Attracting Attackers: Windows vs. Unix

Lots of people believe that the reason there are more attacks on Windows machines than on Unix machines is simply that Windows dominates desktop markets. According to their logic, 90 plus percent of the desktops should lead to 90 plus percent of the attacks. The question is whether they are right.

Look just at the number of victims and they’re more than right. Microsoft, according to Netcraft’s surveys, only has about one third of the Web servers on the internet, but it also has about all of the servers known to have been compromised through external attack.

The same Microsoft over-representation takes place on the desktop with Microsoft users accounting for almost all of the virus and worm victims known.

Of course, this skewing doesn’t help decide the question because it’s more likely to be effect than cause. A better way to approach the issue is to ask a very different question: Are the ideas behind the attacks on the two environments sufficiently closely related that we can say they’re drawn from the same hypothetical population of possible attacks?

If so, the numerical dominance of one type of target (Windows) over another (Unix) should lead to comparable dominance in the number of attacks. However, if the attacks are drawn from different populations, then the numerical dominance in the target universe won’t suffice as an explanation for numerical dominance on the attack side.

Peeling the Layers

There are lots of layers to this onion. First, we need to strip away the impact the click and drool crowd has on the numbers. These are people who sometimes modify but don’t originate attacks, and spray them at all and sundry.

Speculatively, you have to assume that the real originators feed code to the drooloids because their activities are of benefit to the criminals. In particular, the hue and cry set off by these people casts a protective layer of noise and confusion over criminal activities, keeps the police focused in the wrong places, distracts prosecutors and reinforces the stereotype of the destructive hacker as a socially incompetent 16 year old with mental problems — an image the real criminals, many of whom seem to have legitimate computer science degrees, don’t fit.

We need to understand how the value returned to the criminal influences decisions affecting the relative number of attacks. Some attacks are just naturally targeted at the Windows communities simply because that’s where the money is. For example, second-generation phishing schemes with HTML interpretation dependencies have to target the PC community because the distribution method, spam, is a numbers game and random e-mail is something like nine times more likely to hit a PC user than a Mac or other Unix user.

To the rogue programmers developing attack code, however, simply hitting a bunch of users doesn’t achieve anything. They’re out to steal for personal gain and you don’t do that by going around annoying the grownups. Their goal, instead, is to steal information, remain undetected and then turn that information into cash or political advantage. Look at how that’s actually done and a dramatic, nearly absolute difference shows up between attacks aimed at Unix and those aimed at Windows variants like Windows 2003 Server and XP.

Attacker Communities

Although I’m only about halfway through trying to categorize attacks listed in the ICAT database in terms of whether or not they can be exploited to steal data, it’s already obvious that one difference is so sharply demarcated that it allows an unambiguous answer to the question: Windows and Unix attacks are not drawn from the same population of possible attacks.

Dropping denial-of-service and x86 architecture attacks on Linux as unlikely to remain undetected leaves a stark contrast between “qualifying” attacks on Windows and “qualifying” attacks on Unix. Windows attacks play the numbers game: Spray the code around the internet and wait for vulnerable systems to self-report. Nearly all known effective attacks on Risc-based Unix require legal access to the machine and therefore have to be targeted one machine at a time.

Don’t misunderstand. There are lots of attacks on Risc/Unix that require Internet distribution. They just don’t work for data-theft purposes. Like denial-of-service attacks, they don’t make money for the perpetrators. For example, my winface.com server gets probed almost every day and seriously attacked several times a week with dtlogin being a favorite target. Fundamentally, however, that’s just vandalism; even if they got full control of the machine, it wouldn’t get them a nickel.

Bottom Line

Right now, all known real attacks on Unix outside the x86 world require that the attacker have the right to compile and run new code on that machine. Indeed, most are variants of traditional Unix attacks focused on upgrading user authority by taking advantage of a timing or control issue in a legal call to a suid function or on making use of a piece of linked or re-entrant code running under an authority higher than the user’s.

The Windows situation is completely different. There the rule seems to be that you own any machine you can access with no one looking over your shoulder. The vast majority of even the most recent attacks assume you don’t have any kind of legal access.

There are claims (on phrack.org), for example, that Microsoft’s firewall after SP2 always opens the same port for DNS queries and waits a full minute for a response — thereby enabling DNS spoofing, in turn enabling the attacker to connect the user’s browser to a Web site from which more direct attacks like MHTML embedded scripts can be launched.

The bottom-line difference is that essentially all Unix attacks currently considered likely to succeed require legal access, while those on Windows uniformly don’t. The comparisons on this are so skewed that you don’t need a statistical test — the Kolmogorov-Smirnov two-sample test — to know that this isn’t a coincidence and thus that the root populations are different.

Relative Dominance

What that means is that the number of attacks of each kind doesn’t reflect the relative dominance of the targets, which leaves us free to pursue alternative hypotheses, including my favorite: Windows gets attacked more simply because it’s easier and therefore more profitable for comparable levels of effort. Getting legal access, knowing enough about Unix to initiate and benefit from an attack, and then covering your tracks can all be hard things — much harder than spraying an attack script at the world and waiting for results.

Overall, it also produces less data, although whether that translates to less value for the thief is a difficult question. It might be possible, for example, for someone renting Web space and a sign-on account allowing him or her to compile code on an Apache virtual hosting box run under Linux, to get the mod_perl module to issue apparently legal queries to the other guy’s online database without getting caught. What that’s worth, however, depends on the target and the criminal’s access to markets or other means of exploiting the information.

Certainly, value isn’t a question we can answer in general, but it’s obviously easier and less risky for the criminal to obtain value from the undetected theft of lots of identity data from tens or hundreds of e-commerce databases stored using SQL Server then from a few records stolen from one database.

It’s also technically easier, so what we have here is a winning combination for Microsoft of easier thefts producing greater value at lower risk — something that has everything to do with technology and nothing at all to do with market dominance.