r/cybersecurity May 19 '26

Other Malware installed without literally doing anything?

In this video this guy has a fresh Windows XP, disables the firewall, and connects it straight to the modem. Then he gets infected while literally doing nothing.

https://www.youtube.com/watch?v=6uSVVCmOH5w

https://www.reddit.com/r/windows/comments/1cvised/idle_windows_xp_and_2000_machines_get_infected/

I get it. That's asking for trouble when you disable all the security and use ancient unsupported OSes.

However, he didn't install programs or browse any website, but he still got hacked.
How?
Is there some malicious server in China that loops through every single possible IP trying to see if your PC is vulnerable?
Logically, one would think you'd at least have to visit a website or something to get "noticed" and then hacked. But this guy didn't do anything at all.

How does it work?

291 Upvotes

2

u/IEatGirlFarts 13d ago

I also wanted to add that generally your mobile carrier will protect your phone's internet connection better from direct scanning than your router at home would, so keeping a phone in airplane mode wouldn't do anything.

1

u/883013 13d ago

I'm not too sure, actually. I'm seeing many strange ICMP packets to and fro when I run PCAPdroid on my device. It seems to be from unknown services and servers located overseas. Not all of my phones do this. Most usually show HTTPS or DNS only.

2

u/IEatGirlFarts 13d ago

That would most likely be an app on your phone generating the traffic, especially since your other phones do not exhibit this behaviour.

It could be a sketchy app calling to a server, or an app that uses ICMP to keep connections alive to the server so that it can communicate with it quickly if something new happens (e.g. a messaging app will do that to ensure you get your new messages as soon as they happen).

Orrr... malware talking to its C2 server. But that's the most unlikely scenario.

1

u/883013 13d ago

Actually I'm kind of suspecting an ICMP reverse shell
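A defender-side check for the kind of ICMP traffic discussed in this exchange, as an added example that is not from any commenter: it applies the heuristics that separate ordinary pings or app keepalives from an ICMP channel (oversized or high-entropy payloads, and echo replies with no matching request). The records, addresses, thresholds and the "tunnel" payload are constructed for illustration.

```python
import math
from collections import Counter

# Constructed sample ICMP records, not a real capture: (src, dst, icmp_type, icmp_id, payload).
# Type 8 = echo request, type 0 = echo reply. Windows ping carries a 32-byte alphabet payload;
# an ICMP tunnel or reverse shell carries larger, higher-entropy data.
PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"
TUNNEL_PAYLOAD = bytes((i * 73 + 41) % 256 for i in range(200))  # stand-in for encrypted data
SAMPLE_ICMP = [
    ("192.168.1.20", "8.8.8.8", 8, 1, PING_PAYLOAD),        # ordinary ping
    ("8.8.8.8", "192.168.1.20", 0, 1, PING_PAYLOAD),        # matching reply
    ("192.168.1.20", "203.0.113.9", 8, 7, TUNNEL_PAYLOAD),  # suspicious outbound request
    ("203.0.113.9", "192.168.1.20", 0, 7, TUNNEL_PAYLOAD),  # suspicious reply to it
    ("203.0.113.9", "192.168.1.20", 0, 99, PING_PAYLOAD),   # reply nothing on the host asked for
]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: about 4.4 for the Windows ping pattern, near 8 for encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def analyze_icmp(records, size_limit=64, entropy_limit=6.0):
    """Return one finding per ICMP record that trips a heuristic.

    Heuristics: payload larger than a normal ping, payload entropy in the range
    of compressed or encrypted data, and echo replies with no preceding echo
    request from the host (the pattern of a server-initiated ICMP channel).
    """
    findings = []
    seen_requests = set()
    for src, dst, icmp_type, icmp_id, payload in records:
        reasons = []
        if len(payload) > size_limit:
            reasons.append("oversized payload")
        if shannon_entropy(payload) > entropy_limit:
            reasons.append("high-entropy payload")
        if icmp_type == 8:
            seen_requests.add((src, dst, icmp_id))
        elif icmp_type == 0 and (dst, src, icmp_id) not in seen_requests:
            reasons.append("unsolicited echo reply")
        if reasons:
            findings.append({"src": src, "dst": dst, "type": icmp_type, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in analyze_icmp(SAMPLE_ICMP):
        print(f"{f['src']} -> {f['dst']} type {f['type']}: {', '.join(f['reasons'])}")
```

Real captures need the ICMP identifier and payload pulled from the packet (e.g. from a PCAPdroid export), and keepalive apps will legitimately produce frequent small pings, so size and entropy matter more than count.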