Attracting Attackers: Windows vs. Unix

Windows vs. Unix: the attacker's attraction

- by Paul Murphy -

Lots of people believe that the reason there are more attacks on Windows machines than on Unix machines is simply that Windows dominates desktop markets. According to their logic, 90 plus percent of the desktops, should lead to 90 plus percent of the attacks. The question is: are they right?

Look just at the number of victims and they're more than right. Microsoft, according to netcraft's surveys only has about one third of the web servers on the internet, but it also has about all of the servers known to have been compromised through external attack.

The same Microsoft over-representation takes place on the desktop with Microsoft users accounting for almost all of the virus and worm victims known.

Of course this skewing doesn't help decide the question because its more likely to be effect than cause. A better way to approach the issue is to ask a very different question: are the ideas behind the attacks on the two environments sufficiently closely related that we can say they're drawn from the same hypothetical population of possible attacks? If so, the numerical dominance of one type of target (Windows) over another (Unix) should lead to comparable dominance in the number of attacks. However, if the attacks are drawn from different populations, then the numerical dominance in the target universe won't suffice as an explanation for numerical dominance on the attack side.

There are lots of layers to this onion. First, we need to strip away the impact the click and drool crowd has on the numbers. These are people who sometimes modify, but don't originate, attacks and spray them at all and sundry. Speculatively you have to assume that the real originators feed code to the drooloids because their activities are of benefit to the criminals. In particular the hue and cry set off by these people casts a protective layer of noise and confusion over criminal activities, keeps the police focused in the wrong places, distracts prosecutors, and reinforces the stereotype of the destructive hacker as a socially incompetent sixteen year old with mental problems - an image the real criminals, many of whom seem to have legitimate computer science degrees, don't fit.

Secondly we need to understand how the value returned to the criminal influences decisions affecting the relative number of attacks. Some attacks are just naturally targetted at the Windows communities simply because that's where the money is. For example, second generation phishing schemes with HTML interpretation dependencies have to target the PC community because the distribution method, spam, is a numbers game and random email is something like nine times more likely to hit a PC user than a Mac or other Unix user.

To the rogue programmers developing attack code, however, simply hitting a bunch of users doesn't achieve anything. They're out to steal for personal gain and you don't do that by going around annoying the grownups. Their goal, instead, is to steal information, remain undetected, and then turn that information into cash or political advantage. Look at how that's actually done and a dramatic, nearly absolute, difference shows up between attacks aimed at Unix and those aimed at Windows variants like Windows 2003/XP Server.

Although I'm only about halfway through trying to categorize attacks listed in the ICAT database in terms of whether or not they can be exploited to steal data it's already obvious that "qualifying" attacks on Windows and "qualifying" attacks on Unix are totally different. Windows attacks play the numbers game: spray the code around the internet and wait for vulnerable systems to self-report, while nearly all known effective attacks on RISC based Unix require legal access to the machine and therefore have to be targetted one machine at a time.

Don't mis-understand, there are lots of attacks on RISC/Unix that require internet distribution; they just don't work for data theft purposes. Like denial of service attacks, they don't make money for the perpetrators. For example, my server gets probed almost every day and seriously attacked several times a week with dtlogin a favorite target. Fundamentally, however, that's just vandalism; even if they got full control of the machine, it wouldn't get them a nickel.

Right now all known real attacks on Unix outside the x86 world require that the attacker have the right to compile and run new code on that machine. Indeed most are variants of traditional Unix attacks focused on upgrading user authority by taking advantage of a timing or control issue in a legal call to a suid function or on making use of a piece of linked or reentrant code running under an authority higher than the user's.

The Windows situation is completely different. There the rule seems to be that you own any machine you can access with no one looking over your shoulder and the vast majority of even the most recent attacks assume you don't have any kind of legal access.

There are claims (on, for example, that Microsoft's firewall after SP2 always opens the same port for DNS queries and waits a full minute for a response - thereby enabling DNS spoofing, in turn enabling the attacker to connect the user's browser to an website from which more direct attacks like MHTML embedded scripts can then be launched.

The bottom line difference is that essentially all Unix attacks currently considered likely to succeed require legal access while those on Windows uniformly don't. The comparisons on this are so skewed that you don't need a statistical test (e.g. the Kolmogorov-Smirnov two-sample test) to know that this isn't a coincidence and thus that the root populations are different. What that means is that the number of attacks of each kind doesn't reflect the relative dominance of the targets and this leaves us free to pursue alternative hypotheses - including my favorite: that Windows gets attacked more simply because it's easier and therefore more profitable for comparable levels of effort.

Getting legal access, knowing enough about Unix to initiate and benefit from an attack, and then covering your tracks can all be hard things - much harder than spraying an attack script at the world and waiting for results.

Overall it also produces less data, although whether that translates to less value for the thief is a difficult question. It may be possible, for example, for someone renting webspace and a sign-on account allowing him to compile code on an apache virtual hosting box run under Linux, to get the mod_perl module to issue apparently legal queries to the other guy's on-line database without getting caught. What that's worth, however, depends on the target and the criminal's access to markets or other means of exploiting the information.

Certainly value isn't a question we can answer in general, but it's obviously easier and less risky for the criminal to obtain value from the undetected theft of lots of identity data from tens or hundreds of ecommerce databases stored using SQL Server, then from a few records stolen from one database.

It's also technically easier, so what we have here is a winning combination for Microsoft of easier thefts producing greater value at lower risk - something that has everything to do with technology and nothing at all to do with market dominance.

Paul Murphy wrote and published The Unix Guide to Defenestration. Murphy is a 20-year veteran of the IT consulting industry.