there are two scenarios in which this is not the case:

  • If you are the target of a persistent threat, they will find a vulnerability sooner or later. When they do, it will be a race to see if you patch it before they exploit it.
  • If the attackers are looking for a random victim*, they will look for hosts that are vulnerable to the exploits they have, instead of looking for exploits for the vulnerabilities you have. And that search will probably be automated. Given enough time and enough exploits lying around, they will get you.

*: they may be looking for hosts to add to a botnet, for example.


All of this is made worse if you have particularly vulnerable services installed... or simply poorly configured ones. For instance a web server, a database engine, or a file sharing service can be targeted.


And finally you are hardly "doing nothing else". As you reckon, you would download updates... perhaps your DNS gets poisoned and it starts directing you to a fake update server (that may even appear to have valid certificates and digital signatures due to a collision attack on the hash algorithms used to create those by the real author). And then you get infected from the updates.

Also, what else is installed on your machine? Do you have... I don't know... a Java updater? Flash updater? Chrome updater? Acrobat Reader updater? etc... any of those could be used to harm you.

Also, many user will sync files with a remote server, via Dropbox, OneDrive, Google Drive, etc...

Did you remember to disable remote assistance? Do you have a convenient Team Viewer service running all the time? How about that tool that comes with the drivers for your audio or video adapter that will look for drivers updates?

Etc...


Edit: no, I'm not saying that you should not update. It is a higher risk to not update and be stuck with an old version for which there will be known exploits that will continue to work forever because you never update. It is better to take the risk of updating, even considering the occasional faulty update from a legitimate source.


Edit 2: yes, your router can be compromised. Heck, even "mine" probably is compromised and I don't even know. That is because "my" router is from the ISP and they don't give me full access to it. That's why I have a second router behind it, and this one is truly mine! I can set a more secure wifi on it, I can also see its activity logs, keep a backup of its system, and I can even update its firmware (I did once already).


Edit 3: By the way, just being connected to the Internet is how honeypots work. Of course honeypots are usually intentionally vulnerable. By keeping your machine updated you are mitigating the risk, but not eliminating it. There will always be a residual risk... the only way to actually delete the risk is to be disconnected.

Theraot
1

It is possible for several reasons - but your intuition is fundamentally correct, because the fundamental issue is always the "attack surface." And network security is all about minimizing the attack surface (and locking down the surface that must be exposed).

You probably have a combination router/firewall at your "edge" that serves as the default gateway for your LAN and is connected to a modem that either bridges or routes traffic to/from the edge. These devices run on software, just like any other network node, and therefore are only as good as the software they rely upon. Because of NAT, or network address translation, your PC is not addressable from the Internet, meaning that incoming traffic must first pass through your edge and get filtered, routed, and filtered again.

NAT can give a false sense of security because it feels as though you are "hiding" behind the edge, and in a sense you are. But, when you open a connection to the outside, the outside must be able to get the traffic back in, and so your NAT device (your edge) will typically open a random port (typically a very high number) when you place the request so that it can get back to you. Incoming requests are usually blocked by default because there is no NAT rule to send traffic to your node, but an attacker who gains access to the edge via shell or (sadly) the web configuration tool can add that kind of rule, or set your PC as the DMZ host.

So, the motivated attacker would look in a certain subnet and/or range of IP addresses for nodes that seem to be running vulnerable software. Maybe you bought your edge device in 2010, at which time it was loaded with the latest version of CentOS or something. Now five years later, maybe the manufacturer and/or you have not been keeping up-to-date with CentOS patches. The attacker would do something like this:

  1. Pick a range of targets to assess
  2. Look for nodes that respond in any fashion at all (ICMP, TCP, whatever. Anything is something.)
  3. On those nodes, try to fingerprint them or figure out what software they are running on each exposed protocol + port.
  4. Lookup the fingerprints that are found and match to known vulnerabilities (CentOS 2.1, Apache 5.0.28 or lower, etc.)
  5. Try exploit to gain elevated access
  6. If successful, set up a backdoor quietly
  7. Inspect the INTERNAL (LAN) nodes using tools of choice, split output of all traffic to the attacker (ie man in the middle), poison DNS, etc.

Once the attacker has access to your edge, it can really hurt. For instance, they can intercept DNS requests (domain names to IP addresses) to point you to their servers. This is why SSL exists, but they could easily find a way to trick you by doing this for non-SSL sites. ("Please contact Time Warner tech support...")

They could also quietly log all your traffic to sift and analyze.

And of course, they could try to repeat the same classic procedure described above on your internal network, and find your node just sitting there. From there, your node has an expanded attack surface because Windows by default treats LAN traffic with more respect - so more services are exposed, like NetBIOS and File Sharing or in the older days, RPC. I mean, the sky is the limit.

This would be a lot of effort, so in all likelihood, you'll be okay if you stick to patching on the reg. But that includes patching your edge and anything in between.

  • Thank you for the answer. And yes, the first thing I always do in my computer and tablet is verify for updates. – Nori-chan Jun 29 '15 at 03:34
  • Unless you are very unlucky or a wanted person, this should be sufficient. But if you can, always keep your tablet (however updated it is) *behind* the edge and not exposed, because it is just begging for trouble otherwise. – tacos_tacos_tacos Jun 29 '15 at 03:47
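The answer above makes a point that is easy to get backwards: NAT hides the PC not because it filters, but because an inbound packet with no translation entry has nowhere to go; the entry appears only when the PC talks out first, and anyone who controls the edge can add a forwarding rule or a DMZ host that removes that accident of protection. The block below is an added example, not code from the answer or from any router firmware, modelling a consumer edge's translation table to show those three states. It is simplified: it assumes endpoint-dependent filtering (a reply is accepted only from the remote the flow was opened to), which many consumer NATs relax, it ignores mapping timeouts, and the 198.51.100.x / 203.0.113.x / 192.0.2.x addresses are RFC 5737 documentation ranges.

```python
"""Toy model of a NAT edge device's translation table.

Added example for this thread, not code from the answer or from any router
firmware.  It shows why an unsolicited packet to a LAN host is dropped (no
translation entry exists), why the reply to an outbound connection gets
through (the outbound packet created one), and how a port-forward or DMZ
rule added by whoever controls the edge removes that protection.  The model
assumes endpoint-dependent filtering (replies accepted only from the remote
the flow was opened to), which many consumer NATs relax, and ignores timeouts.
"""


class NatEdge:
    def __init__(self, public_ip, first_public_port=49152):
        self.public_ip = public_ip
        self.next_port = first_public_port   # ephemeral public ports handed out in order
        self.mappings = {}    # public_port -> (lan_ip, lan_port, remote_ip, remote_port)
        self.forwards = {}    # public_port -> (lan_ip, lan_port), static rules
        self.dmz_host = None  # LAN host that receives everything unmatched

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """A LAN host opens a connection: allocate a public port, record the flow.
        Returns the public port the remote will see as the packet's source."""
        public_port = self.next_port
        self.next_port += 1
        self.mappings[public_port] = (lan_ip, lan_port, remote_ip, remote_port)
        return public_port

    def add_forward(self, public_port, lan_ip, lan_port):
        """Static rule, the kind someone with shell or web-UI access to the edge adds."""
        self.forwards[public_port] = (lan_ip, lan_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Decide what happens to a packet arriving on the public side.
        Returns ('deliver', lan_ip, lan_port) or ('drop', reason)."""
        if dst_port in self.mappings:
            lan_ip, lan_port, remote_ip, remote_port = self.mappings[dst_port]
            if (src_ip, src_port) == (remote_ip, remote_port):
                return ("deliver", lan_ip, lan_port)
            return ("drop", "port mapped, but packet is not from the flow's remote")
        if dst_port in self.forwards:
            lan_ip, lan_port = self.forwards[dst_port]
            return ("deliver", lan_ip, lan_port)
        if self.dmz_host is not None:
            return ("deliver", self.dmz_host, dst_port)
        return ("drop", "no translation entry for this port")


def scenario():
    """Walk through the three states the answer describes; returns the outcomes."""
    edge = NatEdge("198.51.100.1")
    pc, attacker, update_server = "192.168.1.20", "203.0.113.9", "192.0.2.40"

    # 1. Nothing has talked out yet: a probe of the SMB port matches no entry.
    before = edge.inbound(attacker, 40000, 445)

    # 2. The PC fetches updates; the reply comes back through the new mapping,
    #    but a third party aiming at the same public port does not.
    public_port = edge.outbound(pc, 51000, update_server, 443)
    reply = edge.inbound(update_server, 443, public_port)
    hijack = edge.inbound(attacker, 443, public_port)

    # 3. Whoever controls the edge sets the PC as DMZ host: every unsolicited
    #    packet now lands on it, SMB included.
    edge.dmz_host = pc
    after = edge.inbound(attacker, 40000, 445)
    return before, public_port, reply, hijack, after


if __name__ == "__main__":
    labels = ("before", "public port", "reply", "hijack", "after DMZ")
    for label, result in zip(labels, scenario()):
        print(f"{label:12} {result}")
```

The `hijack` branch is where real devices differ: a full-cone NAT delivers any packet to a mapped port regardless of source, so a scanner that guesses an active ephemeral port reaches the LAN host even without a forward or DMZ. That is one reason the answer's advice to patch the edge and keep the host firewall on behind it is not redundant with NAT.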
1

First and foremost, anything non-trivial is theoretically possible.

Now, on to practicality.

It is exceedingly improbable that you'd get infected in this situation. The router is kind of like a phone system in an office: instead of global "phone numbers" (IP addresses), your internal machines only get "extensions" (internal, non-routable addresses). There's no direct way for an external machine to address an internal one.

However, if the router were to become compromised, that would be a "forward base," so to speak, facilitating a multi-stage attack. Fortunately, this level of sophistication is basically unheard of in malware today, and your attack surface is very small in this configuration. Ensuring "remote administration" is turned off in the router and that there isn't a DMZ set up will make it practically (if not actually) impossible for your Windows machine to get compromised.

This, of course, assumes that the only thing you do is access Windows Update. There is a type of attack called "DNS cache poisoning;" someone could theoretically get you to connect to a different machine than you intend to using this or other attacks (man-in-the-middle). But...

That's where digital signatures and SSL come into play. They make it possible to have reasonable end-to-end security.

Still doesn't make it impossible. Say Microsoft's code signing certificate gets compromised. The attacker can then sign binaries that your machine will happily accept and run. It could even be cracked rather than stolen. For that matter, it might be that the would-be attacker might have access to a quantum computer; then, all bets are off.

In short... you're NEVER 100% safe unless you physically disconnect the uplink cable. But in the situation you describe, you're probably in the 99.999% range or so. Otherwise... there's no such thing as "perfect" security.

  • I think it's safe to say that by patching your edge and your clients you are better off than 99% of client nodes out there, but of course, you're right - never 100%, there are too many moving parts. – tacos_tacos_tacos Jun 29 '15 at 04:44
0

If you are just connected to the Internet (so you are not downloading anything), your computer cannot be infected, but an attacker can get to your computer through open ports.

Another problem will be if you already have virus in the computer (like malware), it can use the connection to send data (e.g. passwords) to the attacker.

So there is no possibility to get infected, however, attacker can use this state to attack your computer or virus (already inside) to send data.

Vilican
  • In this case, I was only installing the Windows updates, nothing else, just waiting for them to be installed and then restarting the system. Also, since I just reinstalled Windows (factory mode, something like that), then the chance of having any malware is minimal, right? – Nori-chan Jun 27 '15 at 18:16
  • An attacker can give you false files claiming to be Windows updates - to be really punctual. But generally, it is minimal unless you are a target of somebody. – Vilican Jun 27 '15 at 18:40
  • If an attacker can get to your computer through open ports, then you can also be infected... Your statement seems contradictory. If there's a service running on the OS, or a vulnerability in the networking stack of the OS, then it's possible to get infected by an attacker just by connecting to the network. – Cornstalks Jun 27 '15 at 19:58
  • This comment (and the whole discussion) stands on one hypothesis: Does anyone want data of Nori-Chan? If not, the possibility is very low. – Vilican Jun 27 '15 at 20:08
  • XP SP0 would be infected by Blaster in a few minutes. – Loren Pechtel Jun 27 '15 at 21:24
  • @Vilican So, just to be sure: If I'm not a target, then the chances of being infected while being online is low (doing nothing, and also having softwares updated), right? – Nori-chan Jun 28 '15 at 03:11
  • @LorenPechtel: I have a computer with Linux and a tablet with Windows 8.1 - this is the first line of question. – Vilican Jun 28 '15 at 08:54
  • @Nori-chan: Yes, it is very low. – Vilican Jun 28 '15 at 08:54
  • @Vilican I have searched about infections for routers, and I have found that it's possible for routers to get infected. But is a malware that infects a router different from a malware that infects a computer? – Nori-chan Jun 28 '15 at 11:48
  • Yes, it is. In a router, you will have to infect a different type of system than is normally in computers. – Vilican Jun 28 '15 at 15:53
  • @Vilican Then it looks like I'm actually safe. Everything here is behaving normally. – Nori-chan Jun 29 '15 at 03:30